I did a quick count today of the passwords that I use at least once per month and was surprised to find that I have 41. I appreciate that this is higher than the average but suspect that anyone who uses a PC for work and does a bit of online shopping or banking is at least in double figures. It’s all very well security specialists (like me) telling us to use different complex passwords for each account and to change them regularly but how the hell can you remember 41 passwords? What I imagine most people do is to use the same password for all accounts and change them as infrequently as possible. This is obviously far from ideal so a compromise needs to be found.
The most important password is the one for your email account. Nearly every other account you hold will send a password reset to that address if you forget its password, so whoever controls your email can reset the rest; a unique, strong password here is therefore vital. After that it is a case of assessing the importance of the data held by each account. If an account holds only limited personal information you can get away with your generic password, although it should still be difficult to guess. Bear in mind that a breach at any one of the sites using that generic password exposes every other site where you reuse it, so anything with money or sensitive data behind it belongs in the first category, not the second.
Another option is to use a password management tool. The idea is that you keep a single encrypted database of all your passwords, protected by one strong passphrase, so that one passphrase is all you need to remember. The trade-off is that the passphrase becomes the single point of failure: it must be genuinely strong, and you need a backup of the database, because losing either locks you out of everything at once. I use Ubuntu Linux, which comes with just such a program, Seahorse; it can also be used to manage PGP keys and certificates. More recent versions of Windows come with Credential Manager, which is fine in a Windows-centric world but isn't much use for storing passwords where the authentication is built into the end application. An open source utility that I use for password management on Windows, but which also works on Linux and possibly MacOS, is Password Safe. There are many programs of this type available for free, but this one is particularly easy to use and so far has never let me down.
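To make the "encrypted database behind one passphrase" idea concrete, here is an added example written for this edit; it is not code from Seahorse, Password Safe or the original post. It derives an AES-256 key from the passphrase with PBKDF2 (the 100000-iteration work factor and the salt || nonce || ciphertext file layout are assumptions of the example, not either tool's real format), encrypts the whole database with AES-GCM, and shows that a wrong passphrase or a tampered file is rejected outright rather than yielding garbage. The sample entries and passphrase are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Vault is the decrypted database: account name -> password.
type Vault map[string]string

// 16-byte salt, 12-byte GCM nonce, PBKDF2 work factor (an assumption for this example, not Password Safe's setting).
const saltLen, nonceLen, iterations = 16, 12, 100000

// pbkdf2SHA256 derives a 32-byte AES-256 key from a passphrase (PBKDF2, RFC 8018),
// written out with crypto/hmac so the example needs only the standard library.
func pbkdf2SHA256(pass, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index; one SHA-256 block already gives 32 bytes
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ { // U_2 .. U_c, XORed into the result
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the vault. The file layout is an assumption made for this example:
// salt || nonce || ciphertext+tag, with the salt also bound in as associated data.
func Seal(v Vault, passphrase string) ([]byte, error) {
	plain, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce on every write
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(hdr, nonce, plain, salt), nil
}

// Open reverses Seal. A wrong passphrase or any tampering fails the GCM tag
// check and returns an error rather than silently wrong plaintext.
func Open(blob []byte, passphrase string) (Vault, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, fmt.Errorf("vault file too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, fmt.Errorf("wrong passphrase or corrupted vault")
	}
	var v Vault
	if err := json.Unmarshal(plain, &v); err != nil {
		return nil, err
	}
	return v, nil
}

func main() {
	// Constructed sample entries; the passphrase is the only secret the user has to remember.
	v := Vault{"email": "Tq8!vLm2#pZw", "bank": "9rX$hN4@kB1e"}
	phrase := "forty one passwords behind one long phrase"
	blob, err := Seal(v, phrase)
	if err != nil {
		panic(err)
	}
	back, err := Open(blob, phrase)
	fmt.Println("round trip ok:", err == nil && back["email"] == v["email"])
	_, err = Open(blob, "not the passphrase")
	fmt.Println("wrong passphrase:", err)
}
```

Two properties are worth noting. The authentication tag turns both "wrong passphrase" and "someone edited the file" into the same clean error, so the program never hands back plausible-looking garbage. And the PBKDF2 work factor is what makes a dictionary attack on a stolen database file expensive, so the iteration count matters almost as much as the passphrase itself; a real tool should let you raise it as hardware gets faster.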
Another thing to do, at least for the systems you administer, is to change the default administrator username. A recent study from Microsoft showed that brute force attacks target usernames such as administrator or administrateur. Renaming the account takes it out of that automated firing line, but it is a supplement to a strong password and a lockout policy rather than a replacement for them, since an attacker who can enumerate accounts will find the new name.
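To see what that targeting looks like in your own logs, here is an added example (written for this edit, not taken from the post or the Microsoft study) that runs simple detection logic over a few constructed sshd-style authentication lines: it tallies failed logins by username and by source address, and counts how many of the guesses named an account that actually exists on the host, which is the number that renaming the default administrator drives down. The log lines, host name, addresses and account list are all made up for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample auth log in sshd style; not from the post or any real host.
const sampleLog = `Mar  3 09:12:01 srv sshd[2212]: Failed password for invalid user administrator from 198.51.100.7 port 51234 ssh2
Mar  3 09:12:03 srv sshd[2214]: Failed password for invalid user administrator from 198.51.100.7 port 51236 ssh2
Mar  3 09:12:05 srv sshd[2216]: Failed password for invalid user administrateur from 198.51.100.7 port 51240 ssh2
Mar  3 09:12:06 srv sshd[2218]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar  3 09:12:09 srv sshd[2220]: Failed password for root from 203.0.113.9 port 40030 ssh2
Mar  3 09:12:11 srv sshd[2222]: Failed password for invalid user administrator from 203.0.113.9 port 40031 ssh2
Mar  3 09:13:40 srv sshd[2230]: Accepted publickey for jsmith from 192.0.2.44 port 50110 ssh2
Mar  3 09:14:02 srv sshd[2240]: Failed password for jsmith from 192.0.2.44 port 50112 ssh2`

// sshd logs "invalid user" for names that do not exist; both forms are failed guesses.
var failedRe = regexp.MustCompile(`Failed password for (?:invalid user )?(\S+) from (\S+) port`)

// Attempt is one failed login extracted from the log.
type Attempt struct {
	User string
	From string
}

// ParseFailed extracts every failed password attempt from the log text.
func ParseFailed(log string) []Attempt {
	var out []Attempt
	for _, line := range strings.Split(log, "\n") {
		if m := failedRe.FindStringSubmatch(line); m != nil {
			out = append(out, Attempt{User: m[1], From: m[2]})
		}
	}
	return out
}

// CountBy tallies attempts by username, or by source address if bySource is set.
func CountBy(attempts []Attempt, bySource bool) map[string]int {
	counts := map[string]int{}
	for _, a := range attempts {
		key := a.User
		if bySource {
			key = a.From
		}
		counts[key]++
	}
	return counts
}

// Ranked returns the keys of counts ordered by descending count, ties alphabetically.
func Ranked(counts map[string]int) []string {
	keys := make([]string, 0, len(counts))
	for k := range counts {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool {
		if counts[keys[i]] != counts[keys[j]] {
			return counts[keys[i]] > counts[keys[j]]
		}
		return keys[i] < keys[j]
	})
	return keys
}

// LiveAccountHits counts the failed attempts that named an account which really
// exists on the host. Only those guesses could ever succeed; renaming the default
// administrator turns its share of the traffic into harmless noise.
func LiveAccountHits(attempts []Attempt, realAccounts map[string]bool) int {
	n := 0
	for _, a := range attempts {
		if realAccounts[a.User] {
			n++
		}
	}
	return n
}

func main() {
	attempts := ParseFailed(sampleLog)
	byUser := CountBy(attempts, false)
	fmt.Println("failed logins by username:")
	for _, u := range Ranked(byUser) {
		fmt.Printf("  %-16s %d\n", u, byUser[u])
	}
	bySource := CountBy(attempts, true)
	fmt.Println("failed logins by source:")
	for _, s := range Ranked(bySource) {
		fmt.Printf("  %-16s %d\n", s, bySource[s])
	}
	// Assumed account list for the sample host: no account called "administrator" exists.
	real := map[string]bool{"root": true, "jsmith": true}
	fmt.Printf("guesses against live accounts: %d of %d\n", LiveAccountHits(attempts, real), len(attempts))
}
```

Run it and the default names dominate the username table while the source table shows a couple of addresses doing all the work, which is the signature of automated brute forcing rather than a forgotten password. Pass the real account list with "administrator" in it to see how many of the same guesses would have been aimed at a live account had the name been left at the default.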