Monday, October 26, 2009


On remembering passwords

Terry Zink, a spam-fighter at Microsoft, recently blogged about remembering passwords. His problem, a problem most of us share, is how to strike a balance between using distinct passwords for different services, and remembering myriad passwords:

Why do I say this? While we should always use good passwords (like letter/number combinations, nothing obvious like “123456” and “password”), it’s completely unrealistic to have different passwords for every site if you have a very wide reach on the web. Consider myself:

  • I have an online bank account from back in Canada
  • I have another online bank account (which I opened when I moved to the United States)
  • I have a third online bank account
  • And I opened up a fourth online bank account! In truth, I did this to get the free $100 for opening an account, but now that it’s open I think it’s kind of convenient to have since the bank is not local
  • I have an online trading account
  • I have an online retirement account from back in Canada
  • I have an online retirement account from when I moved to the United States
  • I have a Facebook account
  • I have a Twitter account
  • I have Yahoo, Gmail and Hotmail accounts
  • I have a login to my work computer
  • I have a login to my Mac computer at home
  • I have logins to two or three discussion boards which I participate in every once in a blue moon
  • I have logins to a couple of websites (including this one) on which I write articles
  • I have logins to a bunch of bill payment sites like electricity, rent and car insurance
  • I have logins to online websites which I use to buy things
In total, I must have close to thirty different sites at which I log in. How in the heck am I supposed to remember 30 different usernames and passwords? On at least 1/3 of these sites, I have forgotten the password and I have to reset it nearly every single time I return to the site because I log in maybe once a month. It’s so frustrating! I know that using different passwords is good advice, but how realistic is it? Humans cannot remember that many different combinations of things without resorting to some memory tricks. Even then, it is still difficult.

There must be a better way.

It depends upon what you think the threat model is. For most people, the threat model is that a bad guy will find a password remotely (through guessing, phishing, or whatever), and will use it to access something as you. For most people, the threat model does not include physical access to your computer, breaking into your house or office, or any such.

So, for most people, writing the passwords down in a book that you keep in your desk is fine. Using one of the many “password-keeper” applications is fine too, provided it encrypts its store under one master password rather than keeping a plain-text list on disk. It’s not a question of having to memorize them all.

Let me repeat that: Most people should write their passwords down in a list. There may be one or two key passwords that you don’t write down, that you’re confident of remembering. But for the pile of others... write ’em down.

Also, the threats against all the things you have access to are not equivalent. If someone breaks into your email account and can then get access to your bank from there (most sites send their password-reset links to your email address, so whoever holds the mailbox can reset the rest), that’s bad. If someone breaks into one of your discussion-board accounts and can post a message pretending to be from you, that might be briefly embarrassing, but it would be obvious quickly, and doesn’t cause any real loss.

And you can group things: perhaps you consider Facebook and Twitter “equivalent”, in the sense that if someone gets into your Facebook account and that means they can also access Twitter, you think that’s OK. I’ll refer to them as being in the same “trust group” for you, and you can use the same password for both of those. Probably you can use the same password for all the blue-moon discussion boards (putting them into a common trust group). The online vendors can all share a password, as long as they don’t have your credit card saved.

But if you have the vendors save your credit card information, you probably do want separate passwords. That way, if someone breaks into your L.L.Bean account, they can’t also go rob you blind at Land’s End and Amazon.[1]

The questions I ask myself when I’m creating a password for a new service are, “If someone breaks into this, could he then get access to other things (or vice-versa)? And if so, would that be a problem?” If the answers are “Yes,” and “Yes,” then I use a new password. Otherwise I may reuse a password, putting this new service into the same trust group as some other services.
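To make those two questions concrete, here is an added example (mine, not from the original post) that encodes them as a reachability check. The account names and the “who can get into whom” relationships are made up for the demo; the rule it implements is that two accounts may share a password only when an attacker holding either one can already reach the same set of high-value accounts, so pooling them opens no new road.

```python
"""Trust-group check: may two accounts share a password?

Encodes the post's two questions as a reachability test over a hand-built
map of which account lets an attacker into which other account.
"""

# Constructed example data: account names and pivot relationships are made up.
# An edge a -> b means "someone who controls a can get into b" (for example,
# e-mail receives the password-reset links for the bank and the card-on-file shop).
PIVOTS = {
    "gmail": {"bank", "shop-with-card"},
    "bank": set(),
    "shop-with-card": set(),
    "shop-no-card": set(),
    "facebook": {"twitter"},     # assumed "log in with Facebook" on the Twitter side
    "twitter": set(),
    "forum-a": set(),
    "forum-b": set(),
}

# Accounts whose compromise is a real loss rather than a brief embarrassment.
HIGH_VALUE = {"bank", "shop-with-card"}


def reachable(start, pivots=PIVOTS):
    """Transitive closure: every account an attacker holding `start` can get into."""
    seen, stack = set(), [start]
    while stack:
        acct = stack.pop()
        if acct in seen:
            continue
        seen.add(acct)
        stack.extend(pivots.get(acct, ()))
    return seen


def exposure(acct, pivots=PIVOTS, high_value=HIGH_VALUE):
    """The high-value accounts a break-in at `acct` ultimately exposes."""
    return frozenset(reachable(acct, pivots) & high_value)


def may_share(a, b, pivots=PIVOTS, high_value=HIGH_VALUE):
    """Sharing a password makes a break-in at either account a break-in at both.
    That costs nothing only when both already expose the same high-value set;
    otherwise the weaker account becomes a new road into the stronger one."""
    return exposure(a, pivots, high_value) == exposure(b, pivots, high_value)


def trust_groups(accounts, pivots=PIVOTS, high_value=HIGH_VALUE):
    """Partition accounts into groups that may share one password each.
    Because `may_share` is an equality test it is transitive, so grouping by
    exposure set gives the coarsest safe partition."""
    groups = {}
    for acct in accounts:
        groups.setdefault(exposure(acct, pivots, high_value), []).append(acct)
    return list(groups.values())


if __name__ == "__main__":
    for group in trust_groups(list(PIVOTS)):
        print("one password may cover:", ", ".join(group))
```

With the data above, the two forums, the no-card vendor and the two social accounts land in one group; each money account gets its own password; and the email account, which can reset both, gets its own as well, because from it an attacker reaches more than from either bank alone. Counting more things as a loss (say, the social accounts) splits the groups further; the model only knows what you put in HIGH_VALUE.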

As a commenter on Terry’s entry points out, there are also various suggestions going about that tell you how you might use a seed phrase to generate unique passwords that are easy for you to re-derive at will, but that attackers are unlikely to be able to use to figure out all your passwords if they’re able to steal one.

I haven’t taken to that, but I might try it in future. In any case, I do have my passwords tucked away for a forgetful day.
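The seed-phrase idea above is easy to get wrong, so here is an added example (mine, not the commenter’s scheme or anything from the original post) showing the naive form beside a keyed one. The phrase and site names are made up; the point is that “phrase plus site name” lets one leaked password hand over the phrase, whereas running the stretched phrase and the site name through HMAC leaves an attacker with nothing but an offline guessing target for the phrase itself.

```python
"""Per-site passwords from one seed phrase: the naive scheme beside a keyed one.

The naive form ("phrase + site") is easy to re-derive, but a single leaked
password hands the attacker the phrase, hence every other password. The keyed
form feeds the stretched phrase and the site name through HMAC, so one leaked
password reveals nothing about the others unless the phrase itself is guessed.
"""
import base64
import hashlib
import hmac

# Constructed example values: the phrase and site names are made up for this demo.
SEED = "pumpkin latte on a rainy tuesday"
SITES = ["bank.example", "forum.example", "shop.example"]

PBKDF2_ROUNDS = 50_000             # stretching, so guessing the phrase is slow
CONTEXT = b"per-site-password/v1"  # fixed salt; changing it rotates every password


def naive_password(seed, site):
    """The scheme to avoid: seed and site concatenated in the clear."""
    return seed + "@" + site


def derived_password(seed, site, length=20):
    """Keyed scheme: key = PBKDF2(seed), password = HMAC(key, site), base64, trimmed."""
    key = hashlib.pbkdf2_hmac("sha256", seed.encode("utf-8"), CONTEXT, PBKDF2_ROUNDS)
    tag = hmac.new(key, site.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")[:length]


def attack_naive(leaked, leaked_site, other_sites):
    """Attacker holding one naive password strips the known site, gets the seed,
    and regenerates every other password from it."""
    suffix = "@" + leaked_site
    if not leaked.endswith(suffix):
        return {}
    seed = leaked[:-len(suffix)]
    return {s: naive_password(seed, s) for s in other_sites}


def attack_derived(leaked, leaked_site, other_sites, seed_guesses):
    """Against the keyed scheme the leaked password is only an oracle for guessing
    the seed. Succeeds exactly when the seed is in the guess list, which is why
    the phrase must be long and unguessable: one leak turns it into an offline
    cracking target, and the PBKDF2 rounds only slow that down."""
    for guess in seed_guesses:
        if hmac.compare_digest(derived_password(guess, leaked_site), leaked):
            return {s: derived_password(guess, s) for s in other_sites}
    return {}


if __name__ == "__main__":
    for site in SITES:
        print(site, "naive:", naive_password(SEED, site),
              "keyed:", derived_password(SEED, site))
```

Two practical caveats the code makes visible: the keyed scheme is deterministic, so you cannot rotate one site’s password without a per-site counter or a changed CONTEXT, and the strength of every password collapses to the strength of the phrase once any one of them leaks.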

[1] U.S. law does limit your liability for credit-card fraud — in most cases your liability stops at $50, and you often wouldn’t even be on the hook for that. It can still cause you lots of problems, and it’s in your best interest to minimize the exposure.


scouter573 said...

The great irony, of course, is that when you forget your password, they challenge you for your mother's maiden name or one of a couple of limited alternatives (favorite car, favorite pet, or favorite something else). I think you've commented on this before - it's usually easier to guess the answer to the security question than the password, so pick a bizarre answer; something like "Corvette" when asked about favorite pet, or "hula-h00p" when asked for mother's maiden name.

Dadinck said...

One can keep the list on a cell phone or PDA. In my particular PDA, the memo I keep the passwords in is protected by a password. That would make it difficult for others to access, even if the PDA was stolen.

I also have password tips here: