It used to be that any IT person worth his salt would tell you never to write your passwords down. Memorize your password, never tell it to anyone, and guard it like you would your only daughter. That works for your network login because you only have to remember one password, but what about all of the other accounts that you have in your online life? It’s not feasible to remember more than a few passwords, and it’s not safe to use the same password for multiple sites.
With so many places being targeted, and the arms race that is hacking versus security, using the same password everywhere means that once one site is compromised, all of your accounts are compromised. Since the unique identifier most sites use now is your e-mail address, any site that stores your e-mail address AND your password has just handed a potential breach everything necessary to compromise another of your accounts. Therefore, it makes sense to use different passwords for different locations. By different passwords, I don’t mean “My password plus the number 1, then 2, then 3.” I mean completely different passwords, unrelated to each other. This is especially important because you may not know that your account has been breached until long after the breach occurs. There is no magic “We have been breached!” alarm that goes off. Websites generally find out that they’ve been breached the same way you and I do: something bad happens.
To mitigate this, I use password storage software and I randomly generate passwords for most of the sites that I visit. It doesn’t give me a false sense of security: if someone were to break into my e-mail account, they would have all the access they need to reset my password on any site. But it does decrease the chances that a breach of one site will compromise my account on another site.
The first step in this is to determine the sites that you use most often and the passwords that you need, or want, to have memorized. For me, that’s my personal e-mail account and the software that I use to store my passwords. Beyond that, I frequent enough sites that it becomes too tedious to look up each password in the password software. Your list may be different; passwords for things like Facebook, Twitter, and LinkedIn may all be ones you want memorized. I recommend getting this list to fewer than 5, and down to 3 if you can manage it. We want to change these passwords from time to time, so re-memorizing 5 of them is going to be a pain.
Now that you have the passwords you use most often, find a way to memorize them. It can be a mnemonic, a phrase complete with punctuation, or something you’ve committed to memory in some other way. It’s important to remember that passwords for things like your e-mail and your password management software should be very secure, because these are locations that, if compromised, open you up to attacks in many different areas. Don’t make your password “mycatsname.” For my e-mail I also use Google’s two-factor authentication, which means that I not only have to enter my memorized password, but also a code generated on my phone that is unique to me. It’s not impossible to hack, but it does make it much more difficult. Since this is a high-value target for someone looking to compromise my digital life, I want it protected.
The next step is to choose a secure place to store all of your other passwords. While this goes against the old “never write it down” idiom, it’s better than the “I’ve forgotten my password again” method. There are several pieces of software for this, including SplashID, eWallet, and Roboform. Find the one that has the features you want and is the easiest for you to use, and have at it. I prefer not to have my passwords stored “in the cloud,” since it seems like that would be a high-priority target for a hacker looking to find a lot of passwords at one time. But that’s just me. Make sure your software is kept up to date with the passwords you use and that you can easily access them when you need them, but also that you’re comfortable with its security.
Finally, change your passwords periodically. For each website I go to, I store the last time that I changed the password in the software I use. That tells me when I need to change the password. I randomly generate a new password, replace the old one, and keep my passwords cycling. The reason for this is that the longer you keep a password, the more likely it is that a brute force method (guessing, or having a computer keep trying passwords) will get your password. How often I change the passwords depends on what information is stored in the site. Bank information? Change it often; not being broke is important. Facebook information? If someone posts crazy stuff on my wall or tells all my friends I hate them, it’s probably not as big of a deal. Change it seldom. Although, it would be embarrassing considering what I do for a living. Change it moderately often.
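As an added example (not the author’s software, and not any of the products named above), here is a small Python sketch of the two habits this post describes: generating unrelated random passwords with a cryptographically secure generator, and recording each entry’s last-changed date so that overdue passwords get rotated on a schedule that depends on how sensitive the site is. The tier names, the day counts, the “today” date and the sample vault entries are assumptions for illustration, not from the post.

```python
import secrets
import string
from datetime import date, timedelta

# Rotation interval in days for each sensitivity tier. The tiers and the
# numbers are assumed for this example; the post only says "often",
# "seldom" and "moderately often".
ROTATION_DAYS = {"high": 90, "medium": 180, "low": 365}

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed "today" so the demo is reproducible regardless of when it runs.
DEMO_TODAY = date(2013, 5, 1)


def generate_password(length=20, alphabet=ALPHABET):
    """Build a password with the secrets module (a CSPRNG, unlike random),
    so passwords for different sites share nothing with each other."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_due(last_changed, tier, today):
    """True when the password is older than its tier's rotation interval."""
    return today - last_changed >= timedelta(days=ROTATION_DAYS[tier])


def rotate_due_entries(vault, today):
    """Replace every overdue password in the vault (in place) and return the
    sites that were rotated. vault maps site -> {password, last_changed, tier}."""
    rotated = []
    for site, entry in vault.items():
        if password_due(entry["last_changed"], entry["tier"], today):
            entry["password"] = generate_password()
            entry["last_changed"] = today
            rotated.append(site)
    return rotated


def sample_vault():
    """Constructed sample data (made-up site names, passwords and dates)."""
    return {
        "bank.example": {"password": "old-bank-pw",
                         "last_changed": date(2013, 1, 1), "tier": "high"},
        "social.example": {"password": "old-social-pw",
                           "last_changed": date(2013, 3, 1), "tier": "low"},
    }


if __name__ == "__main__":
    vault = sample_vault()
    print("rotated:", rotate_due_entries(vault, DEMO_TODAY))
```

With the sample data, only the bank entry (120 days old, "high" tier) is rotated; the social entry (61 days old, "low" tier) is left alone.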
Given the proliferation of sites requiring a login, it’s no wonder I see monitors covered in post-it passwords. It no longer makes sense not to write your passwords down somewhere. Just make sure that when you do, it’s somewhere you’re the only one likely to see.