Wednesday, September 2, 2009

The password dilemma

Like many people, I have a few standard passwords, which I alter mostly by attaching various numbers to them. I've sat through the usual lectures on password security, but most of my passwords are for sites that I consider fairly low-stakes. It was probably a horrible mistake, but I never worried about it too much, other than for my bank's website.

A few weeks ago, I got a new computer at work. As I set up my browsers -- I use Google Chrome and Firefox about equally -- I wanted to find some way to take all my stored passwords and transfer them to the new system. I found a program that claimed to decrypt Chrome's storage files, and decided to try it.

It didn't work. But then I started to worry. Maybe it did work, and all my passwords had just been transmitted to some nefarious entity. Uh oh. Time to start worrying about password security all of a sudden.

While running a spybot check on my machine, I started to change the most sensitive of my passwords -- my Google account. See, I mail usernames and passwords to myself, using my Gmail as an easily-searchable credential retrieval system. So if you have my e-mail password, you have all my important passwords.

Then I started changing more, working my way down the sensitivity list -- bank, PayPal, etc. How to keep track of all these passwords, though? I wasn't willing to use Gmail anymore, seeing its vulnerability so suddenly.

I researched password storage programs, and the open-source KeePass system seemed to be the consensus winner. A brand new master password later, I was storing my refreshingly diverse passwords in the program. I installed one version at work, one version at home, and a similar app on my iPhone.

It's unsettling to think that I won't necessarily have access to my passwords if I'm away from my computer. Sure, you only need them when you're online, but what if you're working on another terminal -- at the hotel courtesy boarding pass printing station, or at the internet cafe in a foreign land? There are a few key passwords that I'm going to have to carry in my head, the ones I use every day. I wish there were a web application that I could trust with my passwords -- then I'd know they were there no matter where I was, like they used to be in my Gmail.

How do you keep track of your passwords? Are you a password slacker, or have you seen the light?

Oh, and the postscript... I figured out how to transfer the key Chrome files to the other computer. My stored passwords aren't there, but a lot of autofill information (including usernames) is. So at least I didn't have to start completely from scratch.


Marilyn said...

Honestly, I have a Moleskine journal that hides around my room (I always know where it is) and all it does is keep up with absolutely vital information regarding anything from FAFSA pins to email passkeys to Facebook logins. It's easy to throw in my purse when I fly places and it's always there.

the secret knitter said...

I'm definitely a slacker. I have four passwords that I've tended to use most. I have to guess the right one for those sites where I don't have to enter them regularly.

zetzertzak said...

My password actually consists of what would appear to the naked eye as a random assemblage of letters and numbers.

It's based on a relatively simple word that has a Google hit count of 4. Fortunately, the word has an appropriate number of letter-to-number ciphers along the lines of S=$, A=2, E=3.

So, my slacker password consists of said word, modified to whatever the password people set as the parameters (some don't like numbers, some do).

I know that if I forget my password, I can "uncover" it within four tries.

Random guessing might yield the password somewhere on the order of 46^8 power. Yes, it's an eight letter 'word' :)