So we all know the drill for passwords:

  • Make them unique; don’t use the same password twice.
  • Change them every month or so.
  • Make them complex; passphrases are good.

I’m sorry, your reality cheque just bounced. Let’s be conservative and say I have about twenty usernames and passwords for online sites, including things like my blog, my personal e-mail, Passport and the like.

Because I am a consultant, I am also actively managing between five and ten passwords to access client systems, on top of my Readify username and password. I am forced to cycle each of these every one to two months, and if I don’t, a lockout occurs. The cute thing about lockout is that it typically requires me to call an outsourced service provider over an unencrypted telephone network (no – I don’t have a speakeasy sitting on my desk – and the help desk operator definitely doesn’t).

So what is the solution? A password manager? Essentially, a password manager hopes to defend multiple passwords through one super-strong passphrase-style password. That doesn’t make me terribly comfortable, but even if I could get over it, I have a more serious problem to contend with.

For example – most password managers run on your local machine and require you to back up their data files (no problem). But what happens when I forget my laptop? Occasionally I go into high-security sites where I can’t bring in my laptop or mobile phone – what do I do then? Should I load the data onto the Internet? Now I am feeling really uncomfortable!

The reality is that the security guys demand that we use complex and unique passwords, but don’t consider how well that scales in reality. The only way a mortal can cope is by deliberately weakening their passwords so they can remember them.

What is the solution? Until strong biometrics are everywhere, I don’t think there is one!