Password Pandemonium
Passwords are the bane of modern computing. They're a fundamental aspect of confidentiality on any computer system or web site, that's for sure. But, ask any computer user what's the problem with passwords, and they will instantly tell you: "Too many to remember".
For years, the industry has tried to come up with solutions that would let a user be securely identified through the same simple method for every website and business network resource, without all the hassle of passwords. But realizing this faces many obstacles we won't cover in this article. Suffice it to say that for now, and in the foreseeable future, you're stuck with a long list of passwords—for your business network login, your home computer, your phone, your voicemail, and every banking and shopping and photo sharing and social media website and mobile app, plus so many more you don't even remember signing up for.
So, what to do? You can try using the same password for everything, but there are a few problems with this:
- If you accidentally expose this password to someone, especially if that person knows your e-mail address, Facebook account, what bank you use, where you work, etc., then you'll have lots of work ahead of you changing the password on all those accounts—at best. At worst, your attacker will have already breached those accounts.
- You might find you can't use your favorite password to sign up for certain sites that enforce complexity rules your password doesn't comply with.
What about writing down your passwords? Although some security experts admonish you never to do this, it's impossible not to. If you do this, save it only on the local hard drive of a fixed computer. Or, if your desk is truly secure, just print it out, put it in a locked drawer, and delete the file on your computer. Update the sheet with a pen until it gets too unwieldy, then retype it.
Don't upload your passwords file to cloud storage (such as Dropbox, OneDrive, Google Drive, or iCloud)! We see people do this often, and it's understandable why. It's comfortable, especially for users who are not familiar with saving files on a computer's hard drive, or for people who are highly mobile and want to access their passwords from any computer or device. But, if you choose to do this, keep in mind how much easier it is for someone to gain access to your files stored in the cloud, either because you accidentally misconfigured your sharing settings, or because someone managed to break into your account through the cloud provider's failure to maintain security.
Modern cloud providers, such as Google Drive, do encrypt your files when they're saved to their systems. So if someone who works for Google simply copied a file you saved in Google Drive, they couldn't see the contents. But Google manages the encryption keys, and decryption is automatic when you access your files, as part of normal use of Google Drive in a web browser or in the mobile app. A criminal is therefore much more likely to get at your file by compromising your account or the apps you use to access it, because the same automatic decryption then hands them the contents.
So if you must save a passwords file in cloud storage, figure out some way to encrypt the file manually before uploading it, either using tools provided by the cloud provider, or some separate file encryption method. That might mean you have to type a password each time you want to open your passwords file, or that you can only open it on certain devices, but this offers much greater assurance your file will remain confidential.
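One way to do the manual encryption step described above, as an added example that is not from the original article: a small shell script that encrypts the passwords file under a passphrase with OpenSSL before it is uploaded, and verifies that it decrypts back to the original. It assumes the openssl command-line tool is installed; the file names and sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example: encrypt a passwords file with a passphrase before uploading it.
# Assumes the openssl command-line tool is installed. File names and the
# sample entries below are constructed for this example.
set -eu

# Encrypt $1 into $2. The passphrase is read from the environment variable
# PWFILE_PASS rather than from the command line, so it does not show up in `ps`.
encrypt_passwords_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass env:PWFILE_PASS
}

# Decrypt $1 into $2 with the same passphrase. With a wrong passphrase openssl
# almost always exits non-zero, because the padding check on the last block fails.
decrypt_passwords_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass env:PWFILE_PASS
}

# Round-trip check: encrypt, confirm the ciphertext does not contain a readable
# entry, decrypt, and compare with the original. Prints "ok" on success.
demo_roundtrip() {
  dir=$(mktemp -d)
  # Constructed sample entries (site, user name, password), one per line.
  printf 'bank.example\tjdoe\tS3cret-Sample-1\nmail.example\tjdoe\tAnother-Sample-2\n' \
    > "$dir/passwords.txt"
  export PWFILE_PASS='correct horse battery staple'
  encrypt_passwords_file "$dir/passwords.txt" "$dir/passwords.txt.enc"
  # Only the .enc file should ever be uploaded; the plaintext stays local.
  if grep -q 'S3cret-Sample-1' "$dir/passwords.txt.enc"; then
    echo "plaintext visible in ciphertext"; rm -rf "$dir"; return 1
  fi
  decrypt_passwords_file "$dir/passwords.txt.enc" "$dir/decrypted.txt"
  if cmp -s "$dir/passwords.txt" "$dir/decrypted.txt"; then
    echo ok
  else
    echo mismatch
  fi
  unset PWFILE_PASS
  rm -rf "$dir"
}
```

The ciphertext file is what goes to the cloud; to use the list on another device you copy the encrypted file there and run the decrypt step, typing the passphrase each time.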
Saving your passwords in your web browser might work for you, since virtually all resources you access are through the web. But then you have to implement some sort of synchronization if you switch devices, and this usually means transmitting all your passwords to Google or Apple or Microsoft, which can be distasteful for obvious reasons. It also makes your accounts that much less secure if your computer is accessible to others; for example, someone who works at a shared hotel front-desk computer should not check the "save password" box on a website for their own personal accounts.
Some users take the approach of not bothering to record or remember their passwords, especially for sites they don't access often. They are fine taking the extra time to reset the password via e-mail every time they want to log in. Unfortunately, it seems like users do this because they have surrendered to the password pandemonium, and have stopped trying to keep up. Such users often don't take other aspects of password security seriously, increasing their risk of being a victim.
Speaking of risk, let's close with this. As you're reading this, you might think you've heard all this before, and you probably have. There's not much that's groundbreaking here. And you might feel a tinge of annoyance at the preachiness if you're not as careful as the above implies you should be, because you've been using computers and the Internet for decades and never had a problem. Well, in this case, keep this in mind: Everyone's risk profile is different. The following factors affect the likelihood and impact of a password-related breach:
- What company network resources you use
- What public websites you use
- The nature and value of the information stored on these systems
- How high-profile your company is, or even you personally, or otherwise how prone you are to be specifically targeted
- The potential financial loss of a given password breach
- The potential intangible loss, such as loss of reputation
- Who you're in the same boat with (such as co-workers on a company system), how well-trained they are in their password security, and how much a breach of their accounts will affect you.
Only you can make this assessment for yourself and your business, so it is completely up to you whether and how to implement the suggestions in this series of articles about passwords. If you've never had a breach and a breach wouldn't bother you, then you probably don't need to change. If a breach of one or more of your accounts could be catastrophic, and you're feeling any sense of dread or inadequacy after reading this regardless of how unlikely you think a breach may be, then do what you can to improve your password and account security today.