Over on Staunchly Technical, Nate gives a rundown of his password scheme:
“Unique” memorized password: Google, Password manager(s), home server (exposed to Internet).
- These are “master key” systems – if these are compromised then the hacker effectively has the ability to get my password to anything else. As a result, the password for these is not used on anything else (really, I ought to have a separate pw for each of these, but since they’re all so unrelated I’ve just got one for all 3).
Random stored individual passwords: All things potentially damaging (banks, brokerages, prosper, IRA, etc)
- These are randomly generated 10-character passwords – they might get sniffed, but they’re not going to get hacked. These get saved in the Firefox password DB and are also in my password manager program (Keepass, for anyone who cares)
Work password: all things work-related
- Everything I do at work requires me to change my password every 3 months – since I have trouble with multiple passwords anyway, I just set them all to the same thing. Only one of them can be accessed from outside the intranet anyway, and my VPN is protected by a keyfob.
Easy (but still relatively secure) non-changing password: social networks and anything else that can’t cost me money or too much heartache.
Useless password: sites that I really don’t care about and/or don’t trust.
Nate’s a really smart guy, so he wouldn’t be spending all this time thinking and writing about it unless it was important. Why is he using so many different passwords?
What’s going on here
He’s segregating them into security zones. The most important one is his email or his password system manager. If someone gets the key to his email they can reset passwords to his bank or investment accounts and the password reset email goes where? That’s right.
When Gawker’s poor security and taunting of 4chan led to the usernames and passwords of every user being posted online, it was a very big deal. Most people use the same username in many places – because they want a sense of identity and reputation that can follow them around. Or maybe it’s just easier to remember. That’s probably why most people use the same password everywhere. Like their bank and gizmodo. So those folks are having trouble.
Not Nate. All they can do is post nasty comments on social networks under his name, and he can reset the password and get past that.
Also, not me.
My Suggestion
I tend not to use the same username on every website. I register something using the site itself as a key. So if my email is mk @ gmail.com (it isn’t) I would just use the gmail “name+” trick to register at lifehacker as mk+lifehacker@gmail.com. This lets you know who is selling your email address or getting hacked into.
I manage my passwords differently, in a way you might use. I use a passphrase and then I use select letters from the site to construct a unique password per site. Like so:
My passphrase is a memorable poem or sentence. Let’s use the first two lines of Yeats’s The Second Coming
“Turning and turning in the widening gyre,The falcon cannot hear the falconer”
I take the first letter of every word to make my password: “TatitwgTfchtf”
That’s a big password and easy to remember! But you want your password to be unique across many sites. Let’s do that by pulling the site into it.
Lifehacker has 6 consonants and 4 vowels. Let’s add those on to the end and the beginning: “6TatitwgTfchtf4”. Even if someone gets your password and knows another account of yours, you have a unique password at the other account. You could also put the first and last letter: “LTatitwgTfchtfR”. Whatever you want to put a little extra randomness in the mix.
Want to see how strong your current favorite password is? Go to the MicroSoft password checker and try it.
Practice good password safety – I don’t want to get emails from your account asking me to help split up your Nigerian fortune.
The main idea was actually to _reduce_ the number of passwords I had to memorize while still keeping a relative sense of security. With this scheme I'm actually down to 4, and my biggest concern is keeping Gmail secure.
Using the gmail+ trick for each individual site is a really good idea – I never thought of the forensic applications. I'm going to start doing that from now on.