Friday, July 13, 2007

So many passwords! How to manage your passwords

Although passwords are not the best way to tell a system who you are, they are, by far, the most common authentication mechanism in use in Information Systems today.
At home (e.g. your web-based email account, your blog service, your airline website account, etc.) and at work (e.g. your corporate account and applications) you collect usernames and passwords, and very soon you start forgetting them, especially if you use different usernames and passwords for different systems.
It is usual for an average Internet user to collect 10 to 20 new passwords per year, particularly now that most sites require you to enrol and create a username and password before offering any service. Some corporate environments and Internet services offer single sign-on to their users, i.e. they log in once to the corporate network or entry portal and have seamless access to all their applications without having to type their username and password repeatedly. Unfortunately, this is still the exception rather than the norm.
A simple measure against password loss is to always use the same password in all systems. However, when you have to type your credentials every time you access a system, it is advisable to use different passwords. Why? Should any one of those systems be compromised and your password exposed, your identity could then be misused in every system where you have an account: you have just lost a key that opens all your doors. Attackers know this, and a password stolen from one site is routinely tried against other sites.
As a very simple rule of thumb, keep a separate password for each critical system (e.g. your online bank service), change it regularly, and change it immediately if you suspect it has been exposed. Always choose a password that is not contained in any dictionary (also not a dictionary word with a few digits appended) and that is composed of at least eight characters drawn from at least three different types of characters (lower case, upper case, digits and punctuation signs). Longer is better: once a password manager remembers the password for you, there is no reason to stop at eight characters.
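As an added illustration of that rule of thumb (this is example code written for this page, not a tool mentioned in the post), here is a small Python check that applies the three criteria above, plus a generator that produces compliant passwords from the operating system's secure random source. The word list is a constructed sample of a few common passwords; a real check would load a full dictionary and a list of known breached passwords.

```python
import secrets
import string

# Constructed sample dictionary for illustration. A real check would use a
# full word list (and a breached-password list) instead of five entries.
DICTIONARY = {"password", "welcome", "letmein", "summer", "qwerty"}

# The four character types named in the post.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}


def character_classes(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password, min_length=8, min_classes=3, dictionary=DICTIONARY):
    """Apply the post's rule of thumb.

    Returns (ok, reasons): ok is True when every criterion is met, and reasons
    lists the criteria that failed, so a user can be told what to change.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < min_classes:
        reasons.append(f"fewer than {min_classes} character classes")
    lowered = password.lower()
    # Also strip trailing digits/punctuation: "Summer2007!" is still the word "summer".
    core = lowered.rstrip(string.digits + string.punctuation)
    if lowered in dictionary or core in dictionary:
        reasons.append("dictionary word (possibly with digits or punctuation appended)")
    return (not reasons, reasons)


def generate_password(length=16):
    """Generate a random password that satisfies the policy.

    Uses the secrets module (a cryptographically secure random source), not
    random.choice, because a guessable generator would defeat the purpose.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        ok, _ = meets_policy(candidate, min_length=length)
        if ok:
            return candidate


if __name__ == "__main__":
    for sample in ("Summer2007", "abcdefgh", "Ab1", "Tr0ub4dor&3"):
        print(sample, meets_policy(sample))
    print("generated:", generate_password())
```

Note that "Summer2007" passes the length and character-class tests but is still rejected, because stripping the trailing digits leaves a dictionary word; that is exactly the kind of password a guessing attack tries first.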
How can you then cope with all those different passwords? Use a password manager.
Password managers are programs such as AnyPassword (for Windows) or Password Gorilla, KisKis or Password Safe (for most existing platforms), and even websites (www.agatra.com), some of them free, that store all your passwords in an encrypted file or database. The encryption key is derived from a single master password, so that is the only one you have to remember: it opens your password manager, and from there you have easy access to all your credentials. Be careful with the web-based kind: you are trusting a third party with every password you own, so look at who runs the service and how it protects the data before you use it.
Finally, two handy tips. First, remember your master password; without it you will lose access to all your individual passwords, and since it now protects everything it should be the strongest password you have. Second, keep a backup copy of the encrypted password file; a lost or corrupted file is just as bad as a forgotten master password.
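To make concrete what "stored in an encrypted manner under a master password" means, here is a minimal vault written for this page as an added example; it is not the code of any of the managers named above. It stretches the master password with PBKDF2 (so that a stolen vault file cannot be cracked quickly), encrypts the credential list, and adds an authentication tag so that a wrong master password or a tampered file is detected rather than silently yielding garbage. The stream cipher is built from HMAC-SHA256 in counter mode only to keep the example within the Python standard library; a real manager should use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a maintained library. The credential entries are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import struct

# Iteration count for PBKDF2-HMAC-SHA256. Higher is slower for the attacker
# (and for you); a real manager tunes this to a fraction of a second.
PBKDF2_ITERATIONS = 100_000


def derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a separate MAC key.

    The random per-vault salt means two users with the same master password
    get different keys, and precomputed tables are useless.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def keystream_xor(key, nonce, data):
    """XOR data with a keystream from HMAC-SHA256 in counter mode (PRF-CTR).

    Same function encrypts and decrypts. Illustrative stand-in for a real
    AEAD cipher; the nonce must never repeat under the same key.
    """
    out = bytearray()
    for block_index in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">Q", block_index), hashlib.sha256).digest()
        chunk = data[block_index * 32:(block_index + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal_vault(master_password, entries):
    """Encrypt {site: {"user": ..., "password": ...}} under the master password.

    Layout of the returned blob: salt(16) | nonce(16) | tag(32) | ciphertext.
    Encrypt-then-MAC: the tag covers salt, nonce and ciphertext.
    """
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_vault(master_password, blob):
    """Decrypt a blob from seal_vault.

    Raises ValueError if the master password is wrong or the file was modified;
    the tag is checked before anything is decrypted.
    """
    if len(blob) < 64:
        raise ValueError("vault file is truncated")
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("wrong master password or vault file tampered with")
    return json.loads(keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


# Constructed sample credentials for the demonstration.
SAMPLE_ENTRIES = {
    "bank": {"user": "jdoe", "password": "Tr0ub4dor&3"},
    "webmail": {"user": "jdoe@example.com", "password": "x9#Lq2!vR8mT"},
}

if __name__ == "__main__":
    blob = seal_vault("correct horse battery staple", SAMPLE_ENTRIES)
    print("vault size:", len(blob), "bytes")
    print(open_vault("correct horse battery staple", blob))
    try:
        open_vault("wrong password", blob)
    except ValueError as exc:
        print("rejected:", exc)
```

The two failure modes the tips above warn about are visible here: without the master password there is no key, so the vault cannot be opened at all, and without the file (the blob) there is nothing to open.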