What’s the worst thing that you can do with your computer passwords? Write them down, of course, right?
Clearly, that has always been the conventional wisdom in such matters, and it is not a wise move for many obvious reasons, especially if you leave your hand-scrawled list of credentials close by to your desktop, or saved on your unprotected laptop, or even in the same case as your unattended handheld device.
But, as pointed out by AVG’s Roger Thompson in a recent blog post, the necessity of having to remember log-in details for so many sites and applications these days, combined with limited amounts of human short-term memory and the avoidance of writing passwords down, has led many people to use the same words and phrases over and over again for many different systems.
And that, Thompson wisely points out, may now be worse than actually writing the dang things down.
It seems counterintuitive, but think about it, what’s more likely, someone lifting your passwords off your physical desktop, like the cleaning person or a house thief or whoever, or a malware program lifting passwords off your desktop, as in your computing environment.
It’s interesting food for thought at least.
There are always risks of both… but when’s the last time something went missing out of your desk at night? Could someone already find most of your personal information in your laptop bag, or in your desk, or god forbid your wallet? Probably.
Thompson’s point is that the risk related to people using the same passwords all over the place, then having those credentials lifted by spyware, is likely far greater than the risk of keeping a list of varied passwords tucked in your desk drawer somewhere, especially if you hide it.
“Unlike twenty years ago, where you maybe only had an e-mail password, and a network login password at the office, there are now a zillion places to log into. As well as your e-mail and the office, there’s all the web 2.0 stuff … your bank, YouTube, MySpace, Facebook, Amazon, eBay and Twitter to mention but a few,” the expert writes. “Guess what … if they’re all using the same password, and _one_ of them gets hacked or phished, you lose your password to everywhere. If that includes your bank or PayPal password, that’s about the key to the kingdom, and you might not even know until real money starts disappearing.”
My take is this – you have to work to achieve a zen-like balance between your personal memory and password variety.
Create long, complex and unique passwords for sites and applications that really matter, like your laptop log-in, your network log-in, banking and payment applications or any site that holds loads of your personal data.
For lesser assets, such as Web sites that don’t hold your credit card, or anything that can be stolen, like social networking sites, fantasy sports teams or content sites, you can allow yourself to fall into the single password habit.
Writing down your passwords probably isn’t the worst thing, and may even be more safe than using a mere few terms for everything you use, but in the end if you can manage your systems wisely and keep your list relatively short, you should be able to avoid either pitfall.
So, btw, what was your first pet’s name?
I thought so.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to [email protected].