You are probably like me, with literally tons of passwords (Windows password, email password, Skype password, Dropbox password, and so on). You should already be using a different password on each service. If you are not, imagine someone stealing the user database from one of them: they get your password, and if it is the same password you use at other websites or services, they can get into those accounts too!
Without getting too technical, pick any one of your services and pretend you have lost or forgotten your password. Most sites will confirm your identity by asking your "personal" questions and then will either:
- Let you reset your password
- Send you your actual password (!!!!!!)
I cannot believe that some businesses still keep their users' passwords in a recoverable form! Nobody, I said nobody, should ever store a password as plain text, and encrypting it is not much better, because anyone holding the key (the application itself, at the very least) can decrypt it. A password should be stored only as a salted, slow hash (bcrypt, scrypt, Argon2 or PBKDF2), from which the original cannot be computed back. If a site can send you your password, it is because they can read it on their server, and the only honest answer to "forgot password" is a reset, never a copy.
A small scenario to show my point of view:
- My primary email is : firstname.lastname@example.org
- My Gmail password is: ad978bh!fhn__ (a really hard-to-guess password, so I feel sure it is safe!)
- My mother’s maiden name is : ThatsHerName
I subscribe to a well-known online news site.
- I use the username: howtos
- Type in my email: email@example.com
- Answer my "personal" question (my mother's maiden name): ThatsHerName
- And type in a password. I decide to use my hard-to-remember Gmail password; since it is hard to guess, I think it is secure!
Everything looks fine... but what if the well-known online news site keeps its passwords in plain text in its database? Then every employee with access to that database (all the database administrators, and probably the system administrators and operators too) can read your account information: email, username, secret answer AND your secure, hard-to-guess password!
See, nobody had to hack through a firewall or use any other trick! Now any of those employees can try that password on my Gmail account and see if it works, and who knows what they will find in my email.
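To make the difference concrete, here is an added example (my own illustration, not code from the original post or from any site it mentions) of the two kinds of user store in Python's standard library. `PlaintextUserStore` is the kind that can e-mail you "your actual password"; `HashedUserStore` keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 digest, so a database administrator sees a record from which the password cannot be recovered, and the only possible "forgot password" flow is a reset. The username and password are the ones from the scenario above; the record format (`algorithm$iterations$salt$digest`) is an assumption for this example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; OWASP's 2023 guidance is 600,000.
# Argon2id or bcrypt would be preferable, but neither is in the standard library.
ITERATIONS = 600_000


class PlaintextUserStore:
    """What a site that can send you 'your actual password' must look like:
    the password itself sits in the database, readable by every DBA."""

    def __init__(self):
        self._users = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = password

    def verify(self, username: str, password: str) -> bool:
        return self._users.get(username) == password

    def forgot_password(self, username: str) -> str:
        # The feature the post complains about: the secret comes straight back out.
        return self._users[username]


class HashedUserStore:
    """Store a salted, slow hash instead. The password cannot be recovered from
    the record, so a forgotten password can only be replaced, never returned."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
        digest = self._derive(password, salt, ITERATIONS)
        # Assumed record layout for this example: algorithm$iterations$salt$digest
        self._users[username] = "$".join((
            "pbkdf2_sha256",
            str(ITERATIONS),
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        ))

    def stored_record(self, username: str) -> str:
        """Exactly what a DBA sees in the table: no password in it."""
        return self._users[username]

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Burn the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._derive(password, b"\x00" * 16, ITERATIONS)
            return False
        _algo, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = self._derive(password, salt, int(iterations))
        return hmac.compare_digest(expected, actual)  # constant-time comparison

    def reset_password(self, username: str) -> str:
        """The only thing a hashed store can do for 'forgot password': replace
        the password with a random one-time value (a reset link, in practice)."""
        temporary = base64.urlsafe_b64encode(os.urandom(18)).decode("ascii")
        self.register(username, temporary)
        return temporary


if __name__ == "__main__":
    store = HashedUserStore()
    store.register("howtos", "ad978bh!fhn__")
    print("DBA sees:", store.stored_record("howtos"))
    print("login ok:", store.verify("howtos", "ad978bh!fhn__"))
```

Note the two details that are easy to get wrong even once you hash: the salt must be random per user (otherwise identical passwords on two accounts are visible at a glance, and one rainbow table covers everyone), and the comparison must be constant-time, which is what `hmac.compare_digest` provides.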
Since I do not trust any service to be as secure as it should be, I use a different password on each of them. Better still, none of my "personal answers" to their mandatory questions are real answers; they are randomly generated. So even if an employee or an actual hacker gets hold of my information on one site, my accounts cannot be used anywhere else, because every piece of information they got is only valid on that one site.
Now, there is no way to remember all those passwords in my head. I know some people like to use some kind of pattern to help them memorize all their passwords, such as:
- Using the same password but changing a digit
- Using the first letters of each word of the song that was playing on the radio while registering on the website
- Using a pattern on the keyboard (qwerty...)
Those patterns fall apart as soon as one password leaks, because the others are only a handful of guesses away. I prefer to use KeePass! It is free, open-source software whose database is protected by a master passphrase, a key file, or both (I use it with a passphrase only). Everything is encrypted locally on your computer.
When I register on a new website, I fill in my desired username, my spam email address (I'll tell you about the SpamGourmet service in another post) and a password generated by KeePass. I save the same details in KeePass, then submit the registration. I do not have to memorize the new password; all I need to remember is the master passphrase that opens KeePass.
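As an added example (mine, not the post's and not KeePass code), here is what the registration habit above and the random "personal answers" come down to when you strip the tool away: draw every secret from the operating system's cryptographic random generator and never reuse it. The block also quantifies why the "same password, change a digit" pattern is weak, by enumerating the whole set of candidates an attacker must try once one such password has leaked. The alphabet, lengths and the sample leaked password are assumptions for the example.

```python
import math
import secrets
import string

# Alphabet for generated passwords: printable ASCII minus whitespace
# (constructed for this example; a password manager lets you pick your own).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation
ANSWER_ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Uniformly random password. `secrets` uses the OS CSPRNG; `random` does not
    and must never be used for secrets."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_answer(length: int = 16) -> str:
    """A random 'mother's maiden name'. It only has to be unique per site and
    live in the password manager, so a typable letters-and-digits string is
    enough; nobody can look it up on a genealogy site."""
    return generate_password(length, ANSWER_ALPHABET)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def single_digit_variants(leaked: str) -> set:
    """Every password reachable from `leaked` by changing exactly one digit:
    the entire search space for the 'same password, change a digit' pattern
    once one member of the family has leaked."""
    variants = set()
    for i, ch in enumerate(leaked):
        if ch.isdigit():
            for d in string.digits:
                if d != ch:
                    variants.add(leaked[:i] + d + leaked[i + 1:])
    return variants


if __name__ == "__main__":
    pw = generate_password()
    print("generated password:", pw)
    print("entropy (bits):", round(entropy_bits(len(pw), len(PASSWORD_ALPHABET)), 1))
    print("generated answer:", generate_answer())
    # Assumed leaked password for the demonstration.
    family = single_digit_variants("Summer2023")
    print("candidates after one leak of the 'change a digit' pattern:", len(family))
```

A 20-character password from a 94-symbol alphabet carries about 131 bits of entropy; a leaked `Summer2023` leaves an attacker only 36 single-digit variants to try against your other accounts, which is why a pattern is not a substitute for a different random password per site.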
I hope you now understand the need for strong passwords and, most importantly, a different password for every website.
My next post will be about installing and using KeePass.