It was a cold, rainy afternoon as my friends and I sat by the fireplace, enjoying a warm beverage and some good conversation. And as we chatted, the conversation inevitably turned to password security. (Or maybe that just happens when I’m around.) It all started quite simply: one friend was talking about some bit of technology that I was singing the praises of, saying he’d check it out as soon as he remembered what password he’d used to set up his account there a few months back.
I reminded him of the “forgot password” option, and he went on a side-tangent about all the various rules different sites have for crafting passwords (it must be at least 8 characters, or it must be no more than 8 characters, it must include special characters, it must not include special characters, and so on). I really can’t argue with him on this point – this is a fairly infuriating and ridiculous fact of Internet life right now.
Both folks I was chatting with know better than to reuse passwords, but yet they both admitted to doing exactly that. We all have limited space in our heads for secure, unique passwords, much less ones that comply with these contradictory rules. I mentioned how password manager software can be very helpful with this problem, and both of them expressed concern for having a single point of potential failure. Putting all your password eggs in one basket is sort of a scary proposition. But in a way, that’s precisely what people do when they try to keep all their passwords in their head.
Given how many breaches we’ve seen of popular web services, and how many subsequent attacks we’ve seen on reused usernames and passwords, the small risk of an attack on password management apps is vastly less problematic than using poor password hygiene.
Few, if any of us, have perfectly secure machines. We balance risks and usability with our knowledge of threats and the various aspects of the technology we use. What do you find to be the most difficult things to balance when it comes to security? What sort of things would you find helpful to mitigate your own security worries (more information or more technology, for instance)?