In keeping with the theme of the previous post, I was recently asked by Tyler Dukes of The News & Observer, who writes the biweekly “Stump the Geeks” column, to comment on issues with choosing good passwords. Here’s a link to the article below:
http://www.newsobserver.com/2012/03/19/1935703/passwords-are-still-securitys.html#storylink=misearch
Due to space considerations, a lot of what I wrote didn’t make it past the editor’s knife so I’m posting here my larger response so you can see what didn’t make the paper and, hopefully, get a better sense of my thinking in this area…
Ideally you would want each password to be chosen randomly and comprised of a mixture of upper and lower case characters along with a few numbers and special characters like *!%$ thrown in for good measure. Also it is best not to also use same password on any other system so that if it does become compromised, the damage is limited. Finally, it should be changed at regular intervals such as every 90, 180 or 365 days, depending upon the risk involved with the information being protected.
All this is to make the password hard to guess. The problem is that things that are hard to guess often tend to be hard to remember, which is people naturally bristle at such guidance.
I think the best compromise is to use password storage or single sign-on software. These tools can generate strong, random passwords that are unique for each system they will be used to log into and only require the user to remember a single password to unlock the password storage “vault.” I have literally hundreds of passwords — all unique and none that I actually know, but with tools like these I only need to keep up with the one password that unlocks the tool and it keeps up with the rest.
IBM sells a product called Tivoli Access Manager for Enterprise Single Sign-On that I work with that is designed to do this for an entire organization’s user population. There are consumer products as well that are both free and fee-based. One nice freebie that I have used is Password Safe, which is an open source tool available from SourceForge.net. Still other tools offer to save your passwords on a shared system (i.e. in the cloud), which is convenient if you need them to be available across multiple systems. Just bear in mind that when you store your passwords on someone else’s system then you are totally at the mercy of how good a job they do with their security and, in most cases, there is no way for you to verify if their claims of using strong encryption and the like are valid or not.
As with all such decisions, there’s a trade-off between security and convenience and the answer will be different for different people depending upon their tolerance for risk and their understanding (or lack thereof) of that risk.
Inside Internet Security 
Never leave your password(s) up to somebody else! I use a “personal safe”, i.e. an organizer with a master password, where all I store all my passwords.
I agree, Henrik. I use Password Safe for this purpose.
Hi Jeff … hope you are doing well. Password Safe appears to only be for Windows. What are your thoughts on 1Password for MacOS? It’s not open source, but it’s very polished, can be used across platforms with Dropbox integration and their customer support seems to be great. I’m evaluating it now but would appreciate your thoughts.
Hi David,
I haven’t used 1Password so I can’t really give you much guidance there but I have heard from others who like it. In general, I’m not wild about passwords being stored in the cloud since you are completely dependent upon the level of security from an organization you may have no insight into. I don’t know if 1Password does that or not but if it does, I would probably look for another option.
Hi Jeff. Thanks for your thoughts. 1Password stores their encrtypted key chain file on the local file system, but you have the option to share it across platforms by putting that local file out on DropBox. I have the same feelings about allowing a 3rd party to know all my passwords, but in this case DropBox is a different entity than 1Password so I feel better about it. I’m thinking I’ll probably stick with 1Password.
David.
If 1Password encrypts the password BEFORE sending it to Dropbox, then that might be a pretty good solution since Dropbox has it’s own encryption as well. That way a compromise of your Dropbox would only yield an encrypted version of your passwords.
Jeff