Strong passwords suck, but they don’t have to

August 26, 2008 in en, rant, security

Amrit Williams wrote a nice piece on sucking passwords. But as Martin McKeay pointed out, Amrit didn’t provide any real solutions, except maybe using passphrases. Passwords are the gate to the online existence of most people. Most people know that there are certain rules for creating strong passwords (at least I hope so). But only a handful of people actually use really secure passwords. Moreover, you should have a different password for every program, email account, social networking site, etc. Why? So that when one account becomes compromised (by whatever means), the others stay safe.

You can find a lot of rules for choosing good passwords all over the Internet. There is only one problem with them. If we really wanted to follow all the rules, most of us would end up with 20+ passwords, every one longer than 8 characters, most of them without any meaning. Good luck remembering them. But hey! We are in the computer age, we don’t have to remember stuff anymore, right? Why not use a decent password manager? Then you have to remember only one password (but it had better be REALLY secure).

This approach creates one more problem for us though: the mobility of our passwords. You want to access website x.y.com? I hope you have your password manager and its database at hand. Otherwise you’re screwed. I see two solutions:

  • If you use some kind of UNIX-like system and you have a public IP, you could use a command-line password manager to access your passwords from anywhere.
  • Carry your password manager and your database around with you.

I like the second method more because you don’t have to worry about firewalls, proxies and similar stuff.

Recently I found out about PortableApps. It’s a set of open source applications designed to be run from a USB thumb drive without leaving anything behind after you close them. No registry changes, no temporary files, etc. One of the applications offered is KeePass Password Safe. It uses AES to encrypt the password database. This Windows-only set of applications gives you a way to have strong, unique passwords that you can carry around with you. So what are you waiting for? Make them unique!

Note: I tend to use the gpass password manager (Unix-only, but I usually have access to my machine) and I remember the most important passwords by heart. I’ll probably migrate to some other multiplatform solution soon (maybe PasswordSafe?).

Note2: Apparently there is similar (or even better) software for MacOS X (1Password), though I haven’t tried it.