There are a few commonly-known password sins, in rough order of how I think most people think of them:
- Writing down your password.
- Telling someone else your password.
- Reusing a password.
Of these, many people — myself included — were historically led to think that the first is the worst. Back in the old days, it was a reasonable idea: You should never write down your passwords — especially not on a sticky note attached to your computer monitor. The logic here is that if a malicious agent wanted to gain access to your system, they would just sit down in front of your computer, and a password written down visibly within arm’s reach obviously was’t very secure. So you learned not to write down your passwords.
Then, it followed that if you were trying to prevent access by not leaving your password in an easy-to-find location, you should also never share your password with another person. “Tell your wife your password?! Well I never!”
To the extent people worried about reusing passwords in the past, it didn’t seem like a big issue. Most people had a few different things they might possibly have under password protection, and doing so with the same password wasn’t a big deal.
Why You Should Absolutely Never Reuse Passwords
Today, given an average person’s security and vulnerability profile, the biggest sin is the reuse of a password across different services. Even if it’s a rather secure password, you’re better off with a higher number of less secure passwords than you are with one single one you use everywhere.
But my contention is this: today, given an average person’s security and vulnerability profile, the biggest sin is the reuse of a password across different services. Even if it’s a rather secure password, you’re better off with a higher number of less secure passwords than you are with one single one you use everywhere.
The two cardinal rules of passwords we learned in the 1990s were based on the idea that your most valuable password was protecting your local computers from a local attacker. Given that few computers were on the internet and even fewer passwords were stored on the internet, this was reasonably thought to be your most likely threat.
Today though, when “the cloud” hosts almost all of our data, and the average person has signed up and forgotten about more online services than there were computers in their neighborhood in the ’90s, the risk profile is quite different. While you do still need to worry about someone getting access to your computer while you’re out of the house, it’s far more likely that your security will be compromised from a computer that isn’t yours sitting out on the internet somewhere.
One doesn’t need to look very hard to find a reported vulnerability that exposed or leaked user passwords or other data. And because not every part in the cloud gets the importance of hashing and salting for secure password storage and identity verification, your password getting out in one of these attacks has a reasonably high probability. Maybe the attacked site stored passwords in plain text, maybe they just used a highly vulnerable hash without a salt, maybe they’re got a more complicated and hard-to-summarize security vulnerability. In any of those scenarios, a dedicated attacker would be able to eventually find the password you used on a compromised site.
If you use the same email address for everything — most people do — an attacker with knowledge of the password you use everywhere can pretty quickly get into almost all of your services. Your whole digital life could quickly become someone else’s plaything…
If you use the same username or email address for everything — most people do — an attacker with knowledge of the password you use across all the services you use can pretty quickly get into almost all of your services. Your whole digital life could quickly become someone else’s plaything. And if one of those things is your bank, your financial life can be theirs pretty quickly as well.
(Side note: banks and other security-conscious service providers set up secondary factors like geographical login tracking, trusted computer tagging, and security questions to try to minimize this kind of risk. They’re relatively useful and helpful speed bumps for an attacker like I’m theorizing, but depending on them as anything but a last line of defense it probably not wise.)
Why Writing Down is Better Than Reuse
The risk of writing your passwords down in plain text near your computer is not zero. Surely your teenager eager to screw with you because you’re enforcing a strict curfew can find and use your book of written-down passwords for great mischief. But given the likely single-digit number of angry teenagers (or jerk roommates, or suspicious spouses, or angry siblings) who would have access to your book of passwords, you almost certainly face a much bigger and worse threat in the dozens or hundreds of sites where you created an account one time with that password you always use.
Writing your passwords down in plain text is not a risk-free act. But on paper someone would need strict access to your paper to use it. On a computer, even if kept as a completely bare file in text or Word, an attacker would at least need to have breached your basic security, which unless you’re trying hard to put yourself at risk probably involves at least a basic firewall and password. And that attacker would need to take a specific interest in you — to figure out the file location and formatting of your (hopefully not on your desktop and labelled “passwords.txt”) password document. Unless you’re famous, it’s pretty safe to say you aren’t of sufficient interest to most possible attackers for them to shoulder that cost.
But I’m not really recommending you create a “mypasswordsarenothere.txt” file. If you’re going to commit to writing down relatively high-grade, unique passwords, I recommend you get a password vault, like 1Password or LastPass. These have the distinct advantage of letting you copy and paste your hopefully long and complex passwords when you’re needing to enter them, and they’re built by the best of the cryptographic good guys. If you can’t do that, your next best option, as unintuitive as it sounds, is probably to write your passwords into a paper notebook you keep with you.
Security is a complex thing, and understanding it deeply and putting up with the hassle of stronger security procedures can seem a lot to ask. But you suffer one breach, or see someone else suffer one, and you’ll never go back. Get a jump on that eventuality: stop reusing passwords (and start writing them down) now!
Image Credits: Lulu Hoeller
Pingback: Password Security | Should I Write Down My Passwords? - PortalGuard Authentication Blog