It was a couple of months ago. I’m a regular xkcd.com reader — the cartoons often make me smile; but this one made me think. Not the last couple of frames about Google. Everybody knows that they are being evil, big time. It’s not important right now.
But passwords. I don’t know about you, but I was reusing the same couple everywhere, even where it might be important, such as Amazon or eBay, where money could be involved.
I don’t attach too much weight to the possibility of being hacked on Facebook or Twitter (or, indeed, WordPress) and looking like an idiot. Few people would notice the difference anyway. But once the idea was planted, it did nag at me until I did something about it, and now I have, so I’m telling you about it.
Obviously, the reason for using the same password is that you can remember it. If you’re an obedient child and follow the usual advice, you’ll make your password hard to guess or find systematically. Not your partner’s nickname. Not your pet’s name. Not any ordinary word that’s in the dictionary. (That’ll be /usr/share/dict/words.) Something difficult, with numbers or funny characters.
Which is exactly why remembering a dozen different ones is too much for most people. Around a dozen, actually, was the number of “important” passwords that I decided I needed to change, noting the accounts down over a couple of weeks as I used them. And then I changed them, and wrote down the new, secure password as I did so.
Danger! Danger! What am I — a complete amateur? Everybody knows that you should never write down your password (or PIN). Oh, yes, sure. Because somebody is going to break into your house and steal your passwords and buy stuff on your Paypal account? Well, it could happen, but it’s not very likely. Even if your house is broken into (which will happen for 10% of us during our lifetimes), you aren’t going to have a prominent piece of paper with “Look! Here is my Paypal password.” written on it. Are you?
(Admittedly, during my IT career, I visited offices where they’d got the Administrator password on a yellow Post-It stuck to the monitor, but in the face of such stupidity, what can you do?)
No, it’s better to have good passwords that can’t be cracked or guessed or stolen online, even if you do need to note them down. Don’t type them into a spreadsheet or document on your computer though — there are too many ways in which that could be compromised, either physically, by losing your laptop, or network-wise, by being hacked. Likewise, letting your browser “remember” passwords for you isn’t a great idea. They can be retrieved, even if you’ve set a “Master Password”.
My reaction to the xkcd strip was to clean up my act. But maybe some other people thought that the plan in it was a neat idea. Typed your “usual” password into any registration screens recently?