One of the major reservations many people have about using web-based applications for business purposes is security concerns. While hosted apps will always contain at least some security risk, one of the biggest problems can come from bad password practices, including the use of poor passwords, or reusing passwords for multiple sites. As such, establishing and sticking to a good system for generating and remembering strong, unique passwords is an important step for securing your data and control online.
The ideal password system would be to:
- use strong (long and unguessable, e.g., random) passwords
- use a different password for every account
The main problem with these two criteria is that good passwords are generally difficult to generate and remember. As a result, many people end up using a small set of (hopefully) good passwords for all their logins. Such a system is vulnerable primarily because even the best password might be discovered (e.g., through a security break at a website), thus compromising multiple services.
A number of solutions exist to enable you to generate and remember good passwords, but they almost all have the same structure:
- Have a method for determining a unique password for each site
- Make sure that the method is extremely secure
The low-tech version that follows this structure is to come up with a new password for every site, and then write down all of your passwords on a sheet of paper that you keep safe. Unfortunately, it's not easy to keep that list both secure and accessible, but a number of solutions exist that basically let you do exactly this on a computer. Options like LastPass (which we mentioned in a previous list of browser extensions) and KeePass make it easy to generate new random passwords, and store them securely by encrypting them with a master password (that's to satisfy the second bullet point). Firefox also enables a similar system by enabling a master password. The downside of any such system is that anything that is stored outside of your memory may ultimately be compromised.
Another strategy that can get around the need for recording all of your passwords is an algorithmic one, in which you develop a system for generating a new password to a site by combining information about that site with a base password. For example, you might use a based password like "l355@nnoy" and add domain specific information such that your google password might be "GOOl335@nnoyGLE." The advantage of the algorithmic options is that you don't necessarily have to write down the passwords, if your algorithm and base password are simple enough to remember. Lifehacker had a nice run down about some algorithmic options a while back that is worth checking out, and recently ran a thorough overview of how to get your passwords in shape.
Personally, I'm a fan of a variant of an algorithmic system called SuperGenPass. I may have a full post about how you can use a system like this at some point, but the basic idea is to have a piece of code that generates a random string of characters based on a master password and a website domain. With such a system, you can easily generate unique, strong passwords that can be regenerated with a single master password, and never need to be stored.
Regardless of the system you choose, having a good method in place is an important part of your online security. Furthermore, keeping in mind the two sets of bullet points above can be useful when deciding on a strategy. In all cases, the goal is to generate unique, strong passwords for every site. Doing so often requires a system that uses a single secure method to store or generate all your passwords.