Saturday, July 9, 2011

Passwords and Security

I have too many passwords, way too many. It's dangerous: I am signed up to many websites, often using my email as a username. I am careful though not to use the same password for my email as I do for the websites where my username is my email address. http://bit.ly/rqYTu0 XKCD sums this up quite nicely. I am a big fan of using Google account / Facebook / Twitter logins for other sites. This makes perfect sense to me. I only need one strong password for my Gmail account and Google will authorize my login to other sites. I really hope many sites pick this up; the internet will become a much safer place, though it could force some people to get accounts with services they do not want. The other day I almost signed up to Facebook as it was the only way to log in to a site. I didn't in the end so I never got to use that site, but I doubt many people will be in this situation.

This was not the main purpose of this rant. There are some sites, mainly banking, and also at a previous company, where you have to change your password every 3 months. I just think this is totally excessive. No one takes security seriously at this point. Every time I have to change my password one of two things happens: I forget my password and get locked out, or I have to write it down on paper and leave it next to my computer. Additionally, in order to try to remember it I have to pick something easy to remember. I am not the only one that does this. That being the case, the very process used to create more security is actually creating less security. So sysadmins, I beg you, stop this; there are better ways to increase security. Insist on very secure passwords that never change, or use something like an RSA SecurID key. I admit that they are not always practical measures, but at the same time they are better than this pseudo-secure method of changing passwords every 3 months.

/rantover

3 comments:

  1. RSA SecurID might be a bad choice, their security's recently been broken: http://bit.ly/or2IyT

    I keep all my passwords in KeePass and put it in a dropbox folder so I can get it on any computer. I remember passwords for about 4 sites and let KeePass save the rest.

    I like the gmail login idea, but I'm not sure how to tell whether a site is really using that or if it's got a fake google login page to steal your details!

    Hmm, seems like your comment box wants my google credentials.... Don't steal my identity please.

  2. ".. put it in a dropbox folder so I can get it on any computer"
    And so can the authorities.
    http://www.pcworld.com/businesscenter/article/228096/dropbox_speaks_out_on_data_security_controversy.html
    May not be the safest place to put stuff.
    http://news.cnet.com/8301-31921_3-20072755-281/dropbox-confirms-security-glitch-no-password-required/
    Also heard that they have some security issues. I am amazed we have got this far without global logins. I mean seriously, how many websites have you joined up to? Having global logins from your email (Gmail or Yahoo) or from your favourite social network (Facebook, Twitter or LinkedIn) would encourage people to sign up, because you don't have to, and people would come back because they wouldn't have to remember their username and password.
    You should be able to tell that it's a real Gmail (or whatever) login in the same way you know you are on a trusted site when you make a payment.

  3. See the follow-up post for a new initiative on single-login browsing:
    http://ctoisrael.blogspot.com/2011/07/passwords-and-security-cont.html
