The Importance of Using Multiple Passwords
One of the most hated security policies is the one that asks users to choose a different password for each service they use. Many see this as unnecessary, reasoning that if their chosen password is strong enough then separate passwords add nothing. Worse still, it is not just everyday users who ignore this best practice: the HBGary Federal compromise showed that even senior managers, up to the CEO, of a security company had been using the same password on multiple services.
Thinking that a single strong password is protection enough is flawed. A strong password might make it very difficult or even impossible for an attacker to crack, but cracking is not the only way your password can be compromised.
We use many different services, from forums to games, and each of them asks us to create an account for authentication. We have no way of knowing how these work, how secure they are, or even whether they are legitimate. What if you sign up with a web hosting service, use your really strong 20-character password (which even includes symbols!), and then it turns out that this service is storing that password in plain text?
It might seem highly unlikely, but unfortunately it happens: The Register reported that InterWorx, a web hosting control panel system, suffered a data breach and admitted that their system was storing client credentials in plain text. Those clients who used the same credentials on all their servers, and whose credentials were stolen, have figuratively opened their organization's (and home) doors to these hackers until they change those credentials.
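As an added example (not code from the post or from InterWorx), here is the storage practice the breach above violated: a plaintext credential table beside a salted-hash one built with Python's standard library. A stolen copy of the second table yields only a per-user salt and hash, not a password that can be tried on other sites; the sample user and password are constructed, and the PBKDF2 parameters are assumed values.

```python
import hashlib
import hmac
import os

# Constructed sample of what the breached service kept on disk: the secret
# itself, directly reusable on every other site where the user chose it.
PLAINTEXT_STORE = {"alice": "Tr0ub4dor&3-twenty-chars!"}

# Assumed parameters for the hardened store (choose per current guidance).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def make_record(password: str) -> dict:
    """Derive a per-user salted hash; only this record is stored, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def records_for_same_password_differ(password: str) -> bool:
    """Two services hashing the same password produce unrelated records, so a
    hash stolen from one cannot even be matched against the other's table."""
    first, second = make_record(password), make_record(password)
    return first["salt"] != second["salt"] and first["hash"] != second["hash"]


if __name__ == "__main__":
    hashed_store = {user: make_record(pw) for user, pw in PLAINTEXT_STORE.items()}
    print("plaintext store leaks:", PLAINTEXT_STORE["alice"])
    print("hashed store leaks:   ", hashed_store["alice"])
    print("login works:", verify(hashed_store["alice"], PLAINTEXT_STORE["alice"]))
    # The leaked record itself is useless as a password on this or any other site.
    print("stored hash usable as password:", verify(hashed_store["alice"], hashed_store["alice"]["hash"]))
```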
It is also safe to assume there will always be a sizeable gap between identifying an attack, informing the users about it, and the users changing their passwords on all their systems, giving attackers plenty of time to gain a foothold before the situation is resolved.
Best practices and security policies are there for a reason and it is important that they are followed.
For me the problem wasn’t thinking that one strong password is secure, but rather keeping track of 17 or 18 passwords at 20 characters each. Obviously having some kind of file or physical copy of those passwords is just as risky. Passwords in general are simple methods of security, but we see time and time again how easy they can be to get around. I think it’s time we find a reliable, cost-effective method of upping the ante in terms of security authentication for software at home and in the office.
You’re right John, that can be quite tricky. It is not impossible however. If you want length you can use phrases rather than simple words, and for added complexity substituting a character for a symbol is enough.
If you don’t like passwords altogether there are 3 ways of authentication – or how a computer can tell that you are really who you say you are. This can either be done through something you know, something you own or something you are.
- something you know is the password.
- something you own can be either a dongle, or a one-time password generator (like the online banking token)
- something you are is biometrics (fingerprint scanner, retina scanner etc.)
Every one of these has its strengths and weaknesses. Passwords are popular because they are, by far, the easiest, quickest and cheapest form of authentication but they are not the only option.
I too have multiple passwords. This does not only protect my personal information, it also safeguards my financial data.
I have multiple online financial and bank accounts:
- 1 for my local bank
- 1 for my international bank, which I use to send money to my employees in the Philippines
- 1 for my PayPal account
- 2 for my credit cards
All these accounts have different passwords. Although sometimes I get confused which is which, I still prefer having multiple passwords. This way one will not be compromised if the other is attacked.