[Also published on testuff.com]
Most people I know tend to simply use the same password on ALL websites. Email, Paypal, Amazon, Ebay, Facebook, Twitter. This is obviously a very bad idea.
Passwords are always a problem. Difficult to remember, hard to think of a good one when you need a new one, tricky to keep safe. For the moderately-paranoid and the sufficiently-techie there are many good solutions out there. Password managers. Online, offline, commercial, free. So I usually suggest to my friends and colleagues to use a password manager.
I personally like to use clipperz (online). I also used keepass (multi-platform). Both free and open source tools and do a good job.
However, I doubt many of my friends actually follow my advice. They’ll have to install something, or log on to somewhere JUST FOR THAT. It’s a little annoying to use and make every login complicated. It might not be available when they’re using the computer at work/friend’s house. So they end up doing the same thing and simply use one password.
So what’s the solution?? Well, lets refine the problem. The main concern for me is that IF I use the same password and it gets compromised. Even if it’s super-strong, ALL my ‘online assets’ almost immediately get compromised too. By the time I log in to change the password on ALL those websites, it’s probably too late. That’s assuming I know it was compromised on one of those websites. So I tend to trust the security of Amazon and Paypal (not that they are 100% immune to attacks and leaks), but what about this website I order coffee at (great coffee and a great website, and I do not imply that their security is not good, it probably is as good as their coffee), or that other website I ordered some computer parts at 2 years ago… The thing is, it only takes ONE. And then if someone grabs this password, the first thing they’re going to try is logging in to paypal, amazon, ebay etc.
It got me thinking. What if I carried on using the same (super-strong) password, but instead of using my usual email, used a different one for each website??! you must be thinking now “How can I use a different email for each website?? Sign up with a gazillion hotmail accounts??” No, there’s a simpler way, but lets leave it aside for now, I’ll show you how to in a moment. So what are the benefits? Even if someone grabs my (super-strong) password from this one website, the email address won’t work on any other website. And they won’t be able to guess my other email accounts Because each email address is different and hard to guess!!
How do I get those gazillion email addresses without signing gazillion times for an email account then? Do you have a gmail account? Hotmail? Yahoo?! No??!! Well, you should probably get one of those (although others may allow the same thing). All these webmail accounts allow you to create aliases. (here’s a quick overview for gmail, hotmail and yahoo). Essentially it’s another email address that is linked to your main email. So instead of firstname.lastname@example.org you can use email@example.com. Not the most friendly address, but virtually impossible to guess. All you need to do now is sign-up for an account using this alias. Don’t forget to create a new alias for every online account you create though! And make sure the alias is hard to guess. Just stick a bunch of random characters and digits at the end. the longer the better (size DOES matter).
The only remaining question is therefore “how do I know which alias I used for <insert name of website>?”. My suggestion is relatively simple. Keep it inside your email account. Keep a draft email, send an email to yourself, add a task/note or whatever you can use inside your online webmail account. The list would look something like this:
facebook – firstname.lastname@example.org
ebay – email@example.com
amazon – firstname.lastname@example.org
It’s not super-secure, but:
1. Only if your email account gets hacked they would see this list (and they need to know to look for it too)
2. The list of aliases would NEVER include your super-secure password. This is something you still have to remember.
3. If you make sure you use a different (super-secure) password for your email account, then even if your regular (super-secure) password gets compromised, they won’t be able to get into your email account and get this list.
So you end up with two super-secure passwords you have to remember, and a (not super secure) list of email aliases inside your email account. That’s the passwordless password-manager.
* Be very careful of losing this list. Without it, you won’t be able to log in to your online accounts. So if you do plan on using this, make sure you have a few copies of this list elsewhere. A simple solution is every time you use an email alias, send yourself an email with a note about it. Try to use the same subject so you can find it later and send this email to more than one email if you have more than one. Then you can simply search through your email account(s). I suggest somthing like
To: email@example.com, firstname.lastname@example.org
Subject: new alias for <website name>