chir.ag/tech [archive]


ARCHIVE: What's the deal with passwords?

Sat. Sep 10th 2005, 03:30pm:

Every other day some IT security company comes out with a new security method claiming it will eliminate the need for usernames and passwords forever. From biometrics that grant access to systems to picking out a series of pictures that only you remember, they try their best to make you stop using passwords. Sometimes they want to consolidate all of your logins into one, e.g. MS Passport, or provide software to remember them for you, e.g. RoboForm. After all, it's not easy to remember the usernames and passwords for tens (sometimes hundreds) of different websites and systems you have an account on. So solving the password problem is big business and will be as long as humans don't have perfect memory. Or until everybody starts doing what I do.

While every method proposed to eliminate passwords has its own set of security, implementation, and logistic problems, I am unable to see any issues with the following one-step method:

  1. Store HINTS to all your passwords in an easily accessible, secure storage bin.
You should never, ever save or write your exact passwords anywhere. That's an instant security loophole. Anyone gets hold of that and bam! You're screwed. Just write hints. Here's an example: yahoo.com - username: someguy44 - password: LP8. Now, at most, someone can figure out your yahoo.com username and that your password has something to do with LP8. It could be that your password hint refers to "Luke Perry" and his movie "8 Seconds", or that you once lived on "8 Lake Palm Road", or anything else LP8 might mean TO YOU. The "to you" part is important, because LP8 means something different to you than it does to me. And hence, even if I manage to steal your entire list of password hints, I can't really make much out of it.

The most I can learn is that your yahoo.com password hint is LP8 and so is your hotmail.com one. Two identical hints mean two identical passwords, so if I happen to learn one of them, I also have the other. For important accounts that require more security, just use different passwords and write down good hints. The hints can be symbols, words, sentences, or anything you want. Just make it so that nobody other than you can ever figure them out. I'm so sure of my hint method that I'm posting some of my hints exactly below. I use hints for everything, not just the passwords, so there's slightly more security. However, that is a personal preference, and you are pretty secure just writing hints to passwords with everything else written out explicitly.

If that looks very cryptic, well, it is, because that's my way of giving hints to myself. You can give yourself whatever hints you want. One thing to remember is that you shouldn't be giving hints that others can figure out. If my password is GigaTera2004, my hint should not be "Capitalized names of both my pets and which year I got them." My hint should be GT04 or something along those lines. It should be just good enough for me to go "ah... GT04 means GigaTera2004" and that's it.
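Two of the rules above can be checked mechanically before you write a hint down: a hint reused across sites means a reused password, and a hint must not copy a verbatim chunk of the password it stands for. The script below is an added example, not part of the original post or of any tool the author describes; the sample hint list, the site names and the `GigaTera2004`/`GT04` pair are constructed from the examples in the text, and the "site - username: X - password: HINT" layout is assumed to be the one used in the notes.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample hint list in the "site - username: X - password: HINT"
# layout from the post. Sites, usernames and hints are made up for this example.
SAMPLE_HINTS = """\
yahoo.com - username: someguy44 - password: LP8
hotmail.com - username: someguy44 - password: LP8
bank.example - username: sg2005 - password: GT04
"""

HINT_LINE = re.compile(
    r"^(?P<site>\S+) - username: (?P<username>\S+) - password: (?P<hint>.+?)\s*$"
)


def parse_hints(text: str) -> List[Dict[str, str]]:
    """Parse one hint entry per line; lines that don't match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = HINT_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def reused_hints(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each hint that appears on more than one site to those sites.

    A reused hint means a reused password: whoever learns one of those
    passwords (a phishing page, a breached site) gets the others for free.
    """
    by_hint: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        by_hint[e["hint"]].append(e["site"])
    return {h: sites for h, sites in by_hint.items() if len(sites) > 1}


def _alnum(s: str) -> str:
    """Lower-case and drop punctuation so spacing can't hide a copied run."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def hint_leaks_password(password: str, hint: str, min_run: int = 3) -> bool:
    """True if the hint copies a verbatim run of the password (or the whole thing).

    Run this locally, in memory, before writing a hint down; the password
    itself never goes into the hint file. It only catches literal copying,
    not semantic giveaways such as "names of both my pets".
    """
    p, h = _alnum(password), _alnum(hint)
    if h == p:
        return True
    return any(h[i:i + min_run] in p for i in range(len(h) - min_run + 1))


if __name__ == "__main__":
    entries = parse_hints(SAMPLE_HINTS)
    for hint, sites in reused_hints(entries).items():
        print(f"hint {hint!r} reused on: {', '.join(sites)}")
    for pw, hint in [("GigaTera2004", "GT04"), ("GigaTera2004", "Tera04")]:
        print(f"{hint!r} leaks part of the password: {hint_leaks_password(pw, hint)}")
```

On the sample list the reuse check flags LP8 on yahoo.com and hotmail.com, which is exactly the case the post warns about; GT04 passes the leak check while a hint like Tera04 fails it because "Tera" is lifted straight from the password.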

A lot of people use software applications to store and auto-fill their passwords. Sounds great till your hard drive crashes or, worse, your laptop is stolen! If the password store on that laptop is unencrypted, or its master password is weak, whoever has the laptop also has access to your bank account, your PayPal account, your domain registrar account, and of course all your email. Additionally, do you have the source code to the software? Don't you think that if crackers can write malicious spyware, they can also write password managers that pretend to help you remember things but once a night upload ALL your logins to some random IP address? How do you know if the software you use is trustworthy? If you EVER store passwords to your bank/financial accounts and there's more than $100 in them, you are taking a BIG risk trusting anyone, let alone a piece of software you downloaded from the Internet. All software or web applications that store your password verbatim, no matter HOW securely, are a security loophole. You just cannot give your password verbatim to anyone or anything. EVER.

Password hints that mean something to you and nothing to others are absolutely the only secure way. Because even if your hints are stolen, they're useless to anyone but you. You can always make your hints, well, more "hintful" so that they ALWAYS mean something to you and that you never forget what they stand for.

Store your hints in a secure location - online/offline. But don't ever trust your secure location. Also if you use online storage like Yahoo Notepad or ChimeNote.com, use a totally different password for your secure location and make sure that is absolutely the ONLY password you ever 100% remember. Write a hint for that password on paper and put it in your wallet.

Just FYI, I created ChimeNote.com last year and it works great for me because, in addition to being web-accessible and SSL-enabled, it also has a small program that runs on your PC and makes it easy to access your notes with a single click. You can get a free account on ChimeNote and begin using it right away - just don't store your credit card numbers etc. in there, because I don't want to be held liable in case someone figures out your ChimeNote.com password.

Additionally, the entire ChimeNote.com database is backed up to a remote PC every day. The worst that can happen is you lose a few hours of stuff. Moreover, the backup is useless to anyone, including me, because every note you make is encrypted with your own password. Now, playing the devil's advocate, I could have written the ChimeNote.com pages to secretly store the notes unencrypted somewhere that only I can access. However, if you store only password hints, then you are still fine. I don't know what "yahoo.com - username: someguy44 - password: LP8" means, but I'm sure you would.
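What "encrypted with your own password" has to mean for the backup to be useless to the operator is that the key is derived from the password on the client and the server never sees it. The following is an added example of that property, written for this page; it is not ChimeNote's code and nothing is known about how ChimeNote actually encrypts notes. It uses only the Python standard library (PBKDF2 for key stretching, an HMAC-SHA256 keystream in counter mode, and an encrypt-then-MAC tag), which is fine for demonstrating the idea; a real store should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a library instead of this hand-built stream. The sample note and master password are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Constructed parameters for this example. 100,000 PBKDF2 rounds keeps the demo
# quick; a real store would tune this upward and use a library AEAD rather than
# the HMAC-based stream cipher below.
PBKDF2_ROUNDS = 100_000
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the user's password into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_note(password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag; only the password can reverse it."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    k_enc, k_mac = derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + ct + tag


def decrypt_note(password: str, blob: bytes) -> Optional[bytes]:
    """Return the note, or None if the password is wrong or the blob was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    k_enc, k_mac = derive_keys(password, salt)
    expected = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time check before decrypting
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


# Constructed sample note, in the hint layout the post recommends.
SAMPLE_NOTE = b"yahoo.com - username: someguy44 - password: LP8"


def demo() -> Tuple[bool, bool, bool]:
    """Round trip, wrong password, and tampered ciphertext; returns the three outcomes."""
    blob = encrypt_note("notepad-master-pw", SAMPLE_NOTE)
    ok = decrypt_note("notepad-master-pw", blob) == SAMPLE_NOTE
    wrong_pw_rejected = decrypt_note("guess", blob) is None
    tampered = bytearray(blob)
    tampered[SALT_LEN + NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    tamper_rejected = decrypt_note("notepad-master-pw", bytes(tampered)) is None
    return ok, wrong_pw_rejected, tamper_rejected


if __name__ == "__main__":
    print(demo())
```

The blob that would sit in the server's database or its nightly backup is salt, nonce, ciphertext and tag only, so an operator who copies it learns nothing without the master password. The tag is checked before any decryption so a modified blob is rejected rather than yielding garbage, and because the MAC key is derived from the same password, a wrong password fails the same check. Note what this does not protect against: a web page served by the operator could still ship modified JavaScript that grabs the password as you type it, which is the "devil's advocate" case above and the reason the post insists on storing hints rather than passwords even inside an encrypted store.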

Alternatively, use Yahoo's NotePad feature or write your own online notepad/post-it style application. It's not ChimeNote.com that I'm plugging but the idea of password hints as the only viable solution to the password problem. ChimeNote's website and the free software just make it easy to access your password storage notes.

But please, don't suggest that I take a retinal scan just to post on Fark.com.