What do you think this is?

Just thoughts of a restless mind...

Stop remembering passwords

What do you do with your passwords? Are you one of those people who use a password manager for their website credentials? Yes, me too.

Given the number of websites and passwords we all have (a couple of online email accounts, Facebook, Twitter, Instagram, LinkedIn obviously, and so on), there are essentially three mainstream approaches to managing passwords:

  • you use strong passwords and store them in a password manager. If you get bored doing that, you eventually start reusing the same password over and over again; unfortunately, if you do, chances are that the one you choose is not a very strong password, because you have to remember it instead of opening the password manager every single time,
  • you use OpenID and OAuth as much as possible; whether or not you understand what these mean, it is a good solution, as it limits the number of passwords you have to remember; you usually register with your Google+, Facebook, Twitter or LinkedIn credentials, whatever you have,
  • you give up and use a single password for everything. If you can memorize a strong password, well done; otherwise you just use something like 123456 (yes, still one of the most widely used passwords). Even if you memorize a strong password, sharing one password among websites has serious security implications.

Depending on your concern about your security and privacy, you probably end up in one of these three categories.

Lately I have been using a different approach, and I suggest that my friends and family do the same:

Forget all your web passwords

Really, all of them? No, not really. Remember, or keep in a password manager, the passwords for your email, your tax office and your bank. But forget most of the others.

How does this work?

You simply tick the "remember me" check-box on the website after you register or log in. If you're lucky, you don't even have to do that: these check-boxes are so last-decade, and most websites remember you anyway! You forget the password and never log off or sign out unless you have a reason to. That's it! If the website no longer recognizes you and you need a new password, click "password reset". You then receive a new password or password reset instructions (or, don't be surprised, your old password) at your registered email address.

Is this secure?

Yes! From a security perspective, and for reasons that I would rather not explain here, to keep this article short and non-technical (though I would gladly explain them to a technically savvy audience), if you type 10-12 random characters into the "password" field when you register, you are better off than if you:

  • use a weak password
  • use the same password on different websites, even if it is strong
  • retype the password every time you connect to a website
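As an added illustration, not part of the original post, the Python snippet below generates the kind of 10-12 character throwaway password the article recommends (using the operating system's cryptographic random source rather than a guessable one) and puts numbers on why it beats a weak or reused password. The 94-symbol printable alphabet and the "top-10,000 common passwords" list size are assumptions made for the comparison.

```python
import math
import secrets
import string

# Assumed character set for a throwaway password: ASCII letters, digits and
# punctuation (94 symbols). Most registration forms accept all of these.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def throwaway_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Return `length` symbols chosen uniformly at random from `alphabet`.

    `secrets` draws from the OS CSPRNG; the `random` module must not be used
    for secrets because its output is predictable once its state is known.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly and independently
    from an alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses needed to hit a uniformly random secret of
    `bits` bits of entropy: half of the 2**bits keyspace."""
    return 2 ** (bits - 1)


def compare_strategies() -> dict:
    """Entropy (bits) of the three habits discussed above, for comparison.

    A password picked from a list of common passwords is only as strong as the
    list is long, regardless of its characters; the list size is an assumption.
    """
    return {
        "common password (top-10,000 list)": math.log2(10_000),
        "6 random digits": entropy_bits(6, 10),
        "12 random printable characters": entropy_bits(12, len(ALPHABET)),
    }


if __name__ == "__main__":
    print("example throwaway password:", throwaway_password(12))
    for label, bits in compare_strategies().items():
        print(f"{label:35s} {bits:6.1f} bits, ~{expected_guesses(bits):.3g} guesses")
```

The point of the numbers is that a password you never intend to remember can be as long and random as the site allows; the "remember me" plus email-reset habit then shifts the trust to your mailbox, which is exactly why the article insists on a strong, two-factor protected email account.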

Be careful, though, to use a strong password for your personal computer, a smart and strong PIN for your mobile phone, and two-factor authentication for your email account and for every other website (such as web banking) where that option is available to you.

That is all. In security, thinking out of the box is a significant success factor. Use this out-of-the-box approach and you'll thank me later, when you realize what a life saver this method is.

Once again, if you're concerned about the security of this solution, don't be. It is probably much more secure than anything else you're doing.

For the security-aware people reading this: you practise good password hygiene anyway, so you will understand that this is definitely not less secure than your current tricks. It is, though, usually much easier and less cumbersome, hence more user-friendly.