Yesterday I was on the receiving end of a drive-by slashdotting. A comment on yesterday's /. story about writing down passwords sent a bunch of folks to my simple single sign-on screencast. So now's a good time to summarize some recent conversations I've had on the topic.
As Nic Wolff notes on his password generator page, there's a distinction between high-value and low-value passwords. My identity at my online bank matters a whole lot more to me than my identity at www.nytimes.com. Nic's point, with which I agree, is that it's really useful to separate these classes of passwords and treat them differently.
Currently I do maintain separate strong passwords for a set of high-value accounts. And, as per the /. article, I do write them down in an encrypted database which is guarded by its own master passphrase. Meanwhile, for my various and endlessly proliferating low-value accounts -- I can't seem to get through a week without having to create a bunch of new ones -- I'm transitioning to the password generator.
This divide-and-conquer strategy is quite common. One correspondent told me he has three reusable passwords: for high-, medium-, and low-value accounts. By using the password generator to create unique passwords for each of my low-value accounts, I'm a bit more secure than I'd be if I plugged the master passphrase directly into each back-end system. But only a bit more. As several other correspondents have pointed out, if any generated password is captured, all are vulnerable to brute-force attack.
To resist such attack the master passphrase should be long, or incomprensible, or both. That would require more effort than I'm willing to spare in order to secure my low-value accounts. I might, however, be willing to work that hard to secure my high-value accounts. It would be nice not to rely on my encrypted database which is system-dependent, subject to loss, and tied to its own vulnerable master passphrase. But I haven't made that transition yet, and I'd be interested to hear more argumentation pro and con.
Meanwhile, of course, most people use the weakest passwords they can get away with, and they reuse them as broadly as they can, making no distinction between high-value and low-value accounts. We can require people to handle high-value accounts differently, and arguably should, but that demands effort. If we can in parallel suggest an easy and slightly more secure way to manage low-value accounts, we can help people focus that effort where it's most needed.
Former URL: http://weblog.infoworld.com/udell/2005/06/10.html#a1247