Aug 19, 2008

How people deal with password overload today

Working on for the last few months has given me the chance to question quite a few people about their current password habits. It's been eye-opening to hear just how many people use the exact same password for every application they're faced with, either not recognizing or simply not caring about the risk they're taking on.

The people who do recognize the risk typically 'tier' their passwords, making a strong one for the sites they care about most and a lower-level one for the ones they care about less.

Both approaches are pretty flawed because some companies are radically better at authenticating users than others. The most secure companies (like LastPass) use https (so the data is encrypted in transit), create a one-way hash of your password on the client side (so your password never leaves your computer), and then salt and hash that value again for what they store.

Unfortunately almost no companies are that careful: many let you send your password to them over an unencrypted channel, store your exact password unencrypted in their databases, and will even send that password back to you over email (which is also insecure). That means there are at least 6 distinct ways your password could fall into a nefarious person's hands for just that one site: sniffed over the network, taken by an employee at the company, sniffed over the network between the company and your email provider, sniffed over the network between the email provider and you, taken by an employee at your email provider, or read from the unencrypted copy sitting in your email client.
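To make the contrast between the two kinds of site concrete, here is an added example (not code from the original post, and not LastPass's actual algorithm) that models the careful scheme described above, a client-side one-way hash followed by a server-side salted hash, beside the careless plaintext scheme. The choice of PBKDF2-HMAC-SHA256, the round counts, the salt size, and the use of the username as the client-side salt are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration only.
CLIENT_ROUNDS = 100_000   # work factor spent on the user's machine
SERVER_ROUNDS = 10_000    # work factor spent on the site's server


def client_hash(username: str, password: str) -> bytes:
    """Client side: one-way hash of the password, salted with the (normalized)
    username, so the raw password never leaves the user's computer."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               username.lower().encode(), CLIENT_ROUNDS)


def careful_enroll(received: bytes) -> dict:
    """Careful site: keep a fresh random salt and a salted hash of what the
    client sent, never the received value itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", received, salt, SERVER_ROUNDS)
    return {"salt": salt, "digest": digest}


def careful_verify(record: dict, received: bytes) -> bool:
    """Recompute the salted hash for this login and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", received, record["salt"], SERVER_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def careless_enroll(password: str) -> dict:
    """Careless site: the exact password goes straight into the database."""
    return {"password": password}


def careless_verify(record: dict, password: str) -> bool:
    return record["password"] == password


def leak_consequence(username: str, password: str):
    """Model a database dump at each kind of site and report whether the
    stored field alone is enough to log in there again. The careless record
    is the reusable password itself; the careful record holds neither the
    password nor the value the client actually sends at login."""
    careless = careless_enroll(password)
    careful = careful_enroll(client_hash(username, password))
    return (careless_verify(careless, careless["password"]),
            careful_verify(careful, careful["digest"]))
```

A careful site's dump still deserves a password change, since the stored digests can be attacked offline, but it does not hand out a credential that is replayable at every other site where the same password was reused.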

Handling passwords the right way isn't hard if you have software that will create and remember strong passwords for you.