Those in the IT industry regularly remind users that good practice should be followed when setting and using passwords. You should use a different password for every site or service, avoid dictionary words, and where possible use long passphrases that mix letters, digits and symbols.
The question is, how exactly are users supposed to manage these passwords? In the early days of computing, a user might have had to remember a few passwords at most. Today, even the most basic user probably has access to numerous services that require a password. It's easy to see why some consider it unreasonable to require a different password for each of the services they use, and those who try to adhere to the advice probably get berated by the system administrators when they regularly request a password reset!
So in order to minimise the confusion, this post will explain the principles of good password management. I've posted advice on how to avoid password theft, how developers should handle passwords and the importance of using secure passwords. In this post, however, we'll be looking more specifically at how users can try to cope with the resulting influx of secure, unmemorable passwords.
Don't Write It Down
Users are commonly advised that they should never, ever, write their passwords down. In today's world, that is becoming quite difficult for the average user to avoid. It seems wiser, therefore, to ensure that users give a suitable level of protection to the document containing their password(s). So let's begin with some basic ground rules:
Don't store your passwords electronically (e.g. in a Word file)
Store your password log somewhere safe (e.g. locked in a safe)
Don't note full details (e.g. service, username and password together)
Put simply, you need to ensure that this record is as useless to unauthorised viewers as possible. Even if you were to store the document in an encrypted format, its electronic medium means that it could be duplicated and then attacked offline without your knowledge, and an encrypted file is only ever as strong as the passphrase protecting it. Only ever make a note in hard copy, whether this be a notebook or a sheet of plain A4.
Ensure that the record is somewhere very safe. A post-it note stuck to the underside of your keyboard simply does not provide the level of security that your credentials should be afforded. Lock them in a safe (to which only you have access), or somewhere comparably secure.
The most important thing is to think about what happens if someone else does manage to get hold of your record. If you've noted web address, username and password then they are simply a few clicks away from impersonating you.
Remember that this record is only supposed to serve as a reminder. If you can't work out which password you used even when viewing the list, it's probably better to request a password reset.
Finally, make an effort to learn the passwords. The less frequently you need to utilise the list, the less likely it is to get lost/stolen/copied.
Security breaches do occur, and far too many sites continue to store passwords in plain text (or with weak, unsalted hashes), so be aware that there is a risk of your password being discovered by persons unknown. As soon as you become aware that your password may have been compromised, retire it immediately. If you've used the password on multiple sites/services then visit each of these and change the password. It doesn't matter that a different system was compromised; the password you used is now potentially known to persons other than yourself.
You also need to ensure that you don't reuse that password in future. If you are keeping a list of passwords, find a red pen and write COMPROMISED next to the relevant passphrase.
Don't get into the habit of always re-using the same subset of passwords. Generate a new password every time you need one. It's very easy to register for a service and then forget all about it, only to re-use that password for other services.
The original site could become compromised, causing you to retire that password. Imagine the time involved in scouring all your regularly used sites and services to ensure that an old password has in fact been fully retired. As I discovered after the Fisher Hargreaves Proctor security breach, it can be painstaking work, often occurring at the most inconvenient of times.
You don't necessarily need to invent new passwords yourself; use a password generator such as this one. A tool like this draws each character at random, which prevents the pattern of similarity that creeps in when people derive passwords by hand (the same base word with a different suffix, for instance), and that pattern is exactly what an attacker who has one of your passwords will try first.
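As an added illustration of what such a generator should do (this is example code written for this post, not the tool linked above), the following Python script builds passwords from the operating system's cryptographically secure random source via the `secrets` module, rejects any draw that lacks a character class, and estimates how long an offline guessing attack would take. The guess rates used in the estimate are assumptions chosen for illustration, not measurements.

```python
import math
import secrets
import string

# Full alphabet of 94 printable ASCII characters (letters, digits, symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Character classes we insist on seeing at least once in a generated password.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly from `alphabet`.

    secrets.choice() uses the OS CSPRNG, so there is no seed or pattern to
    recover. Draws missing a character class (that the alphabet can supply)
    are rejected and redrawn; this keeps every accepted password independent
    of earlier ones, unlike hand-derived "base word + suffix" schemes.
    """
    wanted = [cls for cls in CLASSES if set(cls) & set(alphabet)]
    if length < len(wanted):
        raise ValueError("length too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in wanted):
            return pw


def password_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy for a uniformly random password of this shape.

    The class-rejection step above discards a tiny fraction of the space,
    so this slightly overstates the true figure; for 16 characters from a
    94-symbol alphabet the difference is negligible.
    """
    return length * math.log2(len(set(alphabet)))


def years_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected years for an offline attacker to hit the password.

    On average half the key space must be searched, hence the 2**(bits-1).
    The guess rate is an assumption: a fast hash on GPUs can reach billions
    per second, a slow password KDF only thousands.
    """
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed attacker speeds, for illustration only.
    FAST_HASH = 1e10   # unsalted MD5/SHA-1 on a GPU rig
    SLOW_KDF = 1e4     # bcrypt/scrypt/Argon2 with sensible cost

    for length, alphabet, label in ((8, string.digits, "8 digits"),
                                    (16, ALPHABET, "16 mixed chars")):
        bits = password_entropy_bits(length, alphabet)
        print(f"{label:15s} example={generate_password(length, alphabet)!r}")
        print(f"{'':15s} entropy={bits:6.1f} bits  "
              f"fast-hash={years_to_crack(bits, FAST_HASH):.2e} years  "
              f"slow-kdf={years_to_crack(bits, SLOW_KDF):.2e} years")
```

Run it and the two rows make the point of this post concrete: an 8-digit PIN falls in a fraction of a second against a fast hash, whereas 16 random characters from the full alphabet give roughly 105 bits and are out of reach even at ten billion guesses per second. Note that the estimate says nothing about a password that was leaked in plain text; entropy protects against guessing, not against a site that hands the password over.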
Good password management is actually no different to good Information Management. You need to ensure that the data is only available to those with a genuine need (you), and that you constantly review to ensure both the security and the integrity of your passwords.
Ensure that a retired password remains retired and that you will not be haunted by a password generated and used many years ago.
Many will disagree with the advice on writing down passwords, and if you can avoid it you should, but the reality is that many users are simply unable to remember the number of passwords they require in today's world. If we accept this as true, then surely we need to ensure that users are educated in how to protect their passwords (at least until alternative authentication methods become widespread).