“Oops… How did you figure that out?” I thought when @czbug, a very smart colleague of mine, gave me the initial password for my new account. It was exactly the password of the wifi router in my home.
It’s not hard to guess; it isn’t a strong password after all. There are rules telling me not to put my birthday or the name of a family member in my password. I break all of them.
But that is just my router. Of course I don’t use such a weak password for my Gmail account. Still, my Gmail password isn’t strong enough either: it contains no symbols and no capital letters.
The login password for my computer is even simpler. I’m obsessed with single-handed passwords: however I change it, the login password must be typeable with one hand, left or right, which means all the keys sit in either the left or the right section of the keyboard. My theory is that I can always get through the boring, repeated password entry without putting down my mug. I think that’s safe enough anyway. If the IT guy wanted to break into my computer, he could just boot it from another portable disk; brute force is never necessary.
When you have hundreds of online accounts, choosing passwords becomes a headache. Since the websites have different security requirements, you can’t just use the same password for all of them. But you can’t possibly remember them all if every one is unique.
The approach I use has two steps. First, I categorize accounts as important or irrelevant. For the irrelevant ones I use the same simple password everywhere; a birthday is OK. For the important accounts I don’t use the same password, but I do use the same algorithm: the password is derived from the website’s name, trademark or something similar.
I was pretty satisfied with my approach, until one day I realized it is still vulnerable. I’m never really sure about the security of a website; actually, I will never know. So it’s quite possible that 4 or 5 of those passwords will be stolen, and from the disclosed passwords hackers could easily figure out my algorithm. So for my most important accounts, like Gmail, I use a unique password that has nothing to do with that algorithm.
This is getting more and more complicated, and dwelling on it would drive me crazy. So I switch to different questions instead: How safe is safe enough? How much damage can I afford if a password is lost?
For online payment accounts like PayPal and important accounts like Gmail, I use unique, complicated passwords. For other relatively important accounts I may just take the risk and share the same algorithm between them. If I lose them, I can still reset them and get new passwords through my Gmail account. Of course, I’d lose them permanently if a website let users change the email setting without any verification mechanism.
I could jot down all those unique passwords in an encrypted text file, but that is very counterproductive. I’d rather lose the account.
One of my friends said he uses a random password for almost every website and relies on the browser’s ‘save password’ function to remember it. If he loses a password, he just resets it and gets a new one through email. This idea is not bad, except that it becomes a nightmare when you use multiple computers, including cellphones.