Thursday, April 10, 2014

Don't Re-Use Passwords

Timely reposting:

At one point amid the blur of late-stage, before we sold the thing to CNET, something fell apart and needed repair. When my business partner Bob explained the problem, I suggested we look at the user passwords in order to easily solve the problem. Bob immediately cut in, and sharply told me we couldn't look at the passwords... ever! I asked why not, since we controlled (and could see into) the areas the passwords protected, anyway.

He told me something which startled me: most people use the same password for everything. So if we looked at someone's password for Chowhound, we'd know their password for lots of other things, as well.


I abandoned the idea of ever so much as glancing at a password. [I can't for the life of me remember what this was all about; the site itself didn't require passwords to register, and our commerce site was third party, so viewing passwords was not an option. But I know it happened and I didn't just hallucinate it!]

I'm telling you this story to explain why you shouldn't use the same password for different purposes. At some point, some clerical worker somewhere will be able to see your password for the operation he works at (or the operation will get breached and its password list will be dumped online, which amounts to the same thing). He can google you, and then walk straight into many other aspects of your life with that same password. Criminals automate exactly this today: they take a leaked list of email/password pairs and try every pair against banks, webmail and shops, and reuse is what makes it work.

Memorize your email password, and a few of the other critically important passwords. For the rest, use a password manager (I like 1Password, which is also available as a smartphone app) so that every site gets its own random password you never need to remember.

Note that for non-critical sites (where you read but don't post or do transactions), this is much less important. So you may want to have the same shared password for, say, knitting discussion sites and the NY Times site. Just treat that shared password as effectively public: once any one of those sites leaks it, assume it's known everywhere you used it. And don't buy anything or post anything from such sites without first changing to a unique password.

1 comment:

Richard said...

Also, as a developer, you should go out of your way to never save a password. Saving the complex one-way hash is far better, and there are great libraries out there that do all the heavy lifting for you.

Few things squick me more about a website than clicking "forgot password" and getting an email with my password in it. That information just plain shouldn't be available.

Also, XKCD is once again on top of this.
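As an added illustration of both points (it is not code from the post, the commenter, or Chowhound): what a site should keep instead of the password itself, and what a "forgot password" flow should send instead of the password. Anyone who can read this store, the clerical worker of the post included, gets nothing they can reuse elsewhere. The parameters are assumptions for the example: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt (600,000 iterations, the OWASP Password Storage Cheat Sheet figure for that construction), a 15-minute single-use reset token of which only a SHA-256 hash is stored, and a hypothetical reset URL at example.invalid. The usernames and passwords are constructed test data.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed parameters for this example (not from the original page).
PBKDF2_ITERATIONS = 600_000          # OWASP 2023 figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16                      # random per-user salt
RESET_TOKEN_TTL_SECONDS = 15 * 60    # reset links expire after 15 minutes
RESET_URL = "https://example.invalid/reset"   # hypothetical


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).
    The salt makes identical passwords hash differently, so a leaked store
    cannot be attacked with one precomputed table for all users."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    Any malformed record is treated as a failed login rather than an error."""
    try:
        algo, iterations_str, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Verified against for unknown usernames so a login attempt costs the same
# time whether or not the account exists (no timing-based user enumeration).
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def reset_email_body(username: str, token: str) -> str:
    """The email carries a one-time link, never the password (which the site
    does not have anyway)."""
    return (f"Hello {username},\n\nTo choose a new password, open this link "
            f"within 15 minutes:\n{RESET_URL}?token={token}\n")


class AccountStore:
    """In-memory account store. Only password hashes and hashed reset tokens
    are kept, so reading the store (or its backup) yields no reusable secret."""

    def __init__(self) -> None:
        self._password_hashes: Dict[str, str] = {}
        # sha256(token) -> (username, expiry). The raw token exists only in
        # the email; a copy of this table cannot be used to reset anything.
        self._reset_tokens: Dict[str, Tuple[str, float]] = {}

    def register(self, username: str, password: str) -> None:
        self._password_hashes[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        stored = self._password_hashes.get(username)
        if stored is None:
            verify_password(password, _DUMMY_HASH)   # burn the same time, then refuse
            return False
        return verify_password(password, stored)

    def start_password_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a single-use, short-lived token to be mailed to the user.
        Callers must answer identically whether or not the username exists."""
        if username not in self._password_hashes:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self._reset_tokens[key] = (username, now + RESET_TOKEN_TTL_SECONDS)
        return token

    def finish_password_reset(self, token: str, new_password: str,
                              now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self._reset_tokens.pop(key, None)   # pop: a token is consumed on first use
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        self._password_hashes[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "hunter2")                 # constructed test data
    token = store.start_password_reset("alice")
    print(reset_email_body("alice", token))            # contains a link, not "hunter2"
    print(store.finish_password_reset(token, "new pass"), store.login("alice", "new pass"))
```

`hmac.compare_digest` avoids leaking how many leading bytes of the digest matched; the dummy hash for unknown users avoids leaking whether a username exists. A real deployment would use a maintained library (bcrypt, Argon2, or Django's or Rails' built-in hashers) rather than hand-rolling even this much, which is the commenter's point about libraries doing the heavy lifting.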

