Monday, October 10, 2011

Password Security

One of the most painful things I find about life in the digital age is trying to keep track of information that I need to know but that I don't want anyone else to know: for example, the PIN for my bank card, the passwords for my financial accounts, the passwords for work, the secret-question answers that all sorts of web sites now use to "improve security", and the list goes on and on.

Obviously the easiest way to deal with all of this is just to write them all down and stuff the list in your wallet, or hide it somewhere at home. This is actually not that bad a method. It has a fairly limited set of attack vectors: basically, someone who is in your home could get hold of the list (and you probably trust most of those people), or someone has to break into your house and find where you hid it (most people's houses are never broken into, and when someone does break in they aren't looking for a piece of paper hidden in your sock drawer). It does have the problem of only being available to you when you are at home, but for most people this would probably be my recommendation.

The rest of the solutions almost all have more significant vulnerabilities (because they are software based), but offer extra convenience and abilities that the first solution doesn't (because they are software based). They range from storing your passwords in an email to yourself, to using an encrypted file on your laptop or cellphone, to using an encryption solution that stores the passwords in the cloud somewhere.

The method of sending yourself an email with all of your passwords is one that I would never recommend anyone use. There are just too many problems: your email account could be compromised, someone at your email service provider could access your email, you could leave your phone or computer unlocked, which may allow someone to access your email, etc. So this solution has a lot of convenience, since it is available to you almost anywhere, but it carries a huge amount of risk.

Almost all of the second-level solutions are okay: basically, you use a security product that stores your passwords for you, and this product could be something on your local machine or something that you use through the web. The main problem with these solutions comes down to trust. Do you trust that the company that made the product did a good job and paid extra close attention to security the whole way through the product? Do they do a good job of protecting their servers from getting hacked? Do they make sure that only a limited number of staff have access to the data stored on their servers? I find it very difficult to completely trust any company; no matter how good their intentions, you never know when they will hire a bad employee, get bought out by a company that no longer cares, or just make a mistake. The products that just run on your local machine may require less trust and so be more agreeable to me, but they don't have the convenience of being available anytime, anywhere.

In my opinion the sweet spot is somewhere in between. Use a product that creates an encrypted file with your passwords, possibly an encrypted Word file, an encrypted OpenOffice document, or some other company's encryption tool, of which there are many. Then store the encrypted file on a regular web service, possibly Gmail, Yahoo Mail, Dropbox, or some other service. This gives you the convenience of being able to access the file almost anywhere, without having to trust any one company completely not to leak your information. There are still lots of possible weaknesses in this type of system, for example if your computer is compromised, but it is reasonably good and reasonably convenient for most people.
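As an added example (not code from the post), the "encrypted file on an ordinary web service" approach written out in Go: the passphrase never leaves the user, the service stores only ciphertext, and a wrong passphrase or any modification of the stored file is refused on decryption. The file layout, the iteration count and the function names are this example's own choices, not a standard format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// File layout (this example's convention, not a standard): 16-byte salt || 12-byte nonce || AES-256-GCM output.
const saltLen, nonceLen, kdfIters = 16, 12, 100000

// vaultAEAD derives a 32-byte key with PBKDF2-HMAC-SHA256 (one output block, index 1) and wraps it in AES-256-GCM.
func vaultAEAD(passphrase string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(passphrase))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index
	key := mac.Sum(nil)
	for i, u := 1, key; i < kdfIters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // a 32-byte key cannot fail here
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealVault encrypts the password list; the header is authenticated as associated data, so a swapped salt or nonce is caught too.
func sealVault(passphrase string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return vaultAEAD(passphrase, hdr[:saltLen]).Seal(append([]byte(nil), hdr...), hdr[saltLen:], plaintext, hdr), nil
}

// openVault fails for a wrong passphrase or for any modified byte of the stored file.
func openVault(passphrase string, vault []byte) ([]byte, error) {
	if len(vault) < saltLen+nonceLen {
		return nil, errors.New("vault too short")
	}
	hdr := vault[:saltLen+nonceLen]
	return vaultAEAD(passphrase, hdr[:saltLen]).Open(nil, hdr[saltLen:], vault[len(hdr):], hdr)
}
```

The weak point the text names still applies: once the file is decrypted on a compromised computer, the encryption no longer protects it.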

Obviously all of the information in this article is just my opinion and shouldn't be relied upon; you should use your own judgement about the risks and rewards of any password solution. The method I use is a hybrid approach similar to what I described in the previous paragraph. It gives me a reasonable amount of convenience while being secure enough for my purposes.
