Challenges with unique passwords

It is very important to have a different password for each system you use, so that if a password is compromised, only one system will be affected.
How many of us can honestly say there are no two systems we use that have the same password?

@GetSafeOnline recently tweeted:

Your passwords are the keys to your internet life. Take time to make them strong:

The article reiterates what a good password should look like, and the need for different passwords on every site.

The difficulty becomes remembering each unique password. I use a system which enables me to have a password tailored for each site (see here for a simple example of such a system*). BUT even this system is fallible:

  • Too many sites have restrictive policies, so I can’t use punctuation marks, forcing a different password model for each site
  • Too many sites force a particular structure which is not compatible with other sites
  • Too many sites force a counter-productive regime of changing passwords too frequently (Sophos suggest this is counter-productive)
  • Too many sites force a structure on the username

This last point is particularly annoying: I am now finding I can generally recall the password (within one or two attempts), but the username is harder. Why can’t I have a DOT in my username, forcing me to use colinrobbins rather than colin.robbins? Why can’t I always use my email address, for example?

The more forward-thinking providers let me use two-factor authentication, but this does not reduce the username consistency issue.

Come on, service providers, if you want us users to use strong passwords, PLEASE HELP by implementing a common set of restrictions.

Finally, if having a strong password is so important, following a site’s particular rules, why do so many still email the password in clear text if you hit the forgot password link? Considering a name and shame campaign next time I come across one of them.

— end —

* Also see here for a more detailed discussion of the merits of such a scheme.

* See GetSafeOnline about choosing a good password.

* See “children warned name of first pet should contain 8 characters and a digit” for a more humorous look at the issue.