I'm sick of passwords.
I want to be secure:
- Never reuse a password, month-to-month or site-to-site
- Use a secure, reliable random password generator
- Change all my passwords each month
- Don’t write them down on a post-it note on my monitor
I want it hassle-free, so I could:
- Use the same password.
- Never change it
- Make it the name of my pet/son/wife/mistress
Some sites place restrictions on passwords, in an attempt to make them more secure. If I’m doing a good job of selecting my password, then any restriction is a reduction in entropy in my password, actually making it less secure.
I’ve seen restrictions on the max length of the password, which is just the worst.
I want it something that helps me with my MS corpnet password, my bank’s web site, my Everquest message boards, my ATM PIN, etc.
I need something that identifies me uniquely, and securely. I also want my privacy, so I don’t want two providers to be able to figure out that my identity with one is the same as with the other.
I want computers to help me with this problem. What can be done?
Smart cards: By providing 2-layer security (the card + a pass code), it’s more secure because it’s harder to compromise both at the same time. Fails the privacy test, as I have one smart card for all providers.
Send them all to my hotmail account: Any time I have a web browser, I have my passwords. But it’s not secure.
Write them down on a piece of paper: Compromised if stolen; lost if washed in the laundry; annoying to type them in, useless if I forget it in my other pair of pants.
Carry a pocket PC: I don’t want to carry another piece of equipment that I must maintain, recharge, repair, replace, etc.
I think the PGP Passphrase FAQ is a good read.