Friday, March 25, 2011

Password Security

I'm not one of those paranoid people who gives each website its own unique password, memorizes it, and then changes it weekly.

I have two basic schemes I think work well:

The first is the one I use, a security gradient: you maintain a fixed number of passwords, changed occasionally, to which you attach different security levels.

So my personal e-mail uses my medium-security password; all my online game accounts use my low-security password (oh noes smbdy stoled all my roonz/gold in diablo/lotro however will I live).  My bank account uses my highest security, and the e-mail I have my bank notices sent to uses my second-to-highest security.

In practice these each have a couple of variants; I attach a number to the end of my low-security password for websites which insist I use a higher security level.  (Really, people, my password choice is deliberate, I don't -care- if somebody steals the account information to a blogging site I only joined to write a comment on somebody's shit with.)  I have two high security passwords after freaking out that a site just stole it.  (My bank account site redirects you to a different domain if you get logged out due to inactivity, and I only noticed the domain after I typed in my username and password.  I later figured out the domain was legit, and accessed by redirect every time I log in for some retarded reason, but I was freaking out for a little while there.)

The other scheme I think could work, which I've seen referenced, is to have -one- password, and to encrypt domain names using that password as a key, to constitute the passwords for those individual domains.  I'm slightly reluctant to move to this because string-based encryption isn't terribly secure, and a clever site could potentially reverse-engineer what I'm doing.  (Using a proper encryption key would be better, but would fuck you over if you ever lost said key.)  So mixing this scheme with the first scheme would probably be ideal.

Except for sites with retarded limits on passwords.  Seriously, people, can we standardize password lengths?  My low security password, the shortest of my passwords, has exceeded the maximum length before.  In regards to said site, wtf good is a 6-character password, and why in the fuck do you also require this absurdly short password to have punctuation, numbers, lower case letters, AND upper case letters?
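As an added example (not the author's own scheme or code), here is the "one master password, one derived password per domain" idea from the previous paragraph, written so it also survives the length caps and character-class rules complained about above. It swaps the string encryption for PBKDF2-HMAC-SHA256, a keyed one-way derivation: a site that receives its derived password gets only an offline guessing target against the master, not the master itself, so the strength of the master is still the whole game. The function names, the `generation` counter (the same trick as appending a number to a password, for sites that force a change), the two-label `normalize_domain` simplification, and the sample master password are all mine.

```python
import hashlib
import string
from collections import Counter

# Four character classes, 64 symbols in total, so a 6-bit value (byte & 0x3F)
# selects one symbol with no modulo bias.
UPPER = string.ascii_uppercase          # 26
LOWER = string.ascii_lowercase          # 26
DIGITS = string.digits                  # 10
PUNCT = "!#"                            # 2, kept tiny so it passes most site rules
CLASSES = (UPPER, LOWER, DIGITS, PUNCT)
ALPHABET = "".join(CLASSES)
assert len(ALPHABET) == 64


def normalize_domain(host):
    """Fold a hostname so www.Example.com and example.com derive the same
    password. Hypothetical simplification: keep only the last two labels,
    which is wrong for co.uk-style suffixes; a real tool would consult the
    public suffix list."""
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _class_of(ch):
    return next(cls for cls in CLASSES if ch in cls)


def _ensure_all_classes(chars, spare):
    """Deterministically patch a candidate password so every class in CLASSES
    appears at least once. Each replacement lands on a position whose current
    class occurs more than once, so a fix never knocks out another class
    (with length >= 4 such a position always exists by pigeonhole).
    `spare` supplies one byte per class to pick the position and the symbol."""
    for i, cls in enumerate(CLASSES):
        if any(ch in cls for ch in chars):
            continue
        counts = Counter(_class_of(ch) for ch in chars)
        candidates = [p for p, ch in enumerate(chars) if counts[_class_of(ch)] > 1]
        pos = candidates[spare[i] % len(candidates)]
        chars[pos] = cls[spare[i] % len(cls)]
    return chars


def derive_site_password(master, host, length=16, generation=0, iterations=200_000):
    """Return the password for `host` derived from the single master password.

    PBKDF2-HMAC-SHA256 with the normalized domain plus a generation counter as
    the salt. Bump `generation` when a site forces a password change; every
    other site's password is unaffected. Changing the master changes them all.
    """
    if not 4 <= length <= 64:
        raise ValueError("length must be between 4 and 64")
    salt = f"{normalize_domain(host)}#{generation}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations,
                              dklen=length + len(CLASSES))
    chars = [ALPHABET[b & 0x3F] for b in raw[:length]]
    # The trailing len(CLASSES) bytes are reserved for the class-fixing step.
    return "".join(_ensure_all_classes(chars, raw[length:]))


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample master password
    for site, n in (("www.Example-Bank.com", 16), ("forum.example.org", 6)):
        print(f"{site:24} -> {derive_site_password(master, site, length=n)}")
```

Two things worth noticing when running it: the 6-character output for the forum still contains all four classes, because the fix-up step is deterministic and only ever overwrites a position whose class is already represented twice; and the iteration count is what makes a leaked site password expensive to turn into master-password guesses, so do not lower it for convenience.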

Could a single unethical site - say, my bank - fuck me over?

Yes.

But as a rule, any company I use my high-security password with could fuck me over even without the password.  That's why I used my best password to begin with.
