I am still waiting for the results of the Digital Forensics course I was studying earlier this year but I started my third Open University module a couple of weeks ago: M811 Information Security. This one makes use of the course forums mandatory, counting for part of our final mark, and so they have been very busy. It is a job to keep up but also stimulating, with thoughts firing in all sorts of different directions and one area I have been covering is passwords. Received wisdom is that your passwords should be long, contain a mix of character types (preferably upper, lower, digits and $pecial) and be unique for each place you use them. In other words, each separate login should have its own associated password.
If I’m allowed to breathe a little heresy, is it so bad to use the same password in more than one place? In an online context, a tool like LastPass is fantastic – for accessing online services it doesn’t matter that you have to be online to get the password as you also have to be online to use the system. However, I do sometimes fudge the matter to think of ‘system’ as a wider entity than ‘computer’ and use the same credentials for a group of machines so that, where I need to manually type secure passwords, I only have a small set to remember (still periodically changed but with that change propagated across the set).
And, after all, isn’t that essentially a reduced version what a single sign on (SSO) system is doing in a generally accepted manner – a single point of failure for logging in across multiple systems? Of course, I’m not going to tell you which sets of systems those are or how many points of entry each one contains.
The two places where I absolutely agree that the unique password rule is essential are for key systems (like email accounts which can be used to authorise a password reset somewhere else – if that is compromised it allows lots of other things to be unlocked) and for ones where you’ve got any concerns about how well they look after your data (so, for example, TalkTalk but also similar companies which might have similar weaknesses) and, since all those systems are online, I think there is a lot of value in finding a password vault you trust (see, for example, this fairly recent round up) and work towards having all your online passwords that you never need to type in manually as long, random strings of characters.