If the various sources on the Web can be believed, the average user has to handle up to nine different passwords at the same time. How can a single person remember so much information, especially if these are all “good” passwords?
All security experts agree that using the same password for different accounts is a very bad idea: as soon as one site is breached, that one password is tried against every other service the victim might use (credential stuffing), and every account that shares it falls at once. There are different opinions about how to sensibly manage a large number of complex passwords, though. Here are two suggestions:
Using a password pattern
Some security experts recommend using a shared pattern for different passwords, where the pattern itself is easy to remember. Such a password would consist of a fixed, invariant part that is the same for all accounts, and a variable part that can be easily derived from the kind of service or product that the account is for.
Just to give you a simple example:
Let's say the fixed part of your pattern is "Tp1etr." (the initial letters of "This-password-1s-easy-to-remember.", with a digit substituted for "is").
For the variable part, just add four capital letters referencing the web service (the first four letters of its name, say), placed within square brackets. So, for example, we might end up with the following passwords, which are all easy to remember once we have memorised the fixed pattern:
- Tp1etr.[MAIL] (for use with mailbox.org)
- Tp1etr.[FACE] (for use with Facebook)
- Tp1etr.[TWIT] (for use with Twitter)
This way of managing passwords has the advantage that there is no need to write anything down or to install special software. Its weakness is that the fixed part is a single secret shared by all accounts: if one service leaks a password (or you type it into a phishing page), the pattern is plain to see and the variable part for any other service is trivial to guess. That is why many security experts advise against patterns for anything but low-value accounts.
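To make that weakness concrete, here is an added example (not code from the original article) that takes the attacker's side. Given two leaked passwords of the same user built with the pattern above, it recovers the fixed part as the shared prefix and suffix, checks whether the variable part follows the "first four letters of the service name" rule, and if so predicts the password for a third service. The leaked values are constructed for the example; `pattern_password`, `infer_pattern` and `predict` are names chosen here.

```python
import os

# Constructed example data (not real credentials): two passwords of one user,
# built with the article's pattern, that have leaked from two different sites.
LEAKED = {
    "facebook.com": "Tp1etr.[FACE]",
    "twitter.com": "Tp1etr.[TWIT]",
}


def pattern_password(fixed: str, service: str) -> str:
    """Build a password the way the article's pattern does: the fixed part
    followed by the first four letters of the service name, upper-cased,
    in square brackets."""
    return f"{fixed}[{service[:4].upper()}]"


def common_suffix(strings) -> str:
    """Longest suffix shared by all strings (commonprefix on reversed strings)."""
    return os.path.commonprefix([s[::-1] for s in strings])[::-1]


def infer_pattern(leaked: dict) -> dict:
    """Attacker's view: from two or more leaked passwords of the same user,
    recover the invariant part (shared prefix and suffix) and what varies."""
    pws = list(leaked.values())
    prefix = os.path.commonprefix(pws)
    suffix = common_suffix(pws)
    variable = {}
    for site, pw in leaked.items():
        # Guard against prefix and suffix overlapping when passwords are identical.
        end = max(len(prefix), len(pw) - len(suffix))
        variable[site] = pw[len(prefix):end]
    return {"prefix": prefix, "suffix": suffix, "variable": variable}


def predict(leaked: dict, target_service: str):
    """Guess the password for a service the attacker has no leak for. Returns
    None when the variable parts are not explained by the 'first four letters
    of the service name' rule, i.e. when the leaks do not betray a pattern."""
    info = infer_pattern(leaked)
    rule_holds = all(var == site[:4].upper()
                     for site, var in info["variable"].items())
    if not info["prefix"] or not rule_holds:
        return None
    return info["prefix"] + target_service[:4].upper() + info["suffix"]


if __name__ == "__main__":
    print(infer_pattern(LEAKED))
    print("guess for mailbox.org:", predict(LEAKED, "mailbox.org"))
```

With the two constructed leaks the inferred prefix is `Tp1etr.[`, the suffix is `]`, and the guess for mailbox.org is exactly the third password from the list above. Two passwords that merely share a prefix by chance (say `Summer2019` and `Summer2020`) do not satisfy the rule and produce no guess, which is the point: the pattern, not the fixed string, is what the leak gives away.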
Using password management software
Another way of handling many complex passwords is to use a password manager, in other words, a piece of software. The advantage is that a user only needs to remember a single master password; a well-designed manager derives an encryption key from it (using a slow key-derivation function and a random salt) and uses that key to encrypt all the other passwords and PINs it stores. The master password itself is never written to disk.
Modern browsers such as Mozilla Firefox or Google Chrome, and e-mail clients like Thunderbird, have built-in password management modules that keep passwords for different services in one place. Without a master password, that storage is only nominally protected: Firefox and Thunderbird encrypt the saved logins, but the key is stored next to them and is itself protected by an empty password, so any program running under your user account can decrypt them. Chrome has no master password at all and relies on the operating system's user-level credential store (DPAPI on Windows, the keychain or keyring elsewhere), which mainly protects the data from other users of the same machine, not from malware running in your own session. Only once a master password (Firefox now calls it a Primary Password) has been set is the store actually locked with a secret that malware does not have.
If you use password managers like these, I think it is really important to enable the master password: for years now, info-stealing malware has specifically targeted the password databases of browsers and mail clients, copying them off the machine in seconds. Bear in mind that the master password protects the stored data at rest; once you have unlocked the store for the session, a program running with your privileges can still read what the browser has decrypted, so keeping the machine free of malware matters just as much.
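The following added example (written for this page, not the code of any browser or password manager) shows the mechanism the last three paragraphs describe: a master password is stretched with PBKDF2 into keys that encrypt and authenticate a small vault, the file on disk contains no readable secret, and a wrong master password or a tampered file is rejected. It also includes the check you can apply to any store: does a saved password appear verbatim in the bytes on disk? The vault contents are constructed; the function names are chosen here; and because the Python standard library has no AES, the stream cipher is HMAC-SHA256 in counter mode, where a real manager would use AES-GCM or XChaCha20-Poly1305 from a crypto library.

```python
import hashlib
import hmac
import json
import secrets

# PBKDF2-HMAC-SHA256 work factor. Real managers use this order of magnitude or
# a memory-hard KDF (scrypt, Argon2); lower it only for quick experiments.
PBKDF2_ITERATIONS = 200_000

# Constructed sample vault contents (not real credentials).
ENTRIES = {
    "mailbox.org": "Tp1etr.[MAIL]",
    "facebook.com": "Tp1etr.[FACE]",
}


def store_plaintext(entries: dict) -> bytes:
    """What a store without a master password amounts to: the secrets are
    readable by anything that can open the file."""
    return json.dumps(entries).encode("utf-8")


def derive_keys(master_password: str, salt: bytes, iterations: int):
    """Stretch the master password into two independent 32-byte keys, one for
    encryption and one for the MAC. Neither the keys nor the password are
    ever written to disk; only the salt and iteration count are."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             iterations, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher. Used here only
    because the standard library has no AES; a real manager uses AES-GCM or
    XChaCha20-Poly1305 from a crypto library instead."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(entries: dict, master_password: str,
                  iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Serialise and encrypt the vault. On-disk layout:
    salt(16) | nonce(16) | iterations(4) | tag(32) | ciphertext."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries).encode("utf-8")
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = salt + nonce + iterations.to_bytes(4, "big")
    # Encrypt-then-MAC over header and ciphertext, so a tampered file or a
    # wrong master password is detected before anything is decrypted.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + tag + ciphertext


def decrypt_vault(blob: bytes, master_password: str) -> dict:
    """Unlock the vault. Raises ValueError on a wrong master password or a
    modified file; the two cases are deliberately indistinguishable."""
    header, tag, ciphertext = blob[:36], blob[36:68], blob[68:]
    salt, nonce = header[:16], header[16:32]
    iterations = int.from_bytes(header[32:36], "big")
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("wrong master password or tampered vault")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)))


def leaks_plaintext(stored: bytes, entries: dict) -> bool:
    """The check to run against any store: does a saved password appear
    verbatim in the bytes on disk?"""
    return any(pw.encode("utf-8") in stored for pw in entries.values())


if __name__ == "__main__":
    vault = encrypt_vault(ENTRIES, "correct horse battery staple")
    print("plaintext store leaks:", leaks_plaintext(store_plaintext(ENTRIES), ENTRIES))
    print("encrypted vault leaks:", leaks_plaintext(vault, ENTRIES))
    print("unlocked:", decrypt_vault(vault, "correct horse battery staple"))
```

Two design points carry over to real software: the master password only ever exists in memory while the vault is unlocked, which is exactly why the text above warns that an unlocked store is readable by anything running as you; and authentication happens before decryption, so an attacker who edits the file gets an error rather than silently corrupted entries.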
Are all password managers equally safe to use?
Unfortunately not. Although various programs offer a password management function, not all of them feature a master password option to encrypt the information; the instant messenger client Pidgin, for example, keeps account passwords in plain text in its accounts.xml file. A simple check before trusting any such program: open its data file in a text editor, and if your passwords are readable there, it is a list, not a password manager. I cannot recommend using any password management software that does not encrypt the passwords it stores.