Passwords: a thorny issue

Much debate went into the issue of what questions we could reasonably ask about passwords in our Five Minute Healthcheck. While we wanted to encourage people to think about what they did, we did not want people to feel we were asking for sensitive information. This blog looks at the question “Where do you keep your passwords?”.

Where do the passwords go?

The good news is that no one in our sample keeps passwords on sticky notes by the PC. Surprisingly few people use any type of electronic document and no one uses a password safe. Writing them down in a book is popular but most are remembered.

On the face of it, this suggests one of two things:

  • Our respondents have exceptional memories.
  • People are compromising their internet safety by repeating passwords or using a “system”.

A more reasonable explanation is that most people remember the passwords that they use every day and write down the rest.

Type “strong passwords” into Google to find some interesting articles on ways of creating unique and strong yet memorable passwords. Instead of remembering the password itself, you memorise the system and apply it each time. This will suit some people most of the time. There is always the exception where a site will reject your chosen password because of some rule of its own.  If a system works for you, use it.

For the rest of us, keeping some sort of record is the only practical way. A book has the advantage of not being accessible to an online hacker. It can, however, be lost, stolen or left around and read by a third party. If you do write down passwords, disguise or encrypt them and do not link them to the site and username in an obvious way. The big problem can be transferring them when you finish the book!

If you only need passwords on a single device, an encrypted spreadsheet or local password safe will do the job. When you start needing access from more than one device, things get tricky, especially when the devices use different operating systems and software. You need to ensure that each device has access to the current file and can unlock and read the contents. The solution here depends on what devices you are using. An encrypted USB key is one possible answer; a cloud-based password safe is another. Neither answer is perfect or will work in every situation. Go with whichever works for your need and risk profile.

One final thought: secure passwords make us break a couple of habits built up over a lifetime:

  • If you are using a dictionary word, misspell it.
  • When asked for password reset questions based on your history or preferences: lie.