This is a quick post aimed at my non-technical friends and family which I've been meaning to publish for some time. I am reminded of my intentions every time I hear someone lament that they have too many passwords to remember, or reveal that they use the same handful of passwords for all sites that they frequent (usually incorporating the names and birthdates of their nearest and dearest).

Do I need to recap why password reuse is a very bad thing?

xkcd792

(and it’s not just the black-hats you have to worry about, it’s the incompetent service providers too, as the recent well-publicised hacks of Gawker and the PlayStation Network have shown).

So, what is my suggested solution to this problem of the modern age?

I have long since given up trying to memorise passwords, or indeed racking my brain devising suitably strong passwords for each site I visit. There are many fine password management applications out there which excel at both these tasks - I use and endorse KeePass Password Safe, a free and open-source application which is available for many platforms, including Windows, Linux and Mac OS.

keepass

By saving my KeePass password file to my DropBox, I have all my credentials easily available from all the machines I use at home and on client sites. Both DropBox and KeePass have apps available on Android (and iPhone), so my credential management solution neatly extends into my mobile life (and means I always have a copy of my passwords to hand – useful for when evil clients choose to block DropBox).

Yes, I still need to memorise at least one password (to protect the actual KeePass file) – this is a lengthy pass phrase chosen using techniques similar to those described in this XKCD comic.

If you’re still relying on your grey matter to retain an ever-expanding list of passwords, I strongly recommend you consider offloading the burden to some dedicated software such as KeePass. Then take the time to visit all the sites you frequent and change your weak, oft-used passwords for unique high-entropy ones.