I recently finished a huge revamp of my password management system by moving to a one-password-per-site model. Here’s why I decided on this model and how I implemented it.
I was using a base password system to generate passwords I could memorize. The recent breaches at high-profile sites like Zappos, Last.fm and LinkedIn made me rethink this strategy. Remembering passwords doesn’t scale with the growing number of online services we use. One-password-per-site is perhaps the best model (and maybe even a bit overkill), but I was nervous about trusting my passwords to a password manager. A few realizations, though, made me more comfortable:
- I do a horrible job of remembering usernames and passwords anyway. Every time I’m faced with a login form, I sit there staring blankly trying to remember how to get in. I had a handful of passwords and usernames I would cycle through, but trying to remember the right combination was often futile (at worst, I’d get locked out before I hit the right combo). I found myself using the “reset password” link out of convenience. I don’t want these various username/password combinations taking up space in my head. I want to fill those nooks and crannies of my brain with more useful bits of information. Because...
- Passwords are just a means to an end. It’s a subtle point, but there’s nothing intrinsic in a password that makes it a necessary part of accessing your data. Passwords are merely the inconvenient price we pay for online convenience. If I lost online access tomorrow, I could still call customer service in order to manage my bank account. I can always request a new password if I absolutely need to access a site but don’t know my password. Forgetting a password is not the end of the world: just get a new one.
- Device consolidation. Even when memorizing passwords, the only devices I trust with my passwords are my laptop and my phone. Once I’ve logged into these devices, I seldom need to log back in again (especially thanks to Chrome sync). I avoid logging in from public computers, and can’t imagine a critical situation where I couldn’t wait to log in from one of my devices.
Once I was comfortable with the idea of one-password-per-site, here’s how I implemented it:
- All passwords are stored in KeePass. I only need KeePass for a Mac (via KeePassX) and an Android phone (via KeePassDroid), but it is also available on various platforms if necessary. I like KeePass because it’s free, open-source, and not cloud-based. I’ve heard a lot of great things about LastPass, but I’m still not comfortable with the idea of a third party managing my passwords. The system I describe here has many of the benefits of a cloud password manager without introducing a third-party player.
- Each site gets its own unique password generated by KeePass. I generate a 25 character password with letters, numbers and symbols (unless the site has its own restrictions).
- There are certain passwords I still need to memorize, such as the password to the KeePass database itself (of course), passwords to apps I share with my wife (such as Hulu+ and Rdio), passwords to anything work-related and various odds and ends (like my router password).
- I also memorize the password to my Google account. This is important because my email is on Gmail, and email is the proxy for identity on most services.
- The KeePass database is stored in Google Drive. This allows me to access the database from any computer I trust.
- Two-factor auth is enabled on my Google account.
- I have a printed copy of my passwords that I keep with my other important documents (such as passports). This is stored somewhere only my wife and I know how to access.
- The flow for logging into a site goes like this:
  - Open up KeePassX.
  - Find the site I want to log into.
  - Hit Ctrl-U to navigate to the site.
  - Hit Ctrl-B to copy the username, paste that into the site.
  - Hit Ctrl-C to copy the password, paste that into the site.
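As an added example, not code from this post or from KeePass: a Python generator in the spirit of the per-site passwords described above, drawing a 25-character password over letters, digits and symbols from the OS CSPRNG, narrowing the symbol set when a site restricts it, and reporting the entropy that length buys. The `allowed_symbols` parameter and the `"!@#$"` site policy are constructed for illustration.

```python
import math
import secrets
import string

# Character classes matching the post's "letters, numbers and symbols".
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "symbol")

def build_pools(classes=DEFAULT_CLASSES, allowed_symbols=None):
    """Map each requested class to its character pool; a site that only
    accepts certain symbols narrows the symbol pool (constructed restriction)."""
    pools = {name: CLASSES[name] for name in classes}
    if allowed_symbols is not None and "symbol" in pools:
        pools["symbol"] = allowed_symbols
    return pools

def satisfies_policy(pw, pools):
    """True if every character comes from some pool and every pool is used."""
    alphabet = "".join(pools.values())
    return (all(c in alphabet for c in pw)
            and all(any(c in pool for c in pw) for pool in pools.values()))

def generate_password(length=25, classes=DEFAULT_CLASSES, allowed_symbols=None):
    """Draw a password with the OS CSPRNG (secrets, not random) and reject
    draws that miss a class, so the result stays uniform over policy-conforming
    strings instead of the biased 'one of each, then shuffle' construction."""
    pools = build_pools(classes, allowed_symbols)
    if length < len(pools):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(pools.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies_policy(pw, pools):
            return pw

def entropy_bits(length, pools):
    """Entropy of a uniformly random string of this length over the pools;
    the rejection step discards only a negligible fraction at length 25."""
    return length * math.log2(sum(len(p) for p in pools.values()))

if __name__ == "__main__":
    print(generate_password(), round(entropy_bits(25, build_pools()), 1))  # ~163.9 bits
    print(generate_password(16, allowed_symbols="!@#$"))  # constructed site policy
```

The 25-character default over 94 characters gives roughly 164 bits, far beyond what any online or offline guessing attack can cover, which is why the post can afford to treat the generated string as disposable.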
I’ve been migrating sites to this scheme over the past month, and I’m happy with the results. I don’t waste time staring blankly at a login screen anymore. I just hit a few keys and keep moving forward.