How to Navigate the Password Jungle

SaaS, Technology January 17th, 2008

In a funny (scary?) coincidence, the password problem got highlighted on TechMeme just weeks after I came under an attack that caused me to rethink my password strategy.  My login credentials got compromised at a Gmail account that I only use for mailing lists; I fixed it soon, no harm done.  Two months earlier my eBay account got hijacked, and while I was p***ed at eBay for not doing anything about it, again I could regain control and changed all related accounts (PayPal etc.) before suffering any consequences.

Then I started to think: what’s the point in stealing an account at a site like, let’s say, a photo-sharing service?  The hijackers really can’t benefit… or can they?  Then it hit me: I am (well, I was, until that point) just like 61% of Internet users, using the same userid/password combination on all sites.  The purpose of attacking not-so-critical sites may just be to harvest login credentials, which the bad guys can then feed to their bots to try on all sorts of financial sites.  Oops… now I had a crisis.  Needless to say I spent the next half day researching the subject and changing my login credentials.

Now, while I am fairly opinionated, I am by no means an expert on Internet security best practices, so instead of trying to dispense advice, I am opening the subject to discussion, and hope to get some real feedback.   Here are some of the options we all have:

  • Use the same, or very few, userid/password combos on all sites, so we can remember them without having to write them down or physically store them in any form.  This may not have been that bad… years ago, when we all accessed less than a handful of sites.  With the proliferation of Web usage, this practice has become a timebomb waiting to explode.
  • Use some variation of the basic credentials, simple enough to remember the actual “algorithm”,  i.e. some characters from the site name combined with your own “standard” keywords.  The benefit is that you use different credentials on every site (which you probably would not remember, but can re-construct every time), and still don’t need to record all the passwords. The weakness is that once the bad guys get hold of two-three sites, they can pretty much figure out your simple algorithm.
  • Use different credentials on every site, preferably strong ones.  The benefit is obvious, very secure, but it would be impossible to remember, so you would need to record them somewhere, whether on paper or electronic form, which itself is a huge security risk.
  • Use different, strong credentials, and use a “password manager” system.  There have been a number of client (PC) based solutions, or ones that store your information on a USB stick, but I don’t want to depend on anything tied to a physical location/device.   I am experimenting with Web-based solutions, but am not fully convinced.  OpenID got a huge boost today, with Yahoo adopting it.  The system I am trying out is PassPack: here’s why PassPack’s founder thinks her solution is significantly different from OpenID.   I can tell you it’s a hell of a pain to log in to PassPack – I guess it’s supposed to be that way.  But other than the inconvenience, whether it’s PassPack, OpenID, or any online system, I am worried that if the info there ever gets compromised, it will expose everything.
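To make the trade-offs between these options concrete, here is an added example (my own illustration, not code from the post or from PassPack) covering the second, third and fourth bullets: a per-site password derived from one master secret with a keyed, slow hash (the sound version of the “algorithm” approach, where two leaked site passwords reveal nothing about the others), a random-password generator for the “different, strong credentials” approach, and a small audit helper that flags reuse in a site-to-password export such as a manager would produce. The site names, the vault contents, the alphabet and the iteration count are all assumptions chosen for the example.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Alphabet for generated passwords: letters, digits and a few symbols that
# most sites accept (assumption; adjust per site policy).
SYMBOLS = "!#$%&*+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Option 3: an independent random password per site, from the OS CSPRNG."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Require every character class so typical complexity rules accept it.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def derive_site_password(master_secret: str, site: str, length: int = 20,
                         iterations: int = 200_000) -> str:
    """Option 2 done properly: derive the per-site password with PBKDF2-HMAC-SHA256
    keyed by the master secret, with the site name as salt.

    Unlike "letters from the site name + a standard keyword", knowing two derived
    passwords gives no way to compute a third or recover the master secret.
    The master secret is still a single point of failure, which is exactly the
    concern the post raises about any centralised scheme.
    """
    site = site.strip().lower()  # "eBay.example" and "ebay.example" must agree
    raw = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                              ("site-password-v1:" + site).encode("utf-8"),
                              iterations, dklen=2 * length)
    # Derive twice as many bytes as needed and take base-len(ALPHABET) digits of
    # the resulting integer, so the character distribution is effectively unbiased.
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def find_reused_passwords(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Audit helper: report every password used on more than one site.

    `credentials` maps site -> password, e.g. an export from a password manager.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for site, pw in credentials.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault for the demo; these are not real accounts.
    vault = {"ebay.example": "hunter2", "paypal.example": "Tr0ub4dor&3",
             "photos.example": "hunter2", "mail.example": "correct horse"}
    for pw, sites in find_reused_passwords(vault).items():
        print(f"one password shared by {len(sites)} sites: {', '.join(sites)}")
    print("random   :", generate_password())
    print("derived  :", derive_site_password("my master passphrase", "photos.example"))
```

The derivation function is deterministic, so nothing needs to be stored beyond the master secret, but it has the same weakness the post worries about: if the master secret leaks, every site is exposed, and rotating one site’s password means changing the site label (for example a version suffix) rather than picking a new password. The random generator has no such linkage but requires a manager to store the results, which is the trade-off between the third and fourth bullets.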

With that, I’d like to turn this over to the security experts (I hope I have some amongst my readers). What do you think?  What’s the ideal Web-login policy?

Update:  How could I not think of this?   (via Web Worker Daily)

Related posts: ReadWriteWeb, The Guardian,  TechCrunch,  Jeremy Zawodny’s blog, InfoWorld,  Mark Evans, Compiler,  CyberNet, Identity Woman,  WeBreakStuff,  Mashable!, Ars Technica, and many others.

Tags: id theft, openid, passpack, password manager, password security, web identity, web login, web passwords, web security

Zoli Erdos, 2008-01-17 21:10:55, http://www.zoliblog.com/2008/01/17/how-to-navigate-the-password-jungle/
