Zoli's Blog

Connecting the dots ...


The Password Conundrum

Posted on April 12, 2010

I’m not a security expert and don’t pretend to be one, but half-cooked advice on fundamental security issues p***es me off big time. Today it’s a lengthy article at the Boston Globe: Please do not change your password.

It’s based on a study by a Microsoft researcher, who concludes that regularly changing passwords is a big waste of time – so far so good, and I’ve just saved you reading 3 pages – but what’s the conclusion?

  • Use strong, bullet-proof passwords in the first place
  • Use updated security software, don’t install unknown stuff to avoid keyloggers

It all makes sense, except that it’s hard to do. Statistics show that over 60% of Internet users have a favorite set of login credentials and they use that single set across many systems.  Very-very dangerous, but the reason we do it is that this is what we can remember easily.

The missing piece from the advice is how we deal with the “bullet-proof” and unique set of login credentials we create on dozens of systems we need to log in.  Some people will develop a formula to make up such passwords – too bad such patterns are often recognizable.  Others will write them down … ouch!

So we’re left with two options:

  • physical devices, be it lists, passcode cards, USB sticks, etc. – what if you lose them?
  • password management systems like KeePass, LastPass, Passpack, SyferLock… – what if they get compromised?

What’s your solution?


(Cross-posted @ CloudAve)
