Why your tiered password scheme is flawed, and what to do about it.

First, let me explain what I mean by “tiered password scheme”. Many perfectly smart people I know have one strong password they use for one or two online banking type sites. They’ll then have a “medium security” password they use on sites that are kind of important to them (maybe those sites have their credit card info stored), but not critical to day to day stuff. Then they’ll have one or two passwords they use on all the other sites like Twitter, Yahoo!, Facebook, GMail, etc.

Obviously they’re being relatively careful about the important stuff and that’s good, but the flaw in this system is in the perception of pain. People think “wow, it would massively suck if my bank account password got out, but it’s not such a big deal if my Twitter password gets compromised. I can always make another Twitter account.” Or, they’ll say “Why would anyone care about hacking my account? There’s nothing special about it.” And while there’s nothing inaccurate about those thoughts, they’re also totally missing the point.

The thing is that many of those low value sites aren’t even remotely careful with your data. They’ll store your passwords unencrypted on their servers. And while people are unlikely to try and go after your account in particular, it’s not unthinkable that someone might try to hack Twitter (just an example), or even better, one of the myriad tools that you have to enter your Twitter username and password into and are much more likely to be insecure.

Now, they’ve got a list of thousands, or maybe millions, of usernames and passwords and because so many people use a tiered password scheme (or worse, only one password) those passwords are going to work all over the place. Now, most people I talk to say “I can just make another Twitter account.” but it’s not just *that* account. How many hundreds of sites have you used that low value password at? Do you really want to go and change it on all of them? And how would you even know you need to change it on all of them? Considering how many you’ve probably used it at, it’s a safe bet that someone could be using your name and spamming people, or linking to virus-ridden sites, or whatever from your account and you might not find out about it for months, if ever. Not because it’s your account, but because your username and password just happened to be in the list of thousands they stole from some site. It is simply not realistic to claim that, if you somehow knew the password had, or might have been, compromised, you are going to change it on all the sites you’ve used it at. And worse, if any of your accounts that got compromised, and probably killed by administrators, were ones where you’d made friends, built up lists of contacts, etc., then you’re going to be experiencing some serious pain and frustration when it comes to figuring out how to contact all those people, telling them that no, that wasn’t really you trying to sell them male enhancement pills, and that you’ve got a new account now… Gods forbid this happens to your e-mail account.

So, what are you supposed to do? Well, the “simple” answer is that you’re going to have to start using a different password on every site, and, because you’re human, you’re going to have to use a password manager to keep track of them all. There are a ton of password managers out there and while they’ll all get the job done securely, the usability of these apps varies wildly. Typically the process is: load a web page that needs a password, launch your password manager (if it isn’t running already), find the entry for this site in a list, copy the password to your clipboard, switch back to the browser, select the password field, and paste in the password. That’s six steps, two applications, and possible wait time while one of them launches, just to enter a password!
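As an added illustration (my own code, not part of the original post), here is a small audit of a constructed vault that shows how a tiered scheme turns one leaked site into several, and how reused passwords can be replaced with generated unique ones:

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault (site -> password) modelling the tiered scheme:
# one strong bank password, one "medium" password, one shared low-value one.
SAMPLE_VAULT = {
    "bank.example": "Tr0ub4dor&3!xq",
    "shop.example": "medium-pass-2009",
    "travel.example": "medium-pass-2009",
    "twitter.example": "lowvalue1",
    "mail.example": "lowvalue1",
    "forum.example": "lowvalue1",
}

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def find_reuse(vault):
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def blast_radius(vault, breached_site):
    """Other sites whose login is exposed if breached_site leaks its password store."""
    leaked = vault[breached_site]
    return sorted(s for s, pw in vault.items() if pw == leaked and s != breached_site)


def generate_password(length=20):
    """Random password from the OS CSPRNG, so every site can get a different one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def dedupe_vault(vault):
    """Copy of the vault where each site has a unique password (reused ones replaced)."""
    new_vault = dict(vault)
    seen = set()
    for site in sorted(new_vault):  # deterministic order: first holder keeps its password
        if new_vault[site] in seen:
            new_vault[site] = generate_password()
        seen.add(new_vault[site])
    return new_vault


if __name__ == "__main__":
    for pw, sites in find_reuse(SAMPLE_VAULT).items():
        print(f"password shared by {len(sites)} sites: {', '.join(sites)}")
    print("twitter leak also exposes:", blast_radius(SAMPLE_VAULT, "twitter.example"))
```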

“But Kay,” you say, “my browser remembers my passwords.” And that’s great. It’s going to save you from having to do this all the time, but sooner or later your browser’s cache is going to get emptied, and you’re going to have to go through the process again. Even worse, what if you’re at someone else’s computer? The latter is a strong argument for having a password manager on your smartphone, but the usability is even worse when you’re talking about an entirely different device that you can’t copy the password from to paste into your browser.

So, again, what are you supposed to do? Well, first off, you need a password manager that’s not going to make you leave your browser. This means we’re talking about browser extensions, or maybe a web based password manager. And while there are a ton of choices, some of them are wildly complicated and most of them fail when it comes to usability. If you’re going to stick with this, and protect your identity and passwords the way you should, it is absolutely imperative that you use a tool that makes it easy, easy, easy, to get your passwords in there. The act of retrieving your password and entering it into the site you want can’t be frustrating or annoying to you. [Update: A number of people have felt that I’m trying to promote Passpack below. Passpack just happens to be one of the few services that meets all of my personal criteria, but there are other services out there and I encourage you to explore them. Furthermore, web based services aren’t right for everyone. Some of us prefer Firefox Extensions, or apps that live on our phones. Really, I just want you to go find a tool that will help you to practice good password hygiene, and am offering up what I’ve discovered whilst searching for tools for me.]

So far I’ve only found one that I’m really willing to recommend: Passpack. Unlike most web-based password managers it can work offline, if you have Google Gears installed. It’s got a ton of features (probably far more than you need), and while its interface can be a bit overwhelming with all its options and its big grid of icons, it appears relatively easy to use, and most of the time you’re just going to click its bookmarklet when you want to log in to some site you’ve stored the password for. Once you’ve saved a password for a site it’s two clicks the next time you need to retrieve your password and log in. I definitely recommend checking out their video tour. [Update: the icon grid can be turned off, and will be off by default in the next version.]

When it comes to browser extensions I simply haven’t seen any that get the usability right. Some have daunting management screens, or just bad tools for initiating the action of getting the password, and almost all of them finish by copying the password to the clipboard and making you paste it into the form, which is just brain-dead considering that extensions have access to essentially every feature of the browser. Many (most?) of them are going to leave you screwed if you need to access a site from someone else’s computer. The same can be said for desktop apps. The things the extensions typically do right are generating good passwords for you, storing them securely, and saving you from having to open another app. But, all of the ones I’ve seen simply aren’t painless enough when it comes to usability, or management, or both. Actually, there was one exception that got the usability right, but ultimately encouraged users to go with something resembling a tiered password scheme.