Back in 2007 I wrote a post (One Ring To Rule Them All) detailing my idea for coping with the Internet-necessitated need to manage a whole bunch of passwords with some modicum of security, and without fear of tearing all your hair out.
At the time I commented that while there’s plenty of advice to the effect that one should maintain different passwords for each application/ website one uses, there’s a dearth of information regarding how to manage umpteen different passwords.
That’s still true. However, it’s also not the whole story; there are ways of storing passwords.
You could, for instance, save them in a spreadsheet, and you could also password-protect that spreadsheet — although if using a Microsoft product such as Excel, you should be aware that passwords in Microsoft’s applications are notoriously insecure; cracking them is a relatively trivial matter (if you’re interested, Bruce Schneier has an illuminating article on why Open Source cryptography is superior to proprietary code).
However, I maintain that the ‘One Ring‘ is superior to all these, for several reasons.
Firstly, with the One Ring you can’t lose your list of passwords. Any ‘password safe’ is susceptible to system failure (if your hard disk should crash: bye-bye password list, hello ‘OMG how do I get into my online bank account now?’). There’s also the problem of transferring the data to your new computer when you get a new one (admittedly, this might be straightforward: then again, it might not; old software — chances are you’ve had your password safe a while now — often has compatibility issues). With the One Ring, you need only fear amnesia. Or, maybe, senility.
Secondly, the One Ring is 100% portable between real-world locations. If you’re relying on a password safe and you pop into an Internet café, you won’t be able to log into [insert website name here] because you probably don’t have your password safe with you. (You could carry it around in a pen drive, but then that’s just another thing to lose.) If you’re using the One Ring your head is always there, right where you are. Handy, that.
Thirdly, unlike a password safe, the One Ring is not easily transferable between individuals. It’s in your head, and communicating it to another person can only be accomplished by deliberate, wilful action. I think it’s safe to assume that the risk of explaining your One Ring to someone else accidentally is minimal, even if you are a somniloquist.
Fourthly, if you should choose to use a password safe, there are three things to consider:
- You’d better be absolutely certain that the password safe software you’ve chosen isn’t a trojan that will pass your passwords to someone else…
- If you open a password safe you’d better be absolutely certain that you have no malware on your machine that’s looking for you to do something like… open a password safe, for instance.
- To access a password, you have to open the password safe software, locate the password you need, transfer it reliably to the application you want to log into (copy and paste might work; then again, it might not), and, finally, you need to close the password safe. All of which is a lot more palaver, and quite a lot slower, than retrieving a password that’s stored safely inside your head.
A note to cryptology experts: by all means, if you think that I’m deluding myself, please do get in touch. I’d love to hear what you think of the One Ring and its sequel, Two Rings To Rule Them All. Oh, and there’s my nifty idea for remembering credit card PINs, too :)