How to manage your passwords
In this blog I'm going to give you a method of handling passwords that is safe and easy. There are many methods around, and most people don't use them because of the hassle. This method is fairly hassle free, as well as being completely under your control. It is a good compromise between security and practicality. This is the method I use.
I recently saw a video about password management. While the video had some great advice, it did recommend not re-using passwords. Unless you use a password manager, this is completely impractical. I have 30-40 passwords.
Here's what I do.
1. Divide your passwords into two or three groups
Your first group is ultra secure - bank accounts, credit cards, paypal, etc. There's a good argument for putting your email password in that group too, as long as you always use a secure login (that's one where the url starts with 'https'). Email passwords are a major source of hacking and identity theft. Then, if doing three, you have a middle group that is medium secure. These would be accounts that have plenty of personal details. This would include sites where you regularly buy stuff. The last group is ones you don't care too much about - like forums you post to infrequently, or small ecommerce sites you don't expect to use again. Call them Groups 1,2 and 3.
The idea is that there will be a lot of Group 3, and the sites won't be so secure, so this password is the most likely to be hacked. If one is hacked, you can either go through them all and change the passwords, or you may decide that you can live with just changing each one when you next use it. If there's any compromise of Groups 1 or 2, you should change them all immediately.
2. Choose one password for each group
Use this well known method for choosing a safe password - pick a phrase with words, numbers and a capital letter. For example - "walking in the London rain 1997". Take the first letter of each word, and the numbers, giving "witLr1997". This is a pretty decent password. I usually use about 8 characters, with 9/10 or more for Group 1.
3. Write it all down!
Really? Aren't we supposed to never write down passwords? Well, correct, you aren't, but you do need to write something down. If you have 30/40 passwords, you'll have various combinations of user ids - self created ones, email addresses, login numbers, pin codes etc. You won't be able to remember them all. So write down each website you care about, write down the user id you have to use, and write down a hint to the password. For the above example password, I might write "lon".
If you're pretty forgetful, you could also write down hints to your security answers. The key to this file, of course, is that nothing should be guessable from the hint. I keep the file on my PC, and my mobile. I'm pretty confident that if someone got the file, they'd know pretty much all the places to try, but they'd find it hard to guess any passwords. Of course, you may feel more comfortable writing it all in a notebook.
Lastly, if any of your important logins offer two step authentication, like Google's, use them!
Update - As a result of some feedback I wanted to clarify a few things. There are more secure password policies than this, and this is intended to be a simple workable improvement for people who have little or no password policy already.
The advice about not reusing passwords is, of course, good advice and good for security if any of the passwords are discovered. The problem comes when you have 40 passwords (and if they're really strong they'll be over 10 characters each). One solution is to use a password manager. There's a good summary of the potential problems with that here. Another solution is to write them all down, and some people do advocate this. If you then have to carry the written passwords (and presumably login ids etc) around with you, then you need to weigh up the risk of losing the list, which would be a disaster. An additional problem is that people tend not to want to make the effort, especially when it comes to copying each password out every time you want to log in somewhere.
The groups I gave above is a compromise between never reusing and having the same password for everything (the worst thing you can do) Obviously you can increase the groups and reduce the reuse. Another thing you can do is alter the password slightly in Group 1 for each login. So, if you log in to Bank A, alter your Group 1 password for Bank A. You could add the street number of your branch, for example. The key here is to alter it enough so that if a password was obtained elsewhere and tried with Bank A, it wouldn't work immediately and would probably give you time to change it.
You could also seperate out prominent targets such as Google Mail, Paypal and Ebay and have different passwords for each one. I should also point out that many financial institutions have random long user ids (such as 12 digits) and Two Factor Authentication. This greatly reduces the risk of a password from one bank allowing instant access into another. This is also a very good reason for never writing your user ids next to your password.
In summary, be aware of the risks, and choose what you are prepared to make the effort to do. Following some method is much better than following none. Here are two important things you must do
1. Only use strong passwords.
2. Never use the same password for important sites, like banks, as you do for any less important site.