Passwords, how many do you have?

Posted: December 29, 2010 in Mozilla, Security

Since my last blog post I have received many questions about passwords: how many to use, and what is appropriate. Judging by the questions, many people use the same password for everything.

First off, don’t use the same password for everything. One password for every site is a big risk: whichever site leaks it, or stores it badly, has effectively handed an attacker your login to every other site. Having groups of passwords based on the kind of site is a good idea, but better still is a unique password per site. If you are not willing to go that far, at least use groups. I am not going to preach about password rotation, length and strength yet (maybe a future post), but I will expand on groups of passwords.

Groups of Passwords
If you don’t want to use a unique password per site, I would suggest that you set up groups. Suggested groups are: social sites, hosted email, corporate or work sites, and banking sites. This seems to be a good separation: if your social-site password leaks, it doesn’t affect your work or banking accounts. Keep the hosted-email password in a group of its own in particular, since most sites reset passwords by sending a link to your email, so whoever holds that password can take over the rest.

Management of your Passwords
The next obvious question is how to manage all these passwords. There is an article on support.mozilla.org about this very subject called Remembering passwords. You can use Firefox’s password manager to store your new passwords, and Firefox Sync to sync them securely between your devices. Set a master password in Firefox as well; without one, the saved passwords are readable by anyone who gets at your profile directory.
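As an added example (not part of the original post, and not Mozilla code), here is a small Python audit that takes rows like those a password-manager export would contain (hostname, username, password) and reports any password reused across the groups suggested above, ranking each finding by the most sensitive group a single leak would reach. The export rows, hostnames and the hostname-to-group mapping are constructed for the example; a real audit would use your own export and your own classification of sites.

```python
import hashlib
from collections import defaultdict

# Hostname -> group. The groups are the ones suggested in the post; the
# hostnames and their assignment are constructed for this example, and a
# real audit would use the reader's own mapping. Unknown hosts are "other".
GROUP_OF = {
    "twitter.com": "social",
    "facebook.com": "social",
    "mail.example.com": "email",
    "intranet.corp.example": "work",
    "bank.example.com": "banking",
    "shop.example.net": "other",
}

# Most to least sensitive, used to rank what a single leak would expose.
# Email ranks above work here because most sites reset passwords by email.
SENSITIVITY = ["banking", "email", "work", "social", "other"]

# Constructed export rows (hostname, username, password); not real accounts.
SAMPLE_EXPORT = [
    ("twitter.com", "alice", "Summer2010!"),
    ("facebook.com", "alice", "Summer2010!"),
    ("mail.example.com", "alice@mail.example.com", "Summer2010!"),
    ("intranet.corp.example", "alice", "Summer2010!"),
    ("bank.example.com", "alice", "Summer2010!"),
    ("shop.example.net", "alice", "k3FzP-92xQ-vLm7"),
]


def group_for(hostname):
    """Classify a hostname; anything not in GROUP_OF is treated as 'other'."""
    return GROUP_OF.get(hostname, "other")


def fingerprint(password):
    """Short SHA-256 prefix so the report can name a password without printing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


def find_reuse(rows):
    """Map each password used on more than one site to the sorted list of those sites."""
    sites_by_password = defaultdict(set)
    for hostname, _username, password in rows:
        sites_by_password[password].add(hostname)
    return {pw: sorted(hosts) for pw, hosts in sites_by_password.items() if len(hosts) > 1}


def most_sensitive(groups):
    """Return the most sensitive group present, per SENSITIVITY order; unknown groups rank last."""
    return min(groups, key=lambda g: SENSITIVITY.index(g) if g in SENSITIVITY else len(SENSITIVITY))


def cross_group_exposure(rows):
    """For each reused password, the groups it spans and the worst group a leak reaches.

    A password shared between a social site and a bank means a leak at the
    social site is also a leak of the bank login; grouping exists to prevent that.
    Reuse inside a single group is still reuse, but is not reported here.
    """
    exposure = {}
    for password, hosts in find_reuse(rows).items():
        groups = sorted({group_for(h) for h in hosts})
        if len(groups) > 1:
            exposure[password] = {"groups": groups, "worst": most_sensitive(groups)}
    return exposure


def report(rows):
    """Human-readable findings, keyed by fingerprint rather than the password itself."""
    reuse = find_reuse(rows)
    exposure = cross_group_exposure(rows)
    lines = []
    for password, hosts in sorted(reuse.items(), key=lambda kv: -len(kv[1])):
        where = ", ".join(hosts)
        finding = exposure.get(password)
        if finding:
            lines.append(f"[{fingerprint(password)}] reused on {len(hosts)} sites across "
                         f"{'/'.join(finding['groups'])}; a leak reaches {finding['worst']}: {where}")
        else:
            lines.append(f"[{fingerprint(password)}] reused on {len(hosts)} sites in one group: {where}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

Run against the constructed rows, the audit flags one password shared by five sites spanning banking, email, social and work, which is exactly the situation the groups are meant to rule out; the unique shop password produces no finding. The report names passwords by a hash prefix so the output can be pasted somewhere without leaking the passwords themselves.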

So now you are out of excuses and you can be more secure.

Chris Lyon
Director of Infrastructure Security

Comments
  1. I recognise that I should use a different password per site, but I don’t. The main reason is because it would be impossible for me to remember all of the passwords. While I can use a tool like Firefox’s Password Manager (along with Sync) or 1Password, that’s not going to help me if I want to log in to one of these sites away from my computers. I suppose I could keep an encrypted file of all of my passwords on my server, and if I ever need to log in to one of these sites when I am away somewhere, I can hope that I have access to an ssh client and go and look it up. Still a bit inconvenient, though.

    For those of you who use password managers to remember all of their site-specific passwords: how do you deal with this situation? A smartphone app that allows me access to my password store?

    • I changed to using per-site passwords a while ago now, and it does give me comfort; it is only made possible by Firefox’s Password Manager and Firefox Sync.

      I keep a list of all my passwords in a txt file, which is really insecure; a trojan horse, or my laptop being stolen, could easily undermine the whole initiative. So I was wondering if there’s a way to use gnupg to encrypt the txt file, and then when I edit it (say to add another password) it’ll just encrypt the same file again. I’ve found you can do this with gnupg quite easily, but it means you have to keep making a new encrypted file, rather than updating the existing one.

      Thanks.

    • Chris Lyon says:

      @Cameron We do have apps for smartphones: Fennec for Android and Firefox Home for the iPhone. These will all sync between your desktop and your smartphones.

      • I have an iPhone. Is there a way I can get Firefox Home to show me the password I use for a given site (I’m guessing not)? It’s not always the case that I have Internet connectivity on my phone, for example (and especially!) if I’m overseas.

        Or I might be at a friend’s house and want to use their computer to log in to a site. If they’ve got Firefox, I guess I could create a new profile and associate it with my Sync account, then delete the profile afterwards. If I could get Firefox Home on my phone to show me the password to use, I wouldn’t need to bother with the profile creation.

      • Chris Lyon says:

        @Cameron I don’t know the answer about the iPhone client, as I don’t have an iPhone. As for a friend’s house, I am pretty sure they are working on that feature.

      • What might be neat is if Firefox had a feature (kind of like private browsing) where you could start a new session using your Sync account. Then you wouldn’t need to create & delete the profile. When you finish the “personal browsing session”, the sync connection would be forgotten.

  2. Michael says:

    Think I’m in the same position as Cameron McCormark. Firefox Sync is fine for what it does, but it doesn’t help when I’m not using one of my “devices”, but someone else’s device. Which is the case all of the time when I’m at work.

    LastPass ( http://lastpass.com/ ) seems to be an option that gets recommended – as well as syncing passwords it also has browser-based access with various additional security measures to reduce the risk of your passwords getting stolen in the process. It’s still much more cumbersome than actually knowing your passwords.

    • I have over 300 passwords that I use with LastPass. LastPass has an advantage beyond something like Firefox Sync in that it is not tied to a particular browser. I can also access my LastPass data on other systems without needing any LastPass plugins installed. Should the LastPass company ever disappear, they have also been very transparent in how the data is encrypted, so conceivably you could write your own client to decrypt or encrypt the data.

      I do definitely like that things like Firefox Sync are being offered nowadays by Mozilla, Ubuntu, and Google. However, such solutions tie you into using a particular browser, and that’s not very cool.

  3. Jane Finette says:

    Chris, last year we began the Mozilla Consumer Education project working on researching and learning about what new topics are of most interest to ordinary web users, and furthermore what types/formats of information best resonate with this audience. One was specifically around “passwords” – take a look at my blog post here: http://janefinette.com/post/1675391804/consumer-education-at-mozilla

    Richard Milewski wrote and published this information surrounding the creation and use of safe passwords. He broke it down into three areas:

    Part 1: covers common mistakes that lead to insecure passwords,
    Part 2: shows how to use memorable phrases to make secure easy-to remember passwords,
    Part 3: has ways to get your browser to help manage your passwords, and sync them between your browsers on different machines and mobile devices.

    There’s also a fun video! You can see a full overview at his blog here: http://richard.milewski.org/archives/734
