On Passwords and Privacy

The popular Gawker/Lifehacker network was hacked this week, compromising tens of thousands of passwords.  This news provides an excuse for a couple of paragraphs of boastful geekery in the fascinating area of password management.
I spend a lot of my day roaming the Internet and the various services it has to offer, both for work and personal matters. In many cases, I operate an organisational and personal account (for example, @englishpen and @robertsharp59 on Twitter).  Logging in and out of the various accounts can be a drag, but I’ve recently started using the Sxipper password management tool for Firefox.  Browsers already have the capacity to remember your passwrods of course, but usually only one-per-site.  Sxipper stores all the possible options and let’s me choose.  A Godsend.
This transition has allowed me to become a little more rigourous in managing personal privacy.  Prompted by this salutary tale from Cory Doctorow, I decided that I would create unique passwords for new websites I sign-up for.

I carefully tapped in my password, clicked the login button, and then felt my stomach do a slow flip-flop as I saw the URL that my browser was contacting with the login info: http://twitter.scamsite.com … And that’s when I realized that I’d been phished. And it was bad. Because I’d signed up for Twitter years ago, when Ev Williams, Twitter’s co-founder sent me an invite to the initial beta. I’d used a password that I used for all kinds of sites, back before I started strictly using long, random strings that I couldn’t remember for passwords.  …  What’s more, Twitter isn’t the only place where I used my “low-security” password that has turned into a high-security context, which means that hijackers could conceivably break into lots of interesting places with that information.

The recent Gawker breach only reinforces Cory’s advice to use a different password for each site.  Back in the day, before my laptop was stolen, I would use the same password for all websites, as (I guess) most people continue to do.  It was only after the theft that I began to diversify, and only in recent months I have gone the whole random hog and started to use opaque strings. To do this with ease, I have bookmarked PC Tools Random Password Generator.
JR Rapael at the PC World blog has an interesting article on all this: Gawker Hack Exposes Ridiculous Password Habits.  Apparently “12345” is the most common password, followed closely by “password”, obviously.  If those combinations feel a little too close to home, it would be wise to make some changes to your own online life, ASAP.

2 Replies to “On Passwords and Privacy”

  1. From a close to home non geeker and someone who has no time just at the moment to visit the required site – how on earth do you remember long random strings? and if it is stored somewhere is that not a danger initself K xxxx

  2. If you have Sxipper, that solves half the problem because it remembers your logins for most sites.I turn Sxipper OFF for financial sites like my internet banking. I have to remember the passwords in my head.For the others, I do maintain a spreadsheet with a note of the passwords. This sheet is itself password protected. This is not a military grade encryption, obviously, but is secure enough for my purposes.On the sites themselves, I leave the minimum amount of info possible, so if a) any given site is hacked or b) for some bizarre reason my list of passwords is compromised, then the loss to my identity would be minimal.As my previous blog post (about privacy and security and Wikileaks) said, much of one's privacy is tied up in making details hard enough to come by, that potential theives find the flame is not worth the candle. My regime does (I think) achieve this. Giving yourself 'password' or '12345' as a password does not!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.