Dancho Danchev writes on ZDNET: Survey: 60 percent of users use the same password across more than one of their online accounts: “How often do you change your password? Do you share your passwords with family members, and how confident are you that malicious attackers wouldn’t be able to guess your password? According to newly published survey results, 60 percent of users use the same password across more than one of their online accounts.”
You have to weigh the pros and cons of strong versus weak passwords carefully, then apply them intelligently, according to what each site actually protects (I know, too damn difficult).
1. All the sites, like ZDNET, which require a login just to keep track of users and to control trolling and spam to a certain extent, should be content with weak passwords. I use the same password for all, when possible. The one caveat: a password shared across this tier is only as safe as the least careful site storing it, so the string used here must never be the one used at a higher tier.
2. All sites which involve a certain level of confidentiality or involve financial transactions should require strong passwords, with a minimum number of characters and, ideally, a different password per site.
3. All sites requiring maximum security, like highly confidential and e-banking sites, should employ high-level security: one-time code lists, calculator-like code generators or, better, dongles capable of providing a highly secure VPN connection between the remote user’s computer and the site. Authentication at the dongle level is still a weak spot, but it only comes into play if the dongle, the card it employs and the user’s credentials are all stolen at the same time. That can happen, but with a bit of precaution it is relatively unlikely.
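The “calculator-like code generators” in point 3 are usually counter-based one-time password tokens (HOTP, RFC 4226): the token and the server share a secret and a counter, each press of the button yields a new six-digit code, and the server accepts a code only once and only within a small look-ahead window. The example below is added here to show that mechanism in working code; it is not code from the original post. It uses the 20-byte test secret published in RFC 4226 as its shared secret, and the `HotpVerifier` class and its `window` parameter are my own illustrative names.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Generate an RFC 4226 HOTP code for the given shared secret and counter."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()  # HMAC-SHA-1 over the counter
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side of the exchange (illustrative name, not from the post).

    Tracks the next expected counter for one user. A code is accepted if it
    matches any of the next `window` counters (the user may have pressed the
    button a few times without logging in); on success the counter jumps past
    the used value, so the same code can never be replayed.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.counter = 0  # next counter value the server is willing to accept

    def verify(self, code: str) -> bool:
        for i in range(self.window):
            candidate = self.counter + i
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1
                return True
        return False


# Shared secret: the test vector secret from RFC 4226, used here as sample input.
SECRET = b"12345678901234567890"


def demo() -> list:
    """Walk through token presses and server checks; returns the accept/reject log."""
    server = HotpVerifier(SECRET)
    log = []
    codes = [hotp(SECRET, c) for c in range(4)]  # token pressed four times
    log.append(("code for counter 2", server.verify(codes[2])))  # in window: accepted
    log.append(("replay of counter 2", server.verify(codes[2])))  # already used: rejected
    log.append(("old code for counter 1", server.verify(codes[1])))  # behind counter: rejected
    log.append(("code for counter 3", server.verify(codes[3])))  # next expected: accepted
    return log


if __name__ == "__main__":
    for label, accepted in demo():
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
```

The look-ahead window is the practical compromise the post argues for at the top tier: it tolerates a few wasted button presses without re-synchronisation, while a stolen or shoulder-surfed code is worthless after its single use. Paper code lists work the same way with the list index as the counter.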
Compelling users to use very complex passwords and to change them frequently, when top-level security is not required, is pure idiocy: it is guaranteed that the user will NOT remember the password, which means that he or she will write it down somewhere, instantly exposing the whole system. Taking a leaf out of Unix administration, where you log in with administrative privileges only when you need them, it is better to find a compromise: provide a real barrier around highly sensitive information, and leave the less sensitive information in an area accessible for everyday use with an acceptable combination of security and user-friendliness.
Employers can make our lives a misery by imposing excessive security requirements, but that’s what we get paid for, and all we can do is harass IT whenever we forget our password – which I did regularly. Commercial sites, however, would lose customers if they harassed them too much over security.
On a practical level, I would welcome a password manager which could work on all the platforms I use every day and keep all the entries in sync: iMac, MacBook Pro, iPad, iPhone and, occasionally, Windows or Linux PCs. But I haven’t found one yet, so I use the same password on all the sites up to a certain level of security. I am not a genius; I can’t store hundreds of very complex, frequently changing passwords in my memory – and I don’t think many people can.