I'm sick of passwords.

 

I want to be secure:

  • Never reuse a password, month-to-month or site-to-site
  • Use a secure, reliable random password generator
  • Change all my passwords each month
  • Don’t write them down on a post-it note on my monitor

 

I want it hassle-free, so I could:

  • Use the same password
  • Never change it
  • Make it the name of my pet/son/wife/mistress

 

Some sites place restrictions on passwords, in an attempt to make them more secure.  If I’m doing a good job of selecting my password, then any restriction is a reduction in entropy in my password, actually making it less secure.

 

I’ve seen restrictions on the max length of the password, which is just the worst.
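
The entropy argument above, in numbers. This is an added example, not part of the original post; it assumes passwords drawn uniformly at random from the 94 printable ASCII characters, and the four-class composition rule and all function names are hypothetical.

```python
import math
import string
from itertools import combinations

# Character classes a typical composition rule refers to (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
ALL_CLASSES = tuple(CLASSES)


def count_passwords(length, required=()):
    """Exact count of length-`length` strings over the full alphabet that
    contain at least one character from every class in `required`."""
    alphabet = sum(len(chars) for chars in CLASSES.values())
    total = 0
    # Inclusion-exclusion over which of the required classes are absent.
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(len(CLASSES[m]) for m in missing)
            total += (-1) ** k * remaining ** length
    return total


def entropy_bits(length, required=()):
    """Entropy of a uniformly random password that satisfies the rule."""
    return math.log2(count_passwords(length, required))


def bits_lost_to_rule(length, required):
    """Entropy removed by a 'must contain one of each class' rule."""
    return entropy_bits(length) - entropy_bits(length, required)


def bits_lost_to_cap(chosen_length, max_length):
    """Entropy removed when a site's maximum length shortens the password."""
    return entropy_bits(chosen_length) - entropy_bits(min(chosen_length, max_length))


if __name__ == "__main__":
    print(f"8 chars, four-class rule: -{bits_lost_to_rule(8, ALL_CLASSES):.2f} bits")
    print(f"20 chars capped to 8:     -{bits_lost_to_cap(20, 8):.2f} bits")
```

For a randomly generated password the composition rule costs about one bit, while the length cap costs roughly 6.5 bits for every character it removes.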

 

I want something that helps me with my MS corpnet password, my bank’s web site, my EverQuest message boards, my ATM PIN, etc.

 

I need something that identifies me uniquely, and securely.  I also want my privacy, so I don’t want two providers to be able to figure out that my identity with one is the same as with the other. 

 

I want computers to help me with this problem.  What can be done?

 

Smart cards: By providing 2-layer security (the card + a pass code), it’s more secure because it’s harder to compromise both at the same time.  Fails the privacy test, as I have one smart card for all providers.

 

Send them all to my Hotmail account: Any time I have a web browser, I have my passwords.  But it’s not secure.

 

Write them down on a piece of paper: Compromised if stolen; lost if washed in the laundry; annoying to type them in; useless if I forget it in my other pair of pants.

 

Carry a Pocket PC: I don’t want to carry another piece of equipment that I must maintain, recharge, repair, replace, etc.

 

I think the PGP Passphrase FAQ is a good read.