Talking to lawyers about passwords is a bit boring. It’s a tired topic that even I’ve probably written about too much. At a session last weekend, a lawyer came up afterwards and asked, “Why would I want to put all my passwords in a password manager? Isn’t that an easier target?” It’s a good question that I don’t think I’ve talked about yet.
The answer is no.
- Whether you create your own passwords (using a site like Wolfram Alpha or other security sites) or have a password manager generate each one, you need to keep track of them. You have two choices. One is to write them all down and keep the paper with you. The other is to use software as a password manager. Eventually biometrics and USB keys may be added but they aren’t nearly universal yet. For what it’s worth, I don’t think it’s worth the effort to try to manually create your own strong passwords.
- You can’t memorize the 18–20 passwords most people have. If you’re like me, you have well beyond the average number. To be able to memorize them, you would need to re-use them rather than have a unique password for each site.
Re-using a password creates a weak link, in which the exposure of one password can lead to access to multiple accounts. Sure, it’s okay to reuse a throwaway password on throwaway accounts (like the comments page on a media web site) but never on one that contains client confidential information.
- If you aren’t going to write them all down, or if you want a quick way to access and use them, a password manager is the way to go. You can make one memorable password for this account. Most password managers that I’m aware of, whether online or offline (I prefer an open source product called KeePass; EFF likes KeePassX), wrap your passwords with encryption. So, yes, on the one hand, they are a single point of attack. On the other, they’re protected against attack.
I prefer the offline option because, if there is a target, it’s now limited to my device. An online password manager service makes a healthy target. No system is entirely safe, but this is one time where I feel better with the file off the Internet. I also turn on two-factor authentication, where it’s available, to make password changes without my approval that much harder.
So back to the question. As with many things related to technology and productivity, it’s a question of balancing risk. If you don’t use a password manager, then you need a good way to manage your passwords so that you are able to create strong, unique passwords for each site. If you aren’t putting them on paper, a password manager is the most sensible software to put them in.