A Public Service Announcement on Passwords

Here’s a few things you need to know about me first:

1) I listened to IT when they told me not to write down my passwords anywhere. Because you never know who’s going to walk by, find it on your desk, and break into the network.

1a) I apply that same logic to my personal passwords. Because I never know who’s going to come into my home, find that slip of paper, and… you get the idea.

2) I hesitate to use Password Managers. I find it counter-intuitive to create a whole bunch of passwords and document them in one place, protected by… a password. I’ve seen that Star Trek episode.

3) I don’t have the bandwidth to create and memorize a unique password for every system I sign into. Timely recollection of other data, like my wife’s anniversary, will be jeopardized.

It seems that hackers break into our news cycle at least once a week now, and I am amazed at the sort of high-level systems they can get into. Banks. Government. Gaming systems. All by using dictionary attacks to uncover plain-text passwords in the network. Tsk.

When the news that someone had hacked into Sony’s Xbox came out a few months ago, the alarms that rose in my head weren’t that customers’ credit card data was in peril — no, it was that customers’ email accounts were in jeopardy of similarly being hacked. Why? Well, it turns out that a lot of people don’t like memorizing passwords, so they tend to use the same password for multiple accounts. So the password to one’s email account might be the same as the password to one’s Twitter account.

Consider that connection. If a hacker were to break into your Facebook account, they would then have access to your email login AND your email password. It’s a simple step for hackers to test that out, get in, and generally wreak havoc, given what you use your email for.

So I developed a system utilizing Levels of passwords.

Level 1: Highest security.
Bank accounts, email accounts, anything that retains or has access to significant personal data about me. Each of these accounts should have its own password, but I’ll admit to re-using a few passwords over disparate systems. Because of the nature of the systems they protect, they’re quite complicated, nearly random letters and numbers that may have once been uttered by a one-year-old child trying to describe the joy of strained peas.

Level 2: Moderate security.
This level is reserved for social networking sites and other systems with info greater than my name and email address. I’ve got three passwords that I rotate through these accounts, none of which resemble a Level 1 password at all. I’ll retire a password when I’ve had it for too long, and add a new one to replace it.

Level 3: Low security.
I use this for those sites that I visit for their content, and don’t retain more than my name and email. I pretty much use the same password throughout. I realize that this is where a savvy hacker would strike, where security’s the weakest, to get access to my Chase Online account, where security should be the strongest (I watch Leverage). I simply make certain that there’s minimal — if any — linking these Level 3 accounts to my Level 1 accounts. I’ll come up with a new Level 3 password now and then (even here not allowing them to be regular words), but often find myself at an impasse when I stop by a site that does not recognize the new password and stolidly insists that I never visit, so it has no clue who I am.
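The level system and the Facebook-to-email chain described above can be checked as a reachability audit over an account inventory. The Python below is an added example, not the author's code. Assumptions: the inventory is constructed, password labels stand in for real secrets (equal labels mean a reused password), and "linking" is modelled as an email account being the reset address for other accounts.

```python
from collections import deque

# Constructed inventory: (account, level, password label, recovery account or None).
ACCOUNTS = [
    ("bank",     1, "pw-A", "email"),
    ("email",    1, "pw-B", None),
    ("facebook", 2, "pw-C", "email"),
    ("twitter",  2, "pw-C", "email"),
    ("forum",    3, "pw-D", "email"),
    ("news",     3, "pw-D", "email"),
]

def exposed_by(breached, accounts):
    """Accounts that fall once `breached` is compromised.

    Two ways a compromise spreads: a shared password label, or the
    compromised account being another account's recovery address.
    """
    label_of = {name: label for name, _, label, _ in accounts}
    seen, queue = {breached}, deque([breached])
    while queue:
        current = queue.popleft()
        for name, _, label, recovery in accounts:
            if name in seen:
                continue
            if label == label_of[current] or recovery == current:
                seen.add(name)
                queue.append(name)
    return seen - {breached}

def level_violations(accounts):
    """(breached, exposed) pairs where a weaker level reaches a stronger one."""
    level = {name: lvl for name, lvl, _, _ in accounts}
    return sorted(
        (name, hit)
        for name, lvl, _, _ in accounts
        for hit in exposed_by(name, accounts)
        if level[hit] < lvl  # Level 1 is the strongest tier
    )

if __name__ == "__main__":
    print("tiered inventory:", level_violations(ACCOUNTS))
    # Same inventory, but the email account reuses the Level 3 password.
    weak = [(n, l, "pw-D" if n == "email" else p, r) for n, l, p, r in ACCOUNTS]
    for pair in level_violations(weak):
        print("breach of %s exposes %s" % pair)
```

With the tiers kept separate, a breached Level 3 site exposes only the other Level 3 site; once the email account shares that password, every account that recovers through it is reachable.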

It’s one way of managing our access to all the sites we visit, without putting ourselves at risk or going crazy trying to remember whatever trivial word had popped into our head when we were prompted to create yet another unique ID and password.


One thought on “A Public Service Announcement on Passwords”

  1. […] In a previous post, I shared that I’d created levels of passwords to help protect my information. While this method illustrates how I ensure hackers who get into one account can’t then hack into my email or other accounts, using the information they find in the hacked account, I didn’t delve into how I create strong passwords that a typical dictionary attack cannot bust. […]
