The news of the password breach at LinkedIn
connects to my pursuit of cloud and security topics this week at HP Discover.
If your password was compromised at LinkedIn, that's bad
news. It's worse news if you use that same password for lots of stuff. Your
other accounts could be compromised too.
Some would argue that a password manager solves the problem,
because it lets you have different passwords everywhere. If your LinkedIn
password is compromised, a password manager contains the impact to LinkedIn. All
you have to remember is a single master password. One password that grants
access to all your accounts? Hmmm. Sure, the actual login password
varies from site to site, but if your master password is compromised, they're
all compromised. One Password to rule them all, One Password to find them, One Password
to bring them all and in the darkness bind them.
Of course, you can make that one master password as long and
complex as you can remember. Oops, there's that memory thing again. A
fundamental problem with any password is that password crackers ride the Moore's
wave (doubling in power every couple of years), but as a species we're not
getting any better at remembering passwords. As individuals we get worse over
time, thanks to age-related memory impairment
(if I remember correctly). A weak master password is easier to break, and a
strong master password is easier to forget.
There's also the question of where your password manager stores its data. You're paralyzed if it's not available. If the app and its data are
on your laptop or your smartphone, you're out of luck if you don't have your
device with you or the battery has died. You're in worse shape if your device
is toast or lost and you don't have a backup.
Is there a cloud answer? A cloud-based password manager is certainly
tempting. But what does the provider do to protect and preserve your data? Are
you paralyzed if the cloud provider is not currently available? What if the
provider goes out of business? Does it really work with the full range of
devices you might find yourself using? These are the kinds of questions that sessions here at HP Discover encourage people to ask about their cloud providers.
My current answer to the password dilemma is a secure password manager that
lets you work safely from any device you might use, and that also lets you keep
both local and cloud copies. I made myself memorize a long, hairy master password, randomly generated at passwordcard.org. But I'm still officially nervous at having one master password that grants access to lots of stuff.