For safety, I never use the same exact password unless it’s the very generic one for services that I don’t care about at all; any service that really keeps information about me, like Amazon and various other hardware (and software) suppliers, has a different password each. I try to stick, whenever I can, with the same username; although sometimes I’m provided a username already (and sometimes they use my surname, including the accented “ò” letter that ensures funny stuff will happen).
Now, with so many different passwords, it’s almost logical that at some point I’ll forget one; I actually make use of the save password feature in the various OSs/browsers to remember the password for me (on the other hand, I do change some passwords periodically). Sometimes though, when I reset Firefox, change computer, or simply use a new box, I find myself in small trouble since I can’t remember what password I was using on a given site.
This is usually not too bad since almost all sites nowadays provide a “Lost Password” feature. The problem is that such a feature is, often enough, implemented badly in so many ways:
- don’t send me my old password! If you’re able to send me my old password, then you’re already at two failure points: the first is that you have my password saved in clear text in your database (which is bad because if your database is compromised, your users’ passwords are readable), the second is that you sent me an email, most likely through clear-text channels, with the password in clear text;
- don’t just change my password! What if somebody else was asking for my password to be changed just to waste my time? Send me a token to change the password, please;
- don’t just send me a permanent new password! Even though I’m smart enough to change it right away, make the password a one-time temporary password that requires me to change it right away, pretty please; this way nobody could find it in my mail archive by mistake (the stolen-laptop kind of problem).
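The three points above describe one reset flow: the service stores only a password hash (so it cannot mail the old password back), a reset request leaves the current password untouched and issues a token, and the token is single-use and short-lived, so a copy sitting in a mail archive later is worthless. The following is an added example of that flow, not code from the original post: it uses an in-memory dictionary as the user store, PBKDF2 with 200,000 iterations for password hashing, a 15-minute token lifetime, and a constructed user “alice”; all of those are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed parameters for this example; a real service would tune them.
PBKDF2_ITERATIONS = 200_000
TOKEN_TTL_SECONDS = 15 * 60  # reset tokens expire quickly


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the digest is stored, so the service
    never holds the clear-text password and cannot 'send the old one'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    username: str
    salt: bytes
    digest: bytes
    reset_token_hash: Optional[bytes] = None  # sha256 of the outstanding token
    reset_expires_at: float = 0.0


# Constructed in-memory "database" standing in for a real user table.
USERS: Dict[str, User] = {}


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = User(username, salt, digest)


def login(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and verify_password(password, user.salt, user.digest)


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a reset token without touching the current password, so a
    stranger requesting a reset cannot lock the real owner out. The
    returned token goes into the e-mail; only its hash is stored."""
    user = USERS.get(username)
    if user is None:
        return None  # the web layer should still answer "check your mail"
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = hashlib.sha256(token.encode()).digest()
    user.reset_expires_at = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
    return token


def complete_reset(username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Consume the token and set the password the user chose. The token is
    invalidated whether it succeeded or expired, so it cannot be replayed."""
    user = USERS.get(username)
    if user is None or user.reset_token_hash is None:
        return False
    if (time.time() if now is None else now) > user.reset_expires_at:
        user.reset_token_hash = None  # expired tokens are discarded
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, user.reset_token_hash):
        return False
    user.salt, user.digest = hash_password(new_password)
    user.reset_token_hash = None  # single use
    user.reset_expires_at = 0.0
    return True


if __name__ == "__main__":
    register("alice", "correct horse")
    token = request_reset("alice")
    print("reset requested, old password still works:", login("alice", "correct horse"))
    print("reset completed:", complete_reset("alice", token, "battery staple"))
    print("token replay accepted:", complete_reset("alice", token, "again"))
```

The token is never written to the store in the clear, so a database dump gives an attacker neither passwords nor usable reset links, and the constant-time comparisons keep the token check from leaking bytes through timing.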
While I’m not the kind of paranoid person who would continuously use one-time passwords (well, without considering the banking account), I’m paranoid enough to be doubtful when a service does not provide SSL-based login (okay, even my own blog does not do that, but in general I mean for important stuff), and I seriously get scared when a service that remembers – for instance – my credit card sends me an email with my password in clear text. Which is why I use different passwords in the first place.
I learnt this the hard way, actually: the ASP web application used for the forum of an ancient gaming site I was involved in stored the passwords in clear text, in an Access database file that was readable via HTTP if you knew the path, so it got hacked quite easily (I only started administering that box after this happened), and I was using the same password for lots of services.
I definitely see these issues as well. At least there is a password, even if anybody can find it out. I’ve seen situations like the mailroom at my school where someone can just ask for the contents of some mailbox and the person working will give it to them. There’s no check that the person even goes to the school.
KeepassX has solved many of such problems for me. With it, I keep all sensitive data in a cryptoprotected database and creating a new “site card” (site, username, pass, comment, etc.) is a snap. Better yet, the program has password generation (with seed input) with defined parameters (num chars etc.) and copying it from card to desired form requires just a few clicks. With it, I have no problem with password keeping, repetitive and weak passwords etc. I definitely recommend it.