In the course of my daily computing activities I have to remember hundreds of username and password combinations. Literally. Just at work there are two (yes two!) timesheet applications, then there’s my corporate domain credentials, remote access, mobile phone billing portal, etc., each with their own username and password complexity/expiry policies; then there are all the systems at home; and finally the plethora of websites at which I have an account.
There are those who say that writing down credentials is a bad idea, whilst others say that using a single username and password combination is bad practice. These people are absolutely correct: once compromised, an attacker has access to all the systems that use those credentials. But we also need to be pragmatic: how can any user seriously be expected to remember all the usernames and passwords for the multitude of systems that they access? Indeed, many of the credentials I use are stored in my browser’s password manager. I haven’t a clue what my password is; I just open up the page and let my browser auto-complete the fields for me.
If we cast our minds back a few years to the launch of the Microsoft .NET Framework, Passport.net was supposed to take away a lot of the hassle of web service authentication, and we all know what a failure Passport was (outside Microsoft): people just didn’t want Microsoft holding the keys to all their systems. InfoCard could well succeed where Passport failed, but I have an identity crisis right here, right now!
One of the systems that I access regularly was recently moved to a new server, hence to a new URL, and so the stored username and password didn’t work for me. This is where one of the handy system utilities that I wrote about a while back came in useful: I went to the old URL for the application, let the browser auto-complete the details, and NirSoft AsterWin IE was able to scan for the stored password, which I could then manually enter at the new site.
Of course, this advice comes with all the usual caveats about using third-party applications to probe for security details… I haven’t checked for any unwanted side effects of using this application, and you have been warned!
So, you’re not pinning your hopes on OpenID then?
As I understand it, CardSpace/InfoCard is Microsoft’s implementation of OpenID – it is based on WS-* web services – other operating system vendors (e.g. Apple and Red Hat) are working on comparable (and compatible) solutions and the open source identity selector (OSIS) consortium has been formed to address the technology.
The trouble is, that my problem is right here, in April 2007, not whenever everybody gets around to enabling their applications for OpenID. If that ever happens, it will be great.
I highly recommend KeePass Password Safe, the free, open-source, light-weight and easy-to-use password manager:
* Strong Security
* Auto-Type, Global Auto-Type Hot Key and Drag&Drop
* Intuitive and Secure Windows Clipboard Handling
* Searching and Sorting
* Strong Random Password Generator
http://keepass.sourceforge.net/
My favourite password tip is to construct credentials using a set of rules, say:
username: (if you get to choose) first 3 letters of the app / domain name, followed by a consistent four-character string
password:
first 3 letters of the app / domain name, CAP, lc, CAP
followed by 3 consistent numerical digits
a consistent non-standard character
and then a consistent 3-character string
If you interchange the numerical string and the character string it makes your rule less obvious, and it means that if you mess up the order you can try again within your typical 3 tries, also omitting the non-standard character on your last go.
So credentials for this blog could be
user: marsala
password: MaR197!riA
Can’t claim credit for this idea, but can’t remember the source either.
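The rule-based scheme in the comment above, written out as code so the derivation is explicit. This is an added example by the editor, not code from the commenter or the blog; the site names (`markblog.example`, `github.com`) and the constant parts (`sala`, `197`, `!`, `riA`) are assumptions chosen so the output matches the comment’s own sample, and the constructed “leaked password” shows the check a practitioner would want: because everything after the first three characters is constant across sites, one observed password lets anyone predict the password for every other site.

```python
# Added example (editor's own, not the commenter's code): the rule-based
# credential scheme from the comment above, made explicit.
# Site names and the constant parts are constructed assumptions.


def site_stem(site: str) -> str:
    """First three letters of the app / domain name, cased CAP, lc, CAP."""
    letters = [c for c in site if c.isalpha()][:3]
    if len(letters) < 3:
        raise ValueError("site name needs at least three letters")
    a, b, c = letters
    return a.upper() + b.lower() + c.upper()


def derive_username(site: str, tail: str = "sala") -> str:
    """Username rule: 3-letter stem (lower case) + a consistent 4-char string."""
    return site_stem(site).lower() + tail


def derive_password(site: str, digits: str = "197", symbol: str = "!",
                    tail: str = "riA") -> str:
    """Password rule: stem + 3 digits + non-standard character + 3-char string."""
    return site_stem(site) + digits + symbol + tail


def password_tries(site: str, digits: str = "197", symbol: str = "!",
                   tail: str = "riA") -> list:
    """The 'three tries' the comment describes: canonical order, digits and
    character string interchanged, and finally the symbol omitted."""
    stem = site_stem(site)
    return [
        stem + digits + symbol + tail,   # try 1: as the rule states
        stem + tail + symbol + digits,   # try 2: numeric and character strings swapped
        stem + digits + tail,            # try 3: non-standard character omitted
    ]


def predict_from_leak(leaked_password: str, other_site: str) -> str:
    """The weakness of the scheme: only the first 3 characters vary per site,
    so a password leaked from one site reveals the constant suffix and hence
    the password for any other site."""
    constant_part = leaked_password[3:]
    return site_stem(other_site) + constant_part


if __name__ == "__main__":
    site = "markblog.example"          # constructed stand-in for "this blog"
    print("username:", derive_username(site))
    print("password:", derive_password(site))
    print("tries:   ", password_tries(site))
    # Constructed scenario: the blog's password is observed by an attacker.
    leaked = derive_password(site)
    print("predicted github.com password:", predict_from_leak(leaked, "github.com"))
```

`derive_password("markblog.example")` reproduces the comment’s `MaR197!riA`; `predict_from_leak` then shows that the same leaked value yields `GiT197!riA` for github.com without knowing the rule in advance, which is the reason a password manager such as the one recommended above is the safer choice.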