Working on LastPass.com for the last few months has given me the chance to ask quite a few people about their current password habits. It’s been eye-opening to hear just how many people use the exact same password for every application they use, either not recognizing the risk they’re facing or not caring about it.
The people who do recognize the risk typically ‘tier’ their passwords: a strong password for the sites they care about most, and a weaker password for the ones they care about less.
Both of these approaches are flawed, because some companies are radically better at authenticating users than others. The most secure companies (like LastPass) use https (an encrypted channel), create a one-way hash of your password on the client side (so your password itself never leaves your computer), and then salt and hash that value again before storing it.
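As an added illustration of the two-stage scheme just described (example code, not LastPass’s implementation and not from the original post): the client hashes the password before it leaves the machine, and the server salts and hashes that value again before storing it. Using the e-mail address as the client-side salt and the iteration counts are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example; iteration counts are assumptions, not LastPass's values.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def client_side_hash(email: str, password: str) -> bytes:
    """Runs on the user's machine. PBKDF2-HMAC-SHA256 with the lower-cased
    e-mail as salt (an assumption), so the raw password is never transmitted."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), email.lower().encode(), CLIENT_ITERATIONS
    )


def server_store(auth_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """Runs on the server. Adds a random per-user salt and hashes again, so a
    leaked database does not expose the value the client actually sends."""
    salt = salt or os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Recompute the server-side hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def register(users: dict, email: str, password: str) -> None:
    """Client derives the auth hash; server stores only its salted re-hash."""
    users[email.lower()] = server_store(client_side_hash(email, password))


def login(users: dict, email: str, password: str) -> bool:
    """Same client-side derivation, then server-side verification."""
    record = users.get(email.lower())
    if record is None:
        return False
    return server_verify(record, client_side_hash(email, password))
```

Because the server-side salt is random per user, two users with the same password end up with different stored hashes, and the server never sees the password itself.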
Unfortunately, almost no companies are that careful. Many let you send your password to them over an unencrypted channel, then store your exact password unencrypted in their databases. They will even send that password back to you over email (which is also insecure), meaning there are at least 6 distinct ways your password could fall into a nefarious person’s hands for just that one site: sniffed over the network between you and the company, taken by an employee at the company, sniffed over the network between the company and your email provider, sniffed over the network between the email provider and you, taken by an employee at your email provider, or read from the unencrypted copy sitting in your email client.
Handling passwords the right way isn’t hard if you have password management software that creates and remembers strong, unique passwords for you.