How people deal with password overload today

Working on for the last few months has given me the chance to ask quite a few people about their current password habits. It has been eye-opening to hear how many people use the exact same password for every application they use, without recognizing, or caring about, the risk they are taking.

The people who do recognize the risk typically ‘tier’ their passwords: a strong password for the sites they care about most, and a weaker one for the sites they care about less.

Both approaches are flawed because some companies are radically better at authenticating users than others. The most careful ones (like LastPass) use HTTPS (an encrypted connection), create a one-way hash of your password on the client side (so the password itself never leaves your computer), and then salt and hash that value again before storing it.
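The layered scheme just described, as an added example rather than LastPass's own code: the client derives a one-way value from the password before anything is sent, and the server stores only a fresh random salt plus a second hash of that value. The iteration counts, the use of the username as the client-side salt, and the sample credentials are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Illustrative work factors; a real deployment would tune these upward.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def client_side_hash(username: str, password: str) -> bytes:
    """What the client sends instead of the raw password.

    The (case-folded) username acts as a per-user salt, so two users with the
    same password do not produce the same client-side value.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), username.lower().encode(), CLIENT_ITERATIONS
    )


def server_enroll(client_hash: bytes) -> dict:
    """Store a random salt and a salted hash of the client hash, never the client hash itself."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ITERATIONS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, client_hash: bytes) -> bool:
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_hash, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def login(record: dict, username: str, password: str) -> bool:
    """Full round trip: client derives the hash, server checks it."""
    return server_verify(record, client_side_hash(username, password))


def demo() -> dict:
    # Constructed sample credentials.
    user, pw = "alice@example.com", "correct horse battery staple"
    record = server_enroll(client_side_hash(user, pw))
    return {
        "right_password": login(record, user, pw),
        "wrong_password": login(record, user, "Tr0ub4dor&3"),
        # A stolen database record cannot simply be replayed as the login credential.
        "replay_stored_hash": server_verify(record, record["hash"]),
        # The raw password appears nowhere in what the server keeps.
        "raw_password_not_in_record": pw.encode() not in record["salt"] + record["hash"],
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

One caveat worth keeping in mind: the client-side hash is itself the secret that travels over the wire, so it still has to be protected in transit. That is why the HTTPS step in the paragraph is not optional; the server-side salt and second hash protect the stored record, not the connection.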

Unfortunately, almost no companies are that careful. Many let you send your password over an unencrypted channel, then store it in plain text in their databases. Some will even send that password back to you by email (which is also insecure), which means there are at least 6 distinct ways your password could fall into a nefarious person’s hands for just that one site: sniffed over the network on the way to the company, taken by an employee at the company, sniffed between the company and your email provider, sniffed between the email provider and you, taken by an employee at your email provider, or read from the unencrypted copy sitting in your email client.

Handling passwords the right way isn’t hard if you have password management software that will create and remember strong passwords for you.
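To make the two points concrete, here is an added example (not LastPass code) that does what a password manager does on your behalf: it generates passwords from the operating system's random source, and it audits a vault to show how many other accounts fall if one site's password leaks. The sample vault, its site names and its passwords are constructed for the example.

```python
import math
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20) -> str:
    """Uniformly random password from a CSPRNG; each character adds log2(94) bits."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Entropy of a generate_password() output of the given length."""
    return length * math.log2(len(ALPHABET))


def reuse_report(vault: dict) -> dict:
    """For each site, how many *other* accounts share its password.

    This is the 'blast radius' of that one site being breached: a reused
    password turns a single leak into a compromise of every site that uses it.
    """
    counts = Counter(vault.values())
    return {site: counts[pw] - 1 for site, pw in vault.items()}


def worst_blast_radius(vault: dict) -> int:
    return max(reuse_report(vault).values())


def migrate_to_unique(vault: dict, length: int = 20) -> dict:
    """Replace every password with a freshly generated, site-specific one."""
    return {site: generate_password(length) for site in vault}


# Constructed sample vault: a two-tier scheme (one 'important' password, one
# 'throwaway' password), exactly the habit the post describes.
SAMPLE_VAULT = {
    "bank.example": "Hunter2!Bank",
    "mail.example": "Hunter2!Bank",
    "forum.example": "hunter2",
    "shop.example": "hunter2",
    "blog.example": "hunter2",
}

if __name__ == "__main__":
    print("before:", reuse_report(SAMPLE_VAULT))
    unique = migrate_to_unique(SAMPLE_VAULT)
    print("after: ", reuse_report(unique))
    print(f"entropy of a 20-char password: {entropy_bits(20):.1f} bits")
```

The audit is the part a tiered scheme hides from you: in the sample vault a breach of the forum exposes two more accounts, and a breach of the bank exposes the mailbox that every password reset flows through. After migration every site's blast radius is zero, which is the property Joe's comment below relies on.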


  • Aster says:

    Joe: Ah, I see what you mean. Thanks for the reply. Now if somehow you could write software that would help keep passwords secure on all those mom and pop websites that don’t use encryption…you would be set for life! ;P

  • Joe Siegrist says:

    Aster – The assumption I made that makes LastPass safer in those other scenarios is that you use the strong passwords that LastPass creates for you. If you’re having LastPass create a good password for each site, the amount stolen by the other paths is limited to just that 1 site. It’s of no use anywhere else…

    It’s a change of behavior which is always difficult, but with LastPass generating and remembering for you it becomes far more feasible.

    If you are already using a unique password for each site you’re in the extreme minority, but I commend you.

  • Aster says:

    I’m really interested in LastPass as a timesaver, but I have to ask…how much do you really think that LastPass will prevent password theft? I can see how it will help in some ways: it’ll defeat keyloggers (with the onscreen keyboard) and sniffer programs that’ll look for unencrypted passwords on my computer. I might be missing something, but won’t LastPass only really help with one of the six pathways to password theft that you mention?

    For someone like me who’s behind a firewall and hasn’t had a problem with spyware or viruses for…something like 4 years? How will LastPass keep me safer?