modern (online) life requires having lots and lots of accounts. you need user accounts on all of your computing devices, work related accounts, and accounts for numerous internet services and online shops. as each of these accounts requires a username and a password, you will over time necessarily end up with dozens of such username/passwords pairs, and keeping track of them can be a headache.

as it is obviously impossible to remember all of them by heart, you will need some way to manage the passwords. there are actually two aspects to this: one is how to choose good passwords, the other is how to store them safely so that you can a) look them up if you need, but b) minimize the risk of misuse by others.

a strategy which i used myself for a while, and which i am guessing is rather common, is to use ‘reusable’ passwords. the idea is to have a small amount of passwords for different levels of security that could be used for a variety of services each. so maybe you have one password for your e-mail account, and another one for social media that you would reuse across services like facebook, twitter, linkedin etc., and a third one for various online-shops. this approach is obviously convenient from a practical point of view but very bad from a security point of view. if one of your accounts is ever compromised, all the others that share the same password will be too. for example, if twitter gets hacked, you will need to consider not only your twitter account as hacked, but all your social media accounts, and you will have to manually change passwords on all of them. it also means that any one of those services (e.g. a malevolent insider at the company) could access all your other accounts, as they could successfully use the username/password pair which you provided to them on other sites. bottom line: reusing passwords is a bad idea.

another approach that i believe to be rather common is to store passwords in your e-mail account. often when you sign up to a service, the service will mail you the username/password pair as a confirmation. because of this, the users get more or less accustomed to looking for passwords in their mailboxes, and may be tempted to start storing other passwords there by emailing them to their own accounts. this is convenient from a practical point of view as many people are usually logged into their e-mail account throughout the day anyway and the keyword based search function makes it fast and easy to look up passwords. thanks to the convenient search functionality, it is possible to choose unique and strong passwords for each service (instead of reusable easy-to-remember passwords). however, this approach has some severe security problems and i would not recommend it. one problem is that your e-mail password becomes a single point of failure — if it ever gets compromised, all other accounts will be compromised too. second, e-mail is by nature a very insecure communication channel and provides almost no privacy at all. as the latter is really a crucial point, i want to take some time to illustrate why e-mail is as insecure as it is.

imagine a town square full of people. you are standing on one side and you want to communicate with someone at the other end. so you take a sheet of paper, and you write down the name of the recipient as well as your own name on the top of the sheet and the actual message below it. then you give the paper to the person standing next to you. the message will subsequently be passed along between the persons standing on the square, with each person passing it on to one of their neighbors, depending on what seems most likely to lead to an efficient delivery. if there is a congestion somewhere in the network (e.g. because one individual is temporarily unable to pass on messages), the message will be rerouted through an alternative path. eventually, the message will reach the recipient, and they can return their response to you in the same way.

note that this system of message delivery has a couple of important implications with regards to security:

  • it is not predictable which way the message is going to take, as it depends on the state of the network at the time, and it is therefore not possible to know who might have access to it along the way.
  • as there are no envelopes, there is nothing that stops the people who pass along the message from reading it. the messages are being transported in plain text. this means not only that anyone can read the message, but also that neither the sender nor the recipient will be able to tell whether anyone has read it (let alone who read it).
  • a person who is positioning themselves in a good, central spot may gain access to a lot of messages passing through, and could — without anyone ever noticing it — make copies of all them. (in fact, that’s exactly what the NSA is doing).

it becomes very clear from this illustration that e-mail is by definition insecure. the only reasonable conclusion is this: do not send any sensitive information through e-mail!

(note: it is true that there are increasing attempts to encrypt individual sections of the path that an e-mail travels on. however, as of now, there is no way to guarantee that the e-mail will in fact be encrypted all the way between the sender and the receiver. the only exception is if you have proper end-to-end encryption with a strong encryption mechanism, e.g. PGP, which is however too complicated for practical everyday use.)

it follows without further explanation why storing passwords in an e-mail account is a bad idea.

an alternative that is sometimes recommended is to use a password manager application. this could be a desktop or a smartphone application. the idea is to have a central ‘password vault’, where all the passwords are stored and where you can look them up if you need to. this vault is protected by its own password, which should be extra-strong, obviously. it would appear that this is the best solution mentioned so far: it greatly reduces the burden on your brain, as you have to remember only one password (which grants access to all others), thereby allowing you to assign unique and strong passwords to each one of your services. as a downside, there is once again a single point of failure: if your password vault is ever compromised, all other accounts are compromised too. for example, if you run your password vault app on your android smartphone, there is a risk of being infected by malware, as android is a main target for malware these days. so imagine for a second that someone could manage to infect your device with malware, which could then perhaps plunder your password vault… not a situation that you want to be in. another point to consider is that you will strongly depend on your password vault app, and the device it’s running on. for example, if you keep it on your smartphone, and your smartphone is for some reason unaccessible (empty battery, stolen, lost, hardware failure), you won’t have access to any of your passwords.

so considering this, and keeping in mind what we have recently learned about the far reaching surveillance by secret services etc., it may be worth considering another, more old-fashioned approach: writing down passwords on paper. your ‘password vault’ would in this case not be an app but a physical paper notebook in which you’d write the passwords using a pen. the single most important ‘feature’ of this approach is that it is completely offline, which means no worries whatsoever regarding hacking, NSA spying, malware etc. the solution is reasonably convenient, as all the passwords are kept in one place and can be looked up when they are needed. the passwords can be unique and strong without a need to memorize them all. a notebook is mobile enough that you can bring it along if need be (although it would be better to keep it at a secure place at home, perhaps even in a safe). the downside (and of course there is always one) is that the passwords have to be written in plain text, which means that any unauthorized access to the notebook means that all your accounts are compromised (again: a single point of failure). however, it would pretty much require someone to break into your apartment/house and physically steal the notebook, which is probably a low risk compared to having your computer compromised. also, if there was a burglar in your house you would most likely know about it and be able to react, while having your smartphone or computer compromised may go unnoticed for a long time. such a password notebook would certainly be a sensitive item, and would need to be handled as delicately as your real-life purse and key-chain, both of which should not fall into the wrong hands either.

conclusion: there is no perfect solution, each solution will have to be a compromise between convenience, security and practical considerations. in light of the above, i would say that a ‘password vault’ solution is better than the alternatives, and that some good arguments speak in favour of an ‘offline solution’. avoid sending passwords (or other sensitive information) by e-mail. in any case, it is worth taking some time to think about your password management strategy now, as it may save you some headaches later down the road.

regarding the other point, that is how to choose a good password, i would definitely recommend to use a password generator. i have been using a small unix tool called makepasswd ever since i discovered it. just type this command into a unix/linux console and it will spit out a reasonably strong password, e.g. ‘1dYriCgeR’. so for any new service that you sign up, you use makepasswd to produce a good password and store it in your password vault. this way you don’t have to worry about inventing a password that is easy to remember, as you have the possibility to look it up when you need to. (there are also many online password generators, which i would not recommend to use, as it is not clear whether they are trustworthy and they might have potential security risks of their own. it is much better to produce the password on your local machine.) if you want to continue inventing your own passwords (rather than using a generator), you should absolutely read this XKCD comic.

EFF on emails
c’t zeigt Auswege aus dem Passwort-Dilemma