Password Management
A survey of 1,700 users by RSA looked at password management and had the following disheartening, but not entirely surprising, results.
Users are resorting to insecure methods to store passwords because they are being overwhelmed by the number needed to do their jobs:
- 25% keep them on a spreadsheet
- 22% store them on a PDA
- 15% simply write them down and keep them in a "safe place"
More than 25% handle more than 13 different passwords. Another 30% juggle six to 12 passwords. To make matters worse, most are subject to the recommendation that passwords should be changed every six months and consist of at least eight characters, of which at least two should be digits and two letters.
Strengthening security measures -- e.g. by insisting on combinations of uppercase and lowercase letters -- simply increases the likelihood that users forget them, resulting in a call to a service desk and a password reset request, which can cost up to $145 a time.

I use KeePass Password Safe. It's free and open source, has a password generator, and locks with a master key and/or key file. My favorite feature is an autofiller for logins and passwords that's "keylogger proof", which is called by pressing Ctrl+Alt+A on a webpage that you set up.