Remembering passwords

2020-04-05, by Dmitri Zdorov

Touch ID dialog

My systems and devices are reasonably secure. Each service I use and every website I sign up for has a unique and complex password. The passwords are stored in an app called 1Password, protected by strong encryption, so I never lose or forget them. In addition, the app generates the one-time passwords required for two-factor authentication. I try to use it instead of SMS whenever possible.

Many passwords for non-critical places are also saved in the browser. My primary browser is Firefox, and I do have a master password there as well. iPhones and iPads are obviously locked and protected by Touch ID or Face ID. They have passcodes because some operations still require them; I use a 9-digit one. Since I install 1Password on virtually all devices, I do not have to remember passwords or passphrases. Mostly.

Nevertheless, there are some passwords I have to remember, and at the very least, a few that are convenient for me to remember. So that's what I want to tell you about.

I remember the password for my Mac: I use a local account, and I disable login via Apple ID. My password is the same on all my Macs, and I change it on all of them about once a year. My Apple Watch can also unlock newer Macs. My new 16" MacBook Pro has Touch ID, which is very convenient and fast. However, there are still cases when I have to enter the password manually, sometimes multiple times per day, so my fingers remember the array of letters, digits, and special symbols better than my brain does.

In general, all my Macs have encrypted disks, and the system password unlocks them, but a few have a separate disk-encryption passphrase. That is one of the things I remember. There are also recovery passwords; I store those in 1Password just in case, and I don't remember them at all.

I have to unlock the 1Password vault, and while biometric authentication spares me from typing the master password every time, I still have to type it quite a bit. Currently, I use one vault, though I could create several for different purposes.

I remember the Firefox master password. Each time the browser is restarted, I must type it again. That's pretty rare; normally, it stays open for days, but across all my computers it comes up often enough to be easy to remember. My Sync password is different from the Firefox account password, which I can't remember. Apple Notes allows users to lock (and encrypt) individual notes, so I do that, and I remember that password as well.

All of my mobile devices have a PIN code and SIM card PINs that I enable and change regularly. Usually, Apple Watches can be unlocked with the paired iPhone. Still, sometimes I unlock mine with a PIN that I enter almost every day, so I remember it.

To access my Android devices, I use an easy-to-remember pattern. It's not as secure, but I don't have any sensitive data on my Android devices.

I am surprised that I remember bank card PIN codes. Although they differ from bank to bank, I make sure they are the same for all the cards from the same bank whenever possible. It's a lot to keep in my head because I have so many bank accounts.

There is also a pin code for the building entrance door, but only for the building I live in now.

I also use Windows and Linux, but not all the time, so I remember their passwords only when I use them.

Though that seems like a lot, in principle there are only two passwords you need to remember: one to unlock a device and one to unlock the app that keeps all the others. For me, that app would be 1Password. In practice, that minimum would be extreme, and being prepared to recall quite a few is much more practical.

The trend among big companies is to eliminate passwords altogether and replace them with some form of verification, such as sending a link or code to the email address or phone number on file. The main reason for this shift is that most users do not want to create unique passwords for different services and prefer to use only one or two passwords for everything. The bottom line is that even if the password is strong, an attacker who steals it from one platform can replay it against every other platform where the user reused it (so-called credential stuffing). Thus, a site with poor security can jeopardize even those with advanced security. Furthermore, many people create trivial passwords that are easy to guess. Platforms can protect themselves against such recklessness by requiring non-trivial passwords, but they cannot detect that the same password is used everywhere else. A second factor, even one delivered via SMS, is much better than a password alone. Yet there are well-known ways to bypass SMS codes: intercepting the message, social-engineering the carrier's or the service's support staff into handing over the number or the account, or even going through the authorities. 2FA that relies on generating single-use, time-limited codes (in a hardware token or an authenticator app) is far more robust but still not very popular. Hopefully, that will change.

There is a need to strike a balance between safety and ease of use. Users will find a system unattractive if it is very robust yet cumbersome to use. In other words, either they will find a way to not secure it, or they will just avoid it outright. If you have a lock that is not easy to use, chances are it will go unused or stay unlocked all the time. We are becoming more accustomed to the need for good security, so the accepted level of how much we have to use and remember is rising slowly. What seemed impossible a decade ago is now considered acceptable.

I started counting how many of those things I remembered, and I was surprised. Memory, however, is a very unreliable mechanism.

Tags: My Setup, Security, Passwords
