The case for lousy passwords

By  

The problem, as Atwood points out in a more recent post, is that Gawker shouldn't be storing passwords in the first place. But there's nothing you or I can do about that, nor can we really know what's going on behind the scenes with a commenting system. For our own safety, we have to assume poor security on the part of the sites we're visiting.

So when the WSJ or the LA Times report on the "bad habit" of poor passwords that commenters have, maybe they're missing the point. Their sample data is the set of passwords people used on (for example) Kotaku or io9 when they wanted to comment on a video game or a sci-fi flick. Just because those passwords are bad, it doesn't mean these people have a bad habit of using poor passwords, and most "good" passwords are only marginally better than bad ones anyway.

So if all this talk about Gawker has you re-thinking your passwords, well, that's good, I suppose. But for every site you have to log into, think about the value of your data on that site. If this is a site where you're going to be entering real personal data about yourself, then by all means please pick a long (and unique to that site) password with a mix of case, numbers and punctuation. We're talking bank accounts, professional sites, online stores or anything that's going to require a credit card. That's still going to be a small percentage of the sites you visit (for most of us).

For sites where you just want to comment on some blogger's opinion, don't sweat it. Assume that if there's a breach, hackers are going to get your email address and might get your password. Listen to Dan Tynan and me and get yourself a throw-away Gmail or Hotmail account, and use that email and a simple password that you can remember. Use a 'stage name' (if you feel the need to; with my name I really don't) and don't enter any of your real personal data when you sign up for the site. If there's a breach, you might need to shut down or abandon that email, but it shouldn't be getting anything but spam and password reset requests anyway. The worst the hackers will be able to do is log into other trivial sites as (the possibly fake, if you chose a pseudonym) you. So what?

Life is too short to be worrying about 24-character passwords for trivial sites. Yes, security is important, but let's not obsess about it when we don't need to. I know people who've given up on good passwords because they tried to come up with something unique and hard to crack for every single site they visit. The frustration of keeping track of all these random character strings grew until they gave up and started using one or two bad passwords for all sites, and now they have password guilt. That's not good. Choose your battles, pick good passwords for sites where you store personal data, and don't feel the slightest bit bad about using "password" as your Gawker password.

And to all the pundits laughing at the apparent foolishness of people using weak passwords on trivial sites: maybe these users are just more savvy than you are. Are you sure your passwords are really any more crack-proof?

Peter Smith writes about personal technology for ITworld. Follow him on Twitter @pasmith.
