Why I’ve started using a password manager

Ladies and gentlemen, it’s time to face facts – your internet use isn’t safe. I’m not talking about malware, viruses or nasty drive-by websites here (although they might well be a factor in this affair). No, I’m referring to that most humble of things: the password.

Back in the good old days, we had but two passwords to worry about – the first of which logged us into our ISP when we instructed our modem to dial the service. This username and password wasn’t any big deal because it was used only when dialling out. The second username and password was for our account at CIX – a UK version of COSY, which also underpinned The Well in California and Byte’s BIX bulletin board. CIX was (and still is) a great social medium that predated the World Wide Web by several years, let alone lesser upstarts such as Facebook. But I digress.

In the modern internet era it seems to be necessary to log in separately to almost every website

Usernames and passwords used to be simple, but today this is no longer the case. In the modern internet era, where you go e-shopping at a wide range of sites, from Amazon to your local specialist butcher, it seems to be necessary to log in separately to almost every website. This drives me nuts. When I want to purchase something from an e-shop, the only information I should need to hand over is the shopping basket contents, a delivery address, and my relevant credit card information. It’s taking a liberty to force me into registering on a website, to which I often have absolutely no desire to come back to – I went there for one specific purchase and that’s it. I really don’t believe that doing business in this way gives anyone the right to demand that my information be placed on their marketing database.

The same thing happens in real life, too, of course. Go into PC World, make any purchase and ask for a VAT receipt. This immediately makes you a “worth capturing” target, and the sales assistant will start demanding all kinds of information, such as your address, postcode, inside leg measurement and preference in vintage champagne. Their excuse if queried is that this is required for the warranty, but it would be hard to imagine a more blatant misuse of the Sale of Goods Act. It’s tempting to give the company’s own headquarters as your postal address, and the email address of its managing director as the contact mailbox.

Memory issues

Anyway, back to the virtual world. Each website demands its own username and password, although often the username will be an email address, but that doesn’t have to be so. It isn’t too surprising that many of us use the same password for these sites: “Who’s going to know?” goes the thinking. Maybe we’ve been clever and use a few different passwords, but it’s genuinely rare to find anyone using a truly hardened password. There are many reasons for this: first, they’re difficult to remember; second, they can be complicated to type, especially when you’ve included punctuation marks and you find yourself using a non-UK keyboard. Worse still, the passwords that are easiest to remember are also often the easiest to crack: dictionary attacks apply the logic of real words to help guide the crack effort in the right direction.

Maybe we’ve been clever and use a few different passwords, but it’s genuinely rare to find anyone using a truly hardened password

After scouring a dictionary, the cracker will turn to the more obvious social-engineering attacks: name of parent, name of house, name of first-born, first names of first and second children, date of birth coupled to name of dog, and so on. A great deal of this information can be discovered out there on the web, especially if you’re an enthusiastic user of sites such as Facebook. I’ll confess that I’m rarely surprised nowadays at the amount of personal information that some people quite happily scatter across their Facebook pages, then allow it to be visible not only to friends but to friends of friends, thus increasing the browsing population by an almost geometric factor.