I would rather cut bait than be phished in Hotmail's waters

By Joe Wilcox | Published October 5, 2009, 7:41 PM

Nagging Capital One credit card commercials ask, "What's in your wallet?" Perhaps for the connected age, the question should be "What's in your digital wallet?" If the answer is a password used at Windows Live Hotmail and pretty much everywhere else online, your wallet may have been stolen.

As reported earlier today by Neowin, on October 1st someone briefly posted online thousands of Hotmail (i.e., Windows Live) account passwords. The number of pilfered accounts could be much higher. The source of the account information remains uncertain, although Microsoft claims they were gathered through phishing expeditions. I decided not to wait to find out.

I spent about four hours today scouring the Web to change my account passwords everywhere. MY GOD! Where did all these fraking accounts come from? Last count, my total is 35, and more of the little buggers are popping up as I search my memory and email archive.

Three Windows Live IDs, three Gmail accounts, two bank accounts, Facebook, Twitter and Yahoo are among the many. The number would be even higher if not for some connected accounts, such as Yahoo to Flickr or Gmail to YouTube.

I've got to ask: How many places do you have online identities? Please answer in comments. I'm remembering more as I write, putting the number at 40 since I started this post. It's really a nightmare of management. Whatever happened to the promise of one online identity for everywhere?

I assumed there was no imminent threat of identity theft, but wondered, "Why be reckless?" So I treated the situation as a real threat, which meant performing some triage -- which accounts to change first, meaning those with the greatest risk. I present my choices for discussion and also perhaps to help other people to manage their password changes.

My problem -- and perhaps yours, too -- is that my identities, name or email address, are pretty much the same across the Web. The point of the social Web is to be found by people you know or want to know. My similar identities can easily be found across numerous Websites, so the username is no secret at all; the password is the only secret, and one reused password could unlock many of them.

I mainly use variations of two passwords, with 13-19 characters. The third password is shorter and less complex, for those stupid sites restricting passwords to no more than 12 characters. Days gone by, I would mix symbols with numerals and letters, but an increasing number of sites won't allow them. Idiots! The catch with variations on a base password is that they are not independent: anyone holding one of them can guess the pattern behind the rest.

This new set of passwords separates Windows Live from the other 40 or so online accounts. I also increased the number of distinct passwords across sites. If I've got to change them all, I might as well make the effort worth something.

I started the password changes with the three Windows Live accounts, seeing as how the Microsoft service is Patient Zero. From Hotmail the password malady could spread. That's really a denial attitude. Someone already leaked the passwords. Gulp.

I next shifted my attention to email accounts and others where my name is the username. Next: My blogs. I then moved to accounts where money could be lost: Amazon, banks, PayPal and utility services, among others.

PayPal was a real pisser. Perhaps because I changed the email address, too, PayPal required me to authenticate the password change with either the credit card or bank account number on file. PayPal presented partial numbers and other data as assurance of legitimacy. I got pissed because the verification process reinforces exactly the behavior phishers exploit: typing card or account numbers into a page because it asks for them. PayPal shouldn't request this information. And if the service doesn't normally ask for it, then I got phished on the PayPal site itself using Internet Explorer 8 (which I doubt).

After the money accounts, I moved onto others where I pay something, such as Netflix (subscribed February 1999) and Wall Street Journal Online (subscribed in autumn 1996). Lastly, I started working through some of the social media accounts. But there are so many I signed up for -- at least to test -- I may never uncover them all.
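The triage above is, in effect, a blast-radius calculation: start from the leaked account and follow two kinds of link, accounts that share the same password and accounts whose password-reset e-mail is one you have already written off. The following Python is an added example, not part of the original post; the account inventory, the password labels pw_A/pw_B/pw_C, the risk tiers and the recovery-address links are constructed to mirror the kinds of accounts the post mentions, not the author's real setup.

```python
from collections import deque

# Constructed inventory (illustration only):
#   name -> (password label, risk tier, account used as recovery e-mail or None)
# Tiers: 3 = money can be lost, 2 = e-mail / identity, 1 = paid service, 0 = social / forum
ACCOUNTS = {
    "hotmail":  ("pw_A", 2, None),
    "gmail":    ("pw_B", 2, "hotmail"),
    "bank":     ("pw_C", 3, "gmail"),
    "paypal":   ("pw_A", 3, "hotmail"),
    "amazon":   ("pw_B", 3, "gmail"),
    "netflix":  ("pw_A", 1, "hotmail"),
    "facebook": ("pw_A", 0, "gmail"),
    "twitter":  ("pw_B", 0, "gmail"),
    "wsj":      ("pw_C", 1, "hotmail"),
}


def exposed_accounts(accounts, leaked, follow_recovery=True):
    """Return every account reachable from the leaked set.

    Two edges are followed: an account that reuses the password of an exposed
    account is exposed; an account whose recovery e-mail is an exposed account
    is exposed too (the attacker can request a reset link), unless
    follow_recovery is False.
    """
    exposed = set(leaked)
    queue = deque(leaked)
    while queue:
        cur = queue.popleft()
        cur_pw = accounts[cur][0]
        for name, (pw, _tier, recovery) in accounts.items():
            if name in exposed:
                continue
            same_password = pw == cur_pw
            resettable = follow_recovery and recovery == cur
            if same_password or resettable:
                exposed.add(name)
                queue.append(name)
    return exposed


def effective_tier(accounts, name):
    """An account is as sensitive as anything it can password-reset (one hop)."""
    own = accounts[name][1]
    resets = [tier for _pw, tier, rec in accounts.values() if rec == name]
    return max([own] + resets)


def change_order(accounts, leaked):
    """Order exposed accounts for password changes: the leaked account itself
    first, then by the most sensitive thing the account can reach, then by how
    many other accounts it acts as recovery address for, then by name."""
    exposed = exposed_accounts(accounts, leaked)
    serves = {n: sum(1 for _pw, _t, rec in accounts.values() if rec == n) for n in accounts}
    return sorted(
        exposed,
        key=lambda n: (n not in leaked, -effective_tier(accounts, n), -serves[n], n),
    )


if __name__ == "__main__":
    for position, name in enumerate(change_order(ACCOUNTS, {"hotmail"}), 1):
        print(position, name)
```

With the constructed inventory, a leak of the Hotmail password alone reaches four accounts through password reuse, but nine once reset links are followed, because Gmail recovers through Hotmail and the bank recovers through Gmail. The ordering puts Gmail ahead of the bank for that reason: an e-mail account that is the recovery address for a money account is worth exactly as much as the money account.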

If someone had asked me last week how many online accounts I had, the answer would have been 15 to 20. Certainly not 45, which is the current count since starting this post. The accounts just keep adding up -- and I'm not a heavy forum user, which could really jack up the numbers. The new Web siren call is registration. "C'mon over here for our free stuff, but you have to register first. Don't worry, we'll protect your privacy." Yeah, right, but will you protect my identity if I use the same password at your site and 20 others?

I'm done griping, but don't you stop. I really want to generate a gripe session in comments about online identity and the shortcomings of managing who you are across multiple services. Please, let's dispense with any snotty comments about my whining. I'm not. This post was purposely written to generate discussion and for Betanews readers to vet their solutions.

The weakness of the social Web is simply stated: You are too many places.

How would you make it better?

Comments


Glad I'm not stupid and only have a 'common password' for unimportant websites.
I don't even know my bank password. KeePass is a wonderful thing. Use it.

Score: 1


Is it possible for sites to offer a private/public key registration process? For example, to sign up to a new site I enter a username and paste in my public key, which the site stores. Whenever I sign in to the site again it provides a passphrase encrypted with my public key associated with my username, I decrypt it using my private key and type it in, and access the site. The site could change the password every time I visit; it wouldn't matter because I decrypt it each time. It could probably be made easier with a Firefox plug-in. OK, it's an extra step to sign in, but a small price to pay, especially for banking sites that are really important.

Score: -1


Some of the higher-end banks do this with RSA keys. I have an RSA key fob from PayPal for eBay auctions.

This is probably the future. Credit card numbers are too out in the open.

Score: 1


Different passwords AND names on all sites and forums I surf, a random set of numbers; criminals could even have problems REPLICATING them by WRITING!
(Mhoehahahaha)

And I also only have a few confirmation messages with passwords, some already changed and some not. But most are deleted, so anyone searching my emails won't find much.

I write them down and delete all traces that are stored on computer(s).
I do NOT KNOW MY PASSWORDS or ACCOUNT NAMES because I let Firefox remember them!

I have 50 or something I think.

Score: 0


My one password for all system is now looking decidedly iffy, having only just realized that the Betanews connection is not encrypted when a fella logs in.

Score: 2


It is exactly this type of situation that I feared several years ago, so I went in search of a password management system: Keypass. Get it on FileForum. I have 90 accounts. Most of them I have no idea what the username is, and ALL of them I don't know what the password is.

I highly highly highly recommend this app. Secure your keypass password with a keyfile AND a very very long password, and add some good salt to it. Now you have one password to remember, and a security compromise on any online account does not impact any others.

You of course HAVE to backup this keypass database and keyfile, in multiple locations, because it becomes the most important file you've ever had.

Score: 0
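The key-file point in the comment above is worth seeing in code. What follows is an added example, not KeePass's own key derivation or database format: it models the idea of a composite key (master password plus the contents of a key file, stretched with PBKDF2) and runs a small dictionary attack against a stored check value, with and without the key file in the attacker's hands. The salt, key-file bytes, iteration count and word list are all constructed for the demonstration.

```python
import hashlib
import hmac

# Illustration values only; a real manager uses a random per-database salt and
# a far higher (or memory-hard) work factor.
ITERATIONS = 20_000
SALT = bytes(range(16))                               # constructed salt
KEY_FILE = b"constructed key file: 64 random-looking bytes would go here ....."
WORDLIST = ["password", "letmein", "hotmail1", "winter2009", "qwerty"]  # constructed


def composite_key(master_password, key_file, salt):
    """Combine the master password with the key file's contents, then stretch.

    The key file is hashed and appended before stretching, so the same password
    yields an unrelated key when the file is absent or different.
    """
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=32)


def make_verifier(key):
    """Check value stored with the database so a candidate key can be tested
    without keeping the key itself on disk."""
    return hmac.new(key, b"composite-key-verifier", hashlib.sha256).digest()


def dictionary_attack(verifier, salt, key_file, candidates):
    """Try every candidate master password with the key file the attacker has
    (or None); return the recovered password or None."""
    for guess in candidates:
        candidate = make_verifier(composite_key(guess, key_file, salt))
        if hmac.compare_digest(candidate, verifier):
            return guess
    return None


def scenarios():
    """Three cases for the same weak master password 'winter2009'."""
    weak = "winter2009"
    password_only = make_verifier(composite_key(weak, None, SALT))
    with_key_file = make_verifier(composite_key(weak, KEY_FILE, SALT))
    return {
        "no key file, attacker has wordlist": dictionary_attack(password_only, SALT, None, WORDLIST),
        "key file, attacker has wordlist only": dictionary_attack(with_key_file, SALT, None, WORDLIST),
        "key file, attacker has wordlist and key file": dictionary_attack(with_key_file, SALT, KEY_FILE, WORDLIST),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {'recovered ' + result if result else 'not recovered'}")
```

The first case falls to the word list, the second does not, and the third falls again. That last one is the caveat on the backup advice: the key file has to be backed up, but a copy that sits next to the database in every backup adds nothing, because whoever takes the database takes the file with it.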


Yes, Keypass is excellent. There's a free version and there's a version that you buy. There is a Keypass and a Keepass. I didn't realize there was a difference, but there is. I have been using Keepass.

http://keepass.info/ and http://www.dobysoft.com/...ucts/keypass/index.html

You can configure Keepass so that when you select an account and double-click on the URL, it automatically navigates to that website and logs you in.

Before I found out about Keepass, I kept all my accounts and passwords in an encrypted text file. I wish there were some automated way to transfer the info from the text file to the Keepass database.

Speaking of backups, I have been burned so many times over the years that I have multiple backups of everything. I have my Keepass database in as many as ten different places. Which reminds me that the database can be copied to multiple machines. On my machines, I have no accounts or passwords in open text files.

Score: -2


This is why I have several different security levels... 5 changing names and passwords for various "security clearances"... my Hotmail/Live password getting out wouldn't really matter except on a few forums.

Score: -2


For the last 5 years I've been using Keepass to store/create virtually all my passwords (I only have about 10-20 or so in my memory), and according to it I currently have over 600 (not a typo) username/password combinations. Without a doubt the biggest reason for that is forums: sometimes just reading them you'll need an account, other times searching or downloading attachments will require one, and certainly making a post will as well. But of course there are many other types as well.

Score: 0


There is software called "Identity Finder" which is free to try for some time. A few weeks back I installed and ran it; I expected the usual collection of visible passwords from the IE store, activation codes for various software etc., but to my surprise and dismay the program, which can also check in MS Office type files, archives, unencrypted PDF files, email etc., found MANY more places where my personal information was stored.

Which means that apart from having to have a solid strategy on password creation and storage (after all, a really GOOD password should be near impossible to recall from memory alone) one must also take means to protect the hardware (notebook lost/stolen, computer in repair/maintenance shop, ...) from unwanted data sniffing, as well as storage media. For example, what should I do with the hundreds(!) of DVDs and CDs on which I recorded my data backups since the early 1990s, many of which hold files with private data, password confirmations by email (often with the password clearly spelled out in the email), etc. etc. etc.? Only burning appears to me to be a quick and final way of disposal. Oh, and did you wipe, not just delete, the data on that 256 MB thumbdrive that you casually discarded after you realised that it is no longer serving any purpose?

My point is, if you have confidential information or access to confidential information stored anywhere - and of course we all have - then phishing protection is certainly one important step, but not the only one.

Back to the original article, I believe that I must have around 16 to 20 vital accounts for which I use one of three current passwords, and at least 2-3 times as many non-vital accounts. And as it has already been mentioned, a breach in only one of them could reveal the access user name/password combination to a host of others.

Some of the older stuff I cannot even remember - I forgot the access to my Rocketmail account long before the service changed hands. Using PGP in the late 90s made me create "good" passwords just to please the interface (which was telling you if your pass phrase was "good" or not) but the immediate lack of convenience meant that I rarely used them (imagine the first two lines of the Ring poem from The Lord of the Rings, in German and using odd capitalisation, interspersed with numbers - I did remember it but the typing killed me).

Some kind of ID theft insurance that would cover financial damages, does it already exist?

Anyway, great article and I feel nudged in the right direction to do some digital housekeeping really soon.

Score: 0


Awhile back I thought it best to start keeping track of my online accounts so I started bookmarking them: 55 plus many I missed bookmarking (including betanews.com, I realized). Realistically, probably 75.

Never keep your passwords as text in your inbox.

It's scary that a reliable company like MS can lose passwords. I use gmail as my main account and if anyone got in I'd lose everything. One day I'll use something like OnePassword, but I just can't motivate myself to do all that complexity.

Score: -2


Also keep in mind that so far, MS did not lose any passwords; folks willingly gave their information away to unreliable third parties.

Score: 0


See the other posts about keypass. I admit it was a good 2-3 hours of manually creating accounts and passwords, but after that it is less work to manage passwords, since you can use keyboard shortcuts to paste usernames/passwords into fields. Long-term, you will save time overall.

Score: -2


It would be nice to note that it's ONLY Hotmail accounts... that is, @msn.com, @live.com, and @hotmail.com accounts from A to B. So people like me who have never used Hotmail are in the clear. Of course, that it was passwords obtained through PHISHING is more important. Those of us who don't fall for such schemes can rest easy either way.

It sounds like this was one phisher pasting account info for another phisher. Not a bad way to do it if you're paranoid about a recipient keeping an email with your name on it and getting you busted, I suppose.

Score: -3


Not so fast there bucko ;P
Google, Yahoo, AOL etc have also been phished

Score: 0


Know what I did? Changed my Windows Live password, yup... that's it. Being fairly sure I've never been phished, that's all I did, and it was about time anyway, been more than a year...
What I didn't do was panic... which seemingly everyone else couldn't do lol
Besides... I made it a point years ago to NEVER keep login/password info from various other accounts saved in my inbox (or archive), that and every single one of my passwords at least is random in characters and pretty much unbreakable

Joe, I have to ask, why did you feel the need to change every password? If your Hotmail were compromised, none of your other accounts should have been... at least with proper management of your accounts, proper taking little effort at all...

My logins etc. are saved within my browser and on a couple USB keys, never in an inbox, never in the cloud. I don't know, it takes me no real effort to manage them, a copy-paste here & there, that's it... big deal really

In the end, I changed my Windows Live password and I feel pretty safe ;P I'd never save any details like this in the cloud, that's asking for a bit o' trouble

Another good tip is to every now and again check your DNS settings, make sure those are never altered, or use OpenDNS, though I like 4.2.2.1/2/3/4/5, easy to remember

I'm out, enjoy your paranoia Joe ;P gez

Score: -3


I didn't panic. I was prudent, and I saw opportunity for a story from my experience. I changed passwords because my username is the same or similar across multiple sites and my Hotmail password is the same on some of the sites. It wouldn't be rocket science to put them together. Besides, my writing has created a few enemies. Why take any risk, especially when I hadn't changed any passwords for about a year?

Score: -3


artfuldodga: If you keep passwords on disk, I recommend using some type of encryption. I use KeePass Password Safe, which is made for exactly that sort of thing. If a site demands password rules that my usual passwords don't meet... and I gotta say, rules like that are annoying and insecure at best, since they can dramatically reduce the permutations brute forcing requires, and it is more likely that a user will need to write down the password anyway instead of properly committing it to memory. Anyways, if I need to make a new password, I can keep it in the Safe so when I inevitably need it again it'll be there. Not to mention I can generate secure and random passwords and just save them in the Safe to begin with.

EX: American Century has a bunch of baloney rules about account security. Although they're getting a LITTLE better, KeePass helps me keep my fake randomly generated Elementary School, Maid of Honor, and Favorite Grandmother's Dog safe and available when I need it.

Score: -1


I use a TrueCrypt file volume on my USB key ;P ... the rest of the key is unencrypted, so I can actually use the thing at friends' houses easily, BUT I've made TrueCrypt portable and thrown that on the key if I need access to my passwords

I have no idea what any of my passwords are off hand ;)

Score: 0


My Username is AAAAAAA@hotmail and I was on top of the list.

jk

I think you're all overreacting.

And how can you not use something like Roboform?

Score: -2


>Joe, i have to ask, why did you feel the need
>to change every password?

In my case it would be because of how many of my accounts were confirmed via a Hotmail account.

And rather than start another post: guesstimating from the thickness of that section of my address book, I've created some 60 accounts that I considered worth trying to remember, and on this box (which I've been using for about two months) I've accessed about 18 of them.

Personal gripe: merchants that won't let me just buy something and leave, and force me to open an account. It is not unusual for me to just walk away from my cart at that point.

Score: -1


Roboform is awesome! Used it for a few years now and have hundreds of stored logins. Comes in a portable version which can be executed from a memory stick. The master password which unlocks Roboform is the only password I need to remember.

Score: -1
