I have over 190 accounts and logins for which a password or PIN is a part of my access: website tools, online banking, social media, email, internal company tools at Summersault, and so on. I used to pretend that I was maintaining the security of these accounts by having a reasonably strong set of passwords that I re-used across multiple sites, sometimes with variations that I thought made them less likely to be broken into if someone did happen to compromise one of my accounts.
But as I prepared to give a talk in December about email privacy and security issues, and really stepped back to look at my own password management scheme, I realized just how much pretending I'd been doing, and just how vulnerable I was making myself to the increasingly well-equipped and highly-automated attempts at compromising accounts, stealing identities and stealing funds that are being launched every day. I went and tested some of my passwords at the Password Strength Checker, and I was ashamed. The potential impact of this really hit home as I read Mat Honan's personal tale of woe and his follow-up piece Kill the Password in Wired magazine. Add in Passwords Under Assault from ArsTechnica and you'll be shaking in your boots.
So I decided that I was not going to be that guy who goes around telling people about how vulnerable they are with their simplistic password schemes while quietly living a lie in my own password management scheme. I might still be hacked some day, but I would not be found giving some teary-eyed interview to Oprah where I whined about how the pressure of the 190 accounts to manage just got to be too much and how I knew using a simple dictionary word plus a series of sequential numbers was wrong but I still didn't do the right thing.
That's when I found 1Password from AgileBits, a password management tool that alleviates the horrors of password management.
I will admit that I didn't try other password management tools, but I did research the 1Password architecture and approach to security, and found that they had really thought the problem space through well. I wouldn't have to store my unencrypted passwords on any third-party-managed service, the tool was resistant to most kinds of attacks or hacking attempts I might experience, and the AgileBits team behind it seemed to be constantly working on improvements and innovations. And the reviews were great - I was sold, and it was clear I would be better off with this tool than with my existing scheme.
Now that I've used 1Password - and its companion apps on the iPhone and iPad - for over a month, I can say: what a relief!
I no longer have to remember multiple passwords. I no longer have to lose time in my day resetting the passwords I've forgotten. I no longer have to resist changing passwords regularly as a part of good security best practices. I no longer have to worry (as much, anyway) about an insecure password being the beginning of a months-long identity theft nightmare. With a single very strong master password and syncing between my laptop, phone and tablet, I have access to my passwords wherever I might be.
I'm especially impressed with the web browser extensions that let me easily and automatically paste in my super-secure passwords to the sites I visit every day without copying/pasting from some other window. On my iOS devices, the 1Password app provides its own modified-Safari browser where you can achieve the same. And even if I'm without my phone/tablet/computer, I can use their flexible web-based 1PasswordAnywhere feature.
So, you get it. I recommend 1Password. More importantly, I recommend some kind of password management tool if you're someone who has any kind of online identity that might include any kind of sensitive communications or information. (See articles above if you need help imagining scenarios where you're vulnerable.) If you're not on a Mac, there's a 1Password version for Windows, and KeePass for Windows also seems to get good reviews. There are a number of good options for Linux users.
Even once you're using a password management tool, there's more you should be doing to keep your accounts secure. Make sure your master password is super-secure. Consider using a dedicated email address for password reset link emails. Change your password reset security questions/answers to something no one can guess or research. Use two-factor authentication where possible. Turn on alerts for logins that come from unfamiliar devices. And so on.
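To make the "dictionary word plus sequential numbers" problem and the "super-secure master password" advice concrete, here is a small added example (my own illustration, not code from the post or from AgileBits) that estimates how many guesses each kind of password actually forces an attacker to make. It assumes a toy dictionary, an assumed wordlist size of 100,000 entries and an assumed offline guessing rate of ten billion per second; all three are labelled assumptions in the code, and the class-based estimate for non-pattern passwords is deliberately an upper bound.

```python
import math
import re
import secrets
import string

# Constructed toy dictionary for the demo; a real cracking wordlist is far larger.
TOY_DICTIONARY = {"summer", "password", "welcome", "dragon", "monkey", "letmein"}
# Assumption: a typical cracking wordlist has on the order of 100,000 entries.
ASSUMED_DICTIONARY_SIZE = 100_000
# Assumption: offline guessing rate against a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1e10
# The 94 printable ASCII characters a password manager typically draws from.
MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def scheme_bits(choices: int, positions: int) -> float:
    """Entropy (bits) of choosing `positions` symbols uniformly from `choices`."""
    return positions * math.log2(choices)


def classify(password: str) -> str:
    """Recognise the 'dictionary word followed by digits' scheme the post warns about."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", password)
    if m and m.group(1).lower() in TOY_DICTIONARY:
        return "dictionary-word+digits"
    return "other"


def estimated_bits(password: str) -> float:
    """Attacker-model estimate of the search space for a password.

    A word+digits password is only as strong as (wordlist size) * 10^digits,
    regardless of its character length. Anything else is scored as a uniform
    draw over the character classes present, which is an optimistic upper bound.
    """
    if classify(password) == "dictionary-word+digits":
        digit_count = len(re.sub(r"[A-Za-z]", "", password))
        return math.log2(ASSUMED_DICTIONARY_SIZE) + digit_count * math.log2(10)
    choices = 0
    if re.search(r"[a-z]", password):
        choices += 26
    if re.search(r"[A-Z]", password):
        choices += 26
    if re.search(r"\d", password):
        choices += 10
    if re.search(r"[^A-Za-z0-9]", password):
        choices += 32
    return scheme_bits(choices, len(password))


def seconds_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a search space of 2**bits at `rate` guesses/s."""
    return 2 ** bits / rate


def generate_manager_password(length: int = 20) -> str:
    """The kind of random password a manager generates: CSPRNG, full alphabet."""
    return "".join(secrets.choice(MANAGER_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    samples = ["summer2013", "Tr0ub4dor&3", generate_manager_password()]
    for pw in samples:
        bits = estimated_bits(pw)
        print(f"{pw!r:28} {classify(pw):24} {bits:6.1f} bits "
              f"~{seconds_to_exhaust(bits):.3g} s to exhaust")
```

The word+digits line comes out at roughly 30 bits, which an offline attacker at the assumed rate exhausts in a fraction of a second; the 20-character manager-generated password scores about 131 bits, which is why letting the tool generate and remember passwords, and reserving your own memory for one long master password, changes the picture so much.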
What tools and techniques are you using for password management?