All of us are terrible at remembering passwords, which drives us to find convenient ways to make logging on to our Twitter, bank, and other online accounts a bit easier and much less secure. Users combat password fatigue by using the same password for all of their accounts, selecting short and weak passwords, or creating passwords that technically comply with a policy but are still bad.
There is a simple way to make the passwords you don’t use often or care about too much a bit more secure than “PoisonRocks1”: like the hair bands of the 80s, just forget about them. Don’t remember those passwords; just reset them each time you need to log in to the account. Before you get alarmed at what I’m proposing, think about it. Most websites will send users a 6 character, randomly generated password upon reset – which is better than 99% of passwords that users pick.
You can even write down all of these reset passwords on a post-it note and carry it in your wallet and just reset the passwords each week or whenever you feel like it. You’ll have a decent password that is constantly changing and not connected to any of your other accounts. (Business managers, you’ll be insulated from outside passwords being stolen and used on your corporate network, although this tactic won’t work in most business environments unless you want your help desk to work on even more password resets.)
There are some websites that will only send you a link to reset your own password, or that send you reset passwords in clear text in an email. In both situations it’s better to create randomly generated passwords using an online generator or OpenSSL and to test their overall strength. Passwords sent in the clear really shouldn’t be trusted, since emails are the digital equivalent of postcards, and constantly setting your own password will just cause more password burnout.
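As an added example (not from the original post), this Python script uses the standard library’s `secrets` module in place of OpenSSL to draw passwords from a CSPRNG and to work out how many bits of entropy a uniformly random password of a given length carries, so you can compare a six-character reset password against a longer generated one.

```python
import math
import secrets
import string

# Character sets a reset routine or generator might draw from; the 62-symbol
# alphanumeric set matches the short reset passwords described above.
ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols
PRINTABLE = ALPHANUMERIC + string.punctuation         # 94 symbols


def random_password(length: int, alphabet: str = ALPHANUMERIC) -> str:
    """Draw each character from a CSPRNG, as `openssl rand` would."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This only holds for generated passwords; a human-chosen string such as
    'PoisonRocks1' comes from a far smaller, predictable space.
    """
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniformly random passwords reach target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def is_from_alphabet(password: str, alphabet: str) -> bool:
    """Check that a generated password uses only the intended symbols."""
    return bool(password) and all(c in alphabet for c in password)


if __name__ == "__main__":
    reset_style = random_password(6)
    print(reset_style, f"~{entropy_bits(6, len(ALPHANUMERIC)):.1f} bits")
    for bits in (64, 80, 128):
        n = length_for_bits(bits, len(ALPHANUMERIC))
        print(f"{bits} bits needs {n} alphanumeric chars:", random_password(n))
```

A six-character alphanumeric reset password is just under 36 bits, which beats typical user choices but is nowhere near what you would want for an account you care about.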
For proper security you need real two-factor authentication, so that you’re not relying solely on a password (something you know) but on something you have as well (like a smart card). Of course, it won’t help you much if you keep losing your token. For your other accounts, try resetting the passwords and see how the online service handles them. Do they have you follow a link in an email to retrieve a new, random, and complex password?
Password resets generally rely on email accounts, so you’re only as secure as your email password. I don’t recommend forgetting your passwords and constantly resetting logins to any sensitive accounts, just the ones you don’t care too much about. Besides, if someone does end up stealing your password to some forum or other non-essential account, you’ll be resetting your password anyway.