Better Password Security Through Compartmentalization

Information security incidents are going to happen.

Laptops are going to be lost (or stolen).  Emails containing sensitive data are going to be sent to the wrong recipient.  Systems are going to be infected with malware.

Passwords are going to be compromised.

Usernames and passwords are the proverbial keys to the kingdom.  That combination of two simple data elements is all that stands between your most sensitive data and the people who aren’t authorized to access that data.

Securing your password almost always involves trusting a third party to secure that password for you, and I can promise you that an international bank is going to take more steps to secure their data (and yours) than an Internet startup.  It’s an economic reality.

To prevent your password-protected data (or your online identity) from being compromised, you should consider compartmentalizing your passwords.  To put it another way, the username and password you use for your online banking should be different from the username and password you use to post comments to an online gossip site.

Trying to remember a different password for every site you visit would be overwhelming, but you can remember four (4) passwords, right?  To get to a four-password system, however, you first need to group the types of websites where you maintain accounts.

Here’s one compartmentalization model you might consider:

  • Money – Banking and trading sites.  A compromise would mean financial loss.
  • Shopping – Contains contact info + credit card data.  A compromise here would be less painful than a compromise to your online banking site, but only slightly.
  • Social Media – Personal and private data.  This category includes email and instant messaging accounts.  A compromise could lead to reputation damage.
  • Forums – Disposable data.  Who cares if this password gets compromised?

By using different passwords for each category, you limit how much damage a malicious individual could do by compromising any one of your accounts.  In other words, a compromised forum account that you created four years ago (and forgot about) won’t result in unauthorized withdrawals from your checking account.

Different categories can also mean different password rules.  You might make your online banking password a 20-character string of random characters that you change every three months, while only creating an 8-character alphanumeric password for your Twitter account.
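One way to make per-category rules concrete is to encode them as a small policy table and let a script generate passwords and track rotation from that table. The following is an added example, not code from the original post: the category names mirror the post's model, the 20-character/90-day rule for Money and the 8-character alphanumeric rule for the Twitter (Social Media) example come from the post, and the remaining lengths, intervals, and the hostname-to-category mapping are assumed values constructed for illustration.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

ALNUM = string.ascii_letters + string.digits
FULL = ALNUM + string.punctuation


@dataclass(frozen=True)
class Policy:
    """Password rules for one compartment."""
    length: int
    alphabet: str
    rotate_days: Optional[int]  # None means no scheduled rotation


# Per-category policies. Money and Social follow the post's examples;
# Shopping and Forums are assumed values for illustration.
POLICIES: Dict[str, Policy] = {
    "money":    Policy(length=20, alphabet=FULL,  rotate_days=90),
    "shopping": Policy(length=16, alphabet=FULL,  rotate_days=180),  # assumed
    "social":   Policy(length=8,  alphabet=ALNUM, rotate_days=None),
    "forums":   Policy(length=12, alphabet=ALNUM, rotate_days=None),  # assumed
}

# Constructed mapping of hostnames to compartments (example data only).
SITE_CATEGORY: Dict[str, str] = {
    "bank.example":   "money",
    "broker.example": "money",
    "shop.example":   "shopping",
    "mail.example":   "social",
    "twitter.com":    "social",
    "gossip.example": "forums",
}


def category_for(host: str) -> str:
    """Map a hostname (or any subdomain of a known host) to its compartment.

    Unknown hosts fall into the disposable 'forums' tier; reclassify them
    explicitly if they hold contact, payment, or private data.
    """
    host = host.lower().rstrip(".")
    for known, category in SITE_CATEGORY.items():
        if host == known or host.endswith("." + known):
            return category
    return "forums"


def generate(category: str) -> str:
    """Generate a password that satisfies the category's policy.

    secrets.choice draws from the OS CSPRNG, so the result is suitable
    for credentials, unlike random.choice.
    """
    policy = POLICIES[category]
    return "".join(secrets.choice(policy.alphabet) for _ in range(policy.length))


def rotation_due(category: str, last_changed: date, today: date) -> bool:
    """True if the category has a rotation interval and it has elapsed."""
    interval = POLICIES[category].rotate_days
    if interval is None:
        return False
    return (today - last_changed).days >= interval


if __name__ == "__main__":
    for host in ("www.bank.example", "twitter.com", "random-blog.example"):
        cat = category_for(host)
        print(f"{host:24} -> {cat:9} {generate(cat)}")
    print("bank rotation due:", rotation_due("money", date(2024, 1, 1), date(2024, 4, 1)))
```

Each compartment gets its own generator call, so even if the script's output for a forum were ever exposed, it shares nothing with the banking credential beyond the policy table itself.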

To further simplify the process, you can use a password manager to help you remember your more complicated passwords.  Here are a few of the better-known password managers

Realize that some accounts are more valuable than others, and the steps you take to protect those accounts need to align with each account’s value.  The security benefit of these additional controls, not to mention the resulting peace of mind, far outweighs the effort required to make these changes.
