About

I built passwordsheet.com because I found myself wanting to abandon using the same password across multiple online services and machines. I have twice had losses due to theft / identity fraud: once when a counterfeit card travelled around Queens while I was in Switzerland, and on a second occasion when somebody captured my password, most probably from an unofficial Wi-Fi signal that I used at a five-star airport hotel. They captured my email password, which travelled in plain text for a POP login from my laptop, and accessed my e-mail. From there they found other accounts, possibly from my email account. They were able to log in to various services with my email address, many with the same password and some by using the email account to create a new password. They then used eBay to buy a sequence of laptops with the 'buy now' feature and took money from my bank via the PayPal account. An SMS from my bank's fraud tracking allowed me to discover the activity and all the money was refunded, in particular by PayPal.

For many years I have shared passwords across multiple sites, with financial sites using different passwords to general sites and again another password for less well-known sites. This helps, as the procedures followed at a financial institution will be far more rigorous than at the average site, but it still leaves one exposed across the dozens of run-of-the-mill sites, where access to the password at any of the sites by a hacker, employer or accidental publication would allow access to all of your sites. Particularly as I know people at several of the sites, I feel a little uncomfortable with situations where I don't know if they are storing, encrypting, hashing or logging the passwords in a safe way.

In moving to individual passwords for each site, the ability to remember passwords is lost and some method of storing the passwords is necessary. While there are electronic options, the portability, simplicity and ease of use of a sheet of paper are difficult to beat. The sheet needs to be available but treated with security, so keeping it in the wallet or purse offers a good solution.

passwordsheet.com uses code which executes on your machine, in your browser. What this means is that the site creates a sheet of password values without us knowing what your passwords are. The passwords are only on your machine and on your printed sheet. You do have to manage the physical security of the piece of paper: when you lose your wallet you will lose your passwords and will need to reissue all of them, most likely from your email account. For this reason I would suggest that for your primary email account, as well as your bank account and employer's access, you commit the password to memory rather than using a password on the printed sheet. These remembered passwords have to be based around all the mnemonic techniques and tricks with words that result in the most common 1000 passwords being able to open a large proportion of accounts. The overall security of the process is a trade-off, and if your bank insists on symbols the memory task has further challenges, so it depends on your memory and the password rules at those key sites. Remember that unscrupulous office workers or disgruntled partners are likely to look for notes of passwords, so the physical security is a challenge; however, these attacks are less frequent than online attacks by unknown third parties for most people.

To use passwordsheet.com, just print the first page of the printout onto paper and use a new password for each site, recording the name of the site. The passwords all use a combination of upper case and lower case letters as well as numbers. They deliberately contain one of each. The exact password rules vary from site to site and system to system, but as long as they permit eight character passwords you should be successful. The lower half of the page includes a symbol in the password. If you find that a site needs a symbol in the password, use passwords from the lower half of the page. If the password uses a symbol which the site finds unacceptable, either take note of the symbols accepted (if they tell you!) or, if not, move down four or five rows, as there are different alphabets of symbols used by different rows of the sheet in order to accommodate more and less popular lists of acceptable symbols.
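The rules described above (generation in the browser, eight characters with at least one upper case letter, lower case letter and number, symbols only in the lower half, symbol alphabet changing every few rows), as an added example. This is not passwordsheet.com's own code; the alphabets, the omission of look-alike characters, the row counts and all function names are assumptions.

```javascript
// Added example, not passwordsheet.com's code; alphabets and row layout are assumed.
const rng = globalThis.crypto ||
  (typeof require === "function" ? require("node:crypto").webcrypto : null);

const UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ"; // assumption: drop I/O, hard to read on paper
const LOWER = "abcdefghijkmnpqrstuvwxyz"; // assumption: drop l/o
const DIGIT = "23456789";                 // assumption: drop 0/1
// Assumed symbol alphabets, from most to least commonly accepted by sites.
const SYMBOL_SETS = ["!@#$", "-_.", "%&*+=?"];

// Unbiased integer in [0, n), n <= 256: rejection sampling on one CSPRNG byte.
function randInt(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

const pick = (s) => s[randInt(s.length)];

// Fisher-Yates shuffle so the guaranteed characters do not sit in fixed positions.
function shuffle(a) {
  for (let i = a.length - 1; i > 0; i--) {
    const j = randInt(i + 1);
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

// One character from every required class first, then fill from the union.
function makePassword(length, symbols) {
  const classes = [UPPER, LOWER, DIGIT].concat(symbols ? [symbols] : []);
  const all = classes.join("");
  const chars = classes.map((c) => pick(c));
  while (chars.length < length) chars.push(pick(all));
  return shuffle(chars).join("");
}

// Upper half: letters and numbers only. Lower half: one symbol alphabet per block of rows.
function makeSheet(rows = 20, length = 8, rowsPerSet = 4) {
  const sheet = [];
  for (let r = 0; r < rows; r++) {
    const block = Math.floor((r - rows / 2) / rowsPerSet);
    const set = r >= rows / 2 ? SYMBOL_SETS[block % SYMBOL_SETS.length] : null;
    sheet.push({ row: r + 1, symbols: set, password: makePassword(length, set) });
  }
  return sheet;
}
```

Nothing here leaves the page: the sheet exists only in the browser's memory and on the printout, which is the property the site relies on.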

Above all, print the page and use it to set new passwords going forward. Stop using names of family members, co-workers, pets, keyboard patterns, phone numbers and birthdays. In many cases your Facebook friends could all guess these, and they can be easily identified by those running files of passwords against a website. Never use the same password twice for different accounts. When you have used all the passwords on the sheet, print a new sheet. Replace existing passwords when you find them on an old sheet. You don't want to continue with the same password for an account beyond 180 days. There should be some renewal going on, and the starting of a new sheet is a good way to trigger this. Never cycle or re-use passwords, particularly from a written list, and remember to keep your sheet private. This isn't a Post-it note for the side of your screen!! It's far better off and more mobile in your wallet.

Enjoy your privacy, security and safety online, and if you wish to send me a note I can be reached at office AT brunettemail.com

All the Best,

Owen.

