Help me escape from Password Hell
My employer is performing the annual round of security training over the next couple of weeks, and everyone received an email announcement about it today containing the following advice:
To help protect your personal financial information, you should have a different and unique password for all online services that you use. Remember, the best passwords use a combination of upper and lower case letters and numbers. An easy way to create and remember a unique password is to think of a catchy phrase, and then use letters and numbers from the phrase to create your password.
While most would think that’s great advice, my immediate thought was “that’s insane! I have accounts on more than 100 services on the web! How can I possibly remember unique passwords for each one?”
I am a ravenous beta web application junkie, and I probably use at least 10 web services (email, RSS, bookmarking, etc.) on a daily basis which all require passwords. And of course there are passwords that I use at work to access various systems, account passwords on the home computers and network, account credentials for my side-work clients (who depend on me to keep up with them!) and many more I’m sure I’m not thinking of right now.
I replied to the email and asked for suggestions on how to apply the advice in my situation. The response: try a password manager. But I’ve looked at those before and there’s a flaw - they can only store and retrieve your passwords on the computer you install them on. It’s not as if I would only access password-protected accounts from one computer. I have a computer at home (actually 4 to choose from at this point!), a computer at work, a Pocket PC phone, and a wi-fi enabled iPod Touch (when I borrow it from the hubby), not to mention I do occasionally go places with computers I don’t own, like my family’s houses. If I install a password manager on one computer then how am I supposed to use it on any of the others? Passing this on as a reply to the reply got no response.
My applied solution to the password overload problem has not been elegant. I hadn’t planned this method but it’s what I’ve fallen into. I basically have about 4 “levels” of passwords with about 10 total variations. That’s about as many as my brain can keep up with. Whenever I sign up for something I ask myself a few questions and pick a password:
Level 4
- Attributes: Short, very simple
- Variations: 1
- Typical scenario: usually on a beta service signup
- Questions answered “No”: Do I trust this service to keep my password? Will I ever use this service more than a couple of times?
Level 3
- Attributes: Longer, still simple
- Variations: 1
- Typical scenario: on services I’m likely to use more than once or that were highly recommended, so I “trust” them.
- Questions answered “No”: Will it be the end of the world if someone figures out my password and logs in as me?
Level 2
- Attributes: Longer, with complicated numbers, symbols, capitalization
- Variations: 3: chars with number, no symbols; chars with number and symbol; chars with number, symbol and capital
- Typical scenario: a service that requires me to use passwords that meet their criteria
- Questions answered “No”: Will this dang thing let me sign up already with level 4 or 3 passwords?
Level 1
- Attributes: Relatively unique, using the whole “sentence as a password” thing to make something really strong.
- Variations: about 5
- Typical scenario: work credentials or a service that could expose my financial or other sensitive data
- Question answered “Yes”: Would it be devastating for someone to get access to this info?
But there’s still all the services that insist that you change your password every cycle (especially at work). I’m guilty of putting a number at the end and incrementing those so I don’t have to remember something new.
There has to be a better way to deal with all this stuff. I’ve thought about keeping a list online somewhere but that seems inherently vulnerable. And, no, OpenID can’t fix this for me. So how do you manage account/password hell?
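The two habits described above, reusing about 10 password variations across 100+ accounts and rotating by incrementing a trailing number, can both be measured rather than argued about. The following Python script is an added example, not code from the original post or from any product mentioned in it. It estimates the brute-force search space of passwords shaped like each "level" (the alphabet sizes and lengths are assumptions chosen to match the level descriptions, not figures from the post), generates a per-site random password the way a password manager would, shows the guesses an attacker who has one old password would try against an incremented replacement, and counts how many accounts fall if one shared variation leaks. The account list and word list embedded in it are constructed for the demonstration.

```python
"""Added example: measuring a tiered, reused-password scheme (not from the original post)."""
import math
import re
import secrets
import string

# Alphabets modelling the post's levels (assumption: printable-ASCII class sizes).
LOWER = string.ascii_lowercase                                      # 26 symbols
ALNUM = string.ascii_letters + string.digits                        # 62 symbols
FULL = string.ascii_letters + string.digits + string.punctuation    # 94 symbols

# Constructed word list; a real diceware list has 7776 entries, which is what
# makes a 6-word passphrase strong. This short list is only for demonstration.
WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor",
         "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble"]

# Constructed account-to-variation map mirroring the post's four levels
# (L4 = one short shared password, L3 = one longer shared password, L2/L1 = variants).
SAMPLE_ACCOUNTS = {
    "beta-rss-reader": "L4", "beta-bookmarks": "L4", "forum": "L4",
    "webmail": "L3", "photo-sharing": "L3",
    "shop-with-policy": "L2a", "bank": "L1a", "work-vpn": "L1b",
}


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits an attacker must exhaust for all length-char strings over the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Same measure for a passphrase of `words` independent random words."""
    return words * math.log2(wordlist_size)


def random_password(length: int = 16, alphabet: str = FULL) -> str:
    """Per-site password from the OS CSPRNG, the way a password manager generates one."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, words: int = 6, sep: str = " ") -> str:
    """Random passphrase; memorable, and strong only if the word list is large."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def rotation_guesses(old_password: str, window: int = 5) -> list:
    """Guesses an attacker tries knowing the user 'puts a number at the end and increments'.

    A leaked old password therefore predicts the next `window` rotations.
    """
    m = re.fullmatch(r"(.*?)(\d+)", old_password)
    if not m:
        # No trailing number yet: the first rotation usually just appends one.
        return [old_password + str(i) for i in range(1, window + 1)]
    stem, digits = m.group(1), m.group(2)
    n = int(digits)
    return [stem + str(n + i).zfill(len(digits)) for i in range(1, window + 1)]


def blast_radius(assignments: dict) -> dict:
    """How many accounts share each password variation (all of them fall if it leaks)."""
    counts = {}
    for variation in assignments.values():
        counts[variation] = counts.get(variation, 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed shapes: L4 = 6 lowercase, L3 = 10 lowercase, L2 = 8 mixed, random = 16 mixed.
    for label, (alpha, length) in {"Level 4": (LOWER, 6), "Level 3": (LOWER, 10),
                                   "Level 2": (FULL, 8), "generated": (FULL, 16)}.items():
        print(f"{label:10s} {search_space_bits(len(alpha), length):6.1f} bits")
    print(f"6-word diceware-size passphrase {passphrase_bits(7776, 6):.1f} bits")
    print("generated:", random_password())
    print("passphrase:", random_passphrase(WORDS))
    print("guesses after leak of 'Summer07':", rotation_guesses("Summer07"))
    print("accounts lost per leaked variation:", blast_radius(SAMPLE_ACCOUNTS))
```

The point the numbers make is that a single generated 16-character password already exceeds the whole Level 2 tier by a wide margin, and that the rotation trick turns a one-time leak into a standing compromise because every future password is in the attacker's first handful of guesses.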