A Fool and Her Password are Easily Parted

I’ve just spent a couple of days away at the JISC conference in Liverpool. The event was really useful (I particularly enjoyed the session by JISC Digital Media and co on Using digital media to improve teaching and learning) and there were plenty of opportunities to network (with colleagues I already knew (physically and virtually) and people I hadn’t met before). Our session on Amplified events went well and Chris Sexton has written a nice post that sums up the main discussion points. Brian Kelly has also produced a Storify story about the session.

However I know that in years to come it’s not the conference or the talks that will stick in my mind but my journey home. Liverpool to Chippenham isn’t a straight route and there is quite a lot of changing trains, finding seats, lugging bags about. By the time I got off the train in Bristol I was feeling pretty tired and looking forward to getting home and climbing into my bed. It was then that I realised that I’d left one of my bags on the train.

I went up to Liverpool on the Sunday and so had taken a couple of days clothing and essentials, my various bits of ‘on the road’ technology (such as laptop, chargers, headphones and the like) and my usual handbag stuff – keys, money, phone etc. – all this equated to 3 bags of stuff. I realised I’d left my laptop bag on the train. The thing was this wasn’t just a laptop bag containing a laptop (which would have been bad enough) but it was a laptop bag containing my laptop, my note pad and my other work papers. As I realised my mistake and I started mentally going through the contents of my bag I suddenly realised that there was something in there that I wanted to lose even less than my laptop and what was on the laptop…

I don’t have that great a memory, there is quite a lot going on in my life and I resolve this by being methodical in the way I approach things. My way to stay organised is to be very systematic and write particular things down in particular places. I also back many of these things up just in case (experience has taught me to do this) e.g. I now back up contacts by 1) writing them down in an address book 2) having them on my phone 3) synching them with Yahoo. I am also methodical in the way I remember passwords. I write them all down and have a copy of them that I store in a particular place at home. Unfortunately having a back up wasn’t really the issue here. The fact was that my laptop along with a written out list of about 250 user names and their corresponding passwords was now in an abandoned bag heading to Cardiff. There were passwords for all sorts of services from Twitter to Facebook, Paypal to Ebay, Skype to O2 – and many of these accounts had credit card details attached. I was doomed! Anyone who found the list could hack into my identity and quite possibly spend a lot of money on my behalf. Cancelling my credit cards might stop this but someone could still make my life very miserable by ‘being me’ and using my accounts.

Needless to say I was pretty upset and feeling mighty cross at my stupidity.

After a lot of running around like a headless chicken, a lot of lamenting down the phone to my team leader and a fair amount of pleading with the Bristol station to see if they could get in touch with the train I eventually resigned myself to the fact that there was nothing I could do there and then and I got on a train home. By the time I arrived home I’d already constructed a plan of my next steps – cancelling my cards, running through my ‘at home’ password list and changing the passwords on the most sensitive accounts, banging my head against the wall! However I was saved the effort, luck was on my side and as I walked in the door my husband told me that a train manager had found my bag and was taking it back to Bristol. My husband very kindly drove over to Bristol to get it for me.

So the end result is a big gold star for South Western Trains and their staff, a big gold star for my husband and a big black mark for me, my bag handling and my unacceptable way of storing passwords.

Needless to say I realise I’ve had a lucky escape, I’ve been saved the cost of a laptop and goodness knows what else. I can now clearly see the error of my ways and am on a mission to come up with a better solution for dealing with my ever growing number of logins and passwords.

When I get some time I’m going to take a look at some password managers. So far I’ve come across:

Any recommendations much appreciated. I’d also be interested in any other methods people use to store their passwords.

I realise that I’ve been a fool but hopefully telling my tale may inspire others to be less foolish. Hey I’m here to help!

13 thoughts on “A Fool and Her Password are Easily Parted”

  1. Hi Marieke,

    First off: very relieved for you that this ended happily (or at least not as catastrophically as it could have done!). We’ve all lost things in this way, and it often takes a “near-miss” to wake us up and realise that our “procedures” need a bit of sorting-out…

    I have a large number of passwords (even though an increasing number of services allow login via Twitter, Facebook, OpenID, etc.), so an encrypted password manager is a must for me. Personally, I use the KeePass family (KeePass Password Safe, and its Linux/Mac counterpart KeePassX) – mainly because it is cross-platform, and the different app versions use the same database format.

    The “clincher” for me with KeePass, is that I use Dropbox, and store my KeePass database (encrypted, remember) in my Dropbox folder. You can tell KeePass where the d/b file is located, and it will remember the location; Dropbox synchronises the file across all the linked computers, so my Linux netbook and the home Mac have the same password database at any time.

    Anyway, see what works for you – glad you “dodged the bullet”, and hopefully you’ll come out of this better prepared for the next time (which won’t happen, obviously😉 )…


  2. I use the “knowledge in the world” technique for passwords. Click on “forgot your password?” and get a new one there and then. Very secure! Did you change all your passwords just in case?

  3. I haven’t changed all my passwords just in case (would take hours) but have changed the most risky ones. I was thinking another approach might be to use the same password for all services but make it really difficult (stream of random numbers and random letters) – though the Lifehacker post suggests not to do this. My husband uses the same password for everywhere but varies the spelling and use of random characters.

  4. The trick is to obfuscate and code – find little schemes to code your passwords. Hide them with the cunning of an Indiana Jones movie. Code a pin as a telephone number in your ‘phone book. Use passwords that are chapter names in a book, or tracks on an album, verses in a song, lines of poetry. Code them also, the old trick of 0=o, 5=s, or the old SHELL OIL calculator trick, concatenate words in the manner we used to create 8 character file names (the days of MSDOS).

    If you can’t be bothered with all that there is http://lastpass.com/ LastPass – which is hyper secure (various schemes for security).

    Problem with obfuscating and coding is if you need to change passwords regularly it’s a pain (I do). Problem with LastPass is the little sods are ultimately online (even behind several layers of security), you have to be able to trust this. I’ve not found a solution yet that answers both these problems.

  5. You can use a combination of using the site name (as the link in the first post suggests) or a login name to generate a password using a mentally maintained coding/encryption procedure – that way you don’t have to write down any passwords. In practice as well I’ve found this with a strong encryption scheme robust enough to handle people snooping over your shoulder while you login (the randomness of the characters makes it difficult to follow, esp. if you include plenty of symbols). Programmers e.g. typically have lots of tricks to do with ASCII codes, hexadecimal notation, checksums, etc. up their sleeves to do this.

  6. And finally!

    Alternatively you can do as I do every time my mobile ‘phone provider asks me for my password, and say I haven’t the foggiest, I’ve got password and pin number overload, I haven’t a clue what my password is😉 They generally find a way round.

  7. What a tale of woe, followed by a fantastic outcome!
    My answer is to use the same username and password where it really doesn’t matter too much (Grows on You – the gardening forum for example)
    Everything else has the three initials of a member of my family with their date of birth interposed thus: a01b09c12

    My reminders, which ARE written down, therefore look like this
    Twitter @careersinfo uncle alf
    Facebook my googlemail auntie joan

    OK so a member of the family could hack it if they really wanted to but …

    As for credit/debit card info I use Lloyds TSB which, for all its failings about which I’ve ranted on the web for months now, uses clicksafe which has an additional password requirement.

    I tried a password manager but kept forgetting how to get into it!

  8. Glad for a happy outcome. I’ve been challenged by “your problem” for some time. My solution – a password protected Word document residing in a private folder in dropbox. Probably not ultra-secure, but it has the obvious benefit of being able to use.

    I will however now follow-up some of these very useful links and may change my strategy.

    Roll on the day when OpenID is pervasive! I was only musing the other day about just how much of “stuff” now depends to a much greater degree than it ever did upon online access – my Nectar, YourPoints, O2, VirginMedia etc etc Accounts – these are not the obvious candidates for “needing to remember” but if you forget, or don’t use because you can’t be bothered to chase your ID details up, then life begins to shrink a little. The digital divide applies to the digital literate in a very different sense, doesn’t it?

    Anyway, thanks for the post – well written and some very useful information. What else can one ask for?

  9. Thanks David. I have to come clean that I haven’t actually done anything about my passwords yet. I’ve looked at a number of online tools (I personally feel that I need something that is available ‘from anywhere’ so KeePass doesn’t really suit) but all seem to cost, especially if you want something also accessible from a phone. I’m reluctant to pay so I’m now considering other options. I’m thinking that your method might be a possibility. Maybe even a Google doc is a possibility as long as the security is set up properly?

    I’ll keep thinking about it.
