Passwords are broken unless we’re all geniuses?

In the last week we have had passwords leaked from LinkedIn, Last.fm, and eHarmony. That means hundreds of millions of people are being told by friends, family, and eventually, after a few days, by the companies themselves, that they should change their passwords.

LinkedIn’s blog post on the matter (with the laughably late title “Taking Steps to protect our members”) has the following tips for password security:

  1. Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months
  2. Do not use the same password for multiple sites or accounts
  3. Create a strong password for your account, one that includes letters, numbers, and other characters

Unless we’re all geniuses, how do they expect us to follow their advice? Let’s get this right:

  1. Change every password you use on the Internet every 3-6 months. Hmm. I struggle to remember my password at work when I change it every 6 weeks; I don't fancy doing it on every website I use (and every app on my phone). What about the sites I have stopped using?
  2. Don't use the same password anywhere, so that when you are changing your passwords you have to come up with 10 or more new ones at once!
  3. Make the password (or rather, the dozens if not hundreds of passwords you have just come up with) impossible to remember in the first place…

I read the LinkedIn post and find it incredible that they can publish that advice with a straight face without recommending a password manager such as LastPass, 1Password, or KeePass.
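To make the point concrete, here is an added example (my own illustration, not code from LinkedIn or from any of the password managers named above) of the part of the job a password manager does for you: it draws a long random password per site that satisfies the "letters, numbers, and other characters" rule, keeps one per site so nothing is reused, and can tell you which passwords in a vault are shared between sites. The vault here is a plain dictionary with constructed site names and passwords; a real manager additionally encrypts it under a master password, which is deliberately left out.

```python
import math
import secrets
import string

# Character set matching LinkedIn's rule 3: letters, numbers and other characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_policy(pw: str) -> bool:
    """True if the password contains at least one letter, one digit and one symbol."""
    return (
        any(c.isalpha() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw a password uniformly at random from the OS CSPRNG (the `secrets`
    module), re-drawing until every character class is present. Rejection
    sampling keeps the distribution uniform over policy-compliant passwords,
    unlike "pick one of each class, then fill" schemes."""
    if length < 3:
        raise ValueError("length must be at least 3 to hold every character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw):
            return pw


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Upper bound on guessing entropy: log2(|alphabet|) bits per character.
    For a 20-character password over 94 symbols this is about 131 bits."""
    return length * math.log2(len(alphabet))


def build_vault(sites) -> dict:
    """One freshly generated password per site, which is what rule 2 requires
    and what a human cannot keep in their head."""
    return {site: generate_password() for site in sites}


def reused_passwords(vault: dict) -> dict:
    """Map each password that appears under more than one site to those sites.
    A leak from any one of them exposes the others."""
    by_password: dict = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed example of the habit rules 1-3 are trying to break: a vault
# (really, a person's memory) with one password shared across two sites.
REUSED_EXAMPLE = {
    "linkedin.com": "Summer2012!",
    "last.fm": "Summer2012!",
    "eharmony.com": "Tr0ub4dor&3",
}


if __name__ == "__main__":
    print("Shared passwords:", reused_passwords(REUSED_EXAMPLE))
    vault = build_vault(["linkedin.com", "last.fm", "eharmony.com"])
    for site, pw in vault.items():
        print(f"{site:14} {pw}  ({entropy_bits(len(pw)):.0f} bits)")
    print("Shared passwords after regenerating:", reused_passwords(vault))
```

Running it shows why the advice only works with tooling: the regenerated vault has three unrelated 20-character passwords, each around 131 bits of entropy, and changing them every few months is a loop over `build_vault`, not an act of memory.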

Personally I recommend LastPass (I even pay for it!), but the reality is that no service is secure as long as it relies on passwords. The best you can hope for is to keep dodging the bullets of leaked passwords until someone comes up with a better solution, and to remember that, no matter what, you will end up using a service that gets hacked.