I now use different passwords for each important task i need to do, and i generate the passwords based on an algorithm that i can remember, based on the website.

This produces unique strong passwords that can’t be easily exposed, and if i do get hacked, it will be only on one account.

That is true and its a pity that Computer Science is not taught early. Fora graduate who is not in the scientific, technological or mathematical fields, computer science is a lot more useful than calculus.

Meili’s Runescape Blog – The Runescape Wilderness

Something that may help with security at your college is if you login from a different machine than normal it asks you a security question to make sure it’s you. I know my credit card company does that, it is annoying, but I imagine it cuts down on the trouble.

If you are relying solely on a password to authenticate users, those passwords have to be changed at some interval to ensure they haven’t been compromised. Choosing that interval carefully is important, but will be different depending on the community being served and the assets that need to be protected.

It’s certainly true that once a keylogger has been installed, it would be able to pick up any new passwords entered while it’s running. It’s not the best example, but the point was that in combination with a good anti-malware suite, that threat can be mitigated. (because the anti-malware software should detect and disable the keylogger and in many cases block it from being reintroduced) The traditional keylogger isn’t the only threat to your passwords. Your web browser is a very useful, but highly vulnerable platform that is capable of running untrusted code from any number of sources without your knowledge or express consent. (the recent Twitter XSS vulnerability is a good example)

Putting things in the cloud isn’t a silver bullet either. The cloud is a black box. You don’t control the security of what’s running in the cloud and you have no way of verifying that the company providing the cloud services is actually secure. Once your data is in the cloud, you just have to trust that it’s being properly protected.

Imaging tools are a great benefit and time-saver, but regular re-imaging as a solution to malware is equivalent to treating the symptoms while ignoring the underlying problem. If your system is compromised, re-imaging the system is just going to reset it to a still vulnerable, but uninfected state. Proper application of a good, working and up-to-date anti-malware suite and keeping your OS/application software up-to-date will block the known vulnerabilities before they can be exploited.

Still, the main point of all this was user authentication. My main point is that passwords alone may no longer be sufficient to protect anything of value. Standard length passwords are too easy to crack and strong passwords are often too difficult to remember. Changing them frequently mitigates some problems with compromised passwords, but also exacerbates the issue above.

To handle keeping track of your password, you can, for example, embed the four digit year or a HEX version of it in your strong password without loss of strength and change only that part each year and still pass the new password test IT throws down.

I find the key-logger argument a poor one, as once a key-logger is installed on your machine, you are basically toast: the key-logger can also detect your new password. If a key-logger is installed it is likely other spy-ware is installed as well.

One big benefit of the cloud is that each client machine becomes “thinner”, it can be more easily be re-imaged as a routine maintenance task, thus removing stale, alien, dangerous and polluted entities.