Re: Disposable passwords for disposable accounts
>In reality, you only really need a 2 tier password system, and re-use should be fine in both.
I think you will find that a 4 tier approach pretty much covers it:
Tier 1: Sites that require "registration"/sales contact details to enable you to get at stuff. These as other have noted should be treated to your junk details.
Tier 2: The majority of the internet, where money isn't involved and it's only the reputation of "wibble wobble" at stake, although you may be exposing some 'personal' information eg. an active email address and your geo location. I suspect that these are the sites that the MS report is mainly referring to.
Tier 3: Work, Shopping (eg. ebay, Amazon) and other sites where either monies or services that directly impact your lifestyle (eg. utilitiy companies) are involved. Hence these sites will contain real and live details about you. These sites really need individual passwords that get changed periodically, however even here a level of themed reuse/overlap isn't totally out of order. These are the important sites that the MS report refers to.
Tier 4: Critical sites: Bank, HMRC, Credit reference/identity protection service.
These sites should only need your email address to send you 'reminders', but do tend to have demanding access criteria using two tier login that may involve bank cards, phone and pin keypads. Because of the demands of these sites, unless they are used alot, people don't tend to remember the access details and so only access them from home or other location where they have all the necessary paraphernalia to hand.
Obviously, it is up to the user to decide which tier to place a site and to determine an appropriate id and password strategy they will adopt for each tier.
Biting the hand that feeds IT
