Forgot your password?
typodupeerror
Security

Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say 280

Posted by Unknown Lamer
from the brain-full-try-again-later dept.
An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum." Not only do they recommend reusing passwords, but reusing bad passwords for low risks sites to minimize recall difficulty.
This discussion has been archived. No new comments can be posted.

Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

Comments Filter:
  • This makes sense. (Score:3, Insightful)

    by Anonymous Coward on Wednesday July 16, 2014 @10:50AM (#47466617)

    My intuition says that most people do this. Though, I could be wrong.

    • Re:This makes sense. (Score:5, Interesting)

      by Anonymous Coward on Wednesday July 16, 2014 @11:18AM (#47466905)

      The point of password reuse is to use an algorithm that you can remember but not someone can guess.

      This is not my password but it's an example of how I create one:
      If I visit a site and it's name is GoogleSucks.com, I will use my "easy" word + the first syllable of the site + a padding word that I use on all sites, Depending on how asinine the password requirements are, the beginning or end of the password will be padded with numbers and symbols, but always the same ones.
      So Googlesucks.com might be turkeyGootrucking8
      and another site like a bank site that I want higher entrophy on will use a different algorithm, so BOA might end up a hard non-englisht word + the passing word, then the company's initials + needed password entrophy, so BOA would end up with namastetruckingBOA8

      So when I use sites that want to remember my shipping address or credit card (I never save my credit card number, I don't care how "safe" your site is) I use the harder credentials. I just want to post a comment on the many HuffPo type of sites, easy password all the time. So while each password for each site is unique, effectively the easy password is reused but padded with something unique to the site so that even if the password was stolen it's unusable for any other site.

      • by ultranova (717540)

        This is not my password but it's an example of how I create one:

        And this is why the algorithm method won't work: people can't keep their mouths shut. Letting everyone know how clever you are is a drive that's almost impossible to resist, because it simultaneously helps your group and demonstrates your value to it, so it's selected for double strength. Consequently, the only way to have secure passwords is to generate them randomly and just write them down. Heck, just generate them for the user and tell th

        • Hmmm, let me think about this. Which is safer?

          A. Have a system similar to what an anonymous person online described, and never have to write down or save a password for sensitive sites; or

          B. Have my computer remember all my passwords, and still have to write them all down for when I am out of the house.

          I know what I consider to be more secure. How about others?

        • If a bank lets you use ONLY a password to access your accounts it is clear that they do not care much about theft. The rest of their security will be similarly crappy. I would trust them with my mortgage. Not my savings or payment accounts.

          My bank requires me to log in with a unique single use code. That code is generated by a "random reader". To generate a code I need to put my PIN card in that reader and enter the PIN.
          After I have logged in I still need to sign my transactions. Also with a single use code

    • Re:This makes sense. (Score:5, Interesting)

      by vtcodger (957785) on Wednesday July 16, 2014 @11:34AM (#47467081)

      My intuition says that most people do this. Though, I could be wrong.

      Well, some of us try to do it. We are, regrettably, impeded by whacked out sysadmins who insist we must use THEIR idea of a strong password -- which always seems to be different from anyone else's idea of a strong password, and/or that we need to change passwords periodically, and/or that we can't reuse passwords.

      I sometimes seems that there is an inverse relationship between the actual need for security and the system administrator's perception of the need for security.

      But other than the fact that users often have to contend with the idosyncracies of sociopaths who feel that anything that is easy to use is clearly flawed, this seems a pretty good idea. If it gets the attention it deserves, perhaps it might be one small first step toward straightening out the incredible mess that is computer security.

      • Re:This makes sense. (Score:4, Informative)

        by SQLGuru (980662) on Wednesday July 16, 2014 @11:59AM (#47467331) Journal

        Yep. This has been my strategy for many years. I rank sites by how much I care whether they are compromised. For low ranked sites, they get one of several easy passwords (depending on how important THEY think their passwords are). For critical sites (i.e. banking info) they get a unique strong password conforming to the password rules.

      • Re:This makes sense. (Score:5, Interesting)

        by knarfling (735361) on Wednesday July 16, 2014 @12:26PM (#47467541) Journal

        I see that someone has had problems with a sysadmin.

        Try to remember that not all sysadmins are BOFH. Some actually agree with you on the need for complex passwords and how often they should be changed. Many of them, however, have to follow outdated and impractical guides forced upon them by government standards in order to comply with HIPA, SOX, or PCI.

        There are a couple of things that bother me, though. The first is pattern re-use. P@$$word521 does meet the complexity requirements of many systems. But when you use P@$$word125, P@$$word251, P@$$word215 and then tell everyone that you use P@$$word with the same three numbers and just rotate the numbers, it is not much better than a post-it under the keyboard. Complex passwords do not have to be difficult to remember. Just because someone has difficulty coming up with good passwords does not mean that a hard-to-remember password is actually complex.

        The second thing that bothers me is when a sysadmin will force a password policy on you, but won't use it himself. I know one admin that forced a password change every 90 days for all accounts except his. When he left the company, his password history was completely blank. He had used the same password for years. While I think passwords could live longer than 90 days and twice a year would be sufficient for many passwords, if a change is required, it should be required for all users including the sysadmin.

        Just my little rant.

      • by gman003 (1693318)

        We are, regrettably, impeded by whacked out sysadmins who insist we must use THEIR idea of a strong password -- which always seems to be different from anyone else's idea of a strong password, and/or that we need to change passwords periodically, and/or that we can't reuse passwords.

        I sometimes seems that there is an inverse relationship between the actual need for security and the system administrator's perception of the need for security.

        This.

        I tried to do something basically like this - I have three password strengths, one for low-security throwaway stuff, another for regular stuff (with suffixing so one compromised site won't affect others unless I am specifically targeted), and a max-security one.

        Guess which one I use for banking. It's the mid-tier one, MINUS the special characters and suffix. They have an upper length limit that keeps my max-security password from being used for the one thing it really should have been used for.

        The only

        • by knarfling (735361)

          We are, regrettably, impeded by whacked out sysadmins who insist we must use THEIR idea of a strong password -- which always seems to be different from anyone else's idea of a strong password, and/or that we need to change passwords periodically, and/or that we can't reuse passwords.

          I sometimes seems that there is an inverse relationship between the actual need for security and the system administrator's perception of the need for security.

          This.

          I tried to do something basically like this - I have three password strengths, one for low-security throwaway stuff, another for regular stuff (with suffixing so one compromised site won't affect others unless I am specifically targeted), and a max-security one.

          Guess which one I use for banking. It's the mid-tier one, MINUS the special characters and suffix. They have an upper length limit that keeps my max-security password from being used for the one thing it really should have been used for.

          The only thing that max-security password secures now is root access to my BSD box (and I have sudo set up with nopw, so I never even use that). Everything else is secured by something that really isn't secure enough.

          So in other words, nothing has your max security. if you left your screen open and unattended for a moment, a person wouldn't even need your password to crack your BSD box. I hope your BSD box doesn't have anything important on it. The nopw option of sudo should NEVER be used. It is like putting a huge un-pickable lock on your door and then never locking it because it is too inconvenient to pull your keys out. If you use sudo (which I do use often and I believe it is useful, convenient and CAN be secure), y

  • by dskoll (99328) on Wednesday July 16, 2014 @10:50AM (#47466621)

    That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

    • by dskoll (99328) on Wednesday July 16, 2014 @10:54AM (#47466653)

      Following up on myself: That research paper is awesome! Never before have I seen the use of partial differential equations to justify unequivocal bullshit. Amazing! They must've really worked hard on that.

    • by cdrudge (68377)

      So what is this ideal password keeper? And how to do you access it whenever and wherever you're located?

      • by dskoll (99328)

        I use something called TkPasman, which runs on my Linux desktop. I don't use a mobile device much to surf the web, and never to log into any sites I care about because it's just too painful.

        I could access it in a pinch by tunneling X over SSH back to my main computer, and I have done so in the past. Another thing I do is sync the password database to the handful of Linux desktops I use on a regular basis.

        The password manager keepassx is available for Mac OS, Windows and Linux and you can sync the data

        • And what if you have a house fire, break in, or accident?

          • by dskoll (99328)

            I have two off-site backups: One to an encfs partition in my office and one to an encfs partition in a colocated server 200km away. Next question?

        • by Fred Mitchell (3717323) on Wednesday July 16, 2014 @11:26AM (#47466995) Homepage
          A simpler approach is to have a few high-entropy passwords and append a value at the end that is unique to each website using some self-created rule for it that is easy for you to remember. I would speak on how I do this but I won't for obvious reasons. :p

          A great way to remember your passwords is to use them often. The more the better.

          What kills me is that different sites have different password restrictions that infuriates me. Some force you to use "special characters", others forbid it. Some force you to use a combination of letters and numbers, and many force you to use at least one uppercase letter and one lowercase letter. Some even restrict how long your password can be!!!!

          This wrecks havoc with my high-entropy passwords that now becomes useless or needing to be altered, as in capitalizing a letter that I totally forget about later...

          • What kills me is that different sites have different password restrictions that infuriates me.

            Yeah, that. Though I basically do what the article says and have "weak" passwords for things like Slashdot, and stronger ones for things involving money. I'd like to be able to use my strongest password everywhere, but many places don't support that many characters. yes it's longer than "correct horse battery staple"

            Obligatory XKCD:

            http://xkcd.com/936/ [xkcd.com]

      • by Russ1642 (1087959)

        I've used one for years. I primarily use it on my phone but it's backed up and synchronized across all my devices. I use a VERY long password but I can type it very quickly. I can quickly log into anything, even if it has been a year since I've logged in. I can also store important personal items such as insurance and health information.

      • by CrimsonAvenger (580665) on Wednesday July 16, 2014 @11:09AM (#47466819)

        I doubt it's ideal, but I use PasswordSafe and carry it on a USB stick.

        And in the end, there are only about three computers I ever access it from.

      • by Geeky (90998)

        I use KeePass and synchronise the file so I have access to it on all my devices including my phone. There are clients for just about every platform.

      • by sexconker (1179573) on Wednesday July 16, 2014 @12:04PM (#47467359)

        So what is this ideal password keeper? And how to do you access it whenever and wherever you're located?

        KeePass. It has strong encryption options, it isn't tied to any site or service, the (encrypted) database can be synced however you want (such as with Dropbox) and used on any devices you want (including phones), it's got all sorts of options for generating passwords, automatically typing them, automatically expiring them, etc., and it's fairly light weight.

        • by Dynedain (141758)

          I love KeePass, but the community needs some help...

          There's a myriad of client apps for it, but the 1.7 vs 2.X database formats fragments the market.

          2.X requires Mono if you want to run it on Linux or OSX.

          I wish they had a central dev team with first-class OSX, Windows, and Linux versions like VLC or Transmission.

    • Re: (Score:3, Insightful)

      by sideslash (1865434)

      That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

      I didn't RTA, but when you say it's stupid not to always use a strong password, aren't you making an unwarranted assumption? There are some sites where it truly doesn't matter. On such sites I will never send any sensitive data, and all I want is to get past the annoying login to get to something I care about. You know, like the bugmenot cases. If you take the time to create such accounts for yourself with an insecure(!) and memorable password, there's nothing wrong with that.

      • Re: (Score:3, Insightful)

        by dskoll (99328)

        There are some sites where it truly doesn't matter.

        I don't believe that. You may think it doesn't matter, but when it comes to identity theft, any little crumb of information may be useful to an attacker. And if you use the same weak password across a whole slew of supposedly "unimportant" sites, an attacker may be able to piece together a lot of information about you... enough to surprise you with cell phone bills you didn't sign up for, credit cards in your name, etc.

    • Re: (Score:2, Insightful)

      by reanjr (588767)

      Yeah, because single point of failure is exactly how you want to perform security.

    • by jbmartin6 (1232050) on Wednesday July 16, 2014 @11:23AM (#47466959)
      This isn't stupid at all, it is something missing from a lot of security advice: a hint of reality. The amount of effort any person will put towards security, or any other goal, is finite. Therefore it is useful to put at least some thought into how that limited effort can be used for the maximum benefit. For the most part, I don't care what my gawker password is or all the other silly little logons. I use the same simple password for all of them because there is zero risk to me if they are compromised, other than someone else can now post with the screen name I picked (and don't care about) To suggest that I should lug around a password safe and log into it every time I need to use one of these zero risk logons is to suggest that I squander my limited security effort. It is far better to conserve that effort for things that are actually important.
    • That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

      Well, in the Microsoft Universe it was good advice. The rest of us are ten years past that point, though, and are using password managers.

      I only have to remember one password - the rather long one I've used to protect my OS X login keychain. Well, and my login password... so I guess that's two.

    • Re: (Score:2, Insightful)

      by AudioEfex (637163)

      You trust one of those absurd "password keepers" and think that making a risk assessment on low-danger websites where no harm could come even if someone did by remote chance try to break into your account is stupid?

      If you are one of the password zealots, using one of those "hey stuff all your passwords into one convenient app!" programs is simply the dumbest thing you can do. It's akin to taking every object you own with any value, including all your cash, important papers, SS card, etc. out of your saf

      • by dskoll (99328) on Wednesday July 16, 2014 @12:04PM (#47467357)

        But I sure as fuck am not going to put ALL of them into ANY app or single program - there are backdoors built into routers these days, you expect some start-up (or even established) "password keeper" doesn't have that possibility? I am concerned for your common sense.

        Woah, woah, woah, chill out!

        I have the complete source code for my password manager. And guess what... I've even read the source code!

        It uses "openssl bf" to encrypt (that's the Blowfish cipher). In spite of all the warnings about OpenSSL holes, I don't believe anyone's yet found a problem with its Blowfish implementation, and though Blowfish is old and there may be weak keys, I don't believe it has serious vulnerabilities especially when only used to encrypt small files.

    • I use a password manager for the bad practice of high password complexity. Passwords like 'mj%9F!17' that should have never been created because they're crap, and impossible to remember.

      For my important stuff--like my password safe password--I use passwords like "crazy_dutch_flying_candybar". It really doesn't make a difference if you use underscores, spaces, or concatenation; just use the same always so you never have to remember how you formatted it. Most systems accept underscores, and concatenation

    • by Charliemopps (1157495) on Wednesday July 16, 2014 @11:48AM (#47467223)

      That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

      Whats dumb is giving the same advice over and over, building your security policy around those people following that advice all despite 30yrs of evidence that proves they wont follow the advice

      Security is as much about psycology as procedure. I worked at AT&T a little over 10yrs ago and one day they announced that the password requirements to one of their systems would be changed to now require a 29 letter phrase, including at least 3 spaces, capitals, lower case, numbers and special characters. The end result? A utopia of highly secure, un-crackable system to be proud of? No... the whole company had their passwords written on post-it notes stuck to their monitor within a week.

      • by TonyJohn (69266)
        Hmm. 29 letters you say? How's about: "AT&T have 0 secret passwords."
      • by dskoll (99328)

        Actually, writing down your password is a good idea as long as you keep it in your wallet. People understand how to protect their wallets. Posting it in a public place is probably not such a good idea.

    • by steak (145650)

      and once that one strong password has been obtained by neerdowells they have access to everything.

    • Re: (Score:3, Insightful)

      by Rob the Bold (788862)

      That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

      Why? Not everything requires that much security. And not everything needs so much security as to require you to bring your password list -- locked in a password keeper though it may be -- with you at all times and subject to possible loss or theft. Not to mention the hassle of carrying it around and tying a lengthy passphrase to do low-risk things.

      At my bank, I've noticed that things are locked up with different degrees of security based (I assume) on the perceived risks vs. usability. The paper towels in t

  • Bah (Score:5, Insightful)

    by Nimey (114278) on Wednesday July 16, 2014 @10:51AM (#47466625) Homepage Journal

    Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

    That said, the linked paper is long and math-heavy, so I rate it likely the submitter (and the "editor") misunderstood something.

    • by dskoll (99328)

      The linked paper did mention password managers in passing, but dismissed them as being vulnerable to client-side malware which could compromise all your passwords. That assumption is true if you're running your password manager on a Windows system, I suppose, which is likely the only thing the "Redmond researchers" are even aware of. But if you keep your password manager on a separate device or run it under a secure sandbox in a secure OS, you're much better off than the paper implies.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        If you're using a secure sandbox to run a secure OS to store your secure passwords, you're so far, far, far removed from the average user that you don't matter.

      • Re:Bah (Score:5, Interesting)

        by TheCarp (96830) <sjc@noSPAM.carpanet.net> on Wednesday July 16, 2014 @11:18AM (#47466903) Homepage

        I have to say, I REALLY like password manager someone was working on that was based on, I think, a rasberry pi, where it would actually act as a USB HID to enter the password, and keeps your encrypted passwords on its physical hardware device.

        Still susceptable to keyloggers and other malware but...1) they can only get the passwords as you use them and 2) they will NEVER see your master password since it never even gets entered into the machine, but only to the password keeper device.

        Now THAT is how to do passwords right.

        • You can buy a YubiKey [yubico.com] to do this today without any finicking with a Raspberry Pi. There are a few modes depending on the devices you buy. First is what you say -- it can emulate a keyboard, and input a password for you whenever you press a button on the device. It can also perform HOTP/TOTP authentication, and some of them can act as a legitimate security token that integrates with your platform's crypto.
      • by tlhIngan (30335)

        The linked paper did mention password managers in passing, but dismissed them as being vulnerable to client-side malware which could compromise all your passwords. That assumption is true if you're running your password manager on a Windows system, I suppose, which is likely the only thing the "Redmond researchers" are even aware of. But if you keep your password manager on a separate device or run it under a secure sandbox in a secure OS, you're much better off than the paper implies.

        Yeah, if you keep your

      • Client-side malware is easy. Just write dancing pigs for Linux, and package it for Listaller.
    • Re:Bah (Score:4, Insightful)

      by Sqr(twg) (2126054) on Wednesday July 16, 2014 @11:32AM (#47467053)

      Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

      ...if, and only if, the password manager is completely secure in itself.

      If the terminal used to access the password manager is compromised, then the attacker gets the master password and thus access to all keys - not just the one that was requested.

      In other words, you might have used an insecure computer to log on to slashdot, and the attacker now has your bank login credentials.

    • Meh, then you still need to have access to that password manager on any computer you want to visit that site with.

  • No duh (Score:4, Insightful)

    by gurps_npc (621217) on Wednesday July 16, 2014 @10:53AM (#47466643) Homepage
    When some site, like say slashdot, uses passwords not for real security, but instead to identify it's users, then only an idiot wastes their memory creating a 'good password' for it.

    Better to use the same crappy password for web sites that do involve real financial risk.

    Of course, if you use that same password for a bank account, or anything that knows a credit card number, SS#, or similar information, you need to have your head examined.

    • by Nethead (1563)

      I'm using the same crappy password on slashdot that I got the account with.

    • But what if someone steals your Slashdot account, then you get a job interview and one of the interview questions is, "You called me a faggot on Slashdot back in 2002. How has this affected your career?"
  • by djupedal (584558) on Wednesday July 16, 2014 @10:54AM (#47466659)
    In other news, researchers in Europe have discovered there is more risk to your data when taking password advice from MS than ever before.
    • Really? The way I read it is there is a group of free websites that don't require any personal information so don't volunteer any, keep an extra spam catching email account to sign up with, and don't sweat the small stuff.

  • Just bad, every site has different rules, at least one I use restricts the length to something daft like 10 chars. The should at minimum print the requirements (must have uppercase, digits etc) next to the password box, because as soon as I get into the reset-password screen for the umpteenth time and read those requirements I remember which password I used on that site.

    Doesn't change the fact that requiring users to somehow remember or securely store a bunch of random gibberish to do anything on any websit

  • by medv4380 (1604309) on Wednesday July 16, 2014 @11:02AM (#47466737)
    The advocacy for Password Managers and Password Keepers is just utter BS. If some nothing website insists that I have to make an account just to post one little comment, and I might come back 5 years later to post again then they're getting generic username plus generic password. I'm not waisting my time making some uber powerful password, and utilizing something just to remember it. Even then the OpenID solution would have been great but every once in a while I'm presented with the option of logging in with my Google ID and giving some organization full access to my contact list, or full access to my google drive. Screw them, and I'll just create generic account just for their site though their old interface just so they can't read my contacts or documents. If they're so worried that people are using BS passwords on their site that spammers keep hacking to post then maybe they should accept better business practices.
    • by Average (648)

      The thing is, I'm already having to use a password manager to keep track of my valuable passwords. With what, easily a dozen banking-ish relationships (cards, mortgage, retirement, etc) alone. That battle on complexity was lost long ago (ymmv).

      Thus, if I've already resorted to a password manager for my valuable life, adding an entry to that vault for even the most trivial sites (and creating a random password) is easier than remembering a throwaway name/pass for even 30 seconds.

      It's not that "you need a p

      • by medv4380 (1604309)
        I don't actually have to remember hundreds of different throwaway usernames and passwords. It's One username/password combo for hundreds of websites. Makes it easy when 5 years later you forget you made an account for the site and it says sorry that username already exists. Which since it's a stupid nonsense username that only I would use I just go login and put it with the password that it should be. Any spammer that hacks that one account has access to hundreds of sites to post as me, and you know what. I
      • by Ardyvee (2447206)

        What about the remember your password function on your browser? Do you, would you use that?

        Note: I consider this to be on a different category than password managers since (by my experience) anybody capable of logging-in on the machine has access to the account.

    • I'm not waisting my time making some uber powerful password, and utilizing something just to remember it.

      There are tools that make this trivially easy, you know.

    • by bmo (77928)

      Lastpass fills in both the "new password" and "confirm new password" automagically after you've generated a secure password. This makes passwords for trivial sites even more trivial to use.

      I cannot even imagine what I would have had to do when I had to re-set all my passwords one night and /didn't/ have a password manager to type all that shit in for me, including the "new password" and "confirm new password" fields. It would have taken half a day, but instead it only took one hour. And all that stuff is

    • by wvmarle (1070040)

      I have three bank accounts, two PayPal accounts and a credit card account. That's six highly sensitive logins.

      Then I have my local computer (remote ssh login) and a remote cloud server (remote ssh login). Also requiring decent passwords. That's eight already. Plus one generic password for slashdot and all the other forums.

      So that's nine passwords to remember. Well, I may be able to manage that.

      Now the second part: remember which password belongs to which service, without making your passwords something like

  • So complex (Score:4, Funny)

    by Impy the Impiuos Imp (442658) on Wednesday July 16, 2014 @11:05AM (#47466767) Journal

    So re-use low complexity passwords for unimportant sites and use high-complexity unique passwords for important sites.

    Got it. Low for my bank account, high for World of Warcraft.

    • You could even refer to something low-complexity as a "PIN", and something of high complexity as a "password". I imagine you're already doing that for your bank and game respectively.
  • I apply ROT-13 encryption on my passwords TWICE, and write down the resulting string in a post it note and paste it to the *underside* of the key board. Ha, ha, I am really safe. I can use this technique on all the sites, high value... low value... no value... INBD.
  • Absolutely (Score:4, Insightful)

    by swillden (191260) <shawn-ds@willden.org> on Wednesday July 16, 2014 @11:06AM (#47466783) Homepage Journal

    I've always done this. I have one short, low-entropy password which I use on ALL low-risk web sites. For example, it's the one I use on slashdot. I don't really care if anyone gets in and starts posting stuff as me. In fact it might be a good thing, since it would give me some plausible deniability for the stupid things I sometimes say :-)

    For important sites (e.g. financial), I use long, randomly-generated passwords and manage them in a password manager, which itself is protected with a very strong password. But for everything else, that's too much effort and serves no purpose. And for my "crown jewels" account -- my e-mail account, which if hacked would provide the intruder with the ability to reset most all of my other passwords -- I use a strong password and have two-factor authentication enabled.

  • by erice (13380) on Wednesday July 16, 2014 @11:10AM (#47466825) Homepage

    This is why it is infrurriating when low importance sites require high complexity passwords. They create unnecessary exposure for the limited pool of high complexity passwords I can remember. Meanwhile, the bank will take anything.

    • Yeah, this one is the worst. These low-complexity sites started to have more rules. Things like minimum 8 chars, mix of case, at least one number and one letter...

      Now, for all these low priority sites, I have to remember permutations of my password.

    • by wvmarle (1070040)

      At least one of my banks complained of a too long password when I used an 8-character password. I had to shorten it to no more than 6 characters.

      Some forums don't even accept that short passwords.

    • Meanwhile, the bank will take anything.

      Really? I'm so used to "6-8 characters, no symbols, etc.". You'd think these things would be regulated.

  • by MindPrison (864299) on Wednesday July 16, 2014 @11:15AM (#47466875) Journal
    Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

    This article has been approved by the NSA!
  • HAHA WUT? (Score:3, Interesting)

    by bmo (77928) on Wednesday July 16, 2014 @11:15AM (#47466877)

    Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service.

    This has to be a fucking joke. It has to be. bmo looks at calendar. Huh, it's not April 1.

    And what, exactly, is a "low security service?" The only "low security service" I can possibly think of is stuff like Mailinator where you don't even use a password.

    Remember when the entire Youporn chat login credentials file was leaked? You know, the one with real names, aliases, emails, and passwords in cleartext? Remember? Nearly every single password was usable on Facebook and the same password was reused in email.

    People had fun with that. I was in /g/ when it happened. I laughed at the results.

    Yahoo lost control of my fucking credentials twice showing logins from Romania and Sweden. I no longer use Yahoo Mail as a result, except as a throw-away, and the last time pushed me over the edge into using a password manager that holds -unique to every site- passwords that I can't even remember myself at 25 characters of complete ASCII gibberish. And you know what? It's easier on top of being more secure.

    Lose control over your login credentials at one place, and the rest is vulnerable if you recycle them elsewhere. Password re-use over multiple sites is fucking bad. Anecdotes aren't data but I don't care about your calculations because my reality trumps your poorly researched paper.

    --
    BMO

    • by Lazere (2809091)
      My slashdot password does not need to be high entropy. I can probably use the same password for a soylentnews account. While it's true that if one gets compromised, they both do, guess what? I don't care. Nope. Not one bit. Facebook's different, email's different, my bank is different. What do I care if my pointless accounts get compromised? If you're using these types of accounts on computers you don't control, it makes sense to have easy to remember passwords and keep the high-entropy passwords for the ac
      • by bmo (77928)

        Using a password manager makes it just as easy to have secure passwords as it is to have easy to remember passwords that you recycle everywhere.

        And it fills them in for you, automagically, when you have to do the "new password" and "confirm new password" fields on a new site.

        People complaining that password managers are complex never used one.

        --
        BMO

    • > And what, exactly, is a "low security service?"

      Slashdot gets my low-security password. If someone gets my Slashdot password and posts as me, I don't much care. I REUSE the same low-security password on Yelp, so if you hack Slashdot, you can post a restaurant review with my name. Whoop-tee-doo.

      • by bmo (77928)

        So then tell me what your slashdot password is if it's that trivial.

        I can be trusted. I have a 5 digit UID!

        --
        BMO

  • One major issue I can see with this is the sheer number of websites that have arbitrary password restrictions: capitals, special characters, numbers, etc. The worst ones are those that require multiples of each, so that there is no way you can make something easy to remember - and then expect you to come up with another password in two weeks.

    Until website operators realize that putting arbitrary restrictions on passwords doesn't help them to be any more memorable (and likely not any more secure), I can't se

  • Using weak passwords for cases when a password at all is unnecessary should be the norm as a defense against phishing, even by a company you presently trust. Mandatory complexity increases are probably being used already to undermine password variety. When a password has to be one thing different each time (another capital letter, another numeral, another punctuation mark) a service of dubious character could very quickly spot patterns that could be used improperly.
  • My weak passwords aren't actually weak but they're relatively simple, I use them for forums etc, my email has a STRONG password because it's the keys to the kingdom of all my accounts, and if I used online banking that would have a strong password as well.

    Something that helps to make a simple password unique and stronger yet memorable is to come up with a way to mix in something from each site. For example you could postfix them with the dominant color on the site, for Slashdot that would be green.

  • The problem is that once you allow a hacker to penetrate a low value service it could give a hacker the threads needed to start unravelling through social hacking.

    If I were some kind of hacker (don't have the time) it would be through the least secure systems and social hacking that I would start. I personally would think that attacking a core server that is most likely locked down solidly and is sat on by an army of paranoid administrators. I would much prefer if someone simply gave me the keys to the s
  • that it's trivially easy to create an easy to remember hard password.

    Example:
    First girlfriend was Sally Mendoza
    You lived on 123 Main st

    naiM321azodneM_yllaS_A

    the A is for rotation.

    There are may patterns you could use.
    Use the first line of a poem and the birth year of your mom.
    In_Xanadu_did_Kubla_Khan_44
    or do it backwards.
    even
    P4ssw0rds_wh0s3_g0t_t1me_f0r_that

    • Create passwords? Remember them? That's what pseudo-random number generators and encryption are for. I haven't got time nor a lax enough attitude towards password management to think I'm better than encryption.

  • The problem with crazily-complex passwords is that if you can't remember them you write them down, and, at a stroke, have compromised security. One of the worst I've encountered is the U.S. Customs eAPIS [dhs.gov] web site, for sending advance information when you want to fly a private plane or sail a private boat to the U.S.

    The other issue is that you risk locking out legitimate access.

    My bank does the password plus security question thing. My security questions (you can make up your own) are more than a little

  • Its very easy.

    I use lines of poetry or songs.

    An example of something I might do would be to take this line:

    To be or not to be, that is the question.

    And I turn that into this:
    2bon2btitQ

    Anything that could be phonetically interpreted as a number is written as a number. All words are lower case except nouns.

    Therefore, all I have to do to remember that password, is to remember "to be or not to be, that is the question" and I remember that password.

    Another one might be

    "Mary had a little lamb who's fleece was whi

  • What's the next clue?

    password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes

    Really? Wow, you had to do a study to "prove" what any dingbat(including myself) has known for years, using that rarefied skill called "Common Sense".

  • Why would anyone need to "remember" anything other than a handful of passphrases? Let computers remember the 99%. That's the point of them.

"In matters of principle, stand like a rock; in matters of taste, swim with the current." -- Thomas Jefferson

Working...