Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say 280
An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum."
Not only do they recommend reusing passwords, but reusing bad passwords for low risks sites to minimize recall difficulty.
Re:Dumb dumb dumb advice... (Score:4, Informative)
I doubt it's ideal, but I use PasswordSafe and carry it on a USB stick.
And in the end, there are only about three computers I ever access it from.
Re:Dumb dumb dumb advice... (Score:5, Informative)
That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.
Whats dumb is giving the same advice over and over, building your security policy around those people following that advice all despite 30yrs of evidence that proves they wont follow the advice
Security is as much about psycology as procedure. I worked at AT&T a little over 10yrs ago and one day they announced that the password requirements to one of their systems would be changed to now require a 29 letter phrase, including at least 3 spaces, capitals, lower case, numbers and special characters. The end result? A utopia of highly secure, un-crackable system to be proud of? No... the whole company had their passwords written on post-it notes stuck to their monitor within a week.
Re:This makes sense. (Score:4, Informative)
Yep. This has been my strategy for many years. I rank sites by how much I care whether they are compromised. For low ranked sites, they get one of several easy passwords (depending on how important THEY think their passwords are). For critical sites (i.e. banking info) they get a unique strong password conforming to the password rules.
Re:Dumb dumb dumb advice... (Score:5, Informative)
So what is this ideal password keeper? And how to do you access it whenever and wherever you're located?
KeePass. It has strong encryption options, it isn't tied to any site or service, the (encrypted) database can be synced however you want (such as with Dropbox) and used on any devices you want (including phones), it's got all sorts of options for generating passwords, automatically typing them, automatically expiring them, etc., and it's fairly light weight.