Security

Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say 280

Posted by Unknown Lamer
from the brain-full-try-again-later dept.
An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum." Not only do they recommend reusing passwords, but also reusing bad passwords for low-risk sites to minimize recall difficulty.
  • This makes sense. (Score:3, Insightful)

    by Anonymous Coward on Wednesday July 16, 2014 @09:50AM (#47466617)

    My intuition says that most people do this. Though, I could be wrong.

  • by dskoll (99328) on Wednesday July 16, 2014 @09:50AM (#47466621)

    That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

  • Bah (Score:5, Insightful)

    by Nimey (114278) on Wednesday July 16, 2014 @09:51AM (#47466625) Homepage Journal

    Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

    That said, the linked paper is long and math-heavy, so I rate it likely the submitter (and the "editor") misunderstood something.

  • No duh (Score:4, Insightful)

    by gurps_npc (621217) on Wednesday July 16, 2014 @09:53AM (#47466643) Homepage

    When some site, like say slashdot, uses passwords not for real security, but instead to identify its users, then only an idiot wastes their memory creating a 'good password' for it.

    Better to use the same crappy password for web sites that do involve real financial risk.

    Of course, if you use that same password for a bank account, or anything that knows a credit card number, SS#, or similar information, you need to have your head examined.

  • Re:Bah (Score:2, Insightful)

    by Anonymous Coward on Wednesday July 16, 2014 @10:06AM (#47466773)

    If you're using a secure sandbox to run a secure OS to store your secure passwords, you're so far, far, far removed from the average user that you don't matter.

  • Absolutely (Score:4, Insightful)

    by swillden (191260) <shawn-ds@willden.org> on Wednesday July 16, 2014 @10:06AM (#47466783) Homepage Journal

    I've always done this. I have one short, low-entropy password which I use on ALL low-risk web sites. For example, it's the one I use on slashdot. I don't really care if anyone gets in and starts posting stuff as me. In fact it might be a good thing, since it would give me some plausible deniability for the stupid things I sometimes say :-)

    For important sites (e.g. financial), I use long, randomly-generated passwords and manage them in a password manager, which itself is protected with a very strong password. But for everything else, that's too much effort and serves no purpose. And for my "crown jewels" account -- my e-mail account, which if hacked would provide the intruder with the ability to reset most all of my other passwords -- I use a strong password and have two-factor authentication enabled.

  • by sideslash (1865434) on Wednesday July 16, 2014 @10:09AM (#47466821)

    That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

    I didn't RTA, but when you say it's stupid not to always use a strong password, aren't you making an unwarranted assumption? There are some sites where it truly doesn't matter. On such sites I will never send any sensitive data, and all I want is to get past the annoying login to get to something I care about. You know, like the bugmenot cases. If you take the time to create such accounts for yourself with an insecure(!) and memorable password, there's nothing wrong with that.

  • by reanjr (588767) on Wednesday July 16, 2014 @10:13AM (#47466857) Homepage

    Yeah, because single point of failure is exactly how you want to perform security.

  • by jbmartin6 (1232050) on Wednesday July 16, 2014 @10:23AM (#47466959)
    This isn't stupid at all, it is something missing from a lot of security advice: a hint of reality. The amount of effort any person will put towards security, or any other goal, is finite. Therefore it is useful to put at least some thought into how that limited effort can be used for the maximum benefit. For the most part, I don't care what my gawker password is or all the other silly little logons. I use the same simple password for all of them because there is zero risk to me if they are compromised, other than someone else can now post with the screen name I picked (and don't care about). To suggest that I should lug around a password safe and log into it every time I need to use one of these zero risk logons is to suggest that I squander my limited security effort. It is far better to conserve that effort for things that are actually important.

  • by Fred Mitchell (3717323) on Wednesday July 16, 2014 @10:26AM (#47466995) Homepage

    A simpler approach is to have a few high-entropy passwords and append a value at the end that is unique to each website using some self-created rule for it that is easy for you to remember. I would speak on how I do this but I won't for obvious reasons. :p

    A great way to remember your passwords is to use them often. The more the better.

    What kills me is that different sites have different password restrictions, which infuriates me. Some force you to use "special characters", others forbid it. Some force you to use a combination of letters and numbers, and many force you to use at least one uppercase letter and one lowercase letter. Some even restrict how long your password can be!!!!

    This wreaks havoc with my high-entropy passwords, which then become useless or need to be altered, as in capitalizing a letter that I totally forget about later...

  • Re:Bah (Score:4, Insightful)

    by Sqr(twg) (2126054) on Wednesday July 16, 2014 @10:32AM (#47467053)

    Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

    ...if, and only if, the password manager is completely secure in itself.

    If the terminal used to access the password manager is compromised, then the attacker gets the master password and thus access to all keys - not just the one that was requested.

    In other words, you might have used an insecure computer to log on to slashdot, and the attacker now has your bank login credentials.

  • by AudioEfex (637163) on Wednesday July 16, 2014 @10:43AM (#47467185)

    You trust one of those absurd "password keepers" and think that making a risk assessment on low-danger websites where no harm could come even if someone did by remote chance try to break into your account is stupid?

    If you are one of the password zealots, using one of those "hey stuff all your passwords into one convenient app!" programs is simply the dumbest thing you can do. It's akin to taking every object you own with any value, including all your cash, important papers, SS card, etc. out of your safe or safety deposit and just leaving them in a cardboard box, putting it in one storage shed outside your home, and "securing" it with an off-brand padlock on it you got 2 for 1 at the dollar store. If someone does break into it, by breaking just one lock, you've just given them everything you own of any value.

    Now THAT is stupid.

    Particularly the phone app based ones - most of which backup to "the cloud" - please, seriously. They are all written by unknown companies that I'm sorry, I'm not willing to trust the most essential data I have to, much less allow them to back up. But even if you disable that (then when you drop your phone and it busts you are fucked), or use a desktop version (lot of good that does on the go), they still make no sense whatsoever. Even if it's a "known" brand - still absolutely frigging retarded. It's amazing how many folks see the promise of encryption and think it's safe - unless you are decompiling the source code, you have no idea you can even trust that. But even if it is truly encrypted - have you never heard of the very time-tested wisdom against putting all your eggs in one basket?

    It makes perfect sense to reuse the same password, or very close, for stupid sites where there really is little risk to begin with. Every fucking thing you do on the Internet requires a login these days - "Oh noes! Someone hacked into my Pollstar.com account, that doesn't even have my real name attached, and signed me up for concert date notifications for Taylor Swift to my dummy email account!"

    You need your strongest password for your email (which is the key to many site password resets), and hopefully you are smart enough to have multiple throw-away email addresses for low-priority stuff (which you can conveniently forward, or, as I do, just have multiple accounts on your phone or tablet device). Next you need to have decently strong passwords for your financial sites, depending on what they are. But beyond that - even for things like your cable company - not much someone can do, even if they break into it, that can't be undone, aside from pay my bill for me (and if anyone wants to do that, shoot me a message, I'll send you the damn password). My payment info is saved, but it's ********** out, someone can't glean the number from logging in as you. Someone can play a trick and upgrade your service I guess? I'm sure the world's foremost hackers are right on that one.

    Like everything, there is a middle ground. You just need to make a reasonable risk assessment by site. I basically have three tiers - one, strongest for email/financial, two, semi-reused for things like paying my cable bill or light subscription maintenance, etc., and three, reused for stupid sites that shouldn't require a login anyway, or where the data is completely inconsequential (the aforementioned Pollstar, etc).

    But I sure as fuck am not going to put ALL of them into ANY app or single program - there are backdoors built into routers these days, you expect some start-up (or even established) "password keeper" doesn't have that possibility? I am concerned for your common sense.
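    One way to check a portfolio against the tiered-reuse policy that the summary, swillden and AudioEfex describe (the strongest password reserved for e-mail and financial accounts and never shared, reuse confined to low-risk sites), as an added example that is neither the paper's code nor any commenter's; the site names, tiers, passwords and the 80-bit threshold are constructed for illustration.

```python
import math
import string
from collections import defaultdict

# Constructed sample portfolio: site -> (tier, password). Tier numbers follow
# the three-level scheme in the thread: 1 = e-mail/financial (strongest, unique),
# 2 = semi-reused (billing, subscriptions), 3 = throwaway logins.
PORTFOLIO = {
    "mail.example": (1, "Tq8#vLp2!zRw9mKd"),
    "bank.example": (1, "Tq8#vLp2!zRw9mKd"),   # same password on two tier-1 sites: flagged
    "cable.example": (2, "summer2014"),
    "news.example": (2, "summer2014"),
    "forum.example": (3, "letmein"),
    "concerts.example": (3, "letmein"),        # reuse within tier 3 is allowed
    "wiki.example": (3, "summer2014"),         # tier-2 password used on a tier-3 site: flagged
}

def charset_bits(pw):
    """Bits per character from the character classes present in pw."""
    size = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in pw):
            size += len(cls)
    return math.log2(size) if size else 0.0

def estimated_entropy(pw):
    """Crude upper-bound estimate of password entropy in bits (length * charset bits)."""
    return round(len(pw) * charset_bits(pw), 1)

def audit(portfolio, min_bits_tier1=80):
    """Return sorted (finding, sites) pairs for policy violations.

    Rules encoded from the thread: a tier-1 password is never shared with any
    other account, a tier-1 password meets a minimum entropy estimate, and a
    password is never reused across different tiers.
    """
    findings = []
    by_pw = defaultdict(list)
    for site, (tier, pw) in portfolio.items():
        by_pw[pw].append((tier, site))
    for uses in by_pw.values():
        tiers = {t for t, _ in uses}
        sites = sorted(s for _, s in uses)
        if 1 in tiers and len(uses) > 1:
            findings.append(("tier1-shared", sites))
        elif len(tiers) > 1:
            findings.append(("cross-tier-reuse", sites))
    for site, (tier, pw) in portfolio.items():
        if tier == 1 and estimated_entropy(pw) < min_bits_tier1:
            findings.append(("tier1-weak", [site]))
    return sorted(findings)
```

    Run `audit(PORTFOLIO)` to list the two violations in the sample; a portfolio whose reuse stays inside tier 3 and whose tier-1 passwords are unique and long enough returns an empty list.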

  • by dskoll (99328) on Wednesday July 16, 2014 @11:04AM (#47467357)

    But I sure as fuck am not going to put ALL of them into ANY app or single program - there are backdoors built into routers these days, you expect some start-up (or even established) "password keeper" doesn't have that possibility? I am concerned for your common sense.

    Woah, woah, woah, chill out!

    I have the complete source code for my password manager. And guess what... I've even read the source code!

    It uses "openssl bf" to encrypt (that's the Blowfish cipher). In spite of all the warnings about OpenSSL holes, I don't believe anyone's yet found a problem with its Blowfish implementation, and though Blowfish is old and there may be weak keys, I don't believe it has serious vulnerabilities especially when only used to encrypt small files.

  • by dskoll (99328) on Wednesday July 16, 2014 @11:06AM (#47467369)

    There are some sites where it truly doesn't matter.

    I don't believe that. You may think it doesn't matter, but when it comes to identity theft, any little crumb of information may be useful to an attacker. And if you use the same weak password across a whole slew of supposedly "unimportant" sites, an attacker may be able to piece together a lot of information about you... enough to surprise you with cell phone bills you didn't sign up for, credit cards in your name, etc.

  • by bmo (77928) on Wednesday July 16, 2014 @11:43AM (#47467697)

    have you never heard of the very time-tested wisdom against putting all your eggs in one basket?

    Have you ever heard of backups? For someone supposedly technically astute, you seem to have dropped that idea on the floor. I'll pick it up for you.

    --
    BMO

  • by Rob the Bold (788862) on Wednesday July 16, 2014 @11:44AM (#47467705)

    That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

    Why? Not everything requires that much security. And not everything needs so much security as to require you to bring your password list -- locked in a password keeper though it may be -- with you at all times and subject to possible loss or theft. Not to mention the hassle of carrying it around and tying a lengthy passphrase to do low-risk things.

    At my bank, I've noticed that things are locked up with different degrees of security based (I assume) on the perceived risks vs. usability. The paper towels in the bathroom are locked up with a "key" that anyone could grab off the janitor's cart if they really wanted to. Or pick the lock easily. Or just physically bust open the plastic dispenser to get to the sweet, sweet wipes inside. The tellers all have cash drawers that they lock with a key that they keep with them. The vault is locked with a multi-layered security system far more secure than the tellers' drawers. Now why might that be? Why not put the paper towels in the vault and bring two officers with you to the vault/restroom so you can be issued a single towel to dry your hands after washing them? It would greatly reduce towel waste and theft, right? Why not give each janitor a unique key, so you know who has filled the dispenser at audit time like with the cash drawers?

    Similarly with low-risk logins, convenience can outweigh security. I don't necessarily need to protect a login to paywalled New York Times articles with the same diligence that I guard my bank login. Why would I create a strong password for that, keep it in keepass (or whatever), enter a passphrase in my phone or tablet or notebook to retrieve it when I could just sit down and enter my relatively weak default password with much less hassle? I guess if the Gray Lady was hacked, she might reveal a password/username combination that would allow ne'er-do-wells to also access my high-quality streaming on the PBS website. Oh well. It's not really a risk to me on the order of giving away the money in my bank account.
