Even Password Manager Subscribers Reuse Passwords, Study Finds (pcmag.com) 61

An anonymous reader shares a report: It's not exactly breaking news that people reuse passwords, but you might expect password manager subscribers to avoid the practice. You'd be wrong, according to a new study. Dashlane's downer of a report draws on saved logins analyzed on-device by Dashlane's software across "millions" of individual and business accounts. It finds dismally high percentages of password reuse worldwide. The US and Canada rank the worst of every region Dashlane tracked, with 48% of passwords in individual password vaults being reused. Another 15% rate as compromised, meaning those passwords have shown up in data breaches.

Combined with other security data points, the US and Canada land at a security score of 72.6 out of 100 in Dashlane's report, the lowest of all 14 regions covered in the study. The report, along with the Password Health score that Dashlane's software computes for individual users, emphasizes the longstanding problem of password reuse because that practice leaves its practitioners so vulnerable to getting hacked.

  • No Good Solutions (Score:5, Insightful)

    by nealric ( 3647765 ) on Thursday October 03, 2024 @02:30PM (#64837545)

    If you don't have a password manager (or some master password document), then nobody who exists in the modern digital age can avoid password reuse absent savant-level memory. The number of different websites and other sundry accounts people encounter often numbers in the hundreds.

    Password managers are a proposed solution, but most folks don't really want to be dependent on a password manager every time they want to log in to Slashdot. The fact of the matter is, most online logins are relatively low risk if they are hacked. If a botnet wants to post as me on Slashdot, that's annoying but it's not going to ruin my life. So folks with a password manager may use it for their online banking but stick to a few standbys for things like internet forums. It's not the end of the world.

    • I suppose the real threat there is the temptation to cross the streams, and use your non-secure password for something that turns out to need a secure, unique password, or on something that allows teh Hax0rs to gain access to your secure, unique password.
      • I meant to say A secure, unique password, not THE secure, unique password. Of course. As if I only had one! Ridiculous. Heh. Heh heh.
      • by PPH ( 736903 )

        Simple solution: I have two dogs.

      • So perhaps the real danger is that, with so many sources of information and so many potentially risky logins, it's fatally easy to overlook something and get hacked. We don't feel we can afford to spend a third of our time on security.

    • Re: (Score:2, Interesting)

      Unless you have a shared password you salt with something about each realm.

      • Re:No Good Solutions (Score:4, Informative)

        by fph il quozientatore ( 971015 ) on Thursday October 03, 2024 @04:25PM (#64837919)
        Is this any more secure than reusing a password? If a breach determines that my Slashdot password is hunter2slashdot, then guess what my Reddit password is?
        • Re: (Score:2, Funny)

          by Anonymous Coward

          My guess is *******reddit.

        • Yes.
          Let's say your password, along with a million others, is leaked in some security breach.
          Who's going to be adding this logic into their automated tools to try and get into other accounts?

          • by unrtst ( 777550 )

            Who's going to be adding this logic into their automated tools to try and get into other accounts?

            I would, if I were doing such a task.

            FWIW, they already do a lot of smart stuff rather than direct brute forcing passwords. If they get some breach data, you had better believe they're doing this sort of thing as well (and if not, they're idiots, and I doubt that's the case). It's simple enough to put into some bullet points, and there are much better/more sophisticated ways to do this:

            * sort list by (username | email); IE: do a round of each, and one sorted by both
            * for each, slurp in all the entries for l

    • by AmiMoJo ( 196126 )

      I prefer the password manager. It fills in the password for me, and the username. Saves me typing it, and means it's strong. I can change it as often as I like without worrying about forgetting it.

      If I ever wanted to log in somewhere that doesn't have my password manager on the machine, I have it on my phone.

      • Many people these days access sites/apps with passwords from half a dozen different devices. Also, despite password managers insisting there is no way the stored passwords can be compromised, from time to time you hear about people compromising them because you are dependent on the password manager (a third party out of your control) to follow best practices.

        • by AmiMoJo ( 196126 )

          So don't use a third party, keep control of it yourself.

          And what is the alternative? Reuse passwords because you can't remember dozens of different ones? Then you are just reliant on multiple third parties not getting hacked.

    • Actually the reason I have some reused passwords in my manager is just because they predate my use of a password manager. While I could go through and reset them all to be unique passwords that's a real pain and so I only did that for important sites.

      So, while you are right that I do not care about low risk sites, I do use my password manager for everything and it's the effort to change passwords that is the reason not everything is unique.
    • Trash sites (Score:4, Interesting)

      by Spazmania ( 174582 ) on Friday October 04, 2024 @07:36AM (#64839095) Homepage

      I sign up for a lot of trash sites where if they didn't require a login I would never have created one in the first place.

      Why should I bother with a unique password for these sites when I literally do not care if someone steals the credentials?

  • Reused passwords are from the times before you start using the password manager.

    Changing those passwords is a hassle. They stay unchanged and reused.
    • by kqs ( 1038910 ) on Thursday October 03, 2024 @02:51PM (#64837605)

      This. But also, even after using a password manager, there are some sites where I just don't care if it is compromised; I'd rather not have an account at all if it were an option. Plus, I've found a number of mobile sites and apps which don't play nice with password managers and disallow pasting on login screens. So yeah, I still have a few duplicate passwords, and I'm happy with my life choices.

      Passwords in general are a bad solution to the problem of security. Make 2FA easier to use and to update. Care about security more than profits (Apple!). But stop making me update my passwords every 90 days, or requiring complex passwords (a letter, a number, a symbol, a Japanese kanji character, and an emoji). No more security theater.

      • Passwords in general are a bad solution to the problem of security

        I agree but I've read articles about people trying to solve the password problem for decades now, pretty sure people were getting annoyed with online passwords by the late 90's as I recall.

        There just isn't a great solution out there with how fragmented the internet has become; none of the actors that feasibly could provide a web-wide SSO at this point are ones anyone wants with that responsibility (USG, Microsoft, Google, Meta).

        So passwords managers I think are "not great but preferable to the alternative

        • by unrtst ( 777550 )

          There just isn't a great solution out there with how fragmented the internet has become; none of the actors that feasibly could provide a web-wide SSO at this point are ones anyone wants with that responsibility (USG, Microsoft, Google, Meta).

          So passwords managers I think are "not great but preferable to the alternatives" type thing.

          Not that this solves anything, but flip that outlook. Because of the fragmentation, we all have to use multiple means of managing passwords:
          * For some subset of sites, you use the same dumb password because they don't matter and you want to be able to just type it.
          * For some other subset of sites, you use the "login with Facebook" or "login with Google" or whatever. You can even do a few sets of those, and then you just need to remember a couple passwords to cover tons of sites.
          * For some other subset of si

    • I'll get around to it eventually.

    • False. Plenty of people use password managers to handle out of sync passwords, or passwords that don't meet their complexity requirements.

      What's your default password: ey7kay? Great. Now you need a password manager to remember which sites you used ey7kayKK to enforce the 8 digit + capital recommendation, or the Ey7kay&k to enforce those which require a special character. God forbid you have a password requirement that is a minimum of 15 characters to fuck you up even more.

      I know lots of people who use p

  • I use a password manager (RoboForm), with upwards of 400 credentials saved. Do I ever reuse passwords? Yes, sometimes. For applications that I consider important from a security standpoint, I use complex and unique passwords. For things I care less about, I may use simpler passwords which might be repeated. This is especially true for applications where I may need to enter the password manually, or on my phone keyboard. I'm aware of the risks of password reuse, and I accept those risks where I see fit.
    • Exactly this, probably most of the "guilty" users here are reusing passwords on low risk and/or throwaway accounts.
    • I use a password manager (RoboForm), with upwards of 400 credentials saved. Do I ever reuse passwords? Yes, sometimes. For applications that I consider important from a security standpoint, I use complex and unique passwords. For things I care less about, I may use simpler passwords which might be repeated. This is especially true for applications where I may need to enter the password manually, or on my phone keyboard. I'm aware of the risks of password reuse, and I accept those risks where I see fit.

      Yeah, I reuse passwords in places I don't really care if someone hacks my account. For places that are important to me, I use a password seed based on the site that I'll remember to create a semi-random password. Haven't needed a password manager so far.

    • I'm an IT professional, so no, I don't reuse passwords for anything that matters. I do occasionally sign up for a newsletter, app or whatever with a crappy password if the Dashlane integration isn't working (which it doesn't always).

      The other thing is Dashlane gets its own messages wrong. It says my 20 character fully random password that I use at Google is "reused" - but that's because it's got the same one in the database 6 times (with different URLs on it). Same goes for AWS, and a few other big sites. A

  • When literally every site requires a login & password, there are some not worthy of a unique password. I don't care if you login to a job portal and start applying for jobs in my name
  • by dark.nebulae ( 3950923 ) on Thursday October 03, 2024 @02:56PM (#64837623)

    It's easy to think "Oh, I don't need a special password for a stupid Domino's account, it's only pizza..."

    But your account leaks personal info about you (namely your address and where you've sent pizzas before), and if you have a stored credit card with them, you might find a charge where you've sent a large number of pizzas to some party you were never going to be invited to...

    Password reuse often happens when the perception of risk is low, but I think that is a reflection that those that reuse passwords underestimate real risks involved.

    • Here the problem is not really about reusing passwords, but about storing credit cards online.
      • I've had this happen. My password was secure, but there was an authentication bypass flaw on the web site and my credit card was used for a fraudulent purchase.

  • As a matter of course, I have gotten to the point that opening up Bitwarden's password generator is just second nature whenever I need a password. I only adjust it if I'm forced to do so for some reason.

    And, to that last point - I think some website admins are at least partially at fault here. Even now, it is unfortunately not uncommon to find websites which still follow 2005-era password practices, combined with some absurdly-short maximum password length. It takes a special kind of idiot to doggedly limit

  • by Firethorn ( 177587 ) on Thursday October 03, 2024 @03:04PM (#64837645) Homepage Journal

    I wonder how many false alerts there might be. When I was in university, I had a single password that the manager complained was shared across around a dozen sites; it didn't recognize that they were all university sites that shared the same logon and password, centrally controlled. I couldn't have different passwords for them if I wanted to.

    My bank, credit cards, loan, utilities, and such all get different secure passwords. Slashdot and such I care less about.

  • Does it matter? (Score:4, Interesting)

    by Murdoch5 ( 1563847 ) on Thursday October 03, 2024 @03:12PM (#64837669) Homepage
    How many accounts are sensitive enough to protect with a custom high security password? I use ProtonPass, and I'm rather pedantic about password security, but even I reuse a few passwords on low sensitivity systems. If it stores my credit card information, or, sensitive information about me, I'll protect it, but outside of that, and you'll probably get an old favourite (not one of my passwords).

    Passwords don't have to be unique, and demanding every password is unique, causes more of an issue because people pick bad passwords, even if they use a password manager. When you need a good custom password, either use the max length allowed, or just go 128+ alphanumeric symbolic characters, and have the password manager generate it.
  • I wonder if this is a question of timing. I know people who adopt password managers after they already have reused passwords. They dutifully enter all those reused passwords into the app. Then, they use random generation for future passwords, but the old ones stick around due to inertia.

  • by xanthos ( 73578 ) <xanthos&toke,com> on Thursday October 03, 2024 @03:31PM (#64837741)
    Nice to know that a company specializing in credential management is taking the time to compile, analyze and report on the data they have been entrusted with from millions of individual and business accounts. Gives me the warm fuzzies.
    • Exactly. If they salted every entry, then they won't be able to tell password reuse.
      Maybe they store everything in plain text, because it's easier for the Jupyter Notebooks this way?

  • That's because for a ton of websites people would have preferred to use them anonymously but cannot as they are forced to sign up thus they (re)use simple stupid passwords.

  • If they're relying on those health reports for this, as it seems they are, then I don't trust this. I have a fair number of sites that are on separate domains yet use single logons. E.g., a health insurance provider and its captive pharmacy. My password manager complains about these, but it's as designed. It also happens following mergers, while the old site is still supported.
  • Many of my oft-reused passwords have also appeared in data breaches.

    So what?

    There are sites that manage a lot of valuable or sensitive information for me, sites that manage none, and sites at varying levels in between. And for the sites that just don't matter at all, I use one of my "low-security" passwords, because I really just don't care. My slashdot password is one of these, actually. If someone hijacks my /. account and locks me out, fine. Might get me to stop wasting time here.

    These days, the

  • 48% tells us nothing because there is nothing to compare it against. Presuming a goal of measuring if a password manager improves behavior would be to compare the rate for passwords created within the past year vs passwords that the users imported when they first began using a password manager.

    They also need to correct for websites that share a password database such as Disney/Hulu and most corporate AD environments. They also ought to remove the local Starbucks WiFi password from their "compromised" list

  • Not all duplicate passwords are really duplicates. I have at least two cases where a single site has two distinct domain names and they are totally interchangeable. One is just two letters and the other is much longer. So, every time I run the checker in my vault, it lists these as dups.

    When I was working, this was especially true for many internal and external systems that were like this. Many were anycast systems which had the anycast name (used in most cases) and a system specific name used when someone

  • Every website wants you to have an account these days. I couldn't care less if someone "hacks" my access to a newspaper that I am not even paying for or something similar. Maybe re-used passwords are a symptom of something else entirely.
  • It's worth a monthly fee not to use a portable app and a thumb drive? I use unique passwords I don't know for everything but KeePass and root, but I let my browser store and sync the ones where a breach of security doesn't concern me much.
  • No need to reuse passwords. There is single sign-on.
    • There isn't. My bank doesn't accept SSO. My government does not accept SSO. My employer does accept SSO but only one, particular SSO. That is somewhat equivalent to accepting no SSO at all. SSO is a pipe dream, it does not exist in practice.
  • by stanjo74 ( 922718 ) on Thursday October 03, 2024 @06:57PM (#64838301)

    PMs should salt every entry. They should not be able to tell if I'm reusing passwords. Being able to look at the database and tell password reuse, is an attack vector when the database inevitably leaks. If they collected the stats on the device, then this device is too chatty for my taste.

  • How many of them are throwaway free New York Times and Medium accounts?

  • I actually expect people that use password managers are more likely to reuse passwords. Many of them are people hunting for lazy solutions not for security.
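
Several commenters above describe reuse checkers flagging a single centrally managed login that is saved under several domains, and others point out that per-entry salting hides reuse from anyone who only sees the stored digests. The Python below is an added example illustrating both points; it is not code from Dashlane, the study, or any commenter, and the vault rows, the `LINKED_DOMAINS` list and all function names are constructed assumptions.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample vault (not real credentials): (site, username, password)
VAULT = [
    ("portal.university.example", "jdoe", "Tr0ub4dor&3"),
    ("mail.university.example", "JDoe", "Tr0ub4dor&3"),
    ("library.university.example", "jdoe", "Tr0ub4dor&3"),
    ("forum.example", "jd", "hunter2"),
    ("news.example", "jd", "hunter2"),
    ("bank.example", "jdoe", "k9$Vq!2mZx#7Lp"),
]
# Assumption: the user or an admin declares which domains share one central login.
LINKED_DOMAINS = [
    {"portal.university.example", "mail.university.example",
     "library.university.example"},
]


def account_key(site, username, linked=LINKED_DOMAINS):
    """Map a vault entry to the account it really belongs to."""
    for group in linked:
        if site in group:
            site = min(group)  # one stable name for the whole group
            break
    return (site, username.lower())


def reuse_report(vault, linked=LINKED_DOMAINS):
    """Count reuse per entry (naive) and per distinct account (adjusted)."""
    by_pw_entries = defaultdict(int)
    by_pw_accounts = defaultdict(set)
    for site, user, pw in vault:
        by_pw_entries[pw] += 1
        by_pw_accounts[pw].add(account_key(site, user, linked))
    naive = sum(n for n in by_pw_entries.values() if n > 1)
    accounts = {a for accts in by_pw_accounts.values() for a in accts}
    # A password counts as reused only if two different accounts share it.
    adjusted = sum(len(a) for a in by_pw_accounts.values() if len(a) > 1)
    return {
        "entries": len(vault), "naive_reused": naive,
        "accounts": len(accounts), "adjusted_reused": adjusted,
    }


def salted_digests(vault, iterations=10_000):
    """Per-entry random salt: equal passwords produce unrelated digests."""
    return [
        hashlib.pbkdf2_hmac("sha256", pw.encode(), os.urandom(16), iterations)
        for _, _, pw in vault
    ]


if __name__ == "__main__":
    print(reuse_report(VAULT))
    print(len(set(salted_digests(VAULT))), "distinct salted digests")
```

On the constructed vault the naive count flags 5 of 6 entries, while the per-account count flags 2 of 4 accounts; the six salted digests are all distinct, so reuse is only measurable where the plaintext is available.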
