Even Password Manager Subscribers Reuse Passwords, Study Finds

An anonymous reader shares a report: It's not exactly breaking news that people reuse passwords, but you might expect password manager subscribers to avoid the practice. You'd be wrong, according to a new study. Dashlane's downer of a report draws on saved logins analyzed on-device by Dashlane's software across "millions" of individual and business accounts. It finds dismally high percentages of password reuse worldwide. The US and Canada rank the worst of every region Dashlane tracked, with 48% of passwords in individual password vaults being reused. Another 15% rate as compromised, meaning those passwords have shown up in data breaches.

Combined with other security data points, the US and Canada land at a security score of 72.6 out of 100 in Dashlane's report, the lowest of all 14 regions covered in the study. The report, along with the Password Health score that Dashlane's software computes for individual users, emphasizes the longstanding problem of password reuse because that practice leaves its practitioners so vulnerable to getting hacked.Â

No Good Solutions

[nealric]

If you don't have a password manager (or some master password document), then nobody who exists in the modern digital age can avoid password reuse absent savant-level memory. The number of different websites and other sundry accounts people encounter often numbers in the hundreds.

Password managers are proposed solution, but most folks don't really want to dependent on a password manager every time they want to login to Slashdot. The fact of the matter is, most online logins are relatively low risk if they are hacked. If a botnet wants to post as me on Slashdot, that's annoying but it's not going to ruin my life. So folks with a password manager may use it for their online banking but stick to a few standbys for things like internet forums. It's not the end of the world.

Re:

[Pseudonymous Powers]

I suppose the real threat there is the temptation to cross the streams, and use your non-secure password for something that turns out to need a secure, unique password, or on something that allows teh Hax0rs to gain access to your secure, unique password.

Re:

[Pseudonymous Powers]

I meant to say A secure, unique password, not THE secure, unique password. Of course. As if I only had one! Ridiculous. Heh. Heh heh.

Re:

[PPH]

Simple solution: I have two dogs.

Re:

[viperidaenz]

Which dog is the secure dog?

Re:

[PPH]

Which dog is the secure dog?

The mean one. Wait until you get bit and then enter that as your bank password.

Re:

[Mal-2]

So you own both By-Tor and the Snow Dog?

Re:

[Archtech]

So perhaps the real danger is that, with so many sources of information and so many potentially risky logins, it's fatally easy to overlook something and get hacked. We don't feel we can afford to spend a third of our time on security.

Re:

[viperidaenz]

Unless you have a shared password you salt with some thing about each realm

Re:No Good Solutions

[fph il quozientatore]

Is this any more secure than reusing a password? If a breach determines that my Slashot password is hunter2slashdot, then guess what my Reddit password is?

Re:

[Anonymous Coward]

My guess is *******reddit.

Re:

[viperidaenz]

Yes
Lets say your password, along with a million others is leaked in some security breach.
Who's going to be adding this logic into their automated tools to try and get into other accounts?

Re:

[unrtst]

Who's going to be adding this logic into their automated tools to try and get into other accounts?

I would, if I were doing such a task.

FWIW, they already do a lot of smart stuff rather than direct brute forcing passwords. If they get some breach data, you had better believe they're doing this sort of thing as well (and if not, they're idiots, and I doubt that's the case). It's simple enough to put into some bullet points, and there are much better/more sophisticated ways to do this:

* sort list by (username | email); IE: do a round of each, and one sorted by both
* for each, slurp in all the entries for l

Re:

[AmiMoJo]

I prefer the password manager. It fills in the password for me, and the username. Saves me typing it, and means it's strong. I can change it as often as I like without worrying about forgetting it.

If I ever wanted to log in somewhere that doesn't have my password manager on the machine, I have it on my phone.

Re:

[nealric]

Many people these days access sites/apps with passwords from half a dozen different devices. Also, despite password managers insisting there is no way the stored passwords can be compromised, from time to time you hear about people compromising them because you are dependent on the password manager (a third party out of your control) to follow best practices.

Re:

[AmiMoJo]

So don't use a third party, keep control of it yourself.

And what is the alternative? Reuse passwords because you can't remember dozens of different ones? Then you are just reliant on multiple third parties not getting hacked.

Manager Easy, Reseting Passwords the Pain

[Roger W Moore]

Actually the reason I have some reused passwords in my manager is just because they predate my use of a password manager. While I could go through and reset them all to be unique passwords that's a real pain and so I only did that for important sites.

So, while you are right that I do not care about low risk sites, I do use my password manager for everything and its the effort to change passwords that is the reason not everything is unique.

Trash sites

[Spazmania]

I sign up for a lot of trash sites where if they didn't require a login I would never have created one in the first place.

Why should I bother with a unique password for these sites when I literally do not care if someone steals the credentials?

those are old passwords

[dawg1234]

Reused passwords are from the times before you start using the password manager.

Changing those passwords is a hassle. They stay unchanged and reused.

Re:those are old passwords

[kqs]

This. But also, even after using a password manager, there are some sites where I just don't care if it is compromised; I'd rather not have an account at all if it were an option. Plus, I've found a number of mobile sites and apps which don't play nice with password managers and disallow pasting on login screens. So yeah, I still have a few duplicate passwords, and I'm happy with my life choices.

Passwords in general are a bad solution to the problem of security. Make 2FA easier to use and to update. Care about security more than profits (Apple!). But stop making me update my passwords every 90 days, or requiring complex passwords (a letter, a number, a symbol, a Japanese kanji character, and an emoji). No more security theater.

Re:

[jacks smirking reven]

Passwords in general are a bad solution to the problem of security

I agree but I've read articles about people trying to solve the password problem for decades now, pretty sure people were getting annoyed with online passwords by the late 90's as I recall.

There just isn't a great solution out there with how fragmented the internet has become, none of the actors that feasibly could provide a web-wide-SSO at this point are no-one anyone wants with that responsibility (USG, Microsoft, Google, Meta).

So passwords managers I think are "not great but preferable to the alternative

Re:

[unrtst]

There just isn't a great solution out there with how fragmented the internet has become, none of the actors that feasibly could provide a web-wide-SSO at this point are no-one anyone wants with that responsibility (USG, Microsoft, Google, Meta).

So passwords managers I think are "not great but preferable to the alternatives" type thing.

Not that this solves anything, but flip that outlook. Because of the fragmentation, we all have to use multiple means of managing passwords:
* For some subset of sites, you use the same dumb password because they don't matter and you want to be able to just type it.
* For some other subset of sites, you use the "login with Facebook" or "login with Google" or whatever. You can even do a few sets of those, and then you just need to remember a couple passwords to cover tons of sites.
* For some other subset of si

Re:

[omnichad]

I'll get around to it eventually.

Re:

[thegarbz]

False. Plenty of people use password managers to handle out of sync passwords, or passwords that don't meet their complexity requirements.

What's your default password: ey7kay? Great. Now you need a password manager to remember which sites you used ey7kayKK to enforce the 8 digit + capital recommendation, or the Ey7kay&k to enforce those which require a special character. God forbid you have a password requirement that is a minimum of 15 characters to fuck you up even more.

I know lots of people who use p

Not all passwords are equally important

[nuckfuts]

I use a password manager (RoboForm), with upwards of 400 credentials saved. Do I ever reuse passwords? Yes, sometimes. For applications that I consider important from a security standpoint, I use complex and unique passwords. For things I care less about, I may use simpler passwords which might be repeated. This is especially true for applications where I may need to enter the password manually, or on my phone keyboard. I'm aware of the risks of password reuse, and I accept those risks where I see fit.

Re:

[jbmartin6]

Exactly this, probably most of the "guilty" users here are reusing passwords on low risk and/or throwaway accounts.

Re:

[Drethon]

I use a password manager (RoboForm), with upwards of 400 credentials saved. Do I ever reuse passwords? Yes, sometimes. For applications that I consider important from a security standpoint, I use complex and unique passwords. For things I care less about, I may use simpler passwords which might be repeated. This is especially true for applications where I may need to enter the password manually, or on my phone keyboard. I'm aware of the risks of password reuse, and I accept those risks where I see fit.

Yeah, I reuse passwords in places I don't really care if someone hacks my account. For places that are important to me, I use a password seed based on the site that I'll remember to create a semi-random password. Haven't needed a password manager so far.

Re:

[coofercat]

I'm an IT professional, so no, I don't reuse passwords for anything that matters. I do occasionally sign up for a newsletter, app or whatever with a crappy password if the Dashlane integration isn't working (which it doesn't always).

The other thing is Dashlane gets its own messages wrong. It says my 20 character fully random password that I use at Google is "reused" - but that's because it's got the same one in the database 6 times (with different URLs on it). Same goes for AWS, and a few other big sites. A

Re:

[jbmartin6]

No, the software should do what its users want.

Re:Shouldn't be possible.

[ToddDTaft]

Password managers should 100% refuse to remember the same password for multiple domains. The fact that they don't do this already is pathetic.

It's not that simple.

There are a variety of organizations that use the same authentication system for multiple domains. Disney is one of the well-known companies to do this.

Some password managers have a notion of equivalent domains which let you deal with simple cases of this; however, the configuration of these is usually more complex than just adding a new password. It's not something that most readers of this site would find difficult to do, but it's more than you could expect some non-technical users to do. Some password managers even come with some "well known" equivalent domains by default, but I've never seen one that has a list that I haven't needed to edit, even for logins to well-known large organizations. And, of course, this doesn't even begin to deal with the mess that exists in a lot of large intranets where there are multiple authentication schemes that aren't fully synchronized and knowing which one to use can vary by URL (and not just the hostname part).

Re:

[thegreatemu]

Bitwarden is fantastic for this. Create a password for your Disney account, then go try to log in to Hulu. Since you don't have credentials saved for Hulu, the default search won't find anything. So do a manual search, click on the Disney credential, and you'll get a popup that asks if you want to save the new domain to this credential. Easy peasy, no technical acumen required.

Re:

[wonky_admin]

Last I checked, Bitwarden didn't allow administrative control of domain equivalence though unfortunately. So if you're using it in an org/enterprise, you'll have to ask your thousands of users to each set that up. (And god forbid the list of equivalent domains ever changes) I'd really love to find a password manager that has administrative control (or at least influence) of equivalence lists, that plays well with subdomains. (so you can make internalsite.company.com equivalent to company.okta.com and ne

Re:

[thegarbz]

A password manager is a database. It's not a login for a system. The passwords exist on other systems. A password manager that refuses to remember your login simply because it is used elsewhere is a useless password manager, that login and password are already in place at that domain, the password manager has no say in it.

Also not everything needs a unique password. Slashdot? Reddit? Yeah I have the same password for both and I don't give a flying fuck about either account. They aren't important to me. Many

Only deserving sites get unique passwords

[bubblyceiling]

When literally every site requires a login & password, there are some not worthy of a unique password. I don't care if you login to a job portal and start applying for jobs in my name

Underestimating Risks...

[dark.nebulae]

It's easy to think "Oh, I don't need a special password for a stupid Domino's account, it's only pizza..."

But your account leaks personal info about you (namely your address and where you've sent pizzas before), and if you have a stored credit card with them, you might find a charge where you've sent a large number of pizzas to some party you were never going to be invited to...

Password reuse often happens when the perception of risk is low, but I think that is a reflection that those that reuse passwords underestimate real risks involved.

Re:

[Cochonou]

Here the problem is not really about e-using passwords, but about storing credit cards online.

Re:

[omnichad]

I've had this happen. My password was secure, but there was an authentication bypass flaw on the web site and my credit card was used for a fraudulent purchase.

It's not hard, just takes some self-training

[93 Escort Wagon]

As a matter of course, I have gotten to the point that opening up Bitwarden's password generator is just second nature whenever I need a password. I only adjust it if I'm forced to do so for some reason.

And, to that last point - I think some website admins are at least partially at fault here. Even now, it is unfortunately not uncommon to find websites which still follow 2005-era password practices, combined with some absurdly-short maximum password length. It takes a special kind of idiot to doggedly limit

False alerts possible?

[Firethorn]

I wonder how many false alerts there might be. When I was in university, I had a single password that the manager complained was shared across around a dozen sites- it didn't recognize that they were all university sites that shared the same logon and password, centrally controlled, I couldn't have differ3nt passwords for them if I wanted to.

My bank, credit cards, loan, utilities, and such all get different secure passwords. Slashdot and such I care less about.

Does it matter?

[Murdoch5]

How many accounts are sensitive enough to protect with a custom high security password? I use ProtonPass, and I'm rather pedantic about password security, but even I reuse a few passwords on low sensitivity systems. If it stores my credit card information, or, sensitive information about me, I'll protect it, but outside of that, and you'll probably get an old favourite (not one of my passwords).

Passwords don't have to be unique, and demanding every password is unique, causes more of an issue because people pick bad passwords, even if they use a password manager. When you need a good custom password, either use the max length allowed, or just go 128+ alphanumeric symbolic characters, and have the password manager generate it.

A question of timing?

[maiden_taiwan]

I wonder if this is a question of timing. I know people who adopt password managers after they already have reused passwords. They dutifully enter all those reused passwords into the app. Then, they use random generation for future passwords, but the old ones stick around due to inertia.

Thank you Dashlane!

[xanthos]

Nice to know that a company specializing in credential management is taking the time to compile, analyze and report on the data they have been entrusted with from millions of individual and business accounts. Gives me the warm fuzzies.

Re:

[stanjo74]

Exactly. If they salted every entry, then they won't be able to tell password reuse.
Maybe they store everything in plain text, because it's easier for the Jupiter Notebooks this way?

Explanation

[Artem S. Tashkinov]

That's because for a ton of websites people would have preferred to use them anonymously but cannot as they are forced to sign up thus they (re)use simple stupid passwords.

Iâ(TM)m dubious

[Flexagon]

If theyâ(TM)re relying on those health reports for this, as it seems they are, then I donâ(TM)t trust this. I have a fair number of sites that are on separate domains yet use single logons. E.g., a health insurance provider and its captive pharmacy. My password manager complains about these, but itâ(TM)s as designed. It also happens following mergers, while the old site is still supported.

I reuse passwords, a lot

[swillden]

Many of my oft-reused passwords have also appeared in data breaches.

So what?

There are sites that manage a lot of valuable or sensitive information for me, sites that manage none, and sites at varying levels in between. And for the sites that just don't matter at all, I use one of my "low-security" passwords, because I really just don't care. My slashdot password is one of these, actually. If someone hijacks my /. account and locks me out, fine. Might get me to stop wasting time here.

These days, the

What does it mean?

[denbesten]

48% tells us nothing because there is nothing to compare it against. Presuming a goal of measuring if a password manager improves behavior would be to compare the rate for passwords created within the past year vs passwords that the users imported when they first began using a password manager.

They also need to correct for websites that share a password database such as Disney/Hulu and most corporate AD environments. They also ought to remove the local Starbucks WiFi password from their "compromised" list

Some dups are essential

[kevmeister]

Not all duplicate passwords are really duplicates. I have at least two cases where a single site has two distinct domain names and they are totally interchangeable. One is just two letters and the other is much longer. So, every time I run the checker in my vault, it lists these as dups.

When I was working, this was especially true for many internal and external systems that were like this. Many were anycast systems which had the anycast name (used in most cases) and a system specific name used when someone

Stupid Passwords for Stupid Things

[laughingskeptic]

Every website wants you to have an account these days. I couldn't care less if someone "hacks" my access to a newspaper that I am not even paying for or something similar. Maybe re-used passwords are a symptom of something else entirely.

Password manager subscriber?

[John.Banister]

It's worth a monthly fee not to use a portable app and a thumb drive? I use unique passwords I don't know for everything but KeePass and root, but I let my browser store and sync the ones where a breach of security doesn't concern me much.

single sign-on

[fedor]

No need to reuse passwords. There is single sign-on.

Re: single sign-on

[glum64]

There isn't. My bank doesn't accept SSO. My government does not accept SSO. My employer does accept SSO but only one, particular SSO. That is somewhat equivalent to accepting no SSO at all. SSO is a pipe dream, it does not exist in practice.

They are not supposed to know that!

[stanjo74]

PMs should salt every entry. They should not be able to tell if I'm reusing passwords. Being able to look at the database and tell password reuse, is an attack vector when the database inevitably leaks. If they collected the stats on the device, then this device is too chatty for my taste.

How many of them

[ceoyoyo]

How many of them are throwaway free New York Times and Medium accounts?

false conclusion

[bloodhawk]

I actually expect people that use password managers are more likely to reuse passwords. Many of them are people hunting for lazy solutions not for security.