75% Use Same Password For Social Media & Email

wiredmikey writes "Over 250,000 user names, email addresses, and passwords used for social networking sites can easily be found online. A study of the data collected showed that 75 percent of social networking username and password samples collected online were identical to those used for email accounts. The password data was gathered from blogs, torrents, online collaboration services and other sources. It was found that 43 percent of the data was leaked from online collaboration tools while 21 percent of data was leaked from blog postings. Meanwhile, torrents and users of other social hubs were responsible for leaking 10 percent and 18 percent of user data respectively...."

Passwords

[geek]

As long as passwords remain the central method of authentication, this will continue.

Re:Passwords

[Abstrackt]

My password is IAMGAY. That way, even if it got found out I can be confident no one will want to use it, because that would mean they are gay.

What if they are gay? ;)

Your comment reminds me of the best password policy I've ever heard: offensive gibberish. If someone's password is suitably embarrassing odds are quite good that they won't share it with anyone.

Re:Passwords

[jDeepbeep]

So... being gay is both offensive and embarrassing?

Re:Use Password Hasher

And if you ever need to sign in from a computer that doesn't have firefox, and that extension, installed.....you are stuck.

Problem is lack of importance

[sarbonn]

The problem is that a lot of people don't perceive email or social networking sites to be all that important, yet EVERYONE wants you to create a password for practically everything you do. I don't need a password to sign onto a site to look at stereo equipment, yet they force you to create one on some of those sites. On gaming sites where all I do is talk about games, I don't need 50,000 passwords for the different ones cause I don't care if someone steals my password there.

I don't care that I don't have all that much concern for facebook's password. If someone takes my account, it would be unfortunate, but is it really the end of the world?

Places where it might cause me economic misfortunate, well, those I care about, but everyone out there thinks that their site is so important for passwords.

Some places, it's important. Others, not so much.

Re:Problem is lack of importance

[jim_v2000]

That's why I use three different passwords. One is for sites I don't care about...like registering for a forum that I only need once. The second is for things that I'd like to be more secure, like forums I visit often, Facebook, my person blog, etc. The third is for critical things like email, online banking, shopping sites like Newegg and Amazon, etc.

Re:"Leaked"?

[BergZ]

It's pretty amazing just how much of the world is based on trust isn't it?

The danger of too many password requirements

[Kepesk]

Hah, my worst enemy is a system where a password has to have:
- at least two uppercase letters
- at least two lowercase letters
- at least two numbers
- at least two symbols
- at least 12 characters
- no characters that repeat
- nothing that's in your personal records
- nothing from the dictionary that's over three characters
- nothing from a FOREIGN dictionary that's over three characters
- at least three characters different from your last 10 passwords

No joke, I used a system for years that had those exact password requirements. Worse yet, I had to SUPPORT this system. Sometimes it would take a half hour for me to help someone figure out a new password.

There is a danger in creating a password system with two many requirements, because I know very few people who used that system who didn't have their password on a sticky note on their monitor.

Re:Use Password Hasher

[tool462]

In Tinfoil Hat Land, if you don't have FF installed, then it's likely not a computer you control*, and if it's a computer you don't control, then should you really be entering your password**?

* It must be a machine at work, friend or family member's house, public terminal like a coffee shop, public library, etc.
** If it's not your computer, you don't know who that computer has "been with". There could be key-loggers, cookie-trackers, syphilis. Who knows!?

Re:"Leaked"?

[ConceptJunkie]

It's pretty amazing just how much of the world is based on trust isn't it?

And it's equally tragic that it can't.

I don't think it's so much that people automatically trust each other, although that's certainly the case sometimes, it's more like it never occurs to too many people, unfortunately, that what they divulge could cause problems in the wrong hands.

For many years now, when someone asks me for information, my first thought is not to give the information, but to consider why I don't want to give it to that person. And I don't consider myself particularly paranoid with respect to what I share.

It gets tiring after awhile. Modern life in the 21st century requires a level of vigilance regarding information that probably never existed outside of the military, national security apparatus, law enforcement or some elements of business before a couple decades ago.

"Loose lips sink ships" was a common saying during World War II, but nowadays everyone must practice that level of vigilance over their own information all the time merely to be safe from criminals.

firefox has that hash function

[circletimessquare]

but there's no reason why you can't have your own hash function in your head

take a root password, say "penguin"

say you are creating a password for slashdot

so your password for slashdot is "penguinslashdot"

but for gmail its "penguingmail"

this is an extremely simplistic algorithm. i'm just using it as an example to show you: remember a PASSWORD GENERATING ALGORITHM, not a password. then you have a unique password for every site, but you don't have to remember 500 different passwords

a REAL algorithm could be something like "the first letter of my root password plus the third letter of the website name's ascii character value plus 3 divided by my home phone number as a kid plus the second letter of my root password plus... etc"

or whatever

the actual password used for each site can be quite variable and the algorithm can still be hard to guess even with a hacker who knows three or four such passwords

the point is: you don't need to remember a password, you need to remember a password creating ALGORITHM, in your head, that only you know, which is infinitely more secure, but no harder to remember

Re:Yup, Probably true

[happyslayer]

Same basic process, though different criteria for me:

• Junk sites (one-time login for news, quick downloads, register-to-see, tech mailing lists) get the same low-end password. If I can't foresee any information that I care about going to that site, then it gets a basic throwaway. (I also misspell registration details so i have an idea if advertisers are getting that info).
• Slashdot, forums, etc: Also low-grade. Sorry, but if someone gets their rocks off posting crap as me, I can live with it. I've got enough First Life points to keep me busy.
• Personal email: Since I don't trust the email systems that are in the hands of others, I don't put anything on there I care about. (If someone wants to know that I'm asking my prof how to fix some code, more power to them--it'll bore them to tears.) Hence, it gets a medium-grade password.
• Online stores: Medium grade for one-time purchases, high-grade for repeat business.
• Own email system, bank, etc: High grade password, randomized (at least to the rest of the world) that it passes the basic dictionary-attack. For example, I somehow remember old phone numbers and bank accounts from 20 years ago (none of which are in use); add a couple of 1337-speak letters and you're in business.

Like the parent, it's really a matter of compartmentalization and damage control. If you don't own the system, it's not completely trustworthy. If it's your system, it's only modestly trustworthy. If you're doing something criminal/embarassing/stupid, it's better to leave all notes at the bottom of the Marianas trench.

Re:"Leaked"?

[socz]

And today we know *way* too much, in way too much detail, ...

That sounds like an argument for why porn should NOT be put on bluray and in HD!

Re:Same password

[SQLGuru]

I use a set of passwords for varying levels of trust.

Highly secure passwords (usually site specific and follow good password rules) for banking, email, computer accounts, etc.
Medium secure passwords (usually follow good password rules but passwords may be used for more than one site) for trusted shopping sites (i.e. Amazon, etc.)
Medium-Low secure passwords (may not follow good password rules but still reasonably secure against dictionary attacks) for social media and for one-off shopping sites.
Low secure passwords (probably only stops low-motivated hackers, passwords re-used at multiple sites) for throw-away registrations and communities that have very little tie to my personal information

It's really more for convenience than security, but in areas where I need the security, I'll put up with the hassle.