75% Use Same Password For Social Media & Email

wiredmikey writes "Over 250,000 user names, email addresses, and passwords used for social networking sites can easily be found online. A study of the data collected showed that 75 percent of social networking username and password samples collected online were identical to those used for email accounts. The password data was gathered from blogs, torrents, online collaboration services and other sources. It was found that 43 percent of the data was leaked from online collaboration tools while 21 percent of data was leaked from blog postings. Meanwhile, torrents and users of other social hubs were responsible for leaking 10 percent and 18 percent of user data respectively...."

"Leaked"?

[Pojut]

So wait...how exactly did they get hold of passwords?

Re:"Leaked"?

[KnightBlade]

While I was studying Info. Sec. at my univ, my professor at the time told the class about this research they had about passwords. They were going around gathering statistics by asking random people questions about their passwords- length, number of special characters, if they used the same passwords, the number of times they changed them and so on. He said what amazed him was that one in every 5-6 people would just tell them their password and ask is that good enough?

Yup, Probably true

[IndustrialComplex]

I'll give a bit of a hint here, I do the same thing, just with a slight variation:

Mostly-Trusted media sites get the same password (obviously vastly different user names)
Slashdot, Fark, Broadband Reports, etc

Then I have my pseudo-trusted sites with their own password group:
Demonoid, imageshack, probably others.

Non-trusted sites get a random junk password each access = reset password
ie: low accountability not tied to a company name with 2-3 visits/year

My email gets its own password of 10+ characters

Work gets its own password of whatever the hell rules they implement this week. Tech support has to deal with LOTS of reset requests since I don't write it down, but they have a different password for every freaking service and every freaking service has a different password lifetime setting.

So aside from work, I really only have 3 passwords or so, but it helps break up the damage should one be compromised. Compartmentalized is probably the best description.

It gets even worse... even different passwords

[rsborg]

... don't necessarily help.

Facebook's founder knows the importance of social media:

Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. If the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them.

So in this case, the victims didn't even have the same password, but accidentally used the email password for Facebook. Combined with a malicious site (which Facebook was for them) this can lead to leaked passwords.

The best solution to this is to use a password manager like 1password, roboform or KeepassX. I find 1password useful because it matches my password with the domain, preventing inadvertent entries. It's also a boon if you are developing with dozens of test and staging sites which change passwords often.

Re:Use Password Hasher

[BJ_Covert_Action]

So I guess Chrome, Opera, Iron, Seamonkey, and dozens of other web browsers are completely insecure?

I know IE6 is a nightmare. I don't really pay attention to IE7 or IE8 because I don't use them. I know Chrome involves some privacy issues, and I suppose there is something that has to do with selective script management. From what I hear, however, Opera and Iron are supposed to be pretty damn secure. Also, SeaMonkey is supposed to be pretty decent. I can't talk about Safari because, like IE, I really don't care about it at all.

Of course, you prefixed your post with "In Tinfoil Hat Land..." so I suppose you were being somewhat sarcastic. But I am curious, do you really think FF is the only secure browser out there?

Re:The danger of too many password requirements

[Abstrackt]

I like Bruce Schneier's take on this problem:

"Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."