Slashdot Mirror

← Back to Stories (view on slashdot.org)

Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

Posted by Unknown on from the brain-full-try-again-later dept.

An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum." Not only do they recommend reusing passwords, but reusing bad passwords for low risks sites to minimize recall difficulty.

10 of 280 comments (clear)

  1. This makes sense. by Anonymous Coward · · Score: 3, Insightful

    My intuition says that most people do this. Though, I could be wrong.

  2. Dumb dumb dumb advice... by dskoll · · Score: 4, Insightful

    That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

    1. Re:Dumb dumb dumb advice... by sideslash · · Score: 3, Insightful

      That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

      I didn't RTA, but when you say it's stupid not to always use a strong password, aren't you making an unwarranted assumption? There are some sites where it truly doesn't matter. On such sites I will never send any sensitive data, and all I want is to get past the annoying login to get to something I care about. You know, like the bugmenot cases. If you take the time to create such accounts for yourself with an insecure(!) and memorable password, there's nothing wrong with that.

    2. Re:Dumb dumb dumb advice... by jbmartin6 · · Score: 4, Insightful

      This isn't stupid at all, it is something missing from a lot of security advice: a hint of reality. The amount of effort any person will put towards security, or any other goal, is finite. Therefore it is useful to put at least some thought into how that limited effort can be used for the maximum benefit. For the most part, I don't care what my gawker password is or all the other silly little logons. I use the same simple password for all of them because there is zero risk to me if they are compromised, other than someone else can now post with the screen name I picked (and don't care about) To suggest that I should lug around a password safe and log into it every time I need to use one of these zero risk logons is to suggest that I squander my limited security effort. It is far better to conserve that effort for things that are actually important.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    3. Re:Dumb dumb dumb advice... by dskoll · · Score: 3, Insightful

      But I sure as fuck am not going to put ALL of them into ANY app or single program - there are backdoors built into routers these days, you expect some start-up (or even established) "password keeper" doesn't have that possibility? I am concerned for your common sense.

      Woah, woah, woah, chill out!

      I have the complete source code for my password manager. And guess what... I've even read the source code!

      It uses "openssl bf" to encrypt (that's the Blowfish cipher). In spite of all the warnings about OpenSSL holes, I don't believe anyone's yet found a problem with its Blowfish implementation, and though Blowfish is old and there may be weak keys, I don't believe it has serious vulnerabilities especially when only used to encrypt small files.

  3. Bah by Nimey · · Score: 4, Insightful

    Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

    That said, the linked paper is long and math-heavy, so I rate it likely the submitter (and the "editor") misunderstood something.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:Bah by Sqr(twg) · · Score: 3, Insightful

      Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

      ...if, and only if, the password manager is completely secure in itself.

      If the terminal used to access the password manager is compromised, then the attacker gets the master password and thus access to all keys - not just the one that was requested.

      In other words, you might have used an insecure computer to log on to slashdot, and the attacker now has your bank login credentials.

  4. No duh by gurps_npc · · Score: 3, Insightful
    When some site, like say slashdot, uses passwords not for real security, but instead to identify it's users, then only an idiot wastes their memory creating a 'good password' for it.

    Better to use the same crappy password for web sites that do involve real financial risk.

    Of course, if you use that same password for a bank account, or anything that knows a credit card number, SS#, or similar information, you need to have your head examined.

    --
    excitingthingstodo.blogspot.com
  5. Absolutely by swillden · · Score: 3, Insightful

    I've always done this. I have one short, low-entropy password which I use on ALL low-risk web sites. For example, it's the one I use on slashdot. I don't really care if anyone gets in and starts posting stuff as me. In fact it might be a good thing, since it would give me some plausible deniability for the stupid things I sometimes say :-)

    For important sites (e.g. financial), I use long, randomly-generated passwords and manage them in a password manager, which itself is protected with a very strong password. But for everything else, that's too much effort and serves no purpose. And for my "crown jewels" account -- my e-mail account, which if hacked would provide the intruder with the ability to reset most all of my other passwords -- I use a strong password and have two-factor authentication enabled.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. Simpler approach... by flajann3290 · · Score: 4, Insightful
    A simpler approach is to have a few high-entropy passwords and append a value at the end that is unique to each website using some self-created rule for it that is easy for you to remember. I would speak on how I do this but I won't for obvious reasons. :p

    A great way to remember your passwords is to use them often. The more the better.

    What kills me is that different sites have different password restrictions that infuriates me. Some force you to use "special characters", others forbid it. Some force you to use a combination of letters and numbers, and many force you to use at least one uppercase letter and one lowercase letter. Some even restrict how long your password can be!!!!

    This wrecks havoc with my high-entropy passwords that now becomes useless or needing to be altered, as in capitalizing a letter that I totally forget about later...