

Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

An anonymous reader tipped us to news that Microsoft researchers have determined that reusing the same password across low-security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum." Not only do they recommend reusing passwords, they recommend reusing weak passwords on low-risk sites to minimize recall difficulty.


  1. This makes sense. by Anonymous Coward · · Score: 3, Insightful

    My intuition says that most people do this. Though, I could be wrong.

    1. Re:This makes sense. by Anonymous Coward · · Score: 5, Interesting

      The point of password reuse is to use an algorithm that you can remember but that someone else cannot guess.

      This is not my password but it's an example of how I create one:
      If I visit a site and its name is GoogleSucks.com, I will use my "easy" word + the first syllable of the site + a padding word that I use on all sites. Depending on how asinine the password requirements are, the beginning or end of the password will be padded with numbers and symbols, but always the same ones.
      So Googlesucks.com might be turkeyGootrucking8
      and another site like a bank site that I want higher entropy on will use a different algorithm, so BOA might end up a hard non-English word + the padding word, then the company's initials + needed password entropy, so BOA would end up with namastetruckingBOA8

      So when I use sites that want to remember my shipping address or credit card (I never save my credit card number, I don't care how "safe" your site is) I use the harder credentials. I just want to post a comment on the many HuffPo type of sites, easy password all the time. So while each password for each site is unique, effectively the easy password is reused but padded with something unique to the site so that even if the password was stolen it's unusable for any other site.
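
An added example, not code from the commenter above, of what the "easy word + site syllable + padding word" idea looks like when the site-specific part goes through a keyed hash rather than visible concatenation. The two-tier split (a short password for comment-only sites, a longer one for sites holding money or shipping details) follows the comment; the tier lengths, the 200,000-iteration stretch, the character set and the master secrets "turkey" and "namaste" are assumptions for illustration. The point it demonstrates is that a leaked low-tier password no longer reveals the rule, the master secret, or any other site's password.

```python
import hashlib
import itertools
import string

# Alphabet and the four character classes most "must contain at least one of
# each" policies ask for.
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)

# Tier split borrowed from the comment: a short password for comment-only
# sites, a longer one for anything holding money or shipping details.
# The lengths are assumptions, not values from the post.
TIER_LENGTH = {"low": 12, "high": 20}


def derive_site_password(master_secret: str, site: str, tier: str) -> str:
    """Deterministically derive a site-specific password from a memorised secret.

    The commenter's scheme glues visible pieces together, so one leaked
    password reveals the rule. Here the site label goes through a keyed hash:
    a leaked low-tier password exposes neither the master secret, the rule,
    nor any other site's password.
    """
    length = TIER_LENGTH[tier]
    # Stretch the human-chosen master secret once per tier. Mixing the tier
    # into the salt means the low and high tiers never share a seed.
    seed = hashlib.pbkdf2_hmac("sha256", master_secret.encode(),
                               f"tier:{tier}".encode(), 200_000)
    # Reject bytes >= 210 (3 * 70) so indexing the 70-symbol alphabet is unbiased.
    limit = 256 - (256 % len(ALPHABET))
    for counter in itertools.count():
        # Extensible-output hash over seed || site || counter yields as many
        # bytes as needed; the counter lets us retry until the policy is met.
        xof = hashlib.shake_256(seed + site.lower().encode() + counter.to_bytes(2, "big"))
        raw = xof.digest(4 * length)
        chars = [ALPHABET[b % len(ALPHABET)] for b in raw if b < limit][:length]
        if len(chars) < length:
            continue
        password = "".join(chars)
        if all(any(c in cls for c in password) for cls in CLASSES):
            return password


if __name__ == "__main__":
    # Constructed inputs: the commenter's example words and sites.
    for site in ("googlesucks.com", "huffpo.com"):
        print(site, derive_site_password("turkey", site, "low"))
    print("boa.com", derive_site_password("namaste", "boa.com", "high"))
```

Case-folding the site name keeps "GoogleSucks.com" and "googlesucks.com" on the same password; the cost of this scheme is that a site forcing a password reset needs a per-site counter or a new master, which is the usual argument for a password manager over a derivation rule.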

    2. Re:This makes sense. by vtcodger · · Score: 4, Interesting

      My intuition says that most people do this. Though, I could be wrong.

      Well, some of us try to do it. We are, regrettably, impeded by whacked out sysadmins who insist we must use THEIR idea of a strong password -- which always seems to be different from anyone else's idea of a strong password, and/or that we need to change passwords periodically, and/or that we can't reuse passwords.

      It sometimes seems that there is an inverse relationship between the actual need for security and the system administrator's perception of the need for security.

      But other than the fact that users often have to contend with the idiosyncrasies of sociopaths who feel that anything that is easy to use is clearly flawed, this seems a pretty good idea. If it gets the attention it deserves, perhaps it might be one small first step toward straightening out the incredible mess that is computer security.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    3. Re:This makes sense. by SQLGuru · · Score: 3, Informative

      Yep. This has been my strategy for many years. I rank sites by how much I care whether they are compromised. For low ranked sites, they get one of several easy passwords (depending on how important THEY think their passwords are). For critical sites (i.e. banking info) they get a unique strong password conforming to the password rules.

    4. Re:This makes sense. by knarfling · · Score: 4, Interesting

      I see that someone has had problems with a sysadmin.

      Try to remember that not all sysadmins are BOFH. Some actually agree with you on the need for complex passwords and how often they should be changed. Many of them, however, have to follow outdated and impractical guides forced upon them by government standards in order to comply with HIPAA, SOX, or PCI.

      There are a couple of things that bother me, though. The first is pattern re-use. P@$$word521 does meet the complexity requirements of many systems. But when you use P@$$word125, P@$$word251, P@$$word215 and then tell everyone that you use P@$$word with the same three numbers and just rotate the numbers, it is not much better than a post-it under the keyboard. Complex passwords do not have to be difficult to remember. Just because someone has difficulty coming up with good passwords does not mean that a hard-to-remember password is actually complex.

      The second thing that bothers me is when a sysadmin will force a password policy on you, but won't use it himself. I know one admin that forced a password change every 90 days for all accounts except his. When he left the company, his password history was completely blank. He had used the same password for years. While I think passwords could live longer than 90 days and twice a year would be sufficient for many passwords, if a change is required, it should be required for all users including the sysadmin.

      Just my little rant.

      --
      Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
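
An added example, not code from the commenter, putting a number on the "pattern re-use" point above. It takes the leaked P@$$word521, generates every rotation of the same digits, and checks each guess against a stolen hash of the user's current password. The hash is modelled as an unsalted SHA-256 purely so the block runs offline; a real system would use a slow, salted hash, which raises the cost per guess but not the number of guesses, and six guesses is the whole story.

```python
import hashlib
import itertools


def pattern_candidates(leaked: str):
    """Guesses for a user's next password given one leaked password and the
    habit described above: keep the word, keep the same digits, reorder them."""
    stem = leaked.rstrip("0123456789")
    digits = leaked[len(stem):]
    seen = set()
    for perm in itertools.permutations(digits):
        candidate = stem + "".join(perm)
        if candidate not in seen:        # repeated digits would give duplicates
            seen.add(candidate)
            yield candidate


def crack(target_hex: str, leaked: str):
    """Return (matching password, guesses tried), or (None, guesses tried)."""
    tried = 0
    for candidate in pattern_candidates(leaked):
        tried += 1
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hex:
            return candidate, tried
    return None, tried


def brute_force_digit_space(leaked: str) -> int:
    """Search space an attacker faces without knowing the pattern: every
    trailing-digit string of the same length on the same stem."""
    stem = leaked.rstrip("0123456789")
    return 10 ** (len(leaked) - len(stem))


# Constructed scenario: the old password leaked from some low-value site;
# the current work password is the same stem with the digits rotated.
LEAKED = "P@$$word521"
CURRENT = hashlib.sha256(b"P@$$word215").hexdigest()

if __name__ == "__main__":
    found, tries = crack(CURRENT, LEAKED)
    print(f"recovered {found!r} after {tries} guesses "
          f"(vs {brute_force_digit_space(LEAKED)} for plain digit brute force, "
          f"and billions for a password with no shared stem)")
```

The comparison the block makes is the one that matters for the policy argument: complexity rules are satisfied by all six candidates, yet once one of them leaks the other five cost nothing to find.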
    5. Re:This makes sense. by gman003 · · Score: 2

      We are, regrettably, impeded by whacked out sysadmins who insist we must use THEIR idea of a strong password -- which always seems to be different from anyone else's idea of a strong password, and/or that we need to change passwords periodically, and/or that we can't reuse passwords.

      It sometimes seems that there is an inverse relationship between the actual need for security and the system administrator's perception of the need for security.

      This.

      I tried to do something basically like this - I have three password strengths, one for low-security throwaway stuff, another for regular stuff (with suffixing so one compromised site won't affect others unless I am specifically targeted), and a max-security one.

      Guess which one I use for banking. It's the mid-tier one, MINUS the special characters and suffix. They have an upper length limit that keeps my max-security password from being used for the one thing it really should have been used for.

      The only thing that max-security password secures now is root access to my BSD box (and I have sudo set up with nopw, so I never even use that). Everything else is secured by something that really isn't secure enough.

    6. Re:This makes sense. by knarfling · · Score: 2

      We are, regrettably, impeded by whacked out sysadmins who insist we must use THEIR idea of a strong password -- which always seems to be different from anyone else's idea of a strong password, and/or that we need to change passwords periodically, and/or that we can't reuse passwords.

      It sometimes seems that there is an inverse relationship between the actual need for security and the system administrator's perception of the need for security.

      This.

      I tried to do something basically like this - I have three password strengths, one for low-security throwaway stuff, another for regular stuff (with suffixing so one compromised site won't affect others unless I am specifically targeted), and a max-security one.

      Guess which one I use for banking. It's the mid-tier one, MINUS the special characters and suffix. They have an upper length limit that keeps my max-security password from being used for the one thing it really should have been used for.

      The only thing that max-security password secures now is root access to my BSD box (and I have sudo set up with nopw, so I never even use that). Everything else is secured by something that really isn't secure enough.

      So in other words, nothing has your max security. if you left your screen open and unattended for a moment, a person wouldn't even need your password to crack your BSD box. I hope your BSD box doesn't have anything important on it. The nopw option of sudo should NEVER be used. It is like putting a huge un-pickable lock on your door and then never locking it because it is too inconvenient to pull your keys out. If you use sudo (which I do use often and I believe it is useful, convenient and CAN be secure), you should make sure your password is complex and you need to type it in when you use sudo. Otherwise, you are reducing your security. Yes, sudo can be restricted by host, but most people do not do that, and what happens when that host dies?

      I understand that good passwords can be difficult, but they don't have to be. Once I learned how to create good passwords, it became very easy. Even my low security passwords are fairly complex and will pass most complexity requirements. My work password, which has to be changed every 90 days, is usually between 14-20 characters long, has multiple complex characters, and is easy to remember. Although work allows rotation after 6 passwords, I have not re-used a password in six years. My biggest issue is not remembering the password, it is fat-fingering such a long password. The longer it is, the more likely there will be a fat-finger at some point.

      --
      Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
    7. Re:This makes sense. by Talderas · · Score: 2

      Having helped ease my company from using very generic user accounts and passwords that everyone in the company knew to using unique logins and passwords, I can provide some insight as to some of the reasons beyond security.

      Part of the problem I've had with trying to break users of the habit of sharing their username/password with others (managers are the ones telling them to do this) is convincing them that 1. applications are available regardless of the logged in account and 2. if there are files or documents that legitimately need to be shared among the workgroup then they should be housed on the network drives and not on the personal network drive or local machine. Having a password policy to require password changes every 90 days is one of the ways to help encourage them to discontinue this practice. I've attempted to be diplomatic and explain why they don't need to do it, but it hasn't sunk in yet. I've talked numerous times and finally I had them just log in as themselves on another machine to prove to them that what I was saying was true. Now that group talks about the sharing of accounts and passwords more sarcastically, when the manager is not around, so there's at least some improvement.

      We're starting to come under more strict auditing these days, so a lot of these password and user account related changes are in order to comply with things the audit might turn up and flag as a problem (there are negative consequences if there are too many flags from the audit). Additionally, the changing of passwords and not sharing user accounts is not just a company security issue but an individual user security issue as well. Since we do all our logging based on user account, that's who usually gets slapped with disciplinary action if something bad happens. Regardless of that, if passwords are used on websites that are externally accessible to their home computer, they could get compromised and the data available to the Internet is available at large. A periodic password reset limits the scope of when a compromised account is a danger since if the account was compromised and they have a valid username/password it won't flag bad attempts (unless you do some sort of IP tracking). The same thing occurs internally. If a user shared their credential information with another user, because say they were on vacation, then the periodic password resets ensure that other user doesn't have valid credentials for the first user after a period of time.

      I've actually gotten a lot better response from users regarding passwords when I use that latter argument about accountability. It shifts the focus from what's good for the company to what's best for the user. It gives them a stake and enfranchises them with security and consequently they tend to be more receptive towards it as a whole. When you leave them with the impression that security is about the company, they don't care as much and will do whatever they can to make their lives easier.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    8. Re:This makes sense. by ultranova · · Score: 2

      This is not my password but it's an example of how I create one:

      And this is why the algorithm method won't work: people can't keep their mouths shut. Letting everyone know how clever you are is a drive that's almost impossible to resist, because it simultaneously helps your group and demonstrates your value to it, so it's selected for double strength. Consequently, the only way to have secure passwords is to generate them randomly and just write them down. Heck, just generate them for the user and tell them to use "save password" option on the browser - it's safe unless the machine gets infected, in which case it's gonna leak anyway.

      and another site like a bank site that I want higher entrophy on will use a different algorithm

      If a bank lets its customers pick their own passwords, that should be your cue that the bank thinks it won't be on the hook for any online thefts. After all, a lot of those passwords will be "password".

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    9. Re:This makes sense. by I'm New Around Here · · Score: 2

      Hmmm, let me think about this. Which is safer?

      A. Have a system similar to what an anonymous person online described, and never have to write down or save a password for sensitive sites; or

      B. Have my computer remember all my passwords, and still have to write them all down for when I am out of the house.

      I know what I consider to be more secure. How about others?

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    10. Re:This makes sense. by swillden · · Score: 2

      Yep, as opposed to the morons that use password keepers and safes where all you have to observe is One password and then you have everything.

      One password which is never sent anywhere from their device, plus you also have to get their device.

      I don't think that word "moron" means what you think it means.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    11. Re:This makes sense. by Neil Boekend · · Score: 2

      If a bank lets you use ONLY a password to access your accounts it is clear that they do not care much about theft. The rest of their security will be similarly crappy. I would trust them with my mortgage. Not my savings or payment accounts.

      My bank requires me to log in with a unique single use code. That code is generated by a "random reader". To generate a code I need to put my PIN card in that reader and enter the PIN.
      After I have logged in I still need to sign my transactions. Also with a single use code generated by my random reader. This signing code requires me to enter a single use code that is generated by the bank and displayed on the signing page. Each signing event needs a different code, each code generates a different signing code to enter on the signing page (to prevent some man-in-the-middle attacks). Next I need to enter the total amount on my random reader (to prevent large problems in other man-in-the-middle attacks).
      For large amounts I also need to enter the bank account number in my random reader (to prevent large problems in other man-in-the-middle attacks).

      The app is slightly less secure once activated, but you need to sign (with the process described above) to activate your account number on that phone. If you never do that there are no phones that can access your account via the app. You can only pay to known bank accounts with the app. Only those you have already paid to (with the extensive signing procedure).

      I like my bank. They have actually spent time to secure transactions. They have found ways to secure it without much hassle (the random reader is easy).
      Maybe that is because they are on the hook if they can not prove that I authorized the transaction myself.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
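
An added example, not code from the commenter or from any bank, modelling the challenge-response flow described above with both sides' computations: the offline reader only works once the PIN is entered, the bank issues a single-use challenge, and the signing code binds the challenge, the amount and (above a threshold) the beneficiary account. The shared symmetric card key, the 8-digit code format, the 1,000.00 threshold and the account numbers are assumptions; real readers use a key held on the chip card, but the property shown is the same: a man-in-the-middle who rewrites the amount or account after the customer signed produces a code the bank rejects.

```python
import hashlib
import hmac
import secrets

# Above this amount (in cents) the beneficiary account is signed as well.
# Threshold and keys are assumptions for the example.
LARGE_AMOUNT = 1_000_00


def response_code(card_key: bytes, *fields) -> str:
    """8-digit code both sides compute over the same fields. Length-prefixing
    each field keeps ("ab","c") and ("a","bc") from colliding."""
    msg = b"".join(len(str(f).encode()).to_bytes(2, "big") + str(f).encode()
                   for f in fields)
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class CardReader:
    """The offline 'random reader': holds the card key, releases nothing
    without the PIN, and never talks to the computer."""

    def __init__(self, card_key: bytes, pin: str):
        self._card_key = card_key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def _unlock(self, pin: str) -> None:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            raise PermissionError("wrong PIN")

    def login_code(self, pin: str, challenge: str) -> str:
        self._unlock(pin)
        return response_code(self._card_key, "login", challenge)

    def signing_code(self, pin: str, challenge: str, amount: int, account: str = "") -> str:
        """The customer types the challenge shown on the page, the amount, and
        for large transfers the beneficiary account; the code binds all three."""
        self._unlock(pin)
        return response_code(self._card_key, "sign", challenge, amount, account)


class Bank:
    def __init__(self, card_key: bytes):
        self._card_key = card_key
        self._used = set()          # each challenge is accepted at most once

    def challenge(self) -> str:
        return f"{secrets.randbelow(10**8):08d}"

    def _accept(self, challenge: str, code: str, *fields) -> bool:
        if challenge in self._used:
            return False
        ok = hmac.compare_digest(code, response_code(self._card_key, *fields))
        if ok:
            self._used.add(challenge)
        return ok

    def verify_login(self, challenge: str, code: str) -> bool:
        return self._accept(challenge, code, "login", challenge)

    def verify_transaction(self, challenge: str, code: str, amount: int, account: str) -> bool:
        """Verify against the amount and account the bank is about to execute,
        not against what the browser claims the customer typed."""
        signed_account = account if amount >= LARGE_AMOUNT else ""
        return self._accept(challenge, code, "sign", challenge, amount, signed_account)


if __name__ == "__main__":
    key = secrets.token_bytes(16)           # constructed card key shared at issuance
    bank, reader = Bank(key), CardReader(key, "1234")
    ch = bank.challenge()
    print("login ok:", bank.verify_login(ch, reader.login_code("1234", ch)))
    ch = bank.challenge()
    code = reader.signing_code("1234", ch, 4_999)
    print("MITM rewrote amount:", bank.verify_transaction(ch, code, 9_999, "NL00BANK0123456789"))
    print("honest amount:", bank.verify_transaction(ch, code, 4_999, "NL00BANK0123456789"))
```

Note that below the threshold the account is not part of the signed data, which is exactly the gap the commenter's bank closes for large amounts by making the customer type the account into the reader.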
  2. Dumb dumb dumb advice... by dskoll · · Score: 4, Insightful

    That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

    1. Re:Dumb dumb dumb advice... by dskoll · · Score: 3, Funny

      Following up on myself: That research paper is awesome! Never before have I seen the use of partial differential equations to justify unequivocal bullshit. Amazing! They must've really worked hard on that.

    2. Re:Dumb dumb dumb advice... by cdrudge · · Score: 2

      So what is this ideal password keeper? And how do you access it whenever and wherever you're located?

    3. Re:Dumb dumb dumb advice... by retchdog · · Score: 4, Funny

      Never before have I seen the use of partial differential equations to justify unequivocal bullshit.

      Haven't read many research papers, have you? ;-)

      --
      "They were pure niggers." – Noam Chomsky
    4. Re:Dumb dumb dumb advice... by Bacon Bits · · Score: 2

      And what if you have a house fire, break in, or accident?

      --
      The road to tyranny has always been paved with claims of necessity.
    5. Re:Dumb dumb dumb advice... by CrimsonAvenger · · Score: 3, Informative

      I doubt it's ideal, but I use PasswordSafe and carry it on a USB stick.

      And in the end, there are only about three computers I ever access it from.

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    6. Re:Dumb dumb dumb advice... by sideslash · · Score: 3, Insightful

      That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

      I didn't RTA, but when you say it's stupid not to always use a strong password, aren't you making an unwarranted assumption? There are some sites where it truly doesn't matter. On such sites I will never send any sensitive data, and all I want is to get past the annoying login to get to something I care about. You know, like the bugmenot cases. If you take the time to create such accounts for yourself with an insecure(!) and memorable password, there's nothing wrong with that.

    7. Re:Dumb dumb dumb advice... by jbmartin6 · · Score: 4, Insightful

      This isn't stupid at all, it is something missing from a lot of security advice: a hint of reality. The amount of effort any person will put towards security, or any other goal, is finite. Therefore it is useful to put at least some thought into how that limited effort can be used for the maximum benefit. For the most part, I don't care what my gawker password is or all the other silly little logons. I use the same simple password for all of them because there is zero risk to me if they are compromised, other than someone else can now post with the screen name I picked (and don't care about). To suggest that I should lug around a password safe and log into it every time I need to use one of these zero risk logons is to suggest that I squander my limited security effort. It is far better to conserve that effort for things that are actually important.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    8. Re:Dumb dumb dumb advice... by 93 Escort Wagon · · Score: 2

      Intelligent people regularly back up their data - including their password key stores.

      --
      #DeleteChrome
    9. Re:Dumb dumb dumb advice... by Geeky · · Score: 2

      I use KeePass and synchronise the file so I have access to it on all my devices including my phone. There are clients for just about every platform.

      --
      Sigs are so 1990s. No way would I be seen dead with one.
    10. Re:Dumb dumb dumb advice... by AudioEfex · · Score: 2, Insightful

      You trust one of those absurd "password keepers" and think that making a risk assessment on low-danger websites where no harm could come even if someone did by remote chance try to break into your account is stupid?

      If you are one of the password zealots, using one of those "hey stuff all your passwords into one convenient app!" programs is simply the dumbest thing you can do. It's akin to taking every object you own with any value, including all your cash, important papers, SS card, etc. out of your safe or safety deposit and just leaving them in a cardboard box, putting it in one storage shed outside your home, and "securing" it with an off-brand padlock on it you got 2 for 1 at the dollar store. If someone does break into it, by breaking just one lock, you've just given them everything you own of any value.

      Now THAT is stupid.

      Particularly the phone app based ones - most of which backup to "the cloud" - please, seriously. They are all written by unknown companies that I'm sorry, I'm not willing to trust the most essential data I have to, much less allow them to back up. But even if you disable that (then when you drop your phone and it busts you are fucked), or use a desktop version (lot of good that does on the go), they still make no sense whatsoever. Even if it's a "known" brand - still absolutely frigging retarded. It's amazing how many folks see the promise of encryption and think it's safe - unless you are decompiling the source code, you have no idea you can even trust that. But even if it is truly encrypted - have you never heard of the very time-tested wisdom against putting all your eggs in one basket?

      It makes perfect sense to reuse the same password, or very close, for stupid sites where there really is little risk to begin with. Every fucking thing you do on the Internet requires a login these days - "Oh noes! Someone hacked into my Pollstar.com account, that doesn't even have my real name attached, and signed me up for concert date notifications for Taylor Swift to my dummy email account!"

      You need your strongest password for your email (which is the key to many site password resets), and hopefully you are smart enough to have multiple throw-away email addresses for low-priority stuff (which you can conveniently forward, or, as I do, just have multiple accounts on your phone or tablet device). Next you need to have decently strong passwords for your financial sites, depending on what they are. But beyond that - even for things like your cable company - not much someone can do, even if they break into it, that can't be undone, aside from pay my bill for me (and if anyone wants to do that, shoot me a message, I'll send you the damn password). My payment info is saved, but it's ********** out, someone can't glean the number from logging in as you. Someone can play a trick and upgrade your service I guess? I'm sure the world's foremost hackers are right on that one.

      Like everything, there is a middle ground. You just need to make a reasonable risk assessment by site. I basically have three tiers - one, strongest for email/financial, two, semi-reused for things like paying my cable bill or light subscription maintenance, etc., and three, reused for stupid sites that shouldn't require a login anyway, or where the data is completely inconsequential (the aforementioned Pollstar, etc).

      But I sure as fuck am not going to put ALL of them into ANY app or single program - there are backdoors built into routers these days, you expect some start-up (or even established) "password keeper" doesn't have that possibility? I am concerned for your common sense.

    11. Re:Dumb dumb dumb advice... by Charliemopps · · Score: 4, Informative

      That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

      What's dumb is giving the same advice over and over, building your security policy around those people following that advice, all despite 30 yrs of evidence that proves they won't follow the advice.

      Security is as much about psychology as procedure. I worked at AT&T a little over 10 yrs ago and one day they announced that the password requirements for one of their systems would be changed to now require a 29 letter phrase, including at least 3 spaces, capitals, lower case, numbers and special characters. The end result? A utopia of highly secure, un-crackable systems to be proud of? No... the whole company had their passwords written on post-it notes stuck to their monitors within a week.

    12. Re:Dumb dumb dumb advice... by dskoll · · Score: 2

      I have two off-site backups: One to an encfs partition in my office and one to an encfs partition in a colocated server 200km away. Next question?

    13. Re:Dumb dumb dumb advice... by dskoll · · Score: 3, Insightful

      But I sure as fuck am not going to put ALL of them into ANY app or single program - there are backdoors built into routers these days, you expect some start-up (or even established) "password keeper" doesn't have that possibility? I am concerned for your common sense.

      Woah, woah, woah, chill out!

      I have the complete source code for my password manager. And guess what... I've even read the source code!

      It uses "openssl bf" to encrypt (that's the Blowfish cipher). In spite of all the warnings about OpenSSL holes, I don't believe anyone's yet found a problem with its Blowfish implementation, and though Blowfish is old and there may be weak keys, I don't believe it has serious vulnerabilities especially when only used to encrypt small files.

    14. Re:Dumb dumb dumb advice... by sexconker · · Score: 4, Informative

      So what is this ideal password keeper? And how to do you access it whenever and wherever you're located?

      KeePass. It has strong encryption options, it isn't tied to any site or service, the (encrypted) database can be synced however you want (such as with Dropbox) and used on any devices you want (including phones), it's got all sorts of options for generating passwords, automatically typing them, automatically expiring them, etc., and it's fairly light weight.

    15. Re:Dumb dumb dumb advice... by dskoll · · Score: 2, Insightful

      There are some sites where it truly doesn't matter.

      I don't believe that. You may think it doesn't matter, but when it comes to identity theft, any little crumb of information may be useful to an attacker. And if you use the same weak password across a whole slew of supposedly "unimportant" sites, an attacker may be able to piece together a lot of information about you... enough to surprise you with cell phone bills you didn't sign up for, credit cards in your name, etc.

    16. Re:Dumb dumb dumb advice... by Dynedain · · Score: 2

      I love KeePass, but the community needs some help...

      There's a myriad of client apps for it, but the 1.7 vs 2.X database formats fragments the market.

      2.X requires Mono if you want to run it on Linux or OSX.

      I wish they had a central dev team with first-class OSX, Windows, and Linux versions like VLC or Transmission.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    17. Re:Dumb dumb dumb advice... by bmo · · Score: 2, Insightful

      have you never heard of the very time-tested wisdom against putting all your eggs in one basket?

      Have you ever heard of backups? For someone supposedly technically astute, you seem to have dropped that idea on the floor. I'll pick it up for you.

      --
      BMO

    18. Re:Dumb dumb dumb advice... by Rob the Bold · · Score: 2, Insightful

      That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

      Why? Not everything requires that much security. And not everything needs so much security as to require you to bring your password list -- locked in a password keeper though it may be -- with you at all times and subject to possible loss or theft. Not to mention the hassle of carrying it around and typing a lengthy passphrase to do low-risk things.

      At my bank, I've noticed that things are locked up with different degrees of security based (I assume) on the perceived risks vs. usability. The paper towels in the bathroom are locked up with a "key" that anyone could grab off the janitor's cart if they really wanted to. Or pick the lock easily. Or just physically bust open the plastic dispenser to get to the sweet, sweet wipes inside. The tellers all have cash drawers that they lock with a key that they keep with them. The vault is locked with a multi-layered security system far more secure than the tellers' drawers. Now why might that be? Why not put the paper towels in the vault and bring two officers with you to the vault/restroom so you can be issued a single towel to dry your hands after washing them? It would greatly reduce towel waste and theft, right? Why not give each janitor a unique key, so you know who has filled the dispenser at audit time like with the cash drawers?

      Similarly with low-risk logins, convenience can outweigh security. I don't necessarily need to protect a login to paywalled New York Times articles with the same diligence that I guard my bank login. Why would I create a strong password for that, keep it in keepass (or whatever), enter a passphrase in my phone or tablet or notebook to retrieve it when I could just sit down and enter my relatively weak default password with much less hassle? I guess if the Gray Lady was hacked, she might reveal a password/username combination that would allow ne'er-do-wells to also access my high-quality streaming on the PBS website. Oh well. It's not really a risk to me on the order of giving away the money in my bank account.

      --
      I am not a crackpot.
  3. Bah by Nimey · · Score: 4, Insightful

    Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

    That said, the linked paper is long and math-heavy, so I rate it likely the submitter (and the "editor") misunderstood something.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:Bah by dskoll · · Score: 2

      The linked paper did mention password managers in passing, but dismissed them as being vulnerable to client-side malware which could compromise all your passwords. That assumption is true if you're running your password manager on a Windows system, I suppose, which is likely the only thing the "Redmond researchers" are even aware of. But if you keep your password manager on a separate device or run it under a secure sandbox in a secure OS, you're much better off than the paper implies.

    2. Re:Bah by Anonymous Coward · · Score: 2, Insightful

      If you're using a secure sandbox to run a secure OS to store your secure passwords, you're so far, far, far removed from the average user that you don't matter.

    3. Re:Bah by TheCarp · · Score: 4, Interesting

      I have to say, I REALLY like the password manager someone was working on that was based on, I think, a Raspberry Pi, where it would actually act as a USB HID to enter the password, and keeps your encrypted passwords on its physical hardware device.

      Still susceptible to keyloggers and other malware but... 1) they can only get the passwords as you use them and 2) they will NEVER see your master password since it never even gets entered into the machine, but only into the password keeper device.

      Now THAT is how to do passwords right.

      --
      "I opened my eyes, and everything went dark again"
    4. Re:Bah by Sqr(twg) · · Score: 3, Insightful

      Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

      ...if, and only if, the password manager is completely secure in itself.

      If the terminal used to access the password manager is compromised, then the attacker gets the master password and thus access to all keys - not just the one that was requested.

      In other words, you might have used an insecure computer to log on to slashdot, and the attacker now has your bank login credentials.

    5. Re:Bah by tlhIngan · · Score: 2

      The linked paper did mention password managers in passing, but dismissed them as being vulnerable to client-side malware which could compromise all your passwords. That assumption is true if you're running your password manager on a Windows system, I suppose, which is likely the only thing the "Redmond researchers" are even aware of. But if you keep your password manager on a separate device or run it under a secure sandbox in a secure OS, you're much better off than the paper implies.

      Yeah, if you keep your passwords on an isolated system, great. But most people don't do that - they use client side systems, cloud syncing, etc., so that the password manager will auto-fill in the password for them.

      Isolating your passwords to a secure device is fine and all, but it also removes a lot of the convenience of it because now you have this gadget you have to carry around, access, copy the password manually, etc.

      Whereas a client side password manager you just visit the website, go to the manager, click a couple of times and it's autofilled. And many have the ability to grab passwords from the web form and save it so it's a lot less risk.

      And people love to put it on a Dropbox or other cloud service so they can use their password manager anywhere and have it up to date.

      So no, it's just moving the vulnerability to that one point. And it doesn't matter if you run Windows, Linux, OS X, BSD, whatever. They're all vulnerable.

      Hell, iOS and Android are seeing copycat clones of popular password managers like 1Password and the like (never mind the SEO creeps who make finding the official site harder by forcing their way up the Google ranks and sponsored ads, hoping that you'd mistakenly click on the fake trojaned version they offer instead of the original).

  4. No duh by gurps_npc · · Score: 3, Insightful
    When some site, like say slashdot, uses passwords not for real security, but instead to identify its users, then only an idiot wastes their memory creating a 'good password' for it.

    Better to use the same crappy password for web sites that do involve real financial risk.

    Of course, if you use that same password for a bank account, or anything that knows a credit card number, SS#, or similar information, you need to have your head examined.

    --
    excitingthingstodo.blogspot.com
  5. Say what? by djupedal · · Score: 2

    In other news, researchers in Europe have discovered there is more risk to your data when taking password advice from MS than ever before.

  6. Good since OpenID failed to take over by medv4380 · · Score: 4, Interesting

    The advocacy for Password Managers and Password Keepers is just utter BS. If some nothing website insists that I have to make an account just to post one little comment, and I might come back 5 years later to post again, then they're getting a generic username plus a generic password. I'm not wasting my time making some uber powerful password, and utilizing something just to remember it. Even then the OpenID solution would have been great, but every once in a while I'm presented with the option of logging in with my Google ID and giving some organization full access to my contact list, or full access to my Google Drive. Screw them, and I'll just create a generic account just for their site through their old interface so they can't read my contacts or documents. If they're so worried that people are using BS passwords on their site that spammers keep hacking to post, then maybe they should accept better business practices.

  7. So complex by Impy the Impiuos Imp · · Score: 4, Funny

    So re-use low complexity passwords for unimportant sites and use high-complexity unique passwords for important sites.

    Got it. Low for my bank account, high for World of Warcraft.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:So complex by fibonacci8 · · Score: 2

      You could even refer to something low-complexity as a "PIN", and something of high complexity as a "password". I imagine you're already doing that for your bank and game respectively.

      --
      Inheritance is the sincerest form of nepotism.
  8. Re:Or Just Use a Password Manager by Russ1642 · · Score: 2

    You pull out your phone, look up the password, and type it in! It's REALLY hard.

  9. Absolutely by swillden · · Score: 3, Insightful

    I've always done this. I have one short, low-entropy password which I use on ALL low-risk web sites. For example, it's the one I use on slashdot. I don't really care if anyone gets in and starts posting stuff as me. In fact it might be a good thing, since it would give me some plausible deniability for the stupid things I sometimes say :-)

    For important sites (e.g. financial), I use long, randomly-generated passwords and manage them in a password manager, which itself is protected with a very strong password. But for everything else, that's too much effort and serves no purpose. And for my "crown jewels" account -- my e-mail account, which if hacked would provide the intruder with the ability to reset most all of my other passwords -- I use a strong password and have two-factor authentication enabled.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  10. High entropy rules on low importance sites by erice · · Score: 4, Interesting

    This is why it is infuriating when low importance sites require high complexity passwords. They create unnecessary exposure for the limited pool of high complexity passwords I can remember. Meanwhile, the bank will take anything.

  11. Re:Or Just Use a Password Manager by retchdog · · Score: 2

    You can use one on your smartphone. For android, you can even get an open source one and build it yourself if you want. (i forget the name of the one i used.)

    Or just print out the ones you might need and put them in your wallet. (waits for shocked disbelief to pass) Seriously, why not? You're not being hunted by the NSA here; if your wallet gets stolen, it'll be by some street thug, not a master haxx0r. They're going to take your money and maybe your credit cards, then throw out the rest of the crap. If you're really worried, print out the first (N-3) characters of your passwords, and then just memorize the three characters. This way, you get high entropy against skilled attackers (good), and low entropy against street trash (good enough) who won't bother more than a few attempts at most.

    It's all about having good enough security for the circumstance at hand, and compromising against convenience for you.

    --
    "They were pure niggers." – Noam Chomsky
  12. NSA approves of this! by MindPrison · · Score: 4, Funny

    Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

    This article has been approved by the NSA!

    --
    What this world is coming to - is for you and me to decide.
  13. HAHA WUT? by bmo · · Score: 2, Interesting

    Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service.

    This has to be a fucking joke. It has to be. bmo looks at calendar. Huh, it's not April 1.

    And what, exactly, is a "low security service?" The only "low security service" I can possibly think of is stuff like Mailinator where you don't even use a password.

    Remember when the entire Youporn chat login credentials file was leaked? You know, the one with real names, aliases, emails, and passwords in cleartext? Remember? Nearly every single password was usable on Facebook and the same password was reused in email.

    People had fun with that. I was in /g/ when it happened. I laughed at the results.

    Yahoo lost control of my fucking credentials twice showing logins from Romania and Sweden. I no longer use Yahoo Mail as a result, except as a throw-away, and the last time pushed me over the edge into using a password manager that holds -unique to every site- passwords that I can't even remember myself at 25 characters of complete ASCII gibberish. And you know what? It's easier on top of being more secure.

    Lose control over your login credentials at one place, and the rest is vulnerable if you recycle them elsewhere. Password re-use over multiple sites is fucking bad. Anecdotes aren't data but I don't care about your calculations because my reality trumps your poorly researched paper.

    --
    BMO
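
The failure mode bmo describes above (a cleartext dump from a throwaway site unlocking accounts elsewhere) is something a site operator can actually check for. The block below is an added example, not code from the thread, the paper, or any site mentioned: it takes a constructed "leaked" credential file and a constructed user table for a second site that stores salted PBKDF2 hashes, and reports which users' leaked passwords also verify on the second site. All e-mail addresses, passwords, the salt length and the iteration count are made up for the example.

```python
"""Added example (not from the thread or the paper): given a constructed
cleartext credential dump from a breached low-value site, report which
accounts on a second site are exposed because the same person reused the
password there.  The second site stores salted PBKDF2-SHA256 hashes, so
the check must re-derive each candidate hash under the user's own salt
rather than compare strings."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed breach dump in "email:password" form, entirely made up.
LEAKED_DUMP = """\
alice@example.com:Summer2013!
bob@example.com:hunter2
carol@example.com:correct horse battery staple
dave@example.com:p@ssw0rd

"""

# Iteration count is an assumption for the example, not a recommendation.
ITERATIONS = 50_000


def parse_dump(text: str) -> Dict[str, str]:
    """Parse email:password lines; the password itself may contain ':'."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds[email.strip().lower()] = password
    return creds


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_db(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a constructed user table for the 'important' site: email -> (salt, hash)."""
    db: Dict[str, Tuple[bytes, bytes]] = {}
    for email, password in users.items():
        salt = os.urandom(16)
        db[email.lower()] = (salt, hash_password(password, salt))
    return db


def exposed_accounts(dump: Dict[str, str],
                     db: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Return e-mails whose leaked password also verifies on the second site.

    Each leaked password is hashed under that user's own salt and compared
    in constant time; users absent from either side are simply skipped."""
    hits: List[str] = []
    for email, leaked_pw in dump.items():
        record = db.get(email)
        if record is None:
            continue
        salt, stored = record
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            hits.append(email)
    return sorted(hits)


# Constructed user table: alice and dave reused the breached password,
# bob and carol chose something different, erin was never in the dump.
IMPORTANT_SITE_DB = make_user_db({
    "alice@example.com": "Summer2013!",
    "bob@example.com": "Xq7!vR2#mLp9",
    "carol@example.com": "a different passphrase entirely",
    "dave@example.com": "p@ssw0rd",
    "erin@example.com": "unrelated",
})


def run_check() -> List[str]:
    """Cross-check the constructed dump against the constructed user table."""
    return exposed_accounts(parse_dump(LEAKED_DUMP), IMPORTANT_SITE_DB)


if __name__ == "__main__":
    for email in run_check():
        print(f"{email}: leaked password also works here; force a reset")
```

The point of re-hashing rather than string-matching is that a site that stores passwords properly cannot grep its own database for a leaked value; it has to run the leaked password through each affected user's salt, exactly as a credential-stuffing attacker would through the login form, and the constant-time compare keeps the check itself from leaking anything about the stored hash.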

  14. Simpler approach... by flajann3290 · · Score: 4, Insightful
    A simpler approach is to have a few high-entropy passwords and append a value at the end that is unique to each website using some self-created rule for it that is easy for you to remember. I would speak on how I do this but I won't for obvious reasons. :p

    A great way to remember your passwords is to use them often. The more the better.

    What kills me is that different sites have different password restrictions, which infuriates me. Some force you to use "special characters", others forbid it. Some force you to use a combination of letters and numbers, and many force you to use at least one uppercase letter and one lowercase letter. Some even restrict how long your password can be!!!!

    This wreaks havoc with my high-entropy passwords, which now become useless or need to be altered, as in capitalizing a letter that I totally forget about later...
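
The two complaints above, a memorized base plus a per-site rule, and site policies that then mangle the result, can be put side by side in code. The following is an added example, not the commenter's own rule (which they deliberately withheld) and not code from the paper: it derives a per-site password from a base using one hypothetical rule, checks the result against a few constructed site policies, and also tests the policies against each other to show when no single base can satisfy all of them. The base password, the derivation rule, and the three policies are all assumptions made up for the example.

```python
"""Added example (not the commenter's rule): derive a per-site password
from a memorized base, check it against constructed site policies, and
detect policies that contradict each other outright."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """A constructed site password policy; fields mirror the restrictions
    the post complains about (min/max length, required or forbidden classes)."""
    name: str
    min_len: int = 8
    max_len: Optional[int] = None
    require_upper: bool = False
    require_digit: bool = False
    require_special: bool = False
    forbid_special: bool = False


SPECIAL = re.compile(r"[^A-Za-z0-9]")


def site_name(site: str) -> str:
    """Second-level label of a host name: 'www.example.com' -> 'example'."""
    host = site.lower().split("/")[0]
    parts = [p for p in host.split(".") if p]
    return parts[-2] if len(parts) >= 2 else parts[0]


def derive(base: str, site: str) -> str:
    """Hypothetical rule: base + first three letters of the site name,
    capitalized, + the length of that name.  Any fixed rule works the same
    way; this one is an assumption for the example."""
    name = site_name(site)
    return f"{base}{name[:3].capitalize()}{len(name)}"


def violations(pw: str, p: Policy) -> List[str]:
    """List every way pw fails policy p (empty list means it is accepted)."""
    out: List[str] = []
    if len(pw) < p.min_len:
        out.append(f"shorter than {p.min_len}")
    if p.max_len is not None and len(pw) > p.max_len:
        out.append(f"longer than {p.max_len}")
    if p.require_upper and not any(c.isupper() for c in pw):
        out.append("no uppercase letter")
    if p.require_digit and not any(c.isdigit() for c in pw):
        out.append("no digit")
    has_special = SPECIAL.search(pw) is not None
    if p.require_special and not has_special:
        out.append("no special character")
    if p.forbid_special and has_special:
        out.append("special character not allowed")
    return out


def report(base: str, sites: Dict[str, Policy]) -> Dict[str, List[str]]:
    """For each site, derive the password and return its policy violations."""
    return {site: violations(derive(base, site), pol) for site, pol in sites.items()}


def incompatible(policies: List[Policy]) -> List[Tuple[str, str, str]]:
    """Pairs of policies no single password can satisfy, with the reason."""
    out: List[Tuple[str, str, str]] = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if (a.require_special and b.forbid_special) or (b.require_special and a.forbid_special):
                out.append((a.name, b.name, "special characters required by one, forbidden by the other"))
            if (a.max_len is not None and a.max_len < b.min_len) or \
               (b.max_len is not None and b.max_len < a.min_len):
                out.append((a.name, b.name, "one site's maximum length is below the other's minimum"))
    return out


# Constructed policies and base password; none of these are real sites' rules.
SITES: Dict[str, Policy] = {
    "forum.example.org": Policy("forum", min_len=6),
    "www.bank.example.com": Policy("bank", min_len=8, max_len=12, forbid_special=True),
    "news.example.net": Policy("newspaper", min_len=10, require_upper=True,
                               require_digit=True, require_special=True),
}
BASE = "tr0ut!flute"  # constructed; 11 chars, has a digit and a special char, no uppercase


if __name__ == "__main__":
    for site, problems in report(BASE, SITES).items():
        print(f"{site}: {derive(BASE, site)} -> {problems or 'accepted'}")
    for a, b, why in incompatible(list(SITES.values())):
        print(f"conflict between {a} and {b}: {why}")
```

With the constructed base, the forum and newspaper accept the derived password unchanged, while the bank rejects it twice over (too long, contains `!`), and the pairwise check shows that the bank and newspaper policies can never be met by one base password regardless of the rule used to vary it, which is the situation that leads people to keep site-specific exceptions they then forget.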