Slashdot Mirror


Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low-security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low-risk websites is necessary in order for users to be able to remember unique and high-entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum." Not only do they recommend reusing passwords, but reusing bad ones on low-risk sites to minimize recall difficulty.

24 of 280 comments

  1. This makes sense. by Anonymous Coward · · Score: 3, Insightful

    My intuition says that most people do this. Though, I could be wrong.

    1. Re:This makes sense. by Anonymous Coward · · Score: 5, Interesting

      The point of password reuse is to use an algorithm that you can remember but that someone else cannot guess.

      This is not my password but it's an example of how I create one:
      If I visit a site and its name is GoogleSucks.com, I will use my "easy" word + the first syllable of the site + a padding word that I use on all sites. Depending on how asinine the password requirements are, the beginning or end of the password will be padded with numbers and symbols, but always the same ones.
      So Googlesucks.com might be turkeyGootrucking8
      and another site like a bank site that I want higher entropy on will use a different algorithm, so BOA might end up a hard non-English word + the padding word, then the company's initials + needed password entropy, so BOA would end up with namastetruckingBOA8

      So when I use sites that want to remember my shipping address or credit card (I never save my credit card number, I don't care how "safe" your site is) I use the harder credentials. I just want to post a comment on the many HuffPo type of sites, easy password all the time. So while each password for each site is unique, effectively the easy password is reused but padded with something unique to the site so that even if the password was stolen it's unusable for any other site.

    2. Re:This makes sense. by vtcodger · · Score: 4, Interesting

      My intuition says that most people do this. Though, I could be wrong.

      Well, some of us try to do it. We are, regrettably, impeded by whacked out sysadmins who insist we must use THEIR idea of a strong password -- which always seems to be different from anyone else's idea of a strong password, and/or that we need to change passwords periodically, and/or that we can't reuse passwords.

      It sometimes seems that there is an inverse relationship between the actual need for security and the system administrator's perception of the need for security.

      But other than the fact that users often have to contend with the idiosyncrasies of sociopaths who feel that anything that is easy to use is clearly flawed, this seems a pretty good idea. If it gets the attention it deserves, perhaps it might be one small first step toward straightening out the incredible mess that is computer security.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    3. Re:This makes sense. by SQLGuru · · Score: 3, Informative

      Yep. This has been my strategy for many years. I rank sites by how much I care whether they are compromised. For low ranked sites, they get one of several easy passwords (depending on how important THEY think their passwords are). For critical sites (i.e. banking info) they get a unique strong password conforming to the password rules.

    4. Re:This makes sense. by knarfling · · Score: 4, Interesting

      I see that someone has had problems with a sysadmin.

      Try to remember that not all sysadmins are BOFH. Some actually agree with you on the need for complex passwords and how often they should be changed. Many of them, however, have to follow outdated and impractical guides forced upon them by government standards in order to comply with HIPAA, SOX, or PCI.

      There are a couple of things that bother me, though. The first is pattern re-use. P@$$word521 does meet the complexity requirements of many systems. But when you use P@$$word125, P@$$word251, P@$$word215 and then tell everyone that you use P@$$word with the same three numbers and just rotate the numbers, it is not much better than a post-it under the keyboard. Complex passwords do not have to be difficult to remember. Just because someone has difficulty coming up with good passwords does not mean that a hard-to-remember password is actually complex.

      The second thing that bothers me is when a sysadmin will force a password policy on you, but won't use it himself. I know one admin that forced a password change every 90 days for all accounts except his. When he left the company, his password history was completely blank. He had used the same password for years. While I think passwords could live longer than 90 days and twice a year would be sufficient for many passwords, if a change is required, it should be required for all users including the sysadmin.

      Just my little rant.

      --
      Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
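Added example, not from the thread or the paper: a small rule-based guesser in Python that models the pattern-reuse point made above. Given one leaked password it tries the same digits in every order first, then nearby numbers, then every suffix of the same width, and reports how many guesses a "rotated" successor survives versus one with a fresh random suffix. The leaked value and the two successors are constructed for the demo.

```python
import itertools
import math

# Constructed sample values for this demonstration (not from the page).
LEAKED = "P@$$word521"        # recovered from one breach
NEXT_ROTATED = "P@$$word251"  # the "rotate the same three digits" habit
NEXT_RANDOM = "P@$$word837"   # same base, freshly random suffix


def split_suffix(password):
    """Split a password into its base and its trailing digits."""
    i = len(password)
    while i > 0 and password[i - 1].isdigit():
        i -= 1
    return password[:i], password[i:]


def pattern_candidates(leaked):
    """Yield guesses in the order a rule-based cracker would try them:
    1. permutations of the leaked digits (the rotation habit),
    2. the leaked number plus or minus a few,
    3. every other suffix of the same width (exhaustive fallback).
    Duplicates are suppressed so each string is tried once."""
    base, digits = split_suffix(leaked)
    width = len(digits)
    seen = set()

    def emit(cand):
        if cand in seen:
            return False
        seen.add(cand)
        return True

    for perm in itertools.permutations(digits):
        cand = base + "".join(perm)
        if emit(cand):
            yield cand
    if width:
        n = int(digits)
        for delta in range(-5, 6):
            if delta == 0 or n + delta < 0:
                continue
            cand = base + str(n + delta).zfill(width)
            if emit(cand):
                yield cand
        for i in range(10 ** width):
            cand = base + str(i).zfill(width)
            if emit(cand):
                yield cand


def guesses_until_found(leaked, target, limit=10 ** 6):
    """Number of guesses needed to hit `target`, or None if not reached."""
    for n, cand in enumerate(pattern_candidates(leaked), 1):
        if cand == target:
            return n
        if n >= limit:
            break
    return None


def effective_bits(guesses):
    """Entropy the new password effectively has against this attacker."""
    return math.log2(guesses)
```

Against this guesser the rotated successor falls in 3 guesses (about 1.6 bits of effective entropy), while even a random three-digit suffix on the same base lasts only a few hundred guesses; the base, not the digits, is what the first breach gave away.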
  2. Dumb dumb dumb advice... by dskoll · · Score: 4, Insightful

    That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

    1. Re:Dumb dumb dumb advice... by dskoll · · Score: 3, Funny

      Following up on myself: That research paper is awesome! Never before have I seen the use of partial differential equations to justify unequivocal bullshit. Amazing! They must've really worked hard on that.

    2. Re:Dumb dumb dumb advice... by retchdog · · Score: 4, Funny

      Never before have I seen the use of partial differential equations to justify unequivocal bullshit.

      Haven't read many research papers, have you? ;-)

      --
      "They were pure niggers." – Noam Chomsky
    3. Re:Dumb dumb dumb advice... by CrimsonAvenger · · Score: 3, Informative

      I doubt it's ideal, but I use PasswordSafe and carry it on a USB stick.

      And in the end, there are only about three computers I ever access it from.

      --
      "I do not agree with what you say, but I will defend to the death your right to say it"
    4. Re:Dumb dumb dumb advice... by sideslash · · Score: 3, Insightful

      That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

      I didn't RTA, but when you say it's stupid not to always use a strong password, aren't you making an unwarranted assumption? There are some sites where it truly doesn't matter. On such sites I will never send any sensitive data, and all I want is to get past the annoying login to get to something I care about. You know, like the bugmenot cases. If you take the time to create such accounts for yourself with an insecure(!) and memorable password, there's nothing wrong with that.

    5. Re:Dumb dumb dumb advice... by jbmartin6 · · Score: 4, Insightful

      This isn't stupid at all, it is something missing from a lot of security advice: a hint of reality. The amount of effort any person will put towards security, or any other goal, is finite. Therefore it is useful to put at least some thought into how that limited effort can be used for the maximum benefit. For the most part, I don't care what my gawker password is or all the other silly little logons. I use the same simple password for all of them because there is zero risk to me if they are compromised, other than someone else can now post with the screen name I picked (and don't care about). To suggest that I should lug around a password safe and log into it every time I need to use one of these zero-risk logons is to suggest that I squander my limited security effort. It is far better to conserve that effort for things that are actually important.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    6. Re:Dumb dumb dumb advice... by Charliemopps · · Score: 4, Informative

      That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

      What's dumb is giving the same advice over and over, building your security policy around those people following that advice, all despite 30 years of evidence that proves they won't follow the advice.

      Security is as much about psychology as procedure. I worked at AT&T a little over 10 years ago, and one day they announced that the password requirements for one of their systems would be changed to require a 29-letter phrase, including at least 3 spaces, capitals, lower case, numbers and special characters. The end result? A utopia of highly secure, uncrackable systems to be proud of? No... the whole company had their passwords written on post-it notes stuck to their monitors within a week.

    7. Re:Dumb dumb dumb advice... by dskoll · · Score: 3, Insightful

      But I sure as fuck am not going to put ALL of them into ANY app or single program - there are backdoors built into routers these days, you expect some start-up (or even established) "password keeper" doesn't have that possibility? I am concerned for your common sense.

      Woah, woah, woah, chill out!

      I have the complete source code for my password manager. And guess what... I've even read the source code!

      It uses "openssl bf" to encrypt (that's the Blowfish cipher). In spite of all the warnings about OpenSSL holes, I don't believe anyone's yet found a problem with its Blowfish implementation, and though Blowfish is old and there may be weak keys, I don't believe it has serious vulnerabilities especially when only used to encrypt small files.

    8. Re:Dumb dumb dumb advice... by sexconker · · Score: 4, Informative

      So what is this ideal password keeper? And how do you access it whenever and wherever you're located?

      KeePass. It has strong encryption options, it isn't tied to any site or service, the (encrypted) database can be synced however you want (such as with Dropbox) and used on any devices you want (including phones), it's got all sorts of options for generating passwords, automatically typing them, automatically expiring them, etc., and it's fairly light weight.
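Added example, not code from either poster: the two comments above put all of the eggs in one encrypted file, so the question a practitioner asks is not whether Blowfish holds up but how the master passphrase becomes the key. The Python below reimplements OpenSSL's legacy EVP_BytesToKey derivation, which `openssl enc` (and thus `openssl bf`) uses unless `-pbkdf2` is given, beside the PBKDF2 path, and counts digest calls per guess. The passphrase and salt are constructed; the salt is the one an attacker reads from the "Salted__" header of the file anyway.

```python
import hashlib

# Constructed demo inputs; the salt is what `openssl enc` would have written
# after the "Salted__" marker at the start of the file, so an attacker has it.
DEMO_PASSPHRASE = b"correct horse battery staple"
DEMO_SALT = bytes.fromhex("0011223344556677")

BF_KEY_LEN, BF_IV_LEN = 16, 8   # bf-cbc: 128-bit key (openssl default), 64-bit IV


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5", count=1):
    """OpenSSL's legacy EVP_BytesToKey (what `openssl enc` uses without -pbkdf2):
    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), each block
    hashed `count` times, concatenated until key_len + iv_len bytes exist.
    Returns (key, iv, number_of_digest_calls)."""
    out, prev, calls = b"", b"", 0
    while len(out) < key_len + iv_len:
        d = hashlib.new(digest, prev + password + salt).digest()
        calls += 1
        for _ in range(count - 1):
            d = hashlib.new(digest, d).digest()
            calls += 1
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len], calls


def legacy_bf_key(password, salt, digest="md5"):
    """Key/IV an `openssl bf` (bf-cbc) run without -pbkdf2 derives. Builds before
    1.1.0 hashed with MD5 by default, 1.1.0 and later with SHA-256; count is 1
    either way, so a guess costs one or two digest calls."""
    return evp_bytes_to_key(password, salt, BF_KEY_LEN, BF_IV_LEN, digest)


def pbkdf2_bf_key(password, salt, iterations=10_000):
    """What `openssl enc -bf -pbkdf2 -iter N` does: one PBKDF2-HMAC-SHA256 output
    split into key || iv. 10000 is OpenSSL's default iteration count for -pbkdf2."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                             dklen=BF_KEY_LEN + BF_IV_LEN)
    return km[:BF_KEY_LEN], km[BF_KEY_LEN:], iterations


def attacker_slowdown(legacy_calls, pbkdf2_iterations):
    """Rough factor by which per-guess cost rises from the legacy derivation to
    PBKDF2 (each PBKDF2 iteration is at least one digest call)."""
    return pbkdf2_iterations / legacy_calls
```

The legacy path costs two MD5 calls per guess, so a synced or stolen keeper file can be attacked at dictionary speed; `-pbkdf2 -iter` with a large count (or, in KeePass, raising the key transformation rounds) is the knob that actually protects a merely-memorable master passphrase. Note that OpenSSL 3 moved Blowfish into the legacy provider, so `openssl bf` needs `-provider legacy` there.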

  3. Bah by Nimey · · Score: 4, Insightful

    Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

    That said, the linked paper is long and math-heavy, so I rate it likely the submitter (and the "editor") misunderstood something.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:Bah by TheCarp · · Score: 4, Interesting

      I have to say, I REALLY like the password manager someone was working on that was based on, I think, a Raspberry Pi, where it would actually act as a USB HID to enter the password, and keeps your encrypted passwords on its physical hardware device.

      Still susceptible to keyloggers and other malware but...1) they can only get the passwords as you use them and 2) they will NEVER see your master password since it never even gets entered into the machine, but only to the password keeper device.

      Now THAT is how to do passwords right.

      --
      "I opened my eyes, and everything went dark again"
    2. Re:Bah by Sqr(twg) · · Score: 3, Insightful

      Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

      ...if, and only if, the password manager is completely secure in itself.

      If the terminal used to access the password manager is compromised, then the attacker gets the master password and thus access to all keys - not just the one that was requested.

      In other words, you might have used an insecure computer to log on to slashdot, and the attacker now has your bank login credentials.

  4. No duh by gurps_npc · · Score: 3, Insightful

    When some site, like say slashdot, uses passwords not for real security, but instead to identify its users, then only an idiot wastes their memory creating a 'good password' for it.

    Better to use the same crappy password for web sites that do involve real financial risk.

    Of course, if you use that same password for a bank account, or anything that knows a credit card number, SS#, or similar information, you need to have your head examined.

    --
    excitingthingstodo.blogspot.com
  5. Good since OpenID failed to take over by medv4380 · · Score: 4, Interesting

    The advocacy for Password Managers and Password Keepers is just utter BS. If some nothing website insists that I have to make an account just to post one little comment, and I might come back 5 years later to post again, then they're getting generic username plus generic password. I'm not wasting my time making some uber powerful password, and utilizing something just to remember it. Even then the OpenID solution would have been great, but every once in a while I'm presented with the option of logging in with my Google ID and giving some organization full access to my contact list, or full access to my Google Drive. Screw them, and I'll just create a generic account just for their site through their old interface just so they can't read my contacts or documents. If they're so worried that people are using BS passwords on their site that spammers keep hacking to post, then maybe they should adopt better business practices.

  6. So complex by Impy the Impiuos Imp · · Score: 4, Funny

    So re-use low complexity passwords for unimportant sites and use high-complexity unique passwords for important sites.

    Got it. Low for my bank account, high for World of Warcraft.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  7. Absolutely by swillden · · Score: 3, Insightful

    I've always done this. I have one short, low-entropy password which I use on ALL low-risk web sites. For example, it's the one I use on slashdot. I don't really care if anyone gets in and starts posting stuff as me. In fact it might be a good thing, since it would give me some plausible deniability for the stupid things I sometimes say :-)

    For important sites (e.g. financial), I use long, randomly-generated passwords and manage them in a password manager, which itself is protected with a very strong password. But for everything else, that's too much effort and serves no purpose. And for my "crown jewels" account -- my e-mail account, which if hacked would provide the intruder with the ability to reset most all of my other passwords -- I use a strong password and have two-factor authentication enabled.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. High entropy rules on low importance sites by erice · · Score: 4, Interesting

    This is why it is infuriating when low-importance sites require high-complexity passwords. They create unnecessary exposure for the limited pool of high-complexity passwords I can remember. Meanwhile, the bank will take anything.

  9. NSA approves of this! by MindPrison · · Score: 4, Funny

    Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

    This article has been approved by the NSA!

    --
    What this world is coming to - is for you and me to decide.
  10. Simpler approach... by flajann3290 · · Score: 4, Insightful

    A simpler approach is to have a few high-entropy passwords and append a value at the end that is unique to each website using some self-created rule for it that is easy for you to remember. I would speak on how I do this but I won't for obvious reasons. :p

    A great way to remember your passwords is to use them often. The more the better.

    What kills me is that different sites have different password restrictions, which infuriates me. Some force you to use "special characters", others forbid it. Some force you to use a combination of letters and numbers, and many force you to use at least one uppercase letter and one lowercase letter. Some even restrict how long your password can be!!!!

    This wreaks havoc with my high-entropy passwords, which then become useless or need to be altered, as in capitalizing a letter that I totally forget about later...
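Added example, not code from any poster: a Python sketch of the tiered portfolio that comment 1.1, comment 7 and comment 10 each describe in words. Low-tier sites get one shared memorable password, as the paper recommends; every other site gets a password derived from a stretched master secret and the domain with HMAC, so that (unlike a visible site-derived padding word) one leaked password reveals neither the master nor any sibling password. It also includes the site-policy check comment 10 complains about. The tier table, domains, alphabet and iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import math
import string

# Constructed demo data: the tier table, domains and the shared "easy" password
# are assumptions for this example, not anything from the thread.
TIERS = {
    "low":  {"length": 0,  "unique": False},  # throwaway comment accounts: one shared memorable password
    "high": {"length": 20, "unique": True},   # banking, primary e-mail: unique, derived, high entropy
}
SITE_TIERS = {
    "slashdot.org": "low",
    "huffingtonpost.com": "low",
    "bankofamerica.com": "high",
    "mail.example.com": "high",
}
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols
PBKDF2_ITERATIONS = 200_000   # assumed cost; tune to ~0.1 s on your own machine


def stretch_master(master_secret):
    """Slow the master secret once so offline guessing costs real work."""
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode(),
                               b"site-password-v1", PBKDF2_ITERATIONS)


def derive_site_password(stretched_master, domain, length, alphabet=ALPHABET):
    """Per-site password = HMAC(stretched master, domain || counter), mapped onto
    `alphabet` with rejection sampling (no modulo bias). HMAC is keyed and
    one-way, so a leak of one site's password exposes neither the master nor
    any other site's password."""
    limit = 256 - (256 % len(alphabet))
    chars, counter = [], 0
    while len(chars) < length:
        block = hmac.new(stretched_master, f"{domain}|{counter}".encode(),
                         "sha256").digest()
        chars.extend(alphabet[b % len(alphabet)] for b in block if b < limit)
        counter += 1
    return "".join(chars[:length])


def password_for(master_secret, shared_low_password, domain):
    """The portfolio rule: low-tier sites share one memorable password;
    everything else (including sites not in the table) gets a unique derived one."""
    policy = TIERS[SITE_TIERS.get(domain, "high")]
    if not policy["unique"]:
        return shared_low_password
    return derive_site_password(stretch_master(master_secret), domain, policy["length"])


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly chosen password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def meets_policy(password, min_len=12, max_len=None, min_classes=3, forbid=""):
    """Check a password against the kind of per-site rules comment 10 describes:
    length bounds, a minimum number of character classes, forbidden symbols."""
    if len(password) < min_len or (max_len is not None and len(password) > max_len):
        return False
    if any(c in forbid for c in password):
        return False
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return sum(classes) >= min_classes
```

A 20-character password over this 70-symbol alphabet carries about 122 bits, far beyond what any of the sites' rules require; when a site forbids symbols or caps the length, derive with a narrower alphabet or shorter length for that domain rather than hand-editing the result, which is exactly the "capitalized a letter and forgot" failure above.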