Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say
An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum."
Not only do they recommend reusing passwords, but reusing bad passwords for low risks sites to minimize recall difficulty.
That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.
Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.
That said, the linked paper is long and math-heavy, so I rate it likely the submitter (and the "editor") misunderstood something.
Hail Eris, full of mischief...
E pluribus sanguinem
The advocacy for Password Managers and Password Keepers is just utter BS. If some nothing website insists that I have to make an account just to post one little comment, and I might come back 5 years later to post again, then they're getting a generic username plus a generic password. I'm not wasting my time making some uber powerful password and utilizing something just to remember it. Even then, the OpenID solution would have been great, but every once in a while I'm presented with the option of logging in with my Google ID and giving some organization full access to my contact list, or full access to my Google Drive. Screw them, and I'll just create a generic account just for their site through their old interface, just so they can't read my contacts or documents. If they're so worried that people are using BS passwords on their site that spammers keep hacking to post, then maybe they should adopt better business practices.
So re-use low complexity passwords for unimportant sites and use high-complexity unique passwords for important sites.
Got it. Low for my bank account, high for World of Warcraft.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
This is why it is infuriating when low importance sites require high complexity passwords. They create unnecessary exposure for the limited pool of high complexity passwords I can remember. Meanwhile, the bank will take anything.
Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say
This article has been approved by the NSA!
What this world is coming to - is for you and me to decide.
The point of password reuse is to use an algorithm that you can remember but not someone can guess.
This is not my password but it's an example of how I create one:
If I visit a site and its name is GoogleSucks.com, I will use my "easy" word + the first syllable of the site + a padding word that I use on all sites. Depending on how asinine the password requirements are, the beginning or end of the password will be padded with numbers and symbols, but always the same ones.
So Googlesucks.com might be turkeyGootrucking8
and another site, like a bank site that I want higher entropy on, will use a different algorithm, so BOA might end up a hard non-English word + the padding word, then the company's initials + needed password entropy, so BOA would end up with namastetruckingBOA8
So when I use sites that want to remember my shipping address or credit card (I never save my credit card number, I don't care how "safe" your site is) I use the harder credentials. I just want to post a comment on the many HuffPo type of sites, easy password all the time. So while each password for each site is unique, effectively the easy password is reused but padded with something unique to the site so that even if the password was stolen it's unusable for any other site.
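As an added illustration (not the commenter's code), here is the memorised scheme above written out in Python next to a keyed alternative: a per-site password derived as HMAC-SHA256 of the site name under a master secret, the approach deterministic password managers take. The words "turkey" and "trucking", the three-letter rule standing in for "first syllable", the master secret and the sample domains are all assumptions made for the example. The difference the code makes visible is what an attacker learns from one leaked password: with the memorised scheme, every other site's password differs only in the site token, which is read straight off the domain; with the keyed scheme, each site gets a full 16 characters (about 95 bits) that cannot be inferred without the master secret.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed sample values mirroring the commenter's GoogleSucks.com example.
EASY_WORD = "turkey"
PADDING_WORD = "trucking"
SUFFIX = "8"

ALPHABET = string.ascii_letters + string.digits


def site_token(domain: str) -> str:
    """Stand-in for 'first syllable of the site': first three letters of the
    leftmost label, capitalised (an assumption; the comment gives no exact rule)."""
    name = domain.lower().split(".")[0]
    return name[:3].capitalize()


def commenter_scheme(domain: str) -> str:
    """The memorised scheme as described: easy word + site token + padding + fixed digits.
    Everything except site_token() is constant across sites, so one leaked password
    reveals the whole pattern."""
    return f"{EASY_WORD}{site_token(domain)}{PADDING_WORD}{SUFFIX}"


def keyed_scheme(master_secret: bytes, domain: str, length: int = 16) -> str:
    """Deterministic per-site password from HMAC-SHA256(master_secret, domain).
    Still memorable in the sense that only the master secret must be remembered,
    but the site-specific output is unpredictable without that secret."""
    digest = hmac.new(master_secret, domain.lower().encode(), hashlib.sha256).digest()
    # Treat the 256-bit digest as one integer and peel off base-62 digits; with
    # 62**16 << 2**256 the modulo bias is negligible.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def random_password(length: int = 16) -> str:
    """What a conventional password manager stores: an independent random string per site."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of the given length over the alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    master = b"constructed-master-secret-do-not-reuse"
    for domain in ("GoogleSucks.com", "huffpo.example", "bank.example"):
        print(domain, commenter_scheme(domain), keyed_scheme(master, domain))
    print("bits per keyed/random 16-char password:", round(entropy_bits(16), 1))
```

The keyed variant keeps the part of the commenter's idea that is sound (one secret to remember, a distinct password per site) and fixes the part that is not (the per-site difference being guessable). It inherits the usual caveats of deterministic derivation: the master secret carries all the security, and changing one site's password means adding a counter or salt to the HMAC input.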
A great way to remember your passwords is to use them often. The more the better.
What kills me is that different sites have different password restrictions, which infuriates me. Some force you to use "special characters", others forbid it. Some force you to use a combination of letters and numbers, and many force you to use at least one uppercase letter and one lowercase letter. Some even restrict how long your password can be!!!!
This wreaks havoc with my high-entropy passwords, which now become useless or need to be altered, as in capitalizing a letter that I totally forget about later...
My intuition says that most people do this. Though, I could be wrong.
Well, some of us try to do it. We are, regrettably, impeded by whacked out sysadmins who insist we must use THEIR idea of a strong password -- which always seems to be different from anyone else's idea of a strong password, and/or that we need to change passwords periodically, and/or that we can't reuse passwords.
It sometimes seems that there is an inverse relationship between the actual need for security and the system administrator's perception of the need for security.
But other than the fact that users often have to contend with the idiosyncrasies of sociopaths who feel that anything that is easy to use is clearly flawed, this seems a pretty good idea. If it gets the attention it deserves, perhaps it might be one small first step toward straightening out the incredible mess that is computer security.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
I see that someone has had problems with a sysadmin.
Try to remember that not all sysadmins are BOFH. Some actually agree with you on the need for complex passwords and how often they should be changed. Many of them, however, have to follow outdated and impractical guides forced upon them by government standards in order to comply with HIPAA, SOX, or PCI.
There are a couple of things that bother me, though. The first is pattern re-use. P@$$word521 does meet the complexity requirements of many systems. But when you use P@$$word125, P@$$word251, P@$$word215 and then tell everyone that you use P@$$word with the same three numbers and just rotate the numbers, it is not much better than a post-it under the keyboard. Complex passwords do not have to be difficult to remember. Just because someone has difficulty coming up with good passwords does not mean that a hard-to-remember password is actually complex.
The second thing that bothers me is when a sysadmin will force a password policy on you, but won't use it himself. I know one admin that forced a password change every 90 days for all accounts except his. When he left the company, his password history was completely blank. He had used the same password for years. While I think passwords could live longer than 90 days and twice a year would be sufficient for many passwords, if a change is required, it should be required for all users including the sysadmin.
Just my little rant.
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
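The pattern re-use the comment above describes (P@$$word521, P@$$word125, P@$$word251, ...) is something a password-change policy can actually check for, which is more useful than a plain "no previous password" rule. The following is an added example, not code from the thread or from any product: it undoes the common symbol-for-letter substitutions, compares the letters-only core of the candidate with each previous password, and treats a candidate whose core is unchanged and whose digits are merely rotated or renumbered as re-use. The substitution table and the sample history are constructed for the example.

```python
from collections import Counter

# Common symbol-for-letter substitutions, undone before comparing cores (assumed table).
SYMBOL_TO_LETTER = str.maketrans({"@": "a", "$": "s", "!": "i", "|": "l", "(": "c"})


def stem(password: str) -> str:
    """Letters-only core of a password: substitutions undone, digits and symbols dropped,
    case folded. P@$$word521 and P@$$word125 both stem to 'password'."""
    return "".join(ch for ch in password.translate(SYMBOL_TO_LETTER) if ch.isalpha()).lower()


def digit_multiset(password: str) -> Counter:
    """Digits of the password as a multiset, so 521 and 125 compare equal."""
    return Counter(ch for ch in password if ch.isdigit())


def classify_change(old: str, new: str) -> str:
    """Describe how 'new' relates to 'old':
    'unchanged'      - identical
    'digits-rotated' - same core, same digits in a different order
    'digits-changed' - same core, different digits
    'new'            - different core (or no letters to compare)"""
    if old == new:
        return "unchanged"
    if not stem(new) or stem(old) != stem(new):
        return "new"
    if digit_multiset(old) == digit_multiset(new):
        return "digits-rotated"
    return "digits-changed"


def accept_new_password(candidate: str, history: list) -> bool:
    """Policy helper: accept only candidates whose core differs from every previous password.
    All-digit passwords are outside this check and need a separate rule."""
    return all(classify_change(old, candidate) == "new" for old in history)


# Constructed password history matching the rotation pattern from the comment.
HISTORY = ["P@$$word521", "P@$$word125", "P@$$word251"]

if __name__ == "__main__":
    for candidate in ("P@$$word215", "P@$$word999", "wombat-gazebo-lantern"):
        verdict = "accepted" if accept_new_password(candidate, HISTORY) else "rejected"
        print(f"{candidate}: {verdict}")
```

The classification is deliberately coarse: it does not try to score strength, only to catch the specific habit of keeping one core word and shuffling the digits around it, which is what turns a 90-day rotation into a formality.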