
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

»it.slashdot.org/story/14/07/16/1···hers-say

"An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. 'The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio,' the trio wrote. 'Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum.' Not only do they recommend reusing passwords, but reusing bad passwords for low-risk sites to minimize recall difficulty."

Interesting. What do you guys think of this?
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.



Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 recommendation

Agreed ..... and use day by day to train our brain "How to burn a password into your brain"....[ »nakedsecurity.sophos.com/2014/07···r-brain/ ]


Millenium

join:2013-10-30
kudos:1
Reviews:
·Time Warner Cable

1 recommendation

reply to antdude

I think password complexity is directly proportional to importance. And I use the same simple password for all at the bottom of the list. I keep unique, unrelated, user names and email addresses across all places I log in. Acquiring my credentials or email at dslreports, for instance, isn't going to be any help anywhere else.



dandelion
Premium,MVM
join:2003-04-29
Germantown, TN
kudos:5

1 recommendation

reply to antdude

Been doing that for a long time.



sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to antdude

It took them this long to figure out?

I have been re-using the same weak password on non-sensitive sites since 1996 or so. I have a few other weak passwords I randomly choose, but none more used than that one from way back.

Curiously enough I've never had an account protected by said password stolen... I guess I'm just darn good at picking sites no one wants to bother hacking... or at least using the passwords from.
--
Oh, Opera, what have you done?



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

2 recommendations

reply to antdude

It's nice to see security truisms challenged.

The failure point of selectively using bad passwords on not critical sites is found in the question:
What sites are critical vs what sites are not critical.

That old Gmail account you hardly ever used & use even less now cannot be as important as your banking site.

Sounds like a reasonable analysis until it's learned the hard way that the little importance Gmail account was the password recovery email account for your banking site.



mackey
Premium
join:2007-08-20
kudos:12
reply to antdude

Seriously? They needed to do a study to learn what should be common sense? I've been doing this for years.

/M



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to antdude

Hmm... it's interesting to see Microsoft's R&D money spent on such noteworthy studies. Next, they'll probably determine via similar studies that most individual users upgrade their operating systems when they purchase a new computer to replace their aging one...
--
The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money. -- A. de Tocqueville


kevinds
Premium
join:2003-05-01
Calgary, AB
kudos:3
Reviews:
·Shaw

1 recommendation

reply to antdude

said by antdude:

Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information.

Agreed, I have been doing exactly this for a long time now

BG5150

join:2008-08-14
New York, NY
reply to antdude

Most of my logins are BG5100, 5110, 5120, etc.

PWs are usually my dad's name. Followed by a 1 and/or ! as required by the site.

Makes things a lot easier on me when logging into sites.



dvd536
as Mr. Pink as they come
Premium
join:2001-04-27
Phoenix, AZ
kudos:4

My password here used to be password1 for 4 years. It's since been changed to a stronger one.
--
Despises any post with strings.


TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel
reply to dandelion

said by dandelion:

Been doing that for a long time.

Ditto.

Websites that have little importance and don't hold any personal information I use the same password. These are the types of sites that if the account gets compromised, no big deal, just create another and move on.

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

1 recommendation

reply to antdude

speaking of which, cnet's databases were hacked:

»nakedsecurity.sophos.com/2014/07···r-group/



Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

4 recommendations

reply to antdude

I guess it depends on how secure you want to be. If you're not using a password manager you obviously don't care about your online account security and this is fine, for you. If you're using a password manager it doesn't matter if you have a random password for every site as you don't have to remember it.

The question I have is, what is a low security service? Facebook? LinkedIn? Your e-mail? DSL Reports? All of those sites could have very broad implications on your online reputation.

My personal opinion is that if you're not using a password manager you don't care about your online security. There is no way anyone can remember the sheer number of user names and passwords that our digital lives require. With the number of sites that are breached and the number of accounts that are compromised password reuse isn't secure.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein


redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to antdude

Kilroy, you are right. I just don't like having to deal with my password manager every time I log in to a website.


Millenium

join:2013-10-30
kudos:1
Reviews:
·Time Warner Cable
reply to Kilroy

said by Kilroy:

The question I have is, what is a low security service? Facebook? LinkedIn? Your e-mail? DSL Reports? All of those sites could have very broad implications on your online reputation.

Disposable email accounts. Places you're not looking to establish a reputation and places you don't provide authentic personal info. Places where all you're interested in is casually hanging out and participating, rather than "networking." Places you might establish a test account to have a look at services or products before you provide authentic info. Non-essential or easily duplicated accounts at places you want to enjoy services, but where personal info sharing is a privacy concern easily and harmlessly avoided.

A simple, common use password makes it very easy to remember across all these circumstances.

Wyngs

join:2010-02-20
Coos Bay, OR

1 recommendation

reply to antdude

Am I the only one in the whole world who uses pencil and notebook to store passwords in case I forget?

In any case, for some years now, I have been using the same word, followed by a change in number and special character. If I forget a password, it usually takes but a couple of tries to come up with it - else open the notebook.

Several times I've considered using a word search utility that I could enter web site name and password - but each time chickened out. If someone hacked into my computer, they would then have it all.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

1 recommendation

reply to Kilroy

said by Kilroy:

If you're not using a password manager you obviously don't care about your online account security and this is fine, for you. If you're using a password manager it doesn't matter if you have a random password for every site as you don't have to remember it.

I use a password manager.
FF's remember password option.
It's the most efficient password manager I know of.
Exporting them a few times a year allows me to keep a local copy for backup.
The advantage beyond simply remembering a site's password is that it also serves to validate that a site is the site it says it is.

A bogus site will not populate the user name/password fields as the legit site will.
On some days I may need to validate or invalidate several hundred links.
If the link produces my user name or password the site is legit, period.

I maintain a login to sites I never use just to be able to use the remember password option in this manner.

Last time I mentioned this it became obvious that the remember password option isn't used by many of you for security reasons but I'll say it again - I use it for security reasons - my security.


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

said by Snowy:

A bogus site will not populate the user name/password fields as the legit site will

I agree, this is another security feature of using a password manager that is seldom mentioned.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein
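Snowy and Kilroy above rely on the browser only offering saved credentials on the site they were saved for. As an added example, not code from this page or from any browser, the function below applies the rule a password manager uses for that: it reduces the stored entry and the visited URL to an origin (scheme, host and port) and fills only on an exact match, so a lookalike host, a subdomain trick, a userinfo trick or a plain-HTTP downgrade gets nothing. The vault contents and the names `origin_of` and `credentials_for` are constructed for the example; real managers differ in detail (some match on the registrable domain, some let you attach extra URLs to an entry), so treat this as the strict baseline.

```python
from urllib.parse import urlsplit

# Constructed sample vault for the example: origin -> (username, password).
# These are not real credentials.
VAULT = {
    "https://www.dslreports.com": ("antdude", "correct-horse-battery"),
    "https://mail.example.com": ("snowy", "s3cret-password"),
}


def origin_of(url):
    """Return scheme://host[:port] for a URL, the key a manager matches on.

    Returns None for anything that is not an http(s) URL with a host, so
    javascript:, data: and malformed links never match a stored entry.
    """
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    host = p.hostname.lower()          # hostname strips userinfo and brackets
    default = 443 if p.scheme == "https" else 80
    port = p.port                      # None when absent; raises on garbage
    if port is None or port == default:
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{port}"


def credentials_for(url, vault=VAULT):
    """Offer (username, password) only when the page's origin exactly matches
    the origin the entry was saved under; otherwise offer nothing."""
    origin = origin_of(url)
    if origin is None:
        return None
    return vault.get(origin)


if __name__ == "__main__":
    for link in (
        "https://www.dslreports.com/forum/remark,1",       # the saved site
        "https://www.dslreports.com.evil.example/login",   # lookalike subdomain
        "https://www.dslreports.com@evil.example/",        # userinfo trick
        "http://www.dslreports.com/",                      # downgrade to http
    ):
        print(link, "->", credentials_for(link))
```

The caveat a practitioner should keep in mind: this catches a page that is not the one the password was saved for, which is exactly Snowy's use of it. It does nothing against a legitimate site that has been compromised, a login form served from a different origin than the one that was saved, or an attacker who already has the exported vault, which is why the backup export Snowy mentions should itself be kept encrypted.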

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel
reply to Kilroy

said by Kilroy:

The question I have is, what is a low security service? Facebook? LinkedIn? Your e-mail? DSL Reports? All of those sites could have very broad implications on your online reputation.

Facebook - I don't have an account there.

LinkedIn - no account there either

DSL Reports - considered as "medium" security as I use it a lot and have been an active user for many years.

Examples of "low" security accounts:

-disposable email accounts
-websites that require registration for a one-off download or something (I use disposable email addresses and fake information when signing up for those)
-free porn sites

Examples of "medium" security:

-frequently used online forum accounts
-videogame accounts
-online shopping accounts (where credit card information is NOT held on the account)

High security:

-online banking
-government online services
-server remote access/VPN accounts
-anything where sensitive personal information and/or financial/payment information is kept on file for future use (I don't typically enable this if there's an option)

Low security typically use the same one or two relatively simple (but not easily guessable) passwords.

Medium security use mostly unique passwords that are easily memorable yet difficult to brute-force/dictionary/guess.

High security use unique passwords that are lengthier and more random, not quite as easy to remember but since I have very few "high security" accounts, still feasible.
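Snowy's point above (the throwaway Gmail account that turns out to be the reset address for the bank) and TheMG's three tiers are the two inputs a self-audit of a password portfolio needs. As an added example, not something from this page or from the Microsoft paper, the script below takes a small constructed portfolio, propagates each account's tier up its recovery chain (an account is as important as anything it can reset), and then flags any recovery mailbox rated below what it protects, any password shared by accounts in different effective tiers, and any high-tier password that is not unique. The account names, passwords, the `recovery` field and the three rules are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Tier order used by the audit; matches the low/medium/high split above.
TIER_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample portfolio with made-up credentials. "recovery" names the
# account whose mailbox receives password resets for this account (or None).
SAMPLE = [
    {"name": "bank",             "tier": "high",   "password": "Tq9!vXr2#pL8wZ", "recovery": "gmail-old"},
    {"name": "gmail-old",        "tier": "low",    "password": "letmein1",       "recovery": None},
    {"name": "dslreports",       "tier": "medium", "password": "forumpass",      "recovery": "gmail-old"},
    {"name": "one-off-download", "tier": "low",    "password": "letmein1",       "recovery": None},
    {"name": "game",             "tier": "low",    "password": "forumpass",      "recovery": "gmail-old"},
]


def fingerprint(password):
    """Short hash so reuse can be reported without echoing the password."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def effective_tiers(accounts):
    """Propagate tiers up the recovery chain until nothing changes: a mailbox
    that can reset a high-tier account is itself high-tier."""
    eff = {a["name"]: TIER_RANK[a["tier"]] for a in accounts}
    changed = True
    while changed:
        changed = False
        for a in accounts:
            r = a["recovery"]
            if r is not None and eff[r] < eff[a["name"]]:
                eff[r] = eff[a["name"]]
                changed = True
    return eff


def audit(accounts):
    """Return a list of (rule, [details...]) findings for a portfolio."""
    names = {a["name"] for a in accounts}
    for a in accounts:
        if a["recovery"] is not None and a["recovery"] not in names:
            raise ValueError(f"unknown recovery account {a['recovery']!r}")
    eff = effective_tiers(accounts)
    rank_name = {v: k for k, v in TIER_RANK.items()}
    findings = []

    # Rule 1: a recovery mailbox declared below the tier of what it can reset.
    for a in accounts:
        if eff[a["name"]] > TIER_RANK[a["tier"]]:
            findings.append(("recovery account underrated",
                             [a["name"], f"{a['tier']}->{rank_name[eff[a['name']]]}"]))

    # Rules 2 and 3: password sharing, judged on effective rather than declared tiers.
    groups = defaultdict(list)
    for a in accounts:
        groups[fingerprint(a["password"])].append(a["name"])
    for members in groups.values():
        if len(members) < 2:
            continue
        tiers = {eff[n] for n in members}
        if TIER_RANK["high"] in tiers:
            findings.append(("high-tier password reused", sorted(members)))
        elif len(tiers) > 1:
            findings.append(("cross-tier reuse", sorted(members)))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE):
        print(f"{rule}: {', '.join(detail)}")
```

Run it against your own manager export in place of `SAMPLE`. The interesting output is usually the first rule: in the sample the shared "letmein1" looks harmless while gmail-old is rated low, and becomes a high-tier reuse the moment the bank's reset path is counted.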