
Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

Unknown Lamer posted about a month and a half ago | from the brain-full-try-again-later dept.

Security 280

An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum." Not only do they recommend reusing passwords, but reusing bad passwords for low-risk sites to minimize recall difficulty.


280 comments


This makes sense. (3, Insightful)

Anonymous Coward | about a month and a half ago | (#47466617)

My intuition says that most people do this. Though, I could be wrong.

Re:This makes sense. (5, Interesting)

Anonymous Coward | about a month and a half ago | (#47466905)

The point of password reuse is to use an algorithm that you can remember but that someone else can't guess.

This is not my password but it's an example of how I create one:
If I visit a site and its name is GoogleSucks.com, I will use my "easy" word + the first syllable of the site + a padding word that I use on all sites. Depending on how asinine the password requirements are, the beginning or end of the password will be padded with numbers and symbols, but always the same ones.
So Googlesucks.com might be turkeyGootrucking8
and another site like a bank site that I want higher entropy on will use a different algorithm, so BOA might end up a hard non-English word + the padding word, then the company's initials + needed password entropy, so BOA would end up with namastetruckingBOA8

So when I use sites that want to remember my shipping address or credit card (I never save my credit card number, I don't care how "safe" your site is) I use the harder credentials. I just want to post a comment on the many HuffPo type of sites, easy password all the time. So while each password for each site is unique, effectively the easy password is reused but padded with something unique to the site so that even if the password was stolen it's unusable for any other site.
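The derivation scheme described in this post, as an added Python example that is not the poster's code. The words are constructed stand-ins, and "first syllable of the site" is approximated by an assumed rule (the first three letters of the leading label, capitalised as in the post's "Goo"). Beside it is a keyed-hash derivation (HMAC-SHA256 over the domain, my own alternative rather than anything from the thread) and a check a defender would run over a credential dump: how much of one site's password appears verbatim in another's. With the concatenation scheme the two passwords share half their length, so a breach of one site exposes the reusable parts; with the keyed derivation they share almost nothing.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in words (hypothetical; not anyone's real password).
EASY_WORD = "turkey"       # the reusable "easy" word from the post
PADDING_WORD = "trucking"  # the padding word used on every site
SUFFIX = "8"               # fixed digits/symbols added for complexity rules


def site_token(domain: str, length: int = 3) -> str:
    """Approximate the post's "first syllable of the site".
    Assumption: the first `length` letters of the leading label, capitalised
    the way the post writes 'Goo' for GoogleSucks.com."""
    label = re.split(r"[.\s]+", domain.strip().lower())[0]
    letters = re.sub(r"[^a-z]", "", label)
    return letters[:length].capitalize()


def concat_scheme(domain: str) -> str:
    """The visible-concatenation scheme: easy word + site token + padding + suffix."""
    return f"{EASY_WORD}{site_token(domain)}{PADDING_WORD}{SUFFIX}"


def keyed_scheme(master_secret: str, domain: str, length: int = 16) -> str:
    """Alternative derivation (not from the post): HMAC-SHA256 keyed by the
    memorised secret over the normalised domain. Each site password depends on
    the secret, but no site password contains or reveals it."""
    tag = hmac.new(master_secret.encode(), domain.strip().lower().encode(),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode()[:length]


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters shared by two strings
    (dynamic programming over a rolling row)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def shared_fraction(pw1: str, pw2: str) -> float:
    """Portion of the longer password that is a verbatim run also present in
    the other one. A review of a credential dump would treat values around
    0.5 or above as effective reuse, even though the two strings differ."""
    return longest_common_substring(pw1, pw2) / max(len(pw1), len(pw2))


if __name__ == "__main__":
    sites = ["GoogleSucks.com", "HuffPost.com"]
    a, b = (concat_scheme(s) for s in sites)
    print(a, b, round(shared_fraction(a, b), 2))
    c, d = (keyed_scheme("correct-horse-stand-in", s) for s in sites)
    print(c, d, round(shared_fraction(c, d), 2))
```

The keyed variant has its own trade-off, which the thread's password-manager debate already raises: the output cannot be typed from memory, so it needs a tool at hand, and changing the secret changes every derived password at once.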

Re:This makes sense. (4, Interesting)

vtcodger (957785) | about a month and a half ago | (#47467081)

My intuition says that most people do this. Though, I could be wrong.

Well, some of us try to do it. We are, regrettably, impeded by whacked out sysadmins who insist we must use THEIR idea of a strong password -- which always seems to be different from anyone else's idea of a strong password, and/or that we need to change passwords periodically, and/or that we can't reuse passwords.

It sometimes seems that there is an inverse relationship between the actual need for security and the system administrator's perception of the need for security.

But other than the fact that users often have to contend with the idiosyncrasies of sociopaths who feel that anything that is easy to use is clearly flawed, this seems a pretty good idea. If it gets the attention it deserves, perhaps it might be one small first step toward straightening out the incredible mess that is computer security.

Dumb dumb dumb advice... (4, Insightful)

dskoll (99328) | about a month and a half ago | (#47466621)

That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

Re:Dumb dumb dumb advice... (3, Funny)

dskoll (99328) | about a month and a half ago | (#47466653)

Following up on myself: That research paper is awesome! Never before have I seen the use of partial differential equations to justify unequivocal bullshit. Amazing! They must've really worked hard on that.

Re:Dumb dumb dumb advice... (4, Funny)

retchdog (1319261) | about a month and a half ago | (#47466765)

Never before have I seen the use of partial differential equations to justify unequivocal bullshit.

Haven't read many research papers, have you? ;-)

Re:Dumb dumb dumb advice... (0)

Anonymous Coward | about a month and a half ago | (#47467159)

See, the problem the tech literate seem to overlook is that most people aren't even making an effort on this type of thing. The paper's argument isn't that two tiers of passwords (secure vs insecure) is BEST. Like the dentist begging you to PLEASE floss once a day (never mind proper gum brushing, flossing after every meal, mouth wash, fluoride, etc), it's saying that two tiers is better than: 123qwe, b00b13s, password, Aaaaaaaa at all points of authentication.

Sure, it would be nice if everyone chose unique, paragraph long high entropy passwords/phrases for every point of authentication. But: A, that's not practical; B, it's cumbersome; C, it's more ideal to use nominal passwords with 2-factor authentication; F, you're a gimp.

Don't forget that the info-sec has to walk the line formed by usability and security.

Re:Dumb dumb dumb advice... (2)

cdrudge (68377) | about a month and a half ago | (#47466691)

So what is this ideal password keeper? And how to do you access it whenever and wherever you're located?

Re:Dumb dumb dumb advice... (1)

dskoll (99328) | about a month and a half ago | (#47466735)

I use something called TkPasman, which runs on my Linux desktop. I don't use a mobile device much to surf the web, and never to log into any sites I care about because it's just too painful.

I could access it in a pinch by tunneling X over SSH back to my main computer, and I have done so in the past. Another thing I do is sync the password database to the handful of Linux desktops I use on a regular basis.

The password manager keepassx is available for Mac OS, Windows and Linux and you can sync the databases. I'm not aware of one that also works on Android or IOS, though. :(

Re:Dumb dumb dumb advice... (2)

Bacon Bits (926911) | about a month and a half ago | (#47466805)

And what if you have a house fire, break in, or accident?

Re:Dumb dumb dumb advice... (0)

Anonymous Coward | about a month and a half ago | (#47466913)

I don't think it is safe to assume that he is so stupid that he doesn't understand the concept of backups. He MAY be, but I don't think it is a safe enough assumption.

Re:Dumb dumb dumb advice... (2)

dskoll (99328) | about a month and a half ago | (#47467275)

I have two off-site backups: One to an encfs partition in my office and one to an encfs partition in a colocated server 200km away. Next question?

Simpler approach... (4, Insightful)

Fred Mitchell (3717323) | about a month and a half ago | (#47466995)

A simpler approach is to have a few high-entropy passwords and append a value at the end that is unique to each website using some self-created rule for it that is easy for you to remember. I would speak on how I do this but I won't for obvious reasons. :p

A great way to remember your passwords is to use them often. The more the better.

What kills me is that different sites have different password restrictions, which infuriates me. Some force you to use "special characters", others forbid it. Some force you to use a combination of letters and numbers, and many force you to use at least one uppercase letter and one lowercase letter. Some even restrict how long your password can be!!!!

This wreaks havoc with my high-entropy passwords, which now become useless or need to be altered, as in capitalizing a letter that I totally forget about later...

Re:Simpler approach... (1)

CronoCloud (590650) | about a month and a half ago | (#47467125)

What kills me is that different sites have different password restrictions, which infuriates me.

Yeah, that. Though I basically do what the article says and have "weak" passwords for things like Slashdot, and stronger ones for things involving money. I'd like to be able to use my strongest password everywhere, but many places don't support that many characters. Yes, it's longer than "correct horse battery staple".

Obligatory XKCD:

http://xkcd.com/936/

Re:Dumb dumb dumb advice... (1)

Anonymous Coward | about a month and a half ago | (#47467029)

So... how is this supposed to be useful when you don't have internet access, or only insecure web-access is available (which is what most airport/rail/mcdonalds have)?

The problem with these "password keeper" programs is the fact that you are storing them. That means they are both weak to being cracked/tampered with, and should your device be stolen, you are without all your passwords.

The safest password remains in your head. Two things you should never do:
a) click the "save my password on this site", because that saves the password on your computer in a state that can be retrieved.
b) save your credit card to any site that you do not have a recurring financial relationship with (eg your electricity bill is OK, your clothes/computer parts/steam is not)

The last point is especially annoying since you can't use paypal or Apple's iTunes without one. I don't want my card number saved and then have my device lost/stolen and used to buy stuff. Yes I lock my device, that is absolutely meaningless when that data can be retrieved through other means. It's somewhat ironic that the "cloud" passwords of Apple's products is actually more secure than "save my password on this device" because you can then lose the device and still get into your sites provided you buy another Apple product, or borrow one in a pinch. I would certainly not trust cloud storage with any high value financial accounts, but if I'm sick of re-entering passwords on sites just to leave a damn comment, that's fine.

Re:Dumb dumb dumb advice... (1)

Anonymous Coward | about a month and a half ago | (#47467179)

In other words, you have a very poor solution, that doesn't work as well for normal people as the procedure proposed in the article, but you're just another derpster that pretends they're smart by criticizing actual smart people. At least you titled the post with your dumb advice well.

Re:Dumb dumb dumb advice... (1)

Russ1642 (1087959) | about a month and a half ago | (#47466739)

I've used one for years. I primarily use it on my phone but it's backed up and synchronized across all my devices. I use a VERY long password but I can type it very quickly. I can quickly log into anything, even if it has been a year since I've logged in. I can also store important personal items such as insurance and health information.

Re:Dumb dumb dumb advice... (3, Informative)

CrimsonAvenger (580665) | about a month and a half ago | (#47466819)

I doubt it's ideal, but I use PasswordSafe and carry it on a USB stick.

And in the end, there are only about three computers I ever access it from.

Re:Dumb dumb dumb advice... (1)

Anonymous Coward | about a month and a half ago | (#47467007)

mSecure. Syncs between your phone, tablet, laptop, desktop. Encrypted key file, self destructs on 'x' number of open attempts. Very nice app. The problem is having to whip it out every time you need to look up a high-ent password.

Re:Dumb dumb dumb advice... (0)

Anonymous Coward | about a month and a half ago | (#47467101)

So what is this ideal password keeper?

https://clipperz.is/

Re:Dumb dumb dumb advice... (2)

Geeky (90998) | about a month and a half ago | (#47467115)

I use KeePass and synchronise the file so I have access to it on all my devices including my phone. There are clients for just about every platform.

Re:Dumb dumb dumb advice... (3, Insightful)

sideslash (1865434) | about a month and a half ago | (#47466821)

That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

I didn't RTA, but when you say it's stupid not to always use a strong password, aren't you making an unwarranted assumption? There are some sites where it truly doesn't matter. On such sites I will never send any sensitive data, and all I want is to get past the annoying login to get to something I care about. You know, like the bugmenot cases. If you take the time to create such accounts for yourself with an insecure(!) and memorable password, there's nothing wrong with that.

Re:Dumb dumb dumb advice... (1, Insightful)

reanjr (588767) | about a month and a half ago | (#47466857)

Yeah, because single point of failure is exactly how you want to perform security.

Re:Dumb dumb dumb advice... (0)

Anonymous Coward | about a month and a half ago | (#47466991)

Well, depending on context, being able to reduce the points of failure in a plan or project or mission to only one potential-in-question is quite impressive. But yes, house of cards, keystone in the arch, etc.

Re:Dumb dumb dumb advice... (2)

93 Escort Wagon (326346) | about a month and a half ago | (#47466997)

Intelligent people regularly back up their data - including their password key stores.

Re:Dumb dumb dumb advice... (4, Insightful)

jbmartin6 (1232050) | about a month and a half ago | (#47466959)

This isn't stupid at all, it is something missing from a lot of security advice: a hint of reality. The amount of effort any person will put towards security, or any other goal, is finite. Therefore it is useful to put at least some thought into how that limited effort can be used for the maximum benefit. For the most part, I don't care what my gawker password is or all the other silly little logons. I use the same simple password for all of them because there is zero risk to me if they are compromised, other than someone else can now post with the screen name I picked (and don't care about). To suggest that I should lug around a password safe and log into it every time I need to use one of these zero risk logons is to suggest that I squander my limited security effort. It is far better to conserve that effort for things that are actually important.

Re:Dumb dumb dumb advice... (1)

93 Escort Wagon (326346) | about a month and a half ago | (#47466967)

That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

Well, in the Microsoft Universe it was good advice. The rest of us are ten years past that point, though, and are using password managers.

I only have to remember one password - the rather long one I've used to protect my OS X login keychain. Well, and my login password... so I guess that's two.

Re:Dumb dumb dumb advice... (0)

Anonymous Coward | about a month and a half ago | (#47467067)

Dumb Dumb Dumb - don't use a password keeper - unless it's your brain.

Strong passwords aren't strong - they're weak.

Cutting down the number of characters that can be chosen for each position reduces the entropy pool related to the password.
This makes brute forcing the password much easier.

Given a password rule of 8 characters with 1 Numeric, 1 Symbol, 1 Upper Case, 1 Lower Case, and 5
10 * 32 * 13 * 13 * 26 * 23 * 22 * 21 - gives us 14,941,006,080 combinations of characters (assuming US 104 Key keyboard). That's only 14.941 billion possibilities.

With using the full set for each position
68 * 68 * 68 * 68 * 68 * 68 * 68 * 68 - gives us 457,163,239,653,376 (assuming same US 104 key keyboard).

That's 457.163 trillion possibilities - that's 30,597 times more characters - over a 30k increase in entropy - making it 30 thousand times harder to brute force.

Re:Dumb dumb dumb advice... (0)

Anonymous Coward | about a month and a half ago | (#47467173)

and 5 = and 5 characters that are not repeats of a character already used.

Sorry, my math was off as I didn't take the full keyboard character set into account for the remaining 4 characters

10 * 32 * 13 * 13 * 64 * 63 * 62 * 61 - gives us 824,667,217,920 combinations of characters...

Only 554 times more entropy for full character set, still 554 times harder to brute force than restricted (weaker) rule-sets.
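The arithmetic of this post and of the one it corrects, reproduced as an added Python example that is not the poster's code. It keeps the posters' own class sizes and positional products unchanged and, beside them, counts by inclusion-exclusion how many 8-character strings over an assumed 94-character printable US-keyboard alphabet (10 digits, 26 upper, 26 lower, 32 symbols; my assumption, not the thread's figure) contain at least one character from every required class. That count is the space a guesser who honours the composition rule actually has to cover, and it is cross-checked by plain enumeration on a tiny alphabet. A passphrase figure is included for comparison with the xkcd strip linked elsewhere in the thread.

```python
import math
from itertools import product

# Class sizes for printable US-keyboard ASCII (assumption used for the
# inclusion-exclusion figure): 10 digits, 26 upper, 26 lower, 32 symbols.
CLASS_SIZES = [10, 26, 26, 32]
LENGTH = 8


def positional_product(sizes):
    """Position-by-position product, the way the two posts above count:
    each position drawn from a fixed class, no repeats in the tail."""
    n = 1
    for s in sizes:
        n *= s
    return n


def unrestricted(alphabet_size, length):
    """Every position free over the whole alphabet."""
    return alphabet_size ** length


def at_least_one_of_each(class_sizes, length):
    """Strings of `length` over the union of the classes that contain at
    least one character from every class, by inclusion-exclusion: sum over
    subsets S of excluded classes of (-1)^|S| * (N - chars in S)^length."""
    total = sum(class_sizes)
    k = len(class_sizes)
    count = 0
    for mask in range(1 << k):
        excluded = sum(class_sizes[i] for i in range(k) if (mask >> i) & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        count += sign * (total - excluded) ** length
    return count


def brute_force_count(class_alphabets, length):
    """Enumeration cross-check of at_least_one_of_each for tiny alphabets;
    each entry of class_alphabets is the characters of one class."""
    alphabet = "".join(class_alphabets)
    hits = 0
    for tup in product(alphabet, repeat=length):
        if all(any(ch in cls for ch in tup) for cls in class_alphabets):
            hits += 1
    return hits


def bits(count):
    """Keyspace expressed as bits of entropy against uniform guessing."""
    return math.log2(count)


def passphrase_bits(words, list_size):
    """Bits for `words` words drawn uniformly from a list of `list_size`."""
    return bits(list_size ** words)


def summary():
    """The two posts' figures beside the inclusion-exclusion count."""
    post_first = positional_product([10, 32, 13, 13, 26, 23, 22, 21])
    post_corrected = positional_product([10, 32, 13, 13, 64, 63, 62, 61])
    full_68 = unrestricted(68, LENGTH)
    rule_94 = at_least_one_of_each(CLASS_SIZES, LENGTH)
    return {
        "post_first": post_first,
        "post_corrected": post_corrected,
        "full_68": full_68,
        "ratio_first": full_68 // post_first,
        "ratio_corrected": full_68 // post_corrected,
        "rule_94_each_class": rule_94,
        "rule_94_bits": round(bits(rule_94), 1),
        "free_94_bits": round(bits(unrestricted(94, LENGTH)), 1),
        "passphrase_4x2048_bits": passphrase_bits(4, 2048),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        shown = f"{value:,}" if isinstance(value, int) else value
        print(f"{key:>24}: {shown}")
```

The inclusion-exclusion count sits far above the positional products, because a composition rule only removes the strings that miss a class entirely; it still costs bits relative to the unrestricted alphabet, which is the direction of the posters' argument, just by a smaller margin than the fixed-position model suggests.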

Re:Dumb dumb dumb advice... (1)

bluefoxlucid (723572) | about a month and a half ago | (#47467235)

Why does anyone run 8 character minimum anymore? 20 character, all lower case, with the space or underscore.

Re:Dumb dumb dumb advice... (2, Insightful)

AudioEfex (637163) | about a month and a half ago | (#47467185)

You trust one of those absurd "password keepers" and think that making a risk assessment on low-danger websites where no harm could come even if someone did by remote chance try to break into your account is stupid?

If you are one of the password zealots, using one of those "hey stuff all your passwords into one convenient app!" programs is simply the dumbest thing you can do. It's akin to taking every object you own with any value, including all your cash, important papers, SS card, etc. out of your safe or safety deposit and just leaving them in a cardboard box, putting it in one storage shed outside your home, and "securing" it with an off-brand padlock on it you got 2 for 1 at the dollar store. If someone does break into it, by breaking just one lock, you've just given them everything you own of any value.

Now THAT is stupid.

Particularly the phone app based ones - most of which backup to "the cloud" - please, seriously. They are all written by unknown companies that I'm sorry, I'm not willing to trust the most essential data I have to, much less allow them to back up. But even if you disable that (then when you drop your phone and it busts you are fucked), or use a desktop version (lot of good that does on the go), they still make no sense whatsoever. Even if it's a "known" brand - still absolutely frigging retarded. It's amazing how many folks see the promise of encryption and think it's safe - unless you are decompiling the source code, you have no idea you can even trust that. But even if it is truly encrypted - have you never heard of the very time-tested wisdom against putting all your eggs in one basket?

It makes perfect sense to reuse the same password, or very close, for stupid sites where there really is little risk to begin with. Every fucking thing you do on the Internet requires a login these days - "Oh noes! Someone hacked into my Pollstar.com account, that doesn't even have my real name attached, and signed me up for concert date notifications for Taylor Swift to my dummy email account!"

You need your strongest password for your email (which is the key to many site password resets), and hopefully you are smart enough to have multiple throw-away email addresses for low-priority stuff (which you can conveniently forward, or, as I do, just have multiple accounts on your phone or tablet device). Next you need to have decently strong passwords for your financial sites, depending on what they are. But beyond that - even for things like your cable company - not much someone can do, even if they break into it, that can't be undone, aside from pay my bill for me (and if anyone wants to do that, shoot me a message, I'll send you the damn password). My payment info is saved, but it's ********** out, someone can't glean the number from logging in as you. Someone can play a trick and upgrade your service I guess? I'm sure the world's foremost hackers are right on that one.

Like everything, there is a middle ground. You just need to make a reasonable risk assessment by site. I basically have three tiers - one, strongest for email/financial, two, semi-reused for things like paying my cable bill or light subscription maintenance, etc., and three, reused for stupid sites that shouldn't require a login anyway, or where the data is completely inconsequential (the aforementioned Pollstar, etc).

But I sure as fuck am not going to put ALL of them into ANY app or single program - there are backdoors built into routers these days, you expect some start-up (or even established) "password keeper" doesn't have that possibility? I am concerned for your common sense.

Re:Dumb dumb dumb advice... (1)

bluefoxlucid (723572) | about a month and a half ago | (#47467213)

I use a password manager for the bad practice of high password complexity. Passwords like 'mj%9F!17' that should have never been created because they're crap, and impossible to remember.

For my important stuff--like my password safe password--I use passwords like "crazy_dutch_flying_candybar". It really doesn't make a difference if you use underscores, spaces, or concatenation; just use the same always so you never have to remember how you formatted it. Most systems accept underscores, and concatenation is confounding due to the mental impulse to add a space.

You can also make up numerics and memorize them with Dominic's System, but this greatly reduces entropy. For example, if you used 1477 and came up with "jesus_christ_chasing_girls" (because 14--AD, Anno Domino, The Year of our Lord, Jesus Christ--and 77--GG, Girls Girls, Yakko Warner, chasing girls all the damn time), anyone who has your Dominic's matrix can come up with a few thousand likely passwords. Even with some interpretation, there are 100 names and 100 activities describable in a handful of sensible ways, so maybe 100 x 500, give or take.

Re:Dumb dumb dumb advice... (4, Informative)

Charliemopps (1157495) | about a month and a half ago | (#47467223)

That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.

What's dumb is giving the same advice over and over, building your security policy around those people following that advice, all despite 30 years of evidence that proves they won't follow the advice.

Security is as much about psychology as procedure. I worked at AT&T a little over 10 years ago and one day they announced that the password requirements to one of their systems would be changed to now require a 29 letter phrase, including at least 3 spaces, capitals, lower case, numbers and special characters. The end result? A utopia of highly secure, un-crackable systems to be proud of? No... the whole company had their passwords written on post-it notes stuck to their monitor within a week.

Bah (4, Insightful)

Nimey (114278) | about a month and a half ago | (#47466625)

Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

That said, the linked paper is long and math-heavy, so I rate it likely the submitter (and the "editor") misunderstood something.

Re:Bah (2)

dskoll (99328) | about a month and a half ago | (#47466675)

The linked paper did mention password managers in passing, but dismissed them as being vulnerable to client-side malware which could compromise all your passwords. That assumption is true if you're running your password manager on a Windows system, I suppose, which is likely the only thing the "Redmond researchers" are even aware of. But if you keep your password manager on a separate device or run it under a secure sandbox in a secure OS, you're much better off than the paper implies.

Re:Bah (0)

Anonymous Coward | about a month and a half ago | (#47466757)

If you have a secure, separate device, why not authenticate using client-side SSL certificates instead?

Re:Bah (2, Insightful)

Anonymous Coward | about a month and a half ago | (#47466773)

If you're using a secure sandbox to run a secure OS to store your secure passwords, you're so far, far, far removed from the average user that you don't matter.

Re:Bah (0)

Anonymous Coward | about a month and a half ago | (#47466789)

But if you keep your password manager on a separate device or run it under a secure sandbox in a secure OS, you're much better off than the paper implies.

There is no secure OS. There are fairly secure systems, they have no direct interaction with any other system. You might do well having a synced pair of a no-wifi tablet and a cheap little un-networked PC that both have your password manager so you can type in "af#$Asdfasd0fas-122341å09nsd±fasd9823eÜnjfaa" whenever you want to log into Slashdot.

Re:Bah (0)

Anonymous Coward | about a month and a half ago | (#47466847)

I use a password manager for everything not important (like slashdot). I memorize anything important. You still only have to remember a few things but no one has to get a crappy password.

Re:Bah (4, Interesting)

TheCarp (96830) | about a month and a half ago | (#47466903)

I have to say, I REALLY like the password manager someone was working on that was based on, I think, a Raspberry Pi, where it would actually act as a USB HID to enter the password, and keeps your encrypted passwords on its physical hardware device.

Still susceptible to keyloggers and other malware but...1) they can only get the passwords as you use them and 2) they will NEVER see your master password since it never even gets entered into the machine, but only to the password keeper device.

Now THAT is how to do passwords right.

Re:Bah (0)

Anonymous Coward | about a month and a half ago | (#47467043)

Have a link to that?

Re:Bah (2)

tlhIngan (30335) | about a month and a half ago | (#47467089)

The linked paper did mention password managers in passing, but dismissed them as being vulnerable to client-side malware which could compromise all your passwords. That assumption is true if you're running your password manager on a Windows system, I suppose, which is likely the only thing the "Redmond researchers" are even aware of. But if you keep your password manager on a separate device or run it under a secure sandbox in a secure OS, you're much better off than the paper implies.

Yeah, if you keep your passwords on an isolated system, great. But most people don't do that - they use client side systems, cloud syncing, etc., so that the password manager will auto-fill in the password for them.

Isolating your passwords to a secure device is fine and all, but it also removes a lot of the convenience of it because now you have this gadget you have to carry around, access, copy the password manually, etc.

Whereas a client side password manager you just visit the website, go to the manager, click a couple of times and it's autofilled. And many have the ability to grab passwords from the web form and save it so it's a lot less risk.

And people love to put it on a Dropbox or other cloud service so they can use their password manager anywhere and have it up to date.

So no, it's just moving the vulnerability to that one point. And it doesn't matter if you run Windows, Linux, OS X, BSD, whatever. They're all vulnerable.

Hell, iOS and Android are seeing copycat clones of popular password managers like 1Password and the like (never mind the SEO creeps who make finding the official site harder by forcing their way up the Google ranks and sponsored ads, hoping that you'd mistakenly click on the fake trojaned version they offer instead of the original).

Re:Bah (1)

bluefoxlucid (723572) | about a month and a half ago | (#47467261)

Client-side malware is easy. Just write dancing pigs for Linux, and package it for Listaller.

Re:Bah (0)

Anonymous Coward | about a month and a half ago | (#47466811)

Perhaps you're forgetting this from 2011:

LastPass Password Service Hacked

Re:Bah (1)

Nimey (114278) | about a month and a half ago | (#47466829)

Pfft. You seem to think Slashdot stories have any credibility, or that a vulnerability from three years ago still matters.

You're adorable.

Re:Bah (0)

Nimey (114278) | about a month and a half ago | (#47466859)

Further, your non-story is about anomalous traffic they couldn't explain, so out of an abundance of caution they forced everyone to change their master passwords. Hardly a smoking gun.

You are probably an idiot.

Re:Bah (0)

Anonymous Coward | about a month and a half ago | (#47467033)

Now all I need to do is crack one password, then I have them all.

Re:Bah (3, Insightful)

Sqr(twg) (2126054) | about a month and a half ago | (#47467053)

Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.

...if, and only if, the password manager is completely secure in itself.

If the terminal used to access the password manager is compromised, then the attacker gets the master password and thus access to all keys - not just the one that was requested.

In other words, you might have used an insecure computer to log on to slashdot, and the attacker now has your bank login credentials.

Re:Bah (1)

nine-times (778537) | about a month and a half ago | (#47467097)

Meh, then you still need to have access to that password manager on any computer you want to visit that site with.

Or Just Use a Password Manager (0)

CritterNYC (190163) | about a month and a half ago | (#47466639)

Or just use a password manager and you can have unique high entropy passwords for every single site and service without taxing your brain.

Re:Or Just Use a Password Manager (0)

Anonymous Coward | about a month and a half ago | (#47466747)

Or just use a password manager and you can have unique high entropy passwords for every single site and service without taxing your brain.

And how does this password manager help you when you're on a computer that you don't manage? Don't say "just never log into anything if you're not at home."

Re:Or Just Use a Password Manager (2)

Russ1642 (1087959) | about a month and a half ago | (#47466775)

You pull out your phone, look up the password, and type it in! It's REALLY hard.

Re:Or Just Use a Password Manager (1)

s0nicfreak (615390) | about a month and a half ago | (#47467177)

The main reason I ever need to use a computer when away from home is that my phone is dead or lost...

Re:Or Just Use a Password Manager (2)

retchdog (1319261) | about a month and a half ago | (#47466867)

You can use one on your smartphone. For Android, you can even get an open source one and build it yourself if you want. (I forget the name of the one I used.)

Or just print out the ones you might need and put them in your wallet. (waits for shocked disbelief to pass) Seriously, why not? You're not being hunted by the NSA here; if your wallet gets stolen, it'll be by some street thug, not a master haxx0r. They're going to take your money and maybe your credit cards, then throw out the rest of the crap. If you're really worried, print out the first (N-3) characters of your passwords, and then just memorize the three characters. This way, you get high entropy against skilled attackers (good), and low entropy against street trash (good enough) who won't bother more than a few attempts at most.

It's all about having good enough security for the circumstance at hand, and compromising against convenience for you.

Re:Or Just Use a Password Manager (1)

93 Escort Wagon (326346) | about a month and a half ago | (#47467039)

And on iOS 7, if you're using iCloud Keychain you can look them up in Settings -> Safari -> Saved Passwords (assuming you know your own device's password).

Re:Or Just Use a Password Manager (1)

geekoid (135745) | about a month and a half ago | (#47467163)

You don't even need a smart phone. Is there a cell phone on the planet that doesn't have some sort of 'notepad' feature?

Re:Or Just Use a Password Manager (1)

Lehk228 (705449) | about a month and a half ago | (#47467055)

if that is how we are going to do things, why not use actual certificates instead of a password/certificate halfbreed?

KeePassSafe on desktop and mobile (0)

Anonymous Coward | about a month and a half ago | (#47466641)

Nothing more needs to be said.

No duh (3, Insightful)

gurps_npc (621217) | about a month and a half ago | (#47466643)

When some site, like say slashdot, uses passwords not for real security, but instead to identify its users, then only an idiot wastes their memory creating a 'good password' for it.

Better to use the same crappy password for web sites that do involve real financial risk.

Of course, if you use that same password for a bank account, or anything that knows a credit card number, SS#, or similar information, you need to have your head examined.

Everyone smart has already been doing this (0)

Anonymous Coward | about a month and a half ago | (#47466649)

I have a password, six letters, all lowercase, available in the dictionary, that I use for websites that I care just enough to register my distinct presence on. It matters little to me if this password gets compromised as I use far more secure passwords for the accounts that actually matter, but the password is just secure enough so that I can get where I want to go without having to crack open a password manager.

Say what? (2)

djupedal (584558) | about a month and a half ago | (#47466659)

In other news, researchers in Europe have discovered there is more risk to your data when taking password advice from MS than ever before.

Re:Say what? (1)

pr0fessor (1940368) | about a month and a half ago | (#47466837)

Really? The way I read it is there is a group of free websites that don't require any personal information so don't volunteer any, keep an extra spam catching email account to sign up with, and don't sweat the small stuff.

Passwords are bad (1)

cyclomedia (882859) | about a month and a half ago | (#47466703)

Just bad, every site has different rules, at least one I use restricts the length to something daft like 10 chars. They should at minimum print the requirements (must have uppercase, digits etc) next to the password box, because as soon as I get into the reset-password screen for the umpteenth time and read those requirements I remember which password I used on that site.

Doesn't change the fact that requiring users to somehow remember or securely store a bunch of random gibberish to do anything on any website is just a bad system. Don't blame the users for using post-it notes or things like password123 when the SYSTEM is dumb.

Re:Passwords are bad (0)

Anonymous Coward | about a month and a half ago | (#47466803)

Doesn't change the fact that requiring users to somehow remember or securely store a bunch of random gibberish to do anything on any website is just a bad system. Don't blame the users for using post-it notes or things like password123 when the SYSTEM is dumb.

What do you want to replace it with?

Re:Passwords are bad (1)

ChadL (880878) | about a month and a half ago | (#47467015)

Not the OP, but I'd like to see passwords replaced with SSL client certificates. The GUI for them in most modern browsers is horrific and the error messages shown when something goes wrong even worse; but both issues could be fixed.
If additional verification of identity is required then a password would be much safer behind a certificate (as an attacker trying passwords would need the users certificate and could easily be rate limited by account).

Good since OpenID failed to take over (4, Interesting)

medv4380 (1604309) | about a month and a half ago | (#47466737)

The advocacy for Password Managers and Password Keepers is just utter BS. If some nothing website insists that I have to make an account just to post one little comment, and I might come back 5 years later to post again, then they're getting generic username plus generic password. I'm not wasting my time making some uber powerful password, and utilizing something just to remember it. Even then the OpenID solution would have been great, but every once in a while I'm presented with the option of logging in with my Google ID and giving some organization full access to my contact list, or full access to my google drive. Screw them, and I'll just create a generic account just for their site through their old interface just so they can't read my contacts or documents. If they're so worried that people are using BS passwords on their site that spammers keep hacking to post, then maybe they should accept better business practices.

Re:Good since OpenID failed to take over (1)

Average (648) | about a month and a half ago | (#47466855)

The thing is, I'm already having to use a password manager to keep track of my valuable passwords. With what, easily a dozen banking-ish relationships (cards, mortgage, retirement, etc) alone. That battle on complexity was lost long ago (ymmv).

Thus, if I've already resorted to a password manager for my valuable life, adding an entry to that vault for even the most trivial sites (and creating a random password) is easier than remembering a throwaway name/pass for even 30 seconds.

It's not that "you need a password manager to post to your local newspaper blog". You don't. It's that, if you're already using a password manager (and I can't imagine living without one now), using it for trivia is trivial.

Re:Good since OpenID failed to take over (1)

medv4380 (1604309) | about a month and a half ago | (#47467021)

I don't actually have to remember hundreds of different throwaway usernames and passwords. It's one username/password combo for hundreds of websites. Makes it easy when 5 years later you forget you made an account for the site and it says sorry, that username already exists. Which, since it's a stupid nonsense username that only I would use, I just go login with the password that it should be. Any spammer that hacks that one account has access to hundreds of sites to post as me, and you know what? I don't care. There is very little harm to me in someone hacking that account and posting spam, or trollish nonsense as me. A bit irritating, but a waste of my time to even fight it, and I'm pretty sure it's a waste of their time too.

Re:Good since OpenID failed to take over (1)

Ardyvee (2447206) | about a month and a half ago | (#47467117)

What about the remember your password function on your browser? Do you, would you use that?

Note: I consider this to be on a different category than password managers since (by my experience) anybody capable of logging-in on the machine has access to the account.

Re:Good since OpenID failed to take over (1)

93 Escort Wagon (326346) | about a month and a half ago | (#47467079)

I'm not wasting my time making some uber powerful password, and utilizing something just to remember it.

There are tools that make this trivially easy, you know.

Re:Good since OpenID failed to take over (1)

bmo (77928) | about a month and a half ago | (#47467143)

Lastpass fills in both the "new password" and "confirm new password" automagically after you've generated a secure password. This makes passwords for trivial sites even more trivial to use.

I cannot even imagine what I would have had to do when I had to re-set all my passwords one night and /didn't/ have a password manager to type all that shit in for me, including the "new password" and "confirm new password" fields. It would have taken half a day, but instead it only took one hour. And all that stuff is backed up offsite in a csv file in multiple locations.

Life is easier with a password manager. It literally is.

--
BMO

Re:Good since OpenID failed to take over (1)

wvmarle (1070040) | about a month and a half ago | (#47467211)

I have three bank accounts, two PayPal accounts and a credit card account. That's six highly sensitive logins.

Then I have my local computer (remote ssh login) and a remote cloud server (remote ssh login). Also requiring decent passwords. That's eight already. Plus one generic password for slashdot and all the other forums.

So that's nine passwords to remember. Well, I may be able to manage that.

Now the second part: remember which password belongs to which service, without making your passwords something like (still have to remember the first part separately), which in turn would compromise your password's security.

For added difficulty: I don't use all the above accounts actively. It is quite OK to remember a rather complex password you use on a daily basis, it gets harder if you check your bank maybe once a week, let alone that dormant account that is accessed maybe once or twice a year.

That just doesn't work. As a result, the banks that don't allow me to use my password manager have a relatively weak password, something that at least I can remember easily and link to the correct account, for actual security relying on the second factor in the authentication chain there. The alternative would be the good old post-it note, or having them written down (or stored in a plain text file) somewhere.

People are not computers. Memories falter and fail, and are inaccurate. We'll have to live with that.

So complex (4, Funny)

Impy the Impiuos Imp (442658) | about a month and a half ago | (#47466767)

So re-use low complexity passwords for unimportant sites and use high-complexity unique passwords for important sites.

Got it. Low for my bank account, high for World of Warcraft.

Re:So complex (2)

fibonacci8 (260615) | about a month and a half ago | (#47466885)

You could even refer to something low-complexity as a "PIN", and something of high complexity as a "password". I imagine you're already doing that for your bank and game respectively.

Nice to know (1)

Marginal Coward (3557951) | about a month and a half ago | (#47466769)

That's nice. Now, I no longer need to remember "12345" for Slashdot - I can go back to just using "pass".

I got a fool proof method (1, Funny)

140Mandak262Jamuna (970587) | about a month and a half ago | (#47466777)

I apply ROT-13 encryption on my passwords TWICE, and write down the resulting string on a post-it note and paste it to the *underside* of the keyboard. Ha, ha, I am really safe. I can use this technique on all the sites, high value... low value... no value... INBD.

Absolutely (3, Insightful)

swillden (191260) | about a month and a half ago | (#47466783)

I've always done this. I have one short, low-entropy password which I use on ALL low-risk web sites. For example, it's the one I use on slashdot. I don't really care if anyone gets in and starts posting stuff as me. In fact it might be a good thing, since it would give me some plausible deniability for the stupid things I sometimes say :-)

For important sites (e.g. financial), I use long, randomly-generated passwords and manage them in a password manager, which itself is protected with a very strong password. But for everything else, that's too much effort and serves no purpose. And for my "crown jewels" account -- my e-mail account, which if hacked would provide the intruder with the ability to reset most all of my other passwords -- I use a strong password and have two-factor authentication enabled.

High entropy rules on low importance sites (4, Interesting)

erice (13380) | about a month and a half ago | (#47466825)

This is why it is infuriating when low importance sites require high complexity passwords. They create unnecessary exposure for the limited pool of high complexity passwords I can remember. Meanwhile, the bank will take anything.

Re:High entropy rules on low importance sites (0)

Anonymous Coward | about a month and a half ago | (#47466955)

Agreed, but it is worse when high importance sites require low entropy passwords. I think fidelity.com requires 12 characters, only alpha-numeric. F**k you!

Re:High entropy rules on low importance sites (0)

Anonymous Coward | about a month and a half ago | (#47466957)

Worse still: my bank does not allow punctuation (and maybe even numbers) in my passwords.

Re:High entropy rules on low importance sites (1)

scamper_22 (1073470) | about a month and a half ago | (#47467019)

Yeah, this one is the worst. These low-complexity sites started to have more rules. Things like minimum 8 chars, mix of case, at least one number and one letter...

Now, for all these low priority sites, I have to remember permutations of my password.

Re:High entropy rules on low importance sites (0)

Anonymous Coward | about a month and a half ago | (#47467193)

Password PassWord password passw0rd pa55word pa55w0rd password pas5word

Re:High entropy rules on low importance sites (1)

wvmarle (1070040) | about a month and a half ago | (#47467221)

At least one of my banks complained of a too long password when I used an 8-character password. I had to shorten it to no more than 6 characters.

Some forums don't even accept passwords that short.

NSA approves of this! (4, Funny)

MindPrison (864299) | about a month and a half ago | (#47466875)

Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

This article has been approved by the NSA!

Re:NSA approves of this! (0)

Anonymous Coward | about a month and a half ago | (#47467167)

Or they work for the NSA.

HAHA WUT? (2, Interesting)

bmo (77928) | about a month and a half ago | (#47466877)

Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service.

This has to be a fucking joke. It has to be. bmo looks at calendar. Huh, it's not April 1.

And what, exactly, is a "low security service?" The only "low security service" I can possibly think of is stuff like Mailinator where you don't even use a password.

Remember when the entire Youporn chat login credentials file was leaked? You know, the one with real names, aliases, emails, and passwords in cleartext? Remember? Nearly every single password was usable on Facebook and the same password was reused in email.

People had fun with that. I was in /g/ when it happened. I laughed at the results.

Yahoo lost control of my fucking credentials twice showing logins from Romania and Sweden. I no longer use Yahoo Mail as a result, except as a throw-away, and the last time pushed me over the edge into using a password manager that holds -unique to every site- passwords that I can't even remember myself at 25 characters of complete ASCII gibberish. And you know what? It's easier on top of being more secure.

Lose control over your login credentials at one place, and the rest is vulnerable if you recycle them elsewhere. Password re-use over multiple sites is fucking bad. Anecdotes aren't data but I don't care about your calculations because my reality trumps your poorly researched paper.

--
BMO

Re:HAHA WUT? (1)

Lazere (2809091) | about a month and a half ago | (#47467217)

My slashdot password does not need to be high entropy. I can probably use the same password for a soylentnews account. While it's true that if one gets compromised, they both do, guess what? I don't care. Nope. Not one bit. Facebook's different, email's different, my bank is different. What do I care if my pointless accounts get compromised? If you're using these types of accounts on computers you don't control, it makes sense to have easy to remember passwords and keep the high-entropy passwords for the actually important stuff.

Slashdot is a low security service. Yelp also (1)

raymorris (2726007) | about a month and a half ago | (#47467269)

> And what, exactly, is a "low security service?"

Slashdot gets my low-security password. If someone gets my Slashdot password and posts as me, I don't much care. I REUSE the same low-security password on Yelp, so if you hack Slashdot, you can post a restaurant review with my name. Whoop-tee-doo.

seems like effort (0)

Anonymous Coward | about a month and a half ago | (#47466901)

Just forget the username and passwords to most sites and have it reset so often it becomes par for the course.

I forgot the slashdot password and can't be bothered to log in.. Forgetting loads of shit is the brain's old-age way of dealing with crap.
- ciderbrew.

Non-Uniform Password Requirements (1)

Joe Gillian (3683399) | about a month and a half ago | (#47466921)

One major issue I can see with this is the sheer number of websites that have arbitrary password restrictions: capitals, special characters, numbers, etc. The worst ones are those that require multiples of each, so that there is no way you can make something easy to remember - and then expect you to come up with another password in two weeks.

Until website operators realize that putting arbitrary restrictions on passwords doesn't help them to be any more memorable (and likely not any more secure), I can't see this method working.

Necessity (1)

fibonacci8 (260615) | about a month and a half ago | (#47466935)

Using weak passwords for cases when a password at all is unnecessary should be the norm as a defense against phishing, even by a company you presently trust. Mandatory complexity increases are probably being used already to undermine password variety. When a password has to be one thing different each time (another capital letter, another numeral, another punctuation mark) a service of dubious character could very quickly spot patterns that could be used improperly.

That's exactly what I do. (1)

91degrees (207121) | about a month and a half ago | (#47466961)

For most websites, I really don't care. Here I use a dictionary word. If someone logs into my /. account the limit to the damage they can do is to pretend to be me. Hell, with this one they don't even get a valid email address.

My bank accounts and email address each have their own password based on out of date information that inexplicably stays in my memory.

I actually use a different password for facebook, not because I'm particularly concerned about someone hacking into that. More because I don't trust facebook with the password I use for everything else.

Re:That's exactly what I do. (1)

geekoid (135745) | about a month and a half ago | (#47467129)

I've had some get into my account twice here on /.
So now I have a hard password. One time I found out when /. blocked me.

Similar to what I do (1)

GameboyRMH (1153867) | about a month and a half ago | (#47467009)

My weak passwords aren't actually weak but they're relatively simple, I use them for forums etc, my email has a STRONG password because it's the keys to the kingdom of all my accounts, and if I used online banking that would have a strong password as well.

Something that helps to make a simple password unique and stronger yet memorable is to come up with a way to mix in something from each site. For example you could postfix them with the dominant color on the site, for Slashdot that would be green.

Social hacking? (1)

EmperorOfCanada (1332175) | about a month and a half ago | (#47467069)

The problem is that once you allow a hacker to penetrate a low value service it could give a hacker the threads needed to start unravelling through social hacking.

If I were some kind of hacker (don't have the time) it would be through the least secure systems and social hacking that I would start. I personally would think that attacking a core server that is most likely locked down solidly and is sat on by an army of paranoid administrators. I would much prefer if someone simply gave me the keys to the system.

Basically the two main hacks that I read about are either the above, or poorly maintained/secured systems with things like default passwords etc.

For instance I have seen security checks where the admins will send a crude Phishing message to users that even include a warning about phishing attacks and the users proceed to send the data that the admins were phishing for.

So the above Microsoft advice might look good on a spreadsheet but in reality it is plaintext stupid.

I would like to point out (1)

geekoid (135745) | about a month and a half ago | (#47467113)

that it's trivially easy to create an easy to remember hard password.

Example:
First girlfriend was Sally Mendoza
You lived on 123 Main st

naiM321azodneM_yllaS_A

the A is for rotation.

There are many patterns you could use.
Use the first line of a poem and the birth year of your mom.
In_Xanadu_did_Kubla_Khan_44
or do it backwards.
even
P4ssw0rds_wh0s3_g0t_t1me_f0r_that

Think outside the ivory tower (1)

Falos (2905315) | about a month and a half ago | (#47467133)

A throwaway password tier is something that legitimately increases the casual's security against the obvious (http://xkcd.com/792/) and might actually catch on. Something like "grandma1!" is perfectly fine if she leaves it down at the facetweets and socnets while using something different (hopefully stronger) for her bank account.

But hey, if you think soccer moms and surfers are just as likely to indulge a "Sandbox-contained PW manager in a secure virtual OS" tutorial as the five seconds it takes to tell them "Hey, use a special password for those super important sites, 'kay?" then knock yourself out.

Good luck fitting it on a billboard, though.

bank accts strong, all else who cares? (0)

Anonymous Coward | about a month and a half ago | (#47467195)

Social whatever: I get in, I don't get in; I don't give a shit. My bank accounts? whole different story.

Too secure == insecure (1)

spaceyhackerlady (462530) | about a month and a half ago | (#47467231)

The problem with crazily-complex passwords is that if you can't remember them you write them down, and, at a stroke, have compromised security. One of the worst I've encountered is the U.S. Customs eAPIS [dhs.gov] web site, for sending advance information when you want to fly a private plane or sail a private boat to the U.S.

The other issue is that you risk locking out legitimate access.

My bank does the password plus security question thing. My security questions (you can make up your own) are more than a little interesting. :-)

...laura

Or just combine things (0)

Anonymous Coward | about a month and a half ago | (#47467263)

You don't want the same password across multiple sites in case one of them turns into a not-so-low-risk site later.

But you can "mix and match."

Your "throwaway" password can be your 1st nephew's name and the "variable part" could be the first 3 letters of the web site's name.

So if you have "throwaway" MySpace, Google, and Yahoo accounts and your 1st nephew's name is George, the passwords could be MySGeorge, GooGeorge, and YahGeorge respectively.

Apologies in advance to George's uncle - he'll have to pick a different throwaway password now.
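As an added example (not from the thread or from any commenter), here is what the "mix and match" idea above looks like when the site-specific part comes from a keyed hash rather than a visible prefix: with the naive scheme, any one of the derived passwords shows the shared word, while an HMAC-derived one reveals nothing about the master phrase or the other sites. The function names `naive_site_password`, `derive_site_password` and `meets_policy`, the 62-symbol alphabet, the counter-bump trick and the master phrase used below are this example's own assumptions. The policy check also covers the site-rule complaints earlier in the thread (minimum length, mixed case, at least one digit), so the derived password is reproducible and still passes those forms.

```python
import hashlib
import hmac
import string

# Added example: per-site passwords derived with HMAC-SHA256 from one
# memorised master phrase, contrasted with the "site prefix + shared word"
# scheme from the comment. All names here are this example's own.

ALPHABET = string.ascii_letters + string.digits   # 62 symbols most sites accept


def naive_site_password(base: str, site: str) -> str:
    """The scheme from the comment: first three letters of the site + base word."""
    return site[:3] + base


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """A typical site rule set: minimum length, upper, lower and a digit."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def _mac_chars(master: str, site: str, counter: int, length: int) -> str:
    """Map HMAC-SHA256(master, site || counter) onto ALPHABET as base-62 digits.

    Treating the 256-bit tag as one integer and peeling off base-62 digits
    avoids the modulo bias of mapping each byte to a symbol on its own.
    """
    msg = site.lower().encode("utf-8") + b"\x00" + str(counter).encode("ascii")
    tag = hmac.new(master.encode("utf-8"), msg, hashlib.sha256).digest()
    n = int.from_bytes(tag, "big")
    out = []
    while len(out) < length and n:
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Deterministic per-site password that also satisfies meets_policy().

    The site label is lower-cased so 'MySpace' and 'myspace' agree. If a
    derived string happens to miss a character class (or the tag runs out
    of base-62 digits), the counter is bumped and the derivation repeated,
    which keeps the result reproducible for the same master and site.
    """
    if not 8 <= length <= 40:
        raise ValueError("length must be between 8 and 40")
    for counter in range(256):
        pw = _mac_chars(master, site, counter, length)
        if len(pw) == length and meets_policy(pw, length):
            return pw
    raise RuntimeError("could not derive a policy-compliant password")


if __name__ == "__main__":
    # Constructed inputs: the comment's own "George" example beside the keyed version.
    for site in ("MySpace", "Google", "Yahoo"):
        print(site, naive_site_password("George", site),
              derive_site_password("constructed master phrase", site))
```

Usage: keep the master phrase in your head, type the site name, and the same password comes out every time on any machine with Python, which addresses the "computer you don't manage" objection raised earlier in the thread without carrying a printed list. The trade-off, unlike a password manager, is that rotating one site's password means changing the site label (or the counter) rather than just that one entry.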
