Password reuse

2010-09-14


The latest XKCD comic identifies one of the major security failings of the internet today: the tendency of users to use the same password on more than one important site. It’s fine to use the same password for a bunch of news sites that do not store important personal information. What’s foolish is using the same password for a potentially vulnerable site and for something important, like a bank’s website or the password on an encrypted hard drive partition. Doing so risks allowing someone to compromise your information, one step at a time.

Another related risk is password recovery systems. Countless websites allow users to either have their password emailed to them or reset their password via email. That means that anybody who gains access to an email account linked to such features can then gain access to any sites that rely on that sort of password replacement system.

The wisest thing seems to be using strong unique passwords for email and other important sites, then having a couple of lower tier passwords to use for general sites that do not pose security risks. Random.org has a password generator, though the trick of building up a password from a memorable piece of music or poetry is probably less troublesome and still quite secure. An alternative approach is to have unique passwords for everything and rely on a password management program (or a piece of paper kept guarded in your wallet) to keep track of them.

Online security would also be better if all sites allowed the use of passphrases, rather than just passwords (sometimes with an absurdly short maximum length). Two-factor authentication can also help.
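The step-by-step compromise described above (a reused password first, then email-based password resets) can be checked against your own list of accounts. The following is an added example, not part of the original post; the account names, passwords and field names are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory (hypothetical accounts and passwords).
# "recovery" names the email account that can reset this account's password.
ACCOUNTS = {
    "news-site":   {"password": "tulip42", "recovery": "webmail", "important": False},
    "forum":       {"password": "tulip42", "recovery": "webmail", "important": False},
    "webmail":     {"password": "tulip42", "recovery": None, "important": True},
    "bank":        {"password": "c0rrect-h0rse-battery", "recovery": "webmail", "important": True},
    "disk-volume": {"password": "a long passphrase used nowhere else", "recovery": None, "important": True},
}

def exposed(accounts, breached):
    """Return {site: reason} for every account that falls if `breached` leaks its password.

    Worst case is assumed: the breached site reveals the password itself.
    An account taken over by a reset is accessible, but its old password is
    not learned, so only reset links (not reuse links) continue from it.
    """
    reached = {breached: "breached directly"}
    knows_password = {breached}
    queue = deque([breached])
    while queue:
        current = queue.popleft()
        for site, info in accounts.items():
            if site in reached:
                continue
            if current in knows_password and info["password"] == accounts[current]["password"]:
                reached[site] = f"same password as {current}"
                knows_password.add(site)
            elif info["recovery"] == current:
                reached[site] = f"password reset via {current}"
            else:
                continue
            queue.append(site)
    return reached

def important_at_risk(accounts):
    """For each low-tier site, list the important accounts its breach would expose."""
    report = {}
    for site, info in accounts.items():
        if not info["important"]:
            hit = exposed(accounts, site)
            report[site] = sorted(s for s in hit if accounts[s]["important"])
    return report

if __name__ == "__main__":
    for site, victims in important_at_risk(ACCOUNTS).items():
        print(f"breach of {site} exposes: {victims or 'nothing important'}")
```

In the sample data the bank password is unique, yet the bank account still falls, because the email account that can reset it shares a password with a news site. Giving the email account its own password breaks the chain.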


Padraic September 14, 2010 at 8:14 am

I think this problem will decline as we are able to use credentials from secure services to log in to more trivial services; if I can use Facebook to log in to NYTimes (giving them the demographic data they need for advertisers), then I don’t need to create a password and run the risk of duplicating my bank password.

Milan September 14, 2010 at 8:34 am

Of course, that opens up new kinds of vulnerabilities as people target the infrastructure that enables such universal logins.

Sarah September 15, 2010 at 12:17 am

I presume you realise that a piece of paper in your wallet is a disastrously bad idea unless you are confident that nobody untrustworthy will ever have access to your wallet?

Milan September 15, 2010 at 12:45 am

The wallet approach may not suit everyone, but it has a number of advantages. Basically, we all know how to defend wallets. There are no clever mathematical attacks that can be launched against them, and we protect them anyhow because they contain other valuable things.

I wouldn’t recommend this approach for those who live with people who they do not trust, but if your wallet is safe in your pocket and safe at home, it seems a decent place to keep passwords.

Matt September 15, 2010 at 2:39 am

But your wallet is lose-able. And if you do lose it, you have a bunch of passwords, a bank card, a credit card and an ID. Seems like a recipe for disaster.

. September 15, 2010 at 8:32 am

June 17, 2005
Write Down Your Password

Microsoft’s Jesper Johansson urged people to write down their passwords.

This is good advice, and I’ve been saying it for years.

Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

Milan September 15, 2010 at 9:16 am

“And if you do lose it, you have a bunch of passwords, a bank card, a credit card and an ID. Seems like a recipe for disaster.”

That is a risk, definitely. A couple of protective measures could be to not write down your entire password – keeping a secret stub memorized – and being ready to switch your passwords quickly if you lose your wallet.

Sarah September 15, 2010 at 2:18 pm

“if your wallet is safe in your pocket and safe at home”

But your wallet isn’t safe in your pocket or in your home – wallets are frequently stolen from both those locations. My guess is that in most cases you’re far more at risk of having a wallet stolen than of having someone hack your passwords online. Of course, often thefts of minor items are motivated by money for drugs, so they probably wouldn’t pay much attention to pieces of paper, but that’s a pretty big gamble. Moreover, the more people write down their passwords, the more thieves will gain from stealing wallets, so it’s only safe if very few people do it – otherwise you’re encouraging much higher rates of mugging and robberies conducted while the householder sleeps.

On top of that, many services explicitly instruct you NOT to write down your password and will require you to pay any losses associated with your failure of security. If you wrote your online banking password down, had it stolen and your account cleaned out then your bank will blame you, whereas if someone manages to get access to the account by somehow guessing your password then the bank is likely to pick up the costs (and then strengthen their own security, e.g. through longer passwords).

. September 15, 2010 at 2:20 pm

“How many have (a) password policy that says under penalty of death you shall not write down your password?” asked Johansson, to which the majority of attendees raised their hands in agreement. “I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them.”

According to Johansson, use of the same password reduces overall security.

“Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it,” Johansson said. “If I write them down and then protect the piece of paper–or whatever it is I wrote them down on–there is nothing wrong with that. That allows us to remember more passwords and better passwords.”

R.K. September 15, 2010 at 5:49 pm

The people who raise the issue of losing wallets are right, but it would also require a superhuman memory to maintain good password security without aids, these days. If you want to have strong passwords for every important site and change them regularly, you just need to record them somewhere.

The trickiest is sites that are important but rarely accessed. There, it is especially easy to forget a secure password, through lack of use.

Matt September 15, 2010 at 6:18 pm

“The people who raise the issue of losing wallets are right, but it would also require a superhuman memory to maintain good password security without aids, these days.”

I disagree. I have 3 “Secure passwords” I use: 1 for gmail, one for my bank, and one for my credit card. I have committed them to memory, (they have memorable things about them), but they are based on my obscure thought processes, and thus extremely unlikely to be guessed even by people who know me well. They change, but usually within the realm on which they were originally based.

My other passwords are less secure and quite possibly guessed, but they don’t matter as much.

Milan September 21, 2010 at 10:38 am

That sounds like a good system, as well.

One thing I would recommend is at least keeping a written record of passwords in some very secure place – a bank’s safe deposit box, if you like.

I have some encrypted archives from high school and my undergrad years to which I have forgotten the passwords. I wish I had stored them somewhere secure.

. September 21, 2010 at 12:40 pm

Google Apps Gets Two-Factor Security

“Passwords alone are not enough to secure access. Many organisations require two-factor authentication with a token. Google just added free two-factor verification to Google Apps, sending a one-off token to the user’s mobile phone. It’s good to have this for free, and it backs up Google’s assertion that cloud apps are more secure — but it doesn’t answer how it helps if an intruder is getting into Apps through a lost or stolen phone.”

. November 12, 2010 at 11:58 am

So in general: you don’t need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you’ve shared a computer with, change them all.

Two final points. One, this advice is for login passwords. There’s no reason to change any password that is a key to an encrypted file. Just keep the same password as long as you keep the file, unless you suspect it’s been compromised. And two, it’s far more important to choose a good password for the sites that matter — don’t worry about sites you don’t care about that nonetheless demand that you register and choose a password — in the first place than it is to change it. So if you have to worry about something, worry about that. And write your passwords down, or use a program like PasswordSafe.

Milan February 7, 2011 at 6:26 pm

One definite downside of strong passwords is stress. Trying to remember a bunch of strong passwords is quite stressful. You worry that you will lose access to something important because one has slipped your mind. That’s an especially big worry for any kind of computer archive, since it might be months or years before you need to remember the password again.

It’s possible to lose encrypted archives forever because you forgot a password before you remembered to write it down and lock it up. I have. My earliest encrypted archives, made when I was tinkering around with PGP back in elementary school, are now inaccessible to me because I have forgotten the passwords. I wonder what’s inside them; I am sure I have forgotten it completely.

You can also be inconvenienced for a long while by forgetting your password. I have been embarrassed before by forgetting the PIN for a rarely used credit card. I was all set to buy something and couldn’t. I have also forgotten my password for filing taxes online, and have been waiting more than a week for the Canada Revenue Agency to send me a new one.

Milan August 9, 2012 at 9:53 pm

Blizzard’s gaming service Battle.net seems to be the latest major website to get hacked and lose customer data.

As they are reporting on their website:

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

This illustrates why it is important to use a unique password for each website or service.
