
posted by janrinok on Monday July 21 2014, @11:07PM
from the contradictory-advice dept.

Despite there being years worth of security experts advising users (from Grandma to government officials) to use passwords with high entropy, and each only for one account, researchers from Microsoft as well as one from Carleton University have published a paper (pdf) suggesting exactly the opposite. Their rationale is that the use of higher entropy passwords everywhere lowers the average strength of passwords overall, with users struggling to remember them all, and that the better approach is to use weak, easy to remember passwords at the majority of unimportant sites (or rather, a single password for such sites), reserving stronger passwords for more sensitive sites such as those with financial information or presumably primary email accounts.

From the paper:

"The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote.

"Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum."

More at The Register.

What do Soylenters think? Is Microsoft onto something here? Or is this just laziness being taken to a formal level? Or worse, bad advice being deliberately doled out to aid in Big Brother data slurping?

Related Stories

Some Popular Password Protection Programs Have Significant Vulnerabilities 21 comments

Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials.

"Critical" vulnerabilities were discovered and reported in LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword in work described by the University of California Berkeley researchers as a "wake-up call" for developers of web password vaults.

"Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user's credentials for arbitrary websites," Researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in the paper The Emperor's New Password Manager: Security Analysis of Web-based Password Managers ( http://devd.me/papers/pwdmgr-usenix14.pdf ) (PDF).

  • (Score: 3, Informative) by Murdoc on Monday July 21 2014, @11:21PM

    by Murdoc (2518) on Monday July 21 2014, @11:21PM (#72059) Homepage
    It doesn't have to to be either/or between password strength and how easy it is to remember. In fact you can have a stronger password than complete jibberish alphanumeric with special characters and still make it relatively easy to remember: Password Strength [xkcd.com] Although I'm sure many here already know this.

    Like I would trust anything microsoft has to say about security!

    • (Score: 2) by maxwell demon on Tuesday July 22 2014, @06:45AM

      by maxwell demon (1608) on Tuesday July 22 2014, @06:45AM (#72169) Journal

      But everyone knows that digits in your password make it much safer. That's why I always use the password "12345".

      BTW, I wonder how many people now use "correct horse battery staple" and think they have a very secure password. ;-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @06:55AM

        by Anonymous Coward on Tuesday July 22 2014, @06:55AM (#72174)

        I wonder how many people think they have that as their password, but actually have "correcth".

      • (Score: 1) by Murdoc on Wednesday July 23 2014, @12:37AM

        by Murdoc (2518) on Wednesday July 23 2014, @12:37AM (#72557) Homepage

        "BTW, I wonder how many people now use "correct horse battery staple" and think they have a very secure password."

        According to Explain xkcd [explainxkcd.com], some people have already thought of that.

        From that page: "The Web service Dropbox has an Easter egg related to this comic on their sign-up page. That page has a password strength indicator (powered by JavaScript) which changes as you type your password. This indicator also shows hints when hovering the mouse cursor over it. Entering "Tr0ub4dor&3" or "Tr0ub4dour&3" as the password causes the password strength indicator to fall to zero, with the hint saying, "Guess again." Entering "correcthorsebatterystaple" as the password also causes the strength indicator to fall to zero, but the hint says, "Whoa there, don't take advice from a webcomic too literally ;).""

      • (Score: 1) by ButchDeLoria on Wednesday July 23 2014, @05:21PM

        by ButchDeLoria (583) on Wednesday July 23 2014, @05:21PM (#72854)

        That's amazing, I've got the same combination on my luggage!

    • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @07:11AM

      by Anonymous Coward on Tuesday July 22 2014, @07:11AM (#72178)

      Without peeking at the xkcd strip, I can tell that the other password was some variant of "troubador" but I don't have the faintest recollection of what the other one was about.

  • (Score: 3, Insightful) by Adamsjas on Monday July 21 2014, @11:28PM

    by Adamsjas (4507) on Monday July 21 2014, @11:28PM (#72062)

    I know lots of people do this for sites they have to sign into just to participate or to stop the nagging.

    Why waste a good password at those sites? There is literally nothing to protect there.
    Just about any password you would let your browser remember for you is a candidate for this type of treatment.

    The problem, of course, is this lazy method tends to get used everywhere, and all of a sudden your ArsTechnica password gets stolen and, sure enough, it works at Gmail (or something more sensitive).

    Microsoft et al are merely restating the obvious. Writing down all those passwords would probably be worse, even if you keep the list at home.

    Without a password manager of some sort, you are pretty well not going to be able to manage all the passwords you will accumulate. Best case is you will probably resort to some mental formula (fixed part + site specific part). The formula becomes obvious to the attacker as soon as your password gets stolen.

    With a password manager (vault) you can survive with unique gibberish passwords. It's still a bother.

    • (Score: 2) by frojack on Tuesday July 22 2014, @02:23AM

      by frojack (1554) on Tuesday July 22 2014, @02:23AM (#72111) Journal

      I still don't think I could recommend password re-use, even for throw away accounts.
      Re-use means you quite possibly lose multiple accounts on different servers all because a weak site got hacked.

      Agreed about the password manager, but seems odd coming from someone not concerned about password re-use.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 3, Insightful) by stormwyrm on Tuesday July 22 2014, @03:16AM

      by stormwyrm (717) on Tuesday July 22 2014, @03:16AM (#72123) Journal

      Writing down all those passwords would probably be worse, even if you keep the list at home.

      How so? If you had good passwords written down in a notebook kept reasonably safe then it doesn't become practical to brute force your passwords. To attack your accounts someone would have to steal your password notebook somehow, putting such an attack out of reach of just about everyone. The NSA is not going to break into your house to copy your notebook, not unless you're considered enough of a threat for them to expend the resources to send someone all the way to where you live just to do that. They'd just as soon pick you up and send you to Gitmo. The Russian Mafia's hackers won't do it either, not worth the effort. Neither will your local police force under ordinary circumstances: in the US anyway they really ought to have a warrant to be able to do that, and most civilised countries will have similar requirements. Hell, writing down a good password on a post-it note you stick on your monitor can't be worse than using a bad password to begin with. A bad password can be brute forced by anyone on the Internet who takes the time to do so. Passwords stuck on your monitor can only be seen by those who have physical access to your computer, and you probably know who most of those people are.

      I frankly don't understand why people think that writing down passwords is a bad thing. It's in most cases better than using a weak password! Of course, a password vault is better yet for most uses, as the only way to break it if you used a good password on it to begin with is probably the infamous $5 wrench, and most civilised countries have the decency not to permit that or its functional equivalent (the Fifth Amendment still applies in the US right?).

      How do you know what sites are unimportant? It's not always easy to tell. Social networking accounts might be considered unimportant until they get hacked and compromising information is breached or the account is manipulated for nefarious purposes. You might have put in financial information somewhere at one time and forgotten about it. Compromised accounts can be put to many creative uses to those with imagination, so it is better to assume that every account is important.

      --
      Numquam ponenda est pluralitas sine necessitate.
    • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @07:16AM

      by Anonymous Coward on Tuesday July 22 2014, @07:16AM (#72180)

      The other option is to use relatively strong passwords on such sites. Works fine if you don't need to log in with the same account next time.

  • (Score: 3, Informative) by Horse With Stripes on Monday July 21 2014, @11:37PM

    by Horse With Stripes (577) on Monday July 21 2014, @11:37PM (#72068)

    This is just teaching users a bad habit. How do we know that a user can properly determine what sites are unimportant? What makes a site an "unimportant site"?

    Is it unimportant if it doesn't have any payment information?
    - What if it's not your payment info (eg, a work related account)? Does that make it unimportant to you?

    What about social media sites?
    - What if you have more than one account (eg, real and fakes)?

    What about a throwaway email account?
    - Is that unimportant? Not to a spammer.
    - What if you have more than one email account at the same provider?

    At some point users who are deemed incapable of being able to remember strong passwords will also be incapable of properly determining if a site is really important or unimportant. Teach and encourage the use of strong passwords in all situations.

    BTW, there is no lowering of the overall average strength of passwords by using higher entropy passwords. That's outright bullshit. The harder any and all passwords are to crack the better for everyone.

    • (Score: 3, Insightful) by Popeidol on Tuesday July 22 2014, @01:38AM

      by Popeidol (35) on Tuesday July 22 2014, @01:38AM (#72104) Journal

      I've always thought of it in terms of what I would do if the account was stolen:

      • If I just say 'eh' and reset my password if I can be bothered? Put in a heavily used throwaway password.
      • If I have to call the bank, or talk to my boss, or go through a lengthy recovery process? put in something unique and complex.

      Obviously there's a gradient between those two, but most things fit into one or the other (including soylentnews). I have a finite and fallible memory and this uses it in a slightly more effective way.

      • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @07:05AM

        by Anonymous Coward on Tuesday July 22 2014, @07:05AM (#72176)

        One more option: Is this a stupid site that requires creating a user for a one-time use?

        A huge amount of web shops do not allow ordering something without creating a username and a password, even though you are never going to login, because you'll likely never buy anything there again. And if you do end up buying something from the same place three years later, the e-mail address you used is likely an old one you don't have access to anymore anyway, so even a password reset is not going to help.

        I wonder who convinced these people that creating artificial barriers for customers to jump is a good idea...

        A few sites have started allowing ordering stuff without creating a throwaway username and password, hopefully this trend will continue.

    • (Score: 2, Interesting) by slartibartfastatp on Tuesday July 22 2014, @10:50AM

      by slartibartfastatp (588) on Tuesday July 22 2014, @10:50AM (#72224) Journal

      There are sites that do that. Remember PSN? So I'm betting that most sites won't encrypt it either so it's abc123 for them.

      Even if they don't happen to be attacked and have user/password lists leaking on the web, I don't trust they won't use it themselves!

      That's why I use different usernames as well, so they'll have fewer tips on how reusing passwords for one specific user.

    • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @04:27PM

      by Anonymous Coward on Tuesday July 22 2014, @04:27PM (#72337)

      What if it's not your payment info (eg, a work related account)? Does that make it unimportant to you?

      In most work situations the employee is given training on how to properly protect personal identifying information (PII) of others, which includes warnings of criminal and civil legal penalties if they do not properly comply with policy.

      What about a throwaway email account?
      - Is that unimportant? Not to a spammer.

      If a spammer gets a hold of my throwaway email account, I don't really care what they do with it. That is actually why it is called a "throwaway".

  • (Score: 4, Interesting) by Anonymous Coward on Monday July 21 2014, @11:38PM

    by Anonymous Coward on Monday July 21 2014, @11:38PM (#72069)

    All computer security systems have one fundamental goal, but it isn't what we typically think of. That goal is to enable users to do their work better. A good security implementation makes the task of working securely easier. If your system makes it harder to work more securely then human nature will inevitably undermine the system's security.

    You can complain about stupid, lazy users. You can threaten them with punishment. But fundamentally the computer is there to serve them. Systems that do not serve the users' needs will be circumvented. People will write down passwords and stick them on post-it notes. They will pick easy to remember and easy to guess passwords. Etc. You simply can't fight human nature. So find a way to channel it instead of obstructing it.

    • (Score: 3, Interesting) by Thexalon on Tuesday July 22 2014, @03:05AM

      by Thexalon (636) on Tuesday July 22 2014, @03:05AM (#72118)

      People will write down passwords and stick them on post-it notes.

      Which is probably just fine, so long as said post-it note is in a reasonably physically secure location. Nobody cares enough about many of my accounts to break into my house or office and steal a post-it note, whereas they could conceivably care enough to let an automated password cracker do its job.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by urza9814 on Tuesday July 22 2014, @03:11PM

        by urza9814 (3954) on Tuesday July 22 2014, @03:11PM (#72301) Journal

        Which is probably just fine, so long as said post-it note is in a reasonably physically secure location. Nobody cares enough about many of my accounts to break into my house or office and steal a post-it note, whereas they could conceivably care enough to let an automated password cracker do its job.

        That's great until someone breaks into your house to steal your laptop and happens to grab your passwords with it since they're probably nearby. Now they can empty your bank account, rack up charges on your credit cards, possibly even track your exact location...

        • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @04:37PM

          by Anonymous Coward on Tuesday July 22 2014, @04:37PM (#72341)

          Now they can empty your bank account, rack up charges on your credit cards...

          ...until I contact my bank and the credit card company to alert them of possible fraudulent charges. While this would certainly be annoying as all hell to me, it is hardly the end of the world.

          ...possibly even track your exact location...

          Pshaw! Not likely. Where the hell are you getting these paranoid dystopian fantasies from?

          • (Score: 1) by ButchDeLoria on Wednesday July 23 2014, @05:26PM

            by ButchDeLoria (583) on Wednesday July 23 2014, @05:26PM (#72857)

            Well, if they get your Google account info or iCloud login, they could use Find My iPhone or Android Device Manager to track your device via GPS. And most people rarely go too far from their cell phone.

  • (Score: 3, Interesting) by bziman on Tuesday July 22 2014, @12:09AM

    by bziman (3577) on Tuesday July 22 2014, @12:09AM (#72080)

    This probably wouldn't work for your grandmother, but since I run my own domain, I just use a different unique e-mail address and login for each site I use.

    I originally started this so I could figure out which companies were giving my e-mail address to spammers, and also so I could shut off compromised addresses without having to kill off an address used with other sites.

    But for most of the unimportant sites, while I use unique user names, I use one of a handful of fairly unique passwords. I don't worry too much about the password being compromised, because there's no way to use it to attack the login on another site.

    Of course, I use mostly unique xkcd-style high-entropy passwords when security matters.

    • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @12:54AM

      by Anonymous Coward on Tuesday July 22 2014, @12:54AM (#72094)

      That is exactly what I do and how I started doing it too. But I took it one step further, I started off with a domain that was obviously "mine" and have since registered a domain with the word "mail" in it so that it looks like a low-rent hotmail/gmail/fastmail/etc domain. I figure that cross-referencing usernames is the lowest hanging fruit, easy to automate, but a dedicated attacker might also figure out the personal domain trick. Especially if I used obvious email addresses (so no more amazon@mydomain.com either).

      • (Score: 1) by bziman on Tuesday July 22 2014, @03:18PM

        by bziman (3577) on Tuesday July 22 2014, @03:18PM (#72303)

        One of my main assumptions is that there isn't much I can do to stop an attack focused specifically on me, individually. My efforts are designed to thwart mass attacks. Remember, if the attack is focused on me, directly, they can just use the $5 wrench approach.

  • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @12:10AM

    by Anonymous Coward on Tuesday July 22 2014, @12:10AM (#72081)

    There was a white paper on el reg a couple of years ago about user security being weak due to low engagement. The conclusion was that as a person's time is valuable ($75/hour was the used value), any security that requires more than trivial effort will be discarded. TFA is just restating the obvious: any password that can be remembered can be hacked. And if every site needs a freaking password to check then I for one will be using the weakest password I can, I have stuff to do and places to surf.

    • (Score: 2, Funny) by Anonymous Coward on Tuesday July 22 2014, @12:45AM

      by Anonymous Coward on Tuesday July 22 2014, @12:45AM (#72091)

      I have stuff to do too. Using your identity. I'm sure you won't mind.

      • (Score: 0) by Anonymous Coward on Wednesday July 23 2014, @04:56AM

        by Anonymous Coward on Wednesday July 23 2014, @04:56AM (#72638)

        I've been using your identity for a decade and a half on that other site that's been taken over by dice. No password needed even.

  • (Score: 1) by Pooch on Tuesday July 22 2014, @01:19AM

    by Pooch (3199) on Tuesday July 22 2014, @01:19AM (#72101)

    i would like to be able to use passphrases. give me the option of specifying a lot more characters for a password and i'll turn it into a passphrase. something unique to me at that site, and easy to remember and hard to crack. i'm amazed at sites that still restrict password length to 12 characters or less ... yeesh ... make it 50 or more so i can use a phrase, ffs.

    • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @05:24AM

      by Anonymous Coward on Tuesday July 22 2014, @05:24AM (#72157)

      Watch out for the ones that let you type in really long passwords but they only actually use the first 8-12 characters.

  • (Score: 2) by Subsentient on Tuesday July 22 2014, @03:39AM

    by Subsentient (1111) on Tuesday July 22 2014, @03:39AM (#72131) Homepage Journal

    That is a sensible approach to me. Just make sure important sites have some really, really, really absurdly complex password. The rest can have the password 'boobs'.

    --
    "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
  • (Score: 2) by Yog-Yogguth on Tuesday July 22 2014, @07:30AM

    by Yog-Yogguth (1862) Subscriber Badge on Tuesday July 22 2014, @07:30AM (#72183) Journal

    How so? Because it's just the same as how Mickey Mouse signed on an awful lot of video rental cards.

    History lesson: long long ago, before there even were DVDs, much less Netflix or YouTube, one could go to physical stores that specialized in renting out video entertainment stored on magnetic tape. These stores required you to create a sort of a physical account to hold you responsible for returning the spools of magnetic tape called video cassettes and to charge you a fee if you were late in returning them. You had to sign the card with your name but a lot of people just wrote Mickey Mouse or Daffy Duck instead (most still returned the videos and paid any late fees because they didn't want to throw away their self-esteem over a trip to a store and/or a few bucks).

    So why did they sign with the names of imaginary characters? Why not? It wasn't important.

    123456 is the Mickey Mouse of the 21st century and password the Daffy Duck :)

    P.S. For example do I mind if anyone uses "my" Disqus account? An account that only exists because it's the only way I'll be allowed to comment and/or be censored and finally deleted together with everything else a few years later as it reaches the FIFO GIGO gnomes on the conveyor belt of modern "newsmedia" and only leaving behind the (now unverifiable) ghost on some NSA rack? Of course not, in fact I would be thrilled if anyone did but instead it turns out that it's possible to make multiple Disqus accounts with exactly the same "name" (they don't use it as account identification, or at least they didn't use to) and somebody had done just that by random chance (the name is an unusual pun that could also be a real name, it's not in English) and this had happened even within a small subset of about a million people tops (who speaks that language and also use Disqus).

    P.P.S. Of course I've forgotten the password, it was either Goofy or abcdef but maybe neither. The lesson is to always use Mickey Mouse :P

    --
    Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
  • (Score: 1) by SunKis on Tuesday July 22 2014, @07:38AM

    by SunKis (2973) <{mnlists} {at} {frimail.net}> on Tuesday July 22 2014, @07:38AM (#72184)

    Not for the average Joe maybe, but my approach is to use a small program to generate base64 encoded digests based on a common secret and a phrase that is constructed from the name of the site, something like "My site.com account's secret password". The digest is then truncated to a shorter length to allow for sites that don't permit long passwords. This program is accessible on one of my sites and I also have it as an app on my phone. Usually the passwords are saved in the browser so you only have to generate it once for each browser.

    The only problem is that when one of your passwords is stolen, you'll have to change either the secret or the phrase for that site and when that happens a couple of times it becomes hard to remember where.
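An added example (not the commenter's program) showing the scheme described above in Python: a keyed digest of a site phrase under a common secret, base64-encoded and truncated, placed next to the "fixed part + site specific part" mental formula Adamsjas mentions earlier in the thread, so the difference in what one leaked password reveals about the others is visible. The site names, the master secret and the per-site version counter (a way to rotate one site's password after a leak without changing the secret everywhere) are constructed or assumed here, not taken from the comment.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the demo; not real credentials.
MASTER_SECRET = "example-master-secret-do-not-reuse"
SITES = ["soylentnews.org", "example-shop.test", "example-bank.test"]


def naive_formula(fixed_part: str, site: str) -> str:
    """The 'fixed part + site specific part' mental formula from the thread.
    One leaked password exposes the fixed part and the pattern for every site."""
    return fixed_part + site.split(".")[0]


def derive_site_password(master_secret: str, site: str,
                         length: int = 16, version: int = 1) -> str:
    """Keyed-digest scheme in the spirit of the comment above (added example):
    HMAC-SHA256 keyed with the master secret over a site phrase, base64url
    encoded, truncated to `length` for sites that cap password length.
    `version` is an assumption added here: bump it for one site after a leak
    instead of changing the master secret for every site."""
    if not 8 <= length <= 43:  # 32-byte digest -> 43 unpadded base64 chars
        raise ValueError("length must be between 8 and 43")
    phrase = f"My {site} account's secret password v{version}"
    mac = hmac.new(master_secret.encode("utf-8"), phrase.encode("utf-8"),
                   hashlib.sha256)
    token = base64.urlsafe_b64encode(mac.digest()).decode("ascii").rstrip("=")
    return token[:length]


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading substring: a crude view of what one leaked
    password reveals about another (and of what a site that silently keeps
    only the first 8-12 characters would actually be comparing)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def worst_case_prefix(passwords: list[str]) -> int:
    """Longest common prefix between any two passwords in the list."""
    worst = 0
    for i in range(len(passwords)):
        for j in range(i + 1, len(passwords)):
            worst = max(worst, common_prefix_len(passwords[i], passwords[j]))
    return worst


if __name__ == "__main__":
    naive = [naive_formula("Fixed!Part", s) for s in SITES]
    derived = [derive_site_password(MASTER_SECRET, s) for s in SITES]
    for s, n, d in zip(SITES, naive, derived):
        print(f"{s:20} formula={n:28} digest={d}")
    print("shared prefix, formula:", worst_case_prefix(naive))
    print("shared prefix, digest: ", worst_case_prefix(derived))
    # After a leak at one site, only that site's version changes.
    print("rotated:", derive_site_password(MASTER_SECRET, SITES[1], version=2))
```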

  • (Score: 0) by Anonymous Coward on Tuesday July 22 2014, @11:04AM

    by Anonymous Coward on Tuesday July 22 2014, @11:04AM (#72227)

    I've been doing this for years, I have unique, strong passwords for important things, and a lazy default (which is strong anyway) which I share among sites whose passwords I'll likely otherwise forget.

    It's just management of limited non-forgetfulness. We're only human after all.

  • (Score: 2) by WizardFusion on Tuesday July 22 2014, @12:22PM

    by WizardFusion (498) Subscriber Badge on Tuesday July 22 2014, @12:22PM (#72249) Journal

    As people have mentioned, a password manager is the best option. I only have to remember one password then, a sufficiently long one, based on a phrase (thequickbrownfox, for example).

    For every site I visit that I really have to use a username/password, I create a new one using the built-in password generator. I don't need to remember it, and I don't let my browser remember it either.

    As for those sites that I will never visit again, but want a valid email address and password, I use mailinator.com and a simple "Password1!"

    • (Score: 0) by Anonymous Coward on Sunday August 10 2014, @04:24AM

      by Anonymous Coward on Sunday August 10 2014, @04:24AM (#79553)

      My default password for throwaway accounts has been Fuckbeta1! for about 8 months now. ;)