{"id":3758,"date":"2014-07-18T23:25:53","date_gmt":"2014-07-18T15:25:53","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3758"},"modified":"2015-09-09T19:36:48","modified_gmt":"2015-09-09T11:36:48","slug":"microsoft-says-re-use-passwords-across-sites","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2014\/07\/microsoft-says-re-use-passwords-across-sites\/","title":{"rendered":"Microsoft Says You SHOULD Re-use Passwords Across Sites"},"content":{"rendered":"<p>Ok so we constantly tell people not to reuse passwords across sites, because if they are stored in plain text (<a href=\"https:\/\/www.darknet.org.uk\/2013\/11\/cupid-media-exposes-42-million-passwords-plain-text\/\">and leaked<\/a>) those naughty hackers now have your e-mail address AND your password and can wreak havoc on your life.<\/p>\n<p>Which is pretty much true, but Microsoft disagrees and there is some validity to what they say, if you MUST re-use passwords (which you shouldn&#8217;t) &#8211; do so only on low risk sites (anything without payment details really).<\/p>\n<p align=\"center\"><img decoding=\"async\" src=\"https:\/\/farm6.staticflickr.com\/5568\/14483655529_76a59509cc.jpg\" alt=\"Re-use Passwords - what madness!\" \/><\/p>\n<p>Keep the good passwords for the important sites (like online banking).<\/p>\n<p>As for me, I say use a bloody password manager, generate different passwords for every site and make them all strong! A good online password manager is free, and even though some of them appear to not be totally secure (<a href=\"https:\/\/www.darknet.org.uk\/2014\/07\/password-manager-security-lastpass-roboform-etc-safe\/\">as we wrote a few days ago<\/a>) &#8211; they are certainly better than not using one.<\/p>\n<blockquote><p>Microsoft has rammed a research rod into the security spokes of the internet by advocating for password reuse in a paper that thoroughly derails the credentials best practise wagon.<\/p>\n<p>Password reuse has become a pariah in internet security circles in recent years following a barrage of breaches that prompted pleas from hacked businesses and media outlets to stop repeating access codes across web sites.<\/p>\n<p>The recommendations appeared logical; hackers with email addresses and passwords in hand could test those credentials against other websites to gain easy illegal access.<\/p>\n<p>Now Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, have shot holes through the security dogma in a paper Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts (PDF).<\/p>\n<p>The trio argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites.<\/p><\/blockquote>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<p>I&#8217;m not sure why we are arguing about this though, I honestly don&#8217;t even know any of my passwords any more (or try to remember then) as for one, I have over 100 and I don&#8217;t have to. I use a password manager (<a href=\"https:\/\/www.passpack.com\/\">PassPack<\/a> in my case). <\/p>\n<p>I only need to remember 1 login\/password combo and 1 really strong keyphrase (which even the experts agree, is way better than a contiguous password).<\/p>\n<blockquote><p>Users should therefore slap the same simple passwords across free websites that don&#8217;t hold important information and save the tough and unique ones for banking websites and other repositories of high-value information.<\/p>\n<p>&#8220;The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio,&#8221; the trio wrote.<\/p>\n<p>&#8220;Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum.&#8221;<\/p>\n<p>Password sets should be reused across groups of websites. Those sites holding little personal information could be placed in the users&#8217; &#8216;go-ahead-and-hack-me&#8217; bucket protected by codes like P@ssword1, while sites where pwnage would trigger fire and brimstone should be protected by complex and unique login credentials.<\/p>\n<p>Hackable groups &#8220;should be very exposed&#8221; and &#8220;should have weak passwords&#8221;, the researchers said, because pushing users to light up even a small amount of grey matter &#8220;would be wasteful&#8221;.<\/p>\n<p>The Redmond research realises the realities of userland security; People are bad at remembering passwords and seemingly worse at caring about the issue of security.<\/p>\n<p>Research published in 2012 found the average Brit glued the same five passwords to their 26 online accounts while one in 25 used the same code for everything.<\/p><\/blockquote>\n<p>You can read the full paper here &#8211; <a href=\"http:\/\/research.microsoft.com\/pubs\/217510\/passwordPortfolios.pdf\">Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts<\/a> <strong>[PDF]<\/strong><\/p>\n<p>The whole issue is kind of sad if you ask me.<\/p>\n<p>It&#8217;ll be interesting to see if any kind of counter-studies are done on this, or anyone comes out with a rebuttal of any sort. It&#8217;s a little odd to release a research paper on something that&#8217;s basically an opinion though.<\/p>\n<p>Source: <a href=\"http:\/\/www.theregister.co.uk\/2014\/07\/16\/redmond_says_password_reuse_is_more_than_okay_its_necessary\/\">The Register<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ok so we constantly tell people not to reuse passwords across sites, because if they are stored in plain text (and leaked) those naughty hackers now have your e-mail address AND your password and can wreak havoc on your life. Which is pretty much true, but Microsoft disagrees and there is some validity to what [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"Re-use Passwords across different websites? You've gotta be kidding right! No, Microsoft suggests that you go ahead and do that.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[8875,8091,456,675,133],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3758"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=3758"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3758\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=3758"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=3758"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=3758"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}