Strategies.

Surprised that nobody's mentioned yet that the Reg itself stores passwords, in, err, plain text. Unless they've fixed it up recently.

Anyway, there are numerous strategies for multiple secure memorable passwords. Here is one:

Stage 1: construct a base string from a memorable phrase. "why do I have so many passwords" => "wd1h5mp".

Stage 2: construct a string from the domain name you're logging in to. "theregister.co.uk" => "hrgk" from the 2nd, 4th, 6th, and last letters.

Stage 3: concatenate: "wd1h5mphrgk". At eleven characters of lower-alpha-numeric it's outside the range of most rainbow tables I've seen. And even if somebody does crack your password then they need another one to compare it with to have any chance of figuring out your strategy.

It's not perfect but it's good enough for most "low-value" sites.

They encourage "password" reuse

With those stupid challenge-response schemes for password recovery and re-validation.

How many sensible folk just make stuff up for these questions? Especially for the financial sites...

Useless

I always thought password re-use would be closer to 100%.

And given that I have 4 email accounts, facebook, twitter, 6 or 7 forums, an ISP account, DNS, Web server, one work pc, 3 home pc, bank and credit card account... can I actually be expected to remember well over 25 completely different passwords, AND change all of them on a regular basis, AND never reuse the same password on any of them???

Do I really have time to carry a password program with me and look them up all the time??

Come on... most people have a hard time remembering ONE password....

get serious here... this is a stupid study...

How about they focus on how much personal info people unnecessarily give websites that unnecessarily ask. How about they teach people to LIE on website registration ALL the time, every time... And then having a stupid forum account hacked really doesn't matter all that much anymore. So how about it becomes acceptable to have one password for the trivial stuff... and focus on using better security on IMPORTANT stuff....

This study's conclusions just sound like a waste of time to me

Three parts

Have part 1 on a post-it note next to your monitor. A list with alphanumeric code and the name of the applicable site. something like 2Hc5i = ebay.

Then add half of old car number plate (or an old postcode, or a chunk of a memorable phone number or whatever). Keep this part in your head.

And finish with a common ending such as x1X, also memorized.

The post-it part is vulnerable only to those physically on site. Someone with physical access to your comp still needs to guess your other details - and even someone who knows you intimately would have trouble with the last three digits.

So an eBay password would be 2Hc5ihe5x1X , and although the corresponding amazon account would have the same he5x1X suffix, a hacker would have to work hard on the unique prefix.

My system

My passwords are based on a series of riddles which are encoded using a rotating alphabet based on the lunar calendar. I convert the encoded riddles into egyptian heiroglyphs and carve them upon small stones which I cast into a deep well.

clipperz

I've tried various schemes in the past but decided I'm never going to be able to create and remember good passwords. I've tried various programs and never found any that were convenient and available whenever I need them. The only thing I have found that works for me is clipperz (www.clipperz.com). I now need to remember just one strong password (3 old passwords I could already remember combined with something between each one). It is available wherever I am online, is easy to make a read-only offline copy and also has one-time passwords for use when using untrusted computers that may be running key loggers. It's design assumes you can't trust the host server, so it does not store your master password. All encryption decryption happens locally in the browser and only the encrypted blob is stored on the server. The main release is the beta version, but the gamma version has a nice new interface with fast search.

It has direct logins that work for many but not all sites. It does not matter to me that these do not work for some sites because it does not take long to copy and paste the password I need.

I do not claim to have a deep understanding of security, but from what I have read I think this is a robust approach. I would be interested to hear if those who know more than me disagree.

OpenID anyone?

I have a couple of OpenID accounts/identities which I would be delighted to be able to use more frequently. Seems like a simple solution, if only more websites were willing to delegate authentication.

Too much back-slapping

My, aren't we a clever bunch? We all seem to have such great strategies so that "password-stealing could never happen to me". Congratulations but that isn't the problem: passwords are the problem. Invented by people to lazy to come up with a reliable authentication system and forced on us mere mortals.

Because we're so crap at memorising the immemorable we nearly all have some form of password reuse. Even if we spice it up with our own salts. But we're still dependent upon developers implementing a secure backend to stop them being read as plain text. Even then we are at risk, even if not directly, when others are compromised: when someone robs a bank all customers lose out. Plus the whole predictability aspect of password reuse allows for more sophisticated profiling and the best scams are those where you don't even need to steal someone else's keys or password.

I'd hope that a public key infrastructure initiated with an SSL-encrypted exchange of public keys between browser and server might be an alternative. To register you would just allow your browser to send your public key to the server which would send you its public key. All further communication could run happily using public/private key encryption. Certainly not foolproof but a damn site easier to deal with.

the title

This is what pisses me off, why do we need all these seperate passwords for 00s of sites?? OpenID for all the low value stuff and then a small number of secure passwords for the things that matter, along with 2factor auth, like texting a code to your phone or something.

Sure, with yahoo, google (and facebook?) providing them 35billion people now have OpenID accounts, but find me ONE site where I can use it? Even the tech sites (like El Reg) don't support it...

I'm suprised the figure is so low, I'd have thought password resuse for similar "low value" sites would be near 100%...

The problem with random password generators...

Since random password generators result in passwords that most people can not remember this results in problems:

If the program being used stores passwords locally:

1. Cant access sites from other computer since your passwords are not on the other computer if you cant remember your "random" password.

2. If you have a computer crash, and do not have a backup of your passwords, you are screwed.

If the program stores passwords remotely, then great, you are giving joe blow all of your passwords in one place, so if they are ever compromised, you are screwed.

If you have a large number of sites that you go to, having separate passwords for each one can end up resulting in a lot of confusion and other issues.

Where I work, clients have on average AT LEAST 3 different passwords for different areas, and yes a lot of them duplicate their passwords.

However I can not tell you how often we are having to reset passwords due to someone forgetting their password/getting confused and then get blocked due to having large number of invalid login attempts.

Complexity creates insecurity

Good article, found only one one mistake; HBGary did not establish rootkit.com. As a non-profit community site kept by private person it have been existing since 1999, at least Whois-records show this. Guess the article connects two separate sites due loose affiliation via one employee who also founded HBGary.

Password complexity is a tricky one; our policies to create complex passwords on multiple places sort of force people to certain traits; like using existing words together to reach length, then prolly adding number into end, and special character into middle - after all, passwords should be impossible to remember and never written down. This then leads into generating potential passwords to look for - you don't need wholel keyspace.

Interesting in development side on mind - did they develop their software themselves or was it a readymade package? What kind of securitymechanisms there were on place otherwise? This brings interesting angle on corporate view to requirements on either outsource development or packages bought.

Bad Statistics

The number of available data to do this statistical study on is too small, you would have needed to get almost all of those passwords for people on both sites to have had a statistically significant number of data.

Pointless and a waste of editorial space.