Anonymous hack showed password re-use becoming endemic

Computer scientists have discovered that password re-use is far more prevalent than previously thought after comparing a sample of matched passwords that spilled out as a result of the revenge attack by Anonymous against security researchers HBGary with the earlier Gawker password breach sample set. Hackers affiliated with …

COMMENTS

  1. Anonymous Coward
    Anonymous Coward

    Roboform ...

    or Lastpass for free. Allows you to generate complex random passwords when you sign up for things online. Remembers them for you too.

    No affiliation, just a happy user.

    1. Andy 75

      Title like thing

      Maybe the researchers should drop an email to the addresses involved and just ask the users whether, as at x date, they used the same password in a more secure site as well?

      I'd imagine that those who answer would be fairly honest especially if they are told "it's for science"

    2. JP19
      Thumb Up

      KeePass?

      KeePass is good too (and also free).

      Browsers could probably handle this a lot better than they currently do.

      1. Chrome

        KeePass

        +1

        Especially when used with Dropbox. Also both have Android apps (probably for other platforms too but I don't have the money to buy the handsets to check)

        1. Benny

          iphone/ipad have it

          but you can't move the file between DB and KPX like you can on an Android

    3. Steve X

      post-its

      Why go to the trouble of generating complex random passwords if you're then going to store them all on the same electronic post-it? How long until someone cracks that and gets all your passwords at once?

      1. bittenbytailfly
        Alert

        I second that!

        I've never understood the password vault model - much better to have a system that generates a strong password every time from something memorable. I use Deadbolt Password Manager (http://www.deadboltpasswordgenerator.com)

      2. Galidron
        Boffin

        @electronic post-it

        Reasons

        1. You can store the vault in a more secure location than real post-its. To crack the vault you have to be able to get your hands on it first.

        2. A vault can be copied to additional locations so you can have access to your passwords from multiple locations if necessary.

        3. Unless you use a weak password for the vault or the vault has a weakness in key generation, you should have changed your passwords at least once sometime in the years it will take to crack.

  2. Anonymous Coward
    Terminator

    password security

    The problem I find, with this situation, is that, these days, there are just so many things that want to be password protected.

    If you do (as we all know we should) and have a different complex password for everything that requires one, AND change them every 6 weeks (or whatever) then you are going to need some way of storing them.

    I know that where I work, due to the 6 week change policy, and (seemingly) infinite password history for one of our pieces of software, many of our users do the password1, password2 etc.. method, others keep them written in their drawers.

    Is it really any worse to have, say 4 or 5 passwords ranging from one or two for very important things, a couple of less important things, and one for all those websites that you use your old dead email account to sign up to?

    1. Anonymous Coward
      Pirate

      indeed..

      and for all the commentators suggesting password storing services and / or apps what if keePass / Roboform / Lastpass get hacked? You are potentially really f**ked then!

      I have enough trouble trying to remember Pins for anything other than the three bank cards I use most, the lesser used ones - forget it.. I tried recently to remember a replacement one for another card but then the pin for one of the cards I use all the time just dropped right out of my head. That was really frustrating, realising this as trying to use it. And the last thing I want to do is re-use card pins!

      I also recently upgraded a bank account to get all the extras it came with which resulted in a heap more passwords <and User names!> to try and remember for the different services.. Why not just use the email address as user name or better still let me get to the services via the internet banking!

  3. Daniel B.
    Boffin

    Blackberry!

    Blackberries have a "password storage app" for storing passwords (duuuuuh), and it has a "generate random password" feature. I've been using it lately for site passwords I don't really trust. I used to have a generic password for non-critical sites, but that one was cracked by the Gawker bust. So now I've changed passwords, and any site that looks like it might have the Gawker "security" model will have a random generated password.

  4. Kieran 2

    I re-use passwords.

    And if you managed to get hold of my oft-used passwords and the list of sites I use them on... well, you'd be able to make me look like a dick on a lot of forums, I guess. Not much else.

    I don't have Gawker or rootkit logins, but they don't sound like sites I would bother having unique passwords for: I save those mostly for banking, social networking, and work.

  5. DavidShepherd

    Password re-use

    Good article. It's really not that surprising to find high degree of password re-use as well as easily compromised passwords. There are some easier ways to create secure, unique and easy to remember passwords. More good tips - http://dshepherdhowto.com/password-recreational-browsing/

  6. Tom 15

    Bad dev

    You shouldn't really just MD5 the password, otherwise you might as well store it in plain text, rainbow tables make it just as easy to find out what it is. Really you should mix it with some other stuff first, for instance we have a GUID for each user which can't change and then password is combined with the GUID for the user...

    1. Daren Nestor

      Exactly

      Accounts that I use to buy stuff have strong passwords. Accounts for forums and news sites are weaker, reused in other forums and if someone got them, meh.

    2. Anonymous Coward
      Anonymous Coward

      Re: Bad dev

      I thought md5 was a hash function. It's not reversible?

      1. chuBb.

        salting

        It is but unless you 'salt' the hash by combining other unknown data with it you are vulnerable to rainbow tables and such like (a rainbow table is a precomputed hash of known weak passwords, so all you have to do is look up a hash that matches your unknown password and you either have discovered the password, or lucked out and found a string combination which yields the same hash as the hash to be cracked).

        In the past I have used GUIDs (like Tom 15 suggested) and other unique read-only identifiers associated with a user's account along with a secret key value all concatenated together before the hash is generated. That way in order to crack the password not only would the cracker have to guess a unique value generated by the user's account being created, but the user's password and the secret key which is highly. Although if the servers are rooted you're probably buggered as all this does is make the hashes rainbow table resistant, weak passwords still are vulnerable to brute force etc.

        1. Steve Roper
          Thumb Up

          Re: salting

          "weak passwords are still vulnerable to brute force etc"

          I do a similar thing to disguise passwords as you (my method involves ROT-PRNG on the password characters along with a 20-character string interlaced with them) but there is one more thing I do to reduce the chance of brute-forcing, and it's something that used to be done a lot in days of yore but of late seems to have been forgotten.

          That is, limit failed login attempts. My method is 3 strikes and the account is locked, and the owner sent an email advising them of the hack attempt, with a link for them to click on to reactivate the account. (The link doesn't log them in though, they still need to enter username and password to do that.) So attempting to log in on one of my customers' accounts means you need to get it right within 3 tries or fail completely. It's easy to do, and compensates a lot for people's tendency to use weak passwords.

          Finally, my system logs the IP addresses of repeated login attempts after an account is locked, and notifies me of the ISP owning that address so I can advise them of the hack attempts if necessary.
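The lockout logic Steve Roper describes (three failures lock the account, the owner is notified with a reactivation link that does not itself log anyone in, and source addresses of attempts made after the lock are recorded), as an added example written for this thread rather than his code. The account store, the `stand_in_hash` function and the sample attempt log are constructed for the demonstration; the IP addresses are from the documentation test range.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 3  # "3 strikes and the account is locked"


def stand_in_hash(password: str) -> str:
    # Constructed stand-in so the example runs on its own; a real store would hold a
    # salted, slow password hash rather than a bare SHA-256 digest.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    failures: int = 0
    locked: bool = False
    post_lock_attempts: list = field(default_factory=list)  # source IPs seen while locked


class LoginGuard:
    """Counts failed logins per account, locks after MAX_FAILURES, and records the
    source addresses of attempts that continue after the lock (for the ISP report)."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.notifications = []  # stands in for the e-mails the real system would send

    def attempt(self, username: str, password: str, source_ip: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"  # same answer as a wrong password, so usernames cannot be probed
        if acct.locked:
            acct.post_lock_attempts.append(source_ip)
            return "locked"  # even the correct password is refused until reactivation
        if hmac.compare_digest(stand_in_hash(password), acct.password_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self.notifications.append(
                f"to {username}: {MAX_FAILURES} failed logins, account locked; "
                "reactivation link enclosed (the link does not log you in)")
        return "denied"

    def reactivate(self, username: str) -> None:
        """Called when the owner follows the link: clears the lock and the counter."""
        acct = self.accounts[username]
        acct.locked = False
        acct.failures = 0


def demo():
    guard = LoginGuard([Account("alice", stand_in_hash("correct horse"))])
    # Constructed attempt log: three wrong guesses, then the right password, from one address.
    attempts = [
        ("alice", "password1", "203.0.113.5"),
        ("alice", "password2", "203.0.113.5"),
        ("alice", "password3", "203.0.113.5"),
        ("alice", "correct horse", "203.0.113.5"),
    ]
    results = [guard.attempt(u, p, ip) for u, p, ip in attempts]
    return guard, results


if __name__ == "__main__":
    guard, results = demo()
    print(results, guard.accounts["alice"].post_lock_attempts, guard.notifications)
```

Note that the fourth attempt uses the correct password and is still refused: once locked, only the owner's reactivation reopens the account, which is what makes a three-try budget meaningful against a guessing run.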

      2. Anonymous Coward
        Big Brother

        Re: Re: Bad dev

        Correct, but the previous poster was referring to a technique called salting I believe.

        If the password is hashed then a rainbow table (which can be downloaded nowadays I bet for common hashing mechanisms) can be generated and compared against the hashes i.e. the same password will always generate the same hash (you can even see which accounts share the same hash and therefore the same password.)

        If you use salt added to the password before you hash then even identical (entered) passwords will be different due to the salt; a hacker would have to generate a rainbow table for each account using the salt; it makes brute forcing harder (not impossible) as each password has to be individually attacked.

        GUIDs are a good salt as they are random. Database IDs are not so good as it is not uncommon for the admin user to be user #1 so it is quite easy to pre-compute a rainbow table with a 1 prefix/suffix to common passwords and word lists.

        How you merge the salt with the password can help if you avoid just prefix/suffix and find some other way of merging the salt and password together before hashing, but now we are heading into security through obscurity territory - adventurers beware.

        Security however is through depth as well as breadth.

        1. Anonymous Coward
          Anonymous Coward

          hmm

          Surely you want to merge the salt with the password after hashing, otherwise you can never work out the salt. I personally think a security mistake some people make is to not alter the salt after a password change, it becomes plainly obvious where the salt is.

          The whole business of hashed passwords is imo security through obscurity. Sure, a password hash can't actually be reversed but it needs to be consistent, so guesswork will eventually win out... then salting, separated fields, for password and salt.... easily known salt... (might make it 1000 times harder there)... an unknown salt at least requires a bit more work to find out where the salt is, unless of course, there is a code breach.

          1. Paul Powell
            Boffin

            Salting...

            The salt is combined with the password before hashing. You can store the salt in plain text in the table next to the password hash (one for each user).

            When a user enters their password it gets combined with the salt and then hashed. If it matches the hash value then the user is let in, otherwise no. This defeats rainbow table attacks which look up the hashed password in a large database of password hashes.

            The only advantage I can see of concealing or encrypting the salt is that someone can attempt to break each password one by one to get back to the original plain text - this however is infeasible and is the reason people started making rainbow tables in the first place.

            If you put the salt in first the position is never given away as the entire hash changes with just one character different in the salt. Putting it in after is just obfuscating the hash and is easily crackable.

            By the time someone is using rainbow tables you can pretty much presume that they have your entire password file/db, any web code, and anything else in your back end database - otherwise what is the point of using them? This means that they already know where you put your salt (it's in the code after all). They already know what your 'secret' salt is as well.

            If you have put in the salt after the hash then you'll need to go back and look at that...

            Hashing passwords is not security through obscurity - it's a peer reviewed open technique that is mathematically proven (given the absence of Quantum computing and that P=NP is not true)

      3. Adam Trickett
        Black Helicopters

        the rainbow table is to reverse it

        A hash isn't supposed to be reversible, but you can create a rainbow table of all the possible hashes for a given combination of passwords, then use the table "in reverse" to find all the possible passwords for a given hash. It's just an awfully big table of numbers - pretty easy to generate on a modern computer...
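The salting sub-thread above (chuBb., Big Brother, Paul Powell and Adam Trickett) in runnable form, as an added example that is none of the commenters' own code. It builds a tiny precomputed digest table from a constructed weak-password list, shows that unsalted MD5 lets a leaked digest be looked up and lets accounts with the same password be spotted by their identical digests, and then shows a per-user random salt combined with the password before hashing, stored in plain text beside the hash exactly as Paul Powell describes. PBKDF2 is my choice for the salted hash (the thread does not name a function); it adds iteration cost on top of the uniqueness the salt provides.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary a rainbow table is built from.
WEAK_PASSWORDS = ["password", "123456", "letmein", "qwerty", "anonymous", "password1"]


def unsalted_md5(password: str) -> str:
    """The scheme the thread warns against: the same password always gives the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> word; looking a leaked digest up here is the essence of the attack."""
    return {unsalted_md5(w): w for w in words}


def accounts_sharing_hashes(user_digests):
    """Group usernames whose unsalted digests are identical: they share a password."""
    groups = {}
    for user, digest in user_digests.items():
        groups.setdefault(digest, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


def new_salt() -> bytes:
    return os.urandom(16)  # random per user; stored unencrypted next to the hash


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # Salt is combined with the password *before* hashing. PBKDF2-HMAC-SHA256 is an
    # assumption of this example, not something the thread specifies.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> dict:
    salt = new_salt()
    return {"salt": salt.hex(), "hash": salted_hash(password, salt).hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recombine the stored salt with the entered password and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(salted_hash(candidate, salt), bytes.fromhex(record["hash"]))


def demo():
    table = build_lookup_table(WEAK_PASSWORDS)
    # Constructed leaked rows: two users chose "password", one chose something off the list.
    leaked = {
        "alice": unsalted_md5("password"),
        "bob": unsalted_md5("password"),
        "carol": unsalted_md5("correct horse"),
    }
    recovered = {user: table.get(digest) for user, digest in leaked.items()}
    return table, recovered, accounts_sharing_hashes(leaked)


if __name__ == "__main__":
    _, recovered, shared = demo()
    print(recovered, shared)
    rec = make_record("password")
    print(rec, verify(rec, "password"), verify(rec, "Password"))
```

Two records made from the same password get different salts and therefore different hashes, so the precomputed table is useless against them and each account has to be attacked individually, which is the point Big Brother makes; the iteration count is what makes each of those individual guesses expensive.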

    3. Mitch Kent

      +1 from me too

      If I couldn't give a monkey's uncle about the security of the site, then it gets my standard low grade easy password. I only save the tricky stuff for sites that can charge me money...

    4. Anonymous Coward
      Anonymous Coward

      Spot on...

      I'd go so far as to say that most people I know in IT make a point of re-using simple passwords for "low value" web site, yeah someone could make me look like a dick on forum, but I'm pretty sure that I do a better job of that than most hackers would. (A skiddie's post would be way out of line with my usual idiocy, so fairly easily detectable.) All these people make sure as hell to keep their private stuff just that, banks, home, etc all have non-trivial passwords...

    5. James O'Shea

      throw-away passwords

      Sites such as El Reg and other fora get throw-away passwords. The same throw-away password, in fact. Anyone who figures out what it is (and it's a dictionary word, unusual only in where I stuck the caps) can log into any such site that I infest and pretend to be me.

      Serious sites, such as my bank, get 12 to 16 digit passphrases with rAndoM cApS, numb3rs, $ymbols, and c0mBin@t1ons of the above. Usually using a phrase from a non-Indo-European language. And usually misspelled. My stuff isn't impossible to break, just hard.

    6. Anonymous Coward
      Anonymous Coward

      well

      Least I'm not one of the only people who has security levels... generic junk accounts, then secure passwords for other things. I used to be more generic, foolishly, and I was taught the error of my ways by a company I worked for being a bunch of wannabe spies.

      1. Oliver 7

        +1

        As above. It's all very well having a locker but I can sometimes use three computers plus my smartphone in one day to access the same Web sites, how can I port my passwords between them? Much simpler to have a simple password for all sites that are social or media related and save the memory-busters for your bank account, etc.

        Nielsen isn't everyone's favourite but he's right about some things. People just can't be arsed investing the time to learn complex sequences of codes or instructions for operating things, whether that be accessing a Web site or programming a DVR. It's simplicity and seamlessness that is key to Apple's success, etc, etc.

        At my work I need to access 30 or so systems that have varying user IDs and mostly have heterogeneous password requirements and expiry periods. Coupled with the fact that I don't access many of them for weeks at a time, how on Earth can I be expected to do this all in my head? (disclaimer: I didn't say that I don't!)

  7. Andrew Tyler 1

    The luggage padlock of passwords.

    I use the same password for all my junk accounts, and it's the same password I've been using for 10 years. Not familiar with rootkit.com, but Gawker would definitely qualify as a junk account if I had one there. I probably should graduate to using some password tool for them someday, but for the time being I'm not too worried.

    Surely this is what most people do.

    1. Alex 0.1
      Thumb Up

      Bingo

      I think it's exactly this. As with you and several other commenters, I simply use a shared semi-throwaway password for any of the myriad forums/commenting/random other websites I use that want a password for no good reason - I then have another password for fewer more important things (online shops I buy from regularly), another for email, and another for online banking.

      If some sloppy admin of some random forum gets his password db exploited, sure, I'll look like a password re-user (though, my password is re-used but still not exactly short or easy to crack) but that password doesn't help get to anything important to me, and simply having to switch to a new password for any low-importance site I use is much easier than having to use and remember different passwords for all of the eleventy billion different places that want one (I don't particularly consider browser addons that generate + store passwords for me a solution, as I regularly want/need to access things from remote locations, plus, software developers do abandon their projects regularly).

  8. Anonymous Coward
    Anonymous Coward

    It's gawker ffs

    My priorities:

    a) Remembering my passwords.

    b) Not using an email/password that is also valid for that email account.

    c) Security

    I can only remember about 3 passwords. As my priority is remembering them, I use 2 of them all the time and have 1 for important stuff. Important stuff mainly = my encrypted disk image which holds all my work and bank details.

  9. This post has been deleted by its author

  10. This post has been deleted by its author

  11. This post has been deleted by a moderator

    1. Anonymous Coward
      Anonymous Coward

      Possibly because..

      ..Jussi may have been fired.

      The IRC chat between Anonymous and HBGary (including Aaron, Penny etc) is here - fun stuff. It's basically HBGary pleading with anon not to release the remaining e-mails (Greg, who happens to be Penny's hubby). When Aaron joins (about half way down) it all turns nasty again.

      http://pastebin.com/x69Akp5L

      Just search for Jussi

  12. Jamie Kitson

    Play your cards right

    But even with the most conservative estimate of password re-use - 31 per cent - from real world data of the users of the two tech sites is much lower than previously published studies, which suggest somewhere between 12 and 20 per cent.

    Higher or lower?

  13. Anonymous Coward
    Anonymous Coward

    title

    If databaset is not a real word then it should be.

  14. Anonymous Coward
    Flame

    And this is news?

    Look, it's human nature to pick a series of passwords and use them for everything.

    John Doe will use one series of passwords for all of his banking accounts.

    He'll use a different series of passwords for work stuff.

    He'll use a single one for all that internet pron stuff he looks at so no one catches him.

    The reason I say series is that some sites make you change your password every so often so you end up going through a series of rotations.

    The point is that you can't always remember what password you used for what account, so you then have to write them down somewhere. Usually on an electronic device in a password encrypted file so you can get access to them... ;-)

    So of course people will reuse a password?

    The Flame is for the fact that this is so obvious that it's not really news!

  15. Anteaus

    Forums one thing..

    ...and I likewise use low-quality passwords in forums, mainly because of the need to be able to remember them when working in several places. But, not for things that matter.

    The more worrying aspect though, is the growing trend towards global web-access to company files. Here, Microsoft enforce 'password complexity' which sounds clever but isn't. In fact, password-complexity rules disbar a lot of strong but memorizable passwords, and enforce the use of either non-memorizable or else weak passwords. For example the reasonably strong "nobodywilleverguessthispassword" is disbarred, but the very weak "Password1" is, ridiculously, allowed.

    That, and I've never understood the reasons for forcing password-expiry. If the user has to keep changing the password, it more-or-less guarantees they will use "Password1" .. "Password2" and so on INSTEAD of a strong password which they only need memorize once.

    What is password expiry meant to achieve anyway? If a hacker has had access to my files for 42 days, does it make any difference if I disallow an extra few days' access? Most likely (s)he will have done any damage they're gonna do, gotten fed-up and gone elsewhere long before then.

    IMHO the best passwords are those which have a regular vowel/consonant structure, and thus look like words, but are nonsense. These are surprisingly easy to remember, but shouldn't be crackable by dictionary methods.

  16. Anonymous Coward
    Anonymous Coward

    How many?

    I currently have over 600 accounts with various websites. ok, so I've been on the internet a long time, but is that so unusual? It's no surprise at all that people re-use passwords.

    How many accounts do other people have?

  17. Bill Coleman

    ...unsalted MD5

    to see just how useless an unsalted MD5 hash is, try this:

    Create a hash of a simple string using any MD5 generator, eg http://www.adamek.biz/md5-generator.php - try your first name or something.

    Then take the generated hash string and simply search for it on google and you will see many translated results from various rainbow tables

    1. Anonymous Coward
      Anonymous Coward

      re: you will see many translated results

      except I didn't, and my name is common in several languages. Positive results for a few strings like "password" and "anonymous" are unsurprising, but Google didn't produce hits for various obvious or weak passwords.

  18. Anonymous Coward
    Anonymous Coward

    a good system?

    Password services are a single point of failure as are the USB key solutions. And maintaining a secure set of passwords is beyond most people's brain power. So to be secure you need a good system, here's what I do:

    1. take a random secure string and memorise it, e.g. "1A2b3C4D"

    2. decide break points, e.g. after characters 3 and 5 "1A2][b3][C4D"

    3. inject two letters signifying the password context into the first break, e.g. hotmail could be "HO"

    4. inject a rotating numeric, or character for password rotation in the second position, e.g. "1", or "a"

    ...so you get "1A2HOb31C4D" - when you rotate it after 6 weeks or whatever, it becomes "1A2HOb32C4D"

    for gmail rotation 1 would be "1A2GMb31C4D"

    easy to remember - or at least work out, but hard-ish to crack. This approach does have its flaws but I think it's the best compromise.

    anon, because well... duh!

    1. Anonymous Coward
      Happy

      Yep, here's the title

      You are rather trusting of El Reg server admins' skills....

  19. stucs201

    In other news

    People discovered to keep their car, house, office and shed keys on the same keyring. Also evidence for people keeping notes, coins and credit/debit cards in the same wallet.

  20. Jonnyp
    FAIL

    only looks at crap passwords

    the thing is, this only looks at passwords that can be broken with brute force. that probably means these people had pretty crap passwords, below average secure at least, and are therefore less savvy in general, and therefore much more likely to be using the same password for everything.

    I think overall the percentage would be a lot lower.

  21. kevin elliott

    Missing the Point?

    The point here is that it's impossible for most of us to use multiple secure passwords. They're impossible to remember. And the more uncrackable they become, the less useful they are.

    And as for trusting a piece of software to generate and manage passwords... That could be compromised at some point in the future, if it's not already...

    Password technology has outlived its usefulness for secure applications. For low security needs like web forums, it's good enough, even with re-use.

    We need secure keys, not the ones in the unix model, but something I can carry around with me, plug into a networked computer anywhere, and be able to access all my secure accounts safely by typing in a simple pin for the key. Citrix have a system like this, but it's not universal. And generally restricted to a single company.

  22. Anonymous Coward
    Anonymous Coward

    Kwrrwra lbs&ie sufura

    Since we're all sharing our strategies, here's mine:

    I have a "base" quite secure password that is never used (at least not anymore. I believe I used it 10 years ago or somesuch) and then use key offsets. One site will have the "base", but all characters shifted by one key to the left, another to the right, up, down (with wrap-around to the other side of the keyboard if necessary) etc. Easy to remember, and I haven't seen references to keyboard analysis by the bad guys yet. And even then the base is still semi-random or at least very much not in any dictionary.

    And weak throwaways on forums of course.

  23. jonathanb Silver badge

    Other things to consider

    For a lot of websites, where having a password just lets me read stuff, I don't really care if someone hacks into my account. In fact, the password I use for those sites is the same as the made up username I use when they have no business knowing who I am.

    Secondly, how am I supposed to remember hundreds of different ultra-secure passwords? I would have to keep them all somewhere that isn't very secure.

  24. Adam Trickett
    Linux

    Patterns

    I use a pattern made up of a prefix and postfix that are site related and a common base joined with punctuation.

    I use different bases for low, medium and high risk sites.

    Even then it's too many combinations to remember, as lots of sites won't take punctuation marks or have other stupid restrictions, so I keep a per site prompt (not the actual password) in a GPG file.

    My GPG and SSH pass-phrases aren't written down at all anywhere. They are quite long and contain mixed cases, punctuation.

    I know there are risks but OpenID like login appeals to me for the low level sites as I really, really don't want any more passwords to add to the mix.

    Then I have the same nonsense at work with even more passwords, but there they rotate them so I have them written down and printed (just hints) out as it's just impossible to get anything otherwise...

  25. Gordon Barret
    Black Helicopters

    Cracking Passwords Gromit.

    "Joseph Bonneau, the Cambridge University researcher who carried out the exercise"

    So this scientist has openly admitted to cracking passwords - when is he going to be arrested?

    Considering that even some penetration testers have got into serious trouble for doing the job they were employed to do ...

  26. Dom 3

    Strategies.

    Surprised that nobody's mentioned yet that the Reg itself stores passwords, in, err, plain text. Unless they've fixed it up recently.

    Anyway, there are numerous strategies for multiple secure memorable passwords. Here is one:

    Stage 1: construct a base string from a memorable phrase. "why do I have so many passwords" => "wd1h5mp".

    Stage 2: construct a string from the domain name you're logging in to. "theregister.co.uk" => "hrgk" from the 2nd, 4th, 6th, and last letters.

    Stage 3: concatenate: "wd1h5mphrgk". At eleven characters of lower-alpha-numeric it's outside the range of most rainbow tables I've seen. And even if somebody does crack your password then they need another one to compare it with to have any chance of figuring out your strategy.
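The two per-site derivation recipes given in this thread, comment 18's "a good system?" (a memorised base with a context tag and a rotation marker injected at fixed break points) and Dom 3's three stages above, written out as an added example rather than either commenter's own code. The two functions reproduce the worked strings both comments give; the letter-to-digit substitutions in `SUBSTITUTIONS` are an assumption inferred from Dom 3's example, since the comment does not spell out how "I" became "1" and "so" became "5".

```python
# Assumption: the only substitutions that make "why do I have so many passwords" -> "wd1h5mp".
SUBSTITUTIONS = {"i": "1", "s": "5"}


def base_from_phrase(phrase: str) -> str:
    """Dom 3, stage 1: first letter of each word, lower-cased, with the assumed substitutions."""
    initials = (word[0].lower() for word in phrase.split())
    return "".join(SUBSTITUTIONS.get(c, c) for c in initials)


def tag_from_domain(domain: str, positions=(2, 4, 6)) -> str:
    """Dom 3, stage 2: characters at the given 1-based positions, plus the last character."""
    return "".join(domain[p - 1] for p in positions) + domain[-1]


def dom3_password(phrase: str, domain: str) -> str:
    """Dom 3, stage 3: concatenate the base string and the site tag."""
    return base_from_phrase(phrase) + tag_from_domain(domain)


def injected_password(base: str, breaks, context: str, rotation: str) -> str:
    """Comment 18's recipe: split the memorised base after the given character counts,
    put the two-letter context tag in the first break and the rotation marker in the second."""
    first, second = breaks
    return base[:first] + context + base[first:second] + rotation + base[second:]


if __name__ == "__main__":
    print(dom3_password("why do I have so many passwords", "theregister.co.uk"))   # wd1h5mphrgk
    print(injected_password("1A2b3C4D", (3, 5), "HO", "1"))                        # 1A2HOb31C4D
    print(injected_password("1A2b3C4D", (3, 5), "GM", "1"))                        # 1A2GMb31C4D
```

Both recipes are deterministic functions of a secret part plus a site-visible part, which is why the two commenters' own caveats apply: Dom 3's remark that a second cracked password is what exposes the strategy, and comment 18's "this approach does have its flaws".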

    It's not perfect but it's good enough for most "low-value" sites.

  27. Anonymous Coward
    Anonymous Coward

    They encourage "password" reuse

    With those stupid challenge-response schemes for password recovery and re-validation.

    How many sensible folk just make stuff up for these questions? Especially for the financial sites...

  28. Pat 4

    Useless

    I always thought password re-use would be closer to 100%.

    And given that I have 4 email accounts, facebook, twitter, 6 or 7 forums, an ISP account, DNS, Web server, one work pc, 3 home pc, bank and credit card account... can I actually be expected to remember well over 25 completely different passwords, AND change all of them on a regular basis, AND never reuse the same password on any of them???

    Do I really have time to carry a password program with me and look them up all the time??

    Come on... most people have a hard time remembering ONE password....

    get serious here... this is a stupid study...

    How about they focus on how much personal info people unnecessarily give websites that unnecessarily ask. How about they teach people to LIE on website registration ALL the time, every time... And then having a stupid forum account hacked really doesn't matter all that much anymore. So how about it becomes acceptable to have one password for the trivial stuff... and focus on using better security on IMPORTANT stuff....

    This study's conclusions just sound like a waste of time to me

  29. Maty

    Three parts

    Have part 1 on a post-it note next to your monitor. A list with alphanumeric code and the name of the applicable site. something like 2Hc5i = ebay.

    Then add half of old car number plate (or an old postcode, or a chunk of a memorable phone number or whatever). Keep this part in your head.

    And finish with a common ending such as x1X, also memorized.

    The post-it part is vulnerable only to those physically on site. Someone with physical access to your comp still needs to guess your other details - and even someone who knows you intimately would have trouble with the last three digits.

    So an eBay password would be 2Hc5ihe5x1X , and although the corresponding amazon account would have the same he5x1X suffix, a hacker would have to work hard on the unique prefix.

  30. BraveOak

    My system

    My passwords are based on a series of riddles which are encoded using a rotating alphabet based on the lunar calendar. I convert the encoded riddles into Egyptian hieroglyphs and carve them upon small stones which I cast into a deep well.

  31. David Whiting

    clipperz

    I've tried various schemes in the past but decided I'm never going to be able to create and remember good passwords. I've tried various programs and never found any that were convenient and available whenever I need them. The only thing I have found that works for me is clipperz (www.clipperz.com). I now need to remember just one strong password (3 old passwords I could already remember combined with something between each one). It is available wherever I am online, is easy to make a read-only offline copy and also has one-time passwords for use when using untrusted computers that may be running key loggers. Its design assumes you can't trust the host server, so it does not store your master password. All encryption/decryption happens locally in the browser and only the encrypted blob is stored on the server. The main release is the beta version, but the gamma version has a nice new interface with fast search.

    It has direct logins that work for many but not all sites. It does not matter to me that these do not work for some sites because it does not take long to copy and paste the password I need.

    I do not claim to have a deep understanding of security, but from what I have read I think this is a robust approach. I would be interested to hear if those who know more than me disagree.

  32. ScottME

    OpenID anyone?

    I have a couple of OpenID accounts/identities which I would be delighted to be able to use more frequently. Seems like a simple solution, if only more websites were willing to delegate authentication.

  33. Charlie Clark Silver badge

    Too much back-slapping

    My, aren't we a clever bunch? We all seem to have such great strategies so that "password-stealing could never happen to me". Congratulations, but that isn't the problem: passwords are the problem. Invented by people too lazy to come up with a reliable authentication system and forced on us mere mortals.

    Because we're so crap at memorising the immemorable we nearly all have some form of password reuse. Even if we spice it up with our own salts. But we're still dependent upon developers implementing a secure backend to stop them being read as plain text. Even then we are at risk, even if not directly, when others are compromised: when someone robs a bank all customers lose out. Plus the whole predictability aspect of password reuse allows for more sophisticated profiling and the best scams are those where you don't even need to steal someone else's keys or password.

    I'd hope that a public key infrastructure initiated with an SSL-encrypted exchange of public keys between browser and server might be an alternative. To register you would just allow your browser to send your public key to the server, which would send you its public key. All further communication could run happily using public/private key encryption. Certainly not foolproof, but a damn sight easier to deal with.

  34. lostinspace

    the title

    This is what pisses me off: why do we need all these separate passwords for 00s of sites?? OpenID for all the low value stuff and then a small number of secure passwords for the things that matter, along with 2-factor auth, like texting a code to your phone or something.

    Sure, with yahoo, google (and facebook?) providing them 35 billion people now have OpenID accounts, but find me ONE site where I can use it? Even the tech sites (like El Reg) don't support it...

    I'm surprised the figure is so low, I'd have thought password reuse for similar "low value" sites would be near 100%...

    1. metallithrax

      Here's one

      www.neowin.net - uses openid

      As for passwords, I use a few different ones based on whether the site is just a forum type, or one that I spend money at.

  35. Dick Emery
    Stop

    You only need ONE password

    You only need ONE password and it does not need to be stored. At least for website use that is.

    Passwordmaker (A Firefox plugin I use) generates a unique password for each website based upon one password plus the URL to make a unique password. All you need do is type in that one password for each site you visit and it fills out the field for you with the REAL password for that site. You don't even have to know what the password is. Just the one password you always use for every site. It is not stored anywhere except in your head.

    The only way the attacker can get your passwords is to know your single password so you need to make sure this is not used anyplace else or written down or keylogged.
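    The derivation scheme described in the post above (one remembered secret, a different password for every site, nothing stored), written out as an added example that is not Passwordmaker's own code or the commenter's. It assumes PBKDF2-HMAC-SHA256 as the derivation function, a hypothetical character set, and a rotation counter so one site's password can be changed without touching the master secret; the URL-to-hostname normalisation is an assumption too, included because the same site reached through different URLs must derive the same password.

```python
import hashlib
import string
from urllib.parse import urlparse

# Character set the derived password is drawn from (an assumption for this
# example; the real tool lets the user configure it).
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def site_label(url: str) -> str:
    """Reduce a URL or bare host to a stable lower-case hostname.

    Every page of a site must map to the same label, otherwise the
    user gets a different password for /login and /account.
    """
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def derive_site_password(master: str, site: str,
                         counter: int = 1, length: int = 16) -> str:
    """Deterministically derive a per-site password from one master secret.

    Nothing is stored: the same (master, site, counter) always yields the
    same password, while a different site or counter yields an unrelated
    one. The counter exists so a single site's password can be rotated
    without changing the master secret.
    """
    # The salt binds the derivation to the site and the rotation counter.
    salt = f"{site_label(site)}|{counter}".encode()
    # A slow KDF raises the cost of recovering the master secret offline
    # should one derived password leak from a breached site.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              100_000, dklen=length * 4)
    # Map each 4-byte chunk onto the charset; 32-bit chunks make the
    # modulo bias negligible for a charset of this size.
    chars = []
    for i in range(length):
        chunk = int.from_bytes(key[4 * i:4 * i + 4], "big")
        chars.append(CHARSET[chunk % len(CHARSET)])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    master = "one secret I never type anywhere else"
    for url in ("https://www.example.com/login",
                "www.example.com",
                "https://example.org/"):
        print(f"{url:35} -> {derive_site_password(master, url)}")
```

The property that matters for the reuse problem discussed in the article is that a password leaked from one site gives an attacker no more than a PBKDF2 output: the other sites' passwords cannot be read off it. The weakness the post names is still there, however: the single master secret is the whole scheme, so it must be kept out of keyloggers and off paper, and a site that forces a password change needs the counter bumped and remembered.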

  36. Anonymous Coward
    Anonymous Coward

    The problem with random password generators...

    Since random password generators result in passwords that most people can not remember this results in problems:

    If the program being used stores passwords locally:

    1. Can't access sites from another computer, since your passwords are not on the other computer if you can't remember your "random" password.

    2. If you have a computer crash, and do not have a backup of your passwords, you are screwed.

    If the program stores passwords remotely, then great, you are giving joe blow all of your passwords in one place, so if they are ever compromised, you are screwed.

    If you have a large number of sites that you go to, having separate passwords for each one can end up resulting in a lot of confusion and other issues.

    Where I work, clients have on average AT LEAST 3 different passwords for different areas, and yes a lot of them duplicate their passwords.

    However, I cannot tell you how often we are having to reset passwords due to someone forgetting their password/getting confused and then getting blocked due to having a large number of invalid login attempts.

  37. Anonymous Coward
    Anonymous Coward

    Complexity creates insecurity

    Good article, found only one mistake; HBGary did not establish rootkit.com. As a non-profit community site kept by a private person, it has existed since 1999, at least Whois records show this. Guess the article connects two separate sites due to a loose affiliation via one employee who also founded HBGary.

    Password complexity is a tricky one; our policies to create complex passwords in multiple places sort of force people into certain traits; like using existing words together to reach the length, then probably adding a number at the end and a special character in the middle - after all, passwords should be impossible to remember and never written down. This then leads into generating potential passwords to look for - you don't need the whole keyspace.

    Interesting from the development side too - did they develop their software themselves or was it a ready-made package? What kind of security mechanisms were in place otherwise? This brings an interesting angle on the corporate view of requirements for either outsourced development or packages bought.

  38. Anonymous Coward
    Joke

    Passwords

    *** * **** **** ********** * ****** *******123456 **** * ******** ****** * * **** qwerty ****

  39. EvilGav 1

    Bad Statistics

    The amount of data available for this statistical study is too small; you would have needed to get almost all of those passwords for people on both sites to have a statistically significant amount of data.

    Pointless and a waste of editorial space.

Biting the hand that feeds IT © 1998–2019