Opinion: Why password reuse is a perilous practice

Roger A Grimes looks at how careless password protocol can help hackers

Interesting real-world data pertaining to password security has emerged recently, once again shedding light on the importance of having strong password policies in place at your organization. That doesn't stop at, for example, requiring a minimum password length; it also means reminding end-users to be careful about both surrendering and reusing passwords too readily.

The first set of data came from Amit Klein, CTO of Trusteer. He wrote about a study that found about 50 percent of phishing victims give up their password credentials within the first 60 minutes of a phishing attack's launch, and 80 percent of stolen credentials are taken within the campaign's first five hours. Given the way most of us hover around our email clients and smartphones, this doesn't seem all that far off. I mean, if you're going to be fooled, why would you wait a few days before responding to that emergency message "trying to protect you"?

If Trusteer's study holds true for most phishing attacks, it has interesting implications. For one, it probably takes most security vendors from a few hours to a day to help protect their customers against the latest attacks. Even if they block the phishing attack within an hour, half the potential damage is done. This is not to say that defense vendors shouldn't implement the quickest defense they can muster, as protecting half the victims is a very laudable goal. Another theory: The data simply reflects that vendors are proactively protecting their customers after the first hour. Although I'm not overly convinced of the latter theory, I'll placate myself with it.

The plague of password reuse

Another interesting data point comes from researchers in the Security Group at the University of Cambridge Computer Laboratory, concerning two websites that were recently hacked and had their password hashes stolen. The two sites appeared to have a lot of overlapping customers (based on email addresses). Of the passwords that were cracked, 76 percent of customers used the same password at both sites. The finding isn't surprising, but this is the first time I've seen data supporting the conclusion that people, against all advice, like to reuse passwords between sites.

I learned this lesson early on in the pre-Internet days of dial-up when I was a co-sysop for a popular BBS. One day the BBS wouldn't take my password. I had to call the other co-sysop, and he changed my password to a temporary one so that I could log on. I remember him saying as he viewed my current password (the one that did not work), "Hey, why is your password 'urfucxed'?" (Note: It didn't contain an "x.") I realized then that someone was sending me a message: I had apparently pissed off some other BBS sysop, and he or she had logged on to my site using the password I had reused across hundreds of sites.

Many people choose the same password they use at work for personal websites. In these times, not a single day passes without some major password hacking incident becoming public. At the time of this writing, the outbreak of the day involves eHarmony. Combine end-users' propensity to reuse passwords with the aforementioned success of phishing attacks, and the security ramifications become clear. No one should reuse passwords across any security domain or website; when the weakest and most poorly protected location is compromised, they all are "fucxed." Malicious hackers routinely try passwords they capture on unimportant sites against Web vendors that are likely to store credit cards, such as Amazon, iTunes, and so on.

Store your passwords safely

Today, I make sure I never reuse the same password on any site or among any two security domains, although I include a common root word in all of them, to make life easier. Say my root word is "frog" (it isn't). For Amazon, my password may be "Amazonfrog220." For iTunes it may be "iT220Frog," and so on. When I store my passwords, I write "Amazonf220" and "iT220F"; that way, I won't have any of my passwords written down in plaintext for easy stealing if a password storing method (or smartphone) gets compromised. Sure, the attacker could guess at my root word, except that my root word is really a complex passphrase that would be more difficult to break than most people's passwords alone.

One of my very smart work colleagues, Laura A. Robinson, makes my method seem Cro-Magnon. She uses Bruce Schneier's free Password Safe tool. Using very strong Twofish encryption, it not only very securely stores passwords, it also allows her to double-click on a stored password and paste it into a password-requesting form. It generates long, complex, and unique passwords, as well. Laura said it surprises most people that she doesn't even know what most of her passwords are. Sure, there are a few places she still has to manually type in passwords, such as on the Xbox and the TiVo, but most of the password work is done very securely. Laura uses Microsoft's Live Sync to sync her Password Safe database (itself very securely protected using a long and complex password) across all her computers and in the cloud.

However you accomplish it, make sure you don't share passwords across security domains or among websites. Make sure your company's password policy says the same and that end-users are educated about the dangers. Otherwise they're just passwords blowing in the wind.

- Grimes is contributing editor at the InfoWorld test centre
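One way to check the advice above against your own password store, as an added example that is not part of the original column: the script groups entries that share a password and ranks reuse that spans security domains (for instance work and personal) first. The vault layout, the site names and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample vault export: (security_domain, site, password).
SAMPLE_VAULT = [
    ("personal", "shop.example", "Tr1cycle-harbor-91"),
    ("personal", "music.example", "quiet-Lantern-447"),
    ("work", "vpn.corp.example", "Tr1cycle-harbor-91"),
    ("personal", "forum.example", "quiet-Lantern-447"),
    ("work", "mail.corp.example", "b7#Vd-unique-one"),
]

def find_reuse(entries, key=None):
    """Return reuse findings without keeping plaintext in the grouping step.

    Each finding is {"sites": [...], "domains": [...], "crosses_domains": bool};
    findings that span more than one security domain are listed first.
    """
    # Per-run random key: the HMAC tags cannot be matched against any
    # precomputed table and are meaningless once the process exits.
    key = key or secrets.token_bytes(32)
    groups = defaultdict(list)
    for domain, site, password in entries:
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[tag].append((domain, site))

    findings = []
    for members in groups.values():
        if len(members) < 2:
            continue  # password is unique in this vault
        domains = sorted({d for d, _ in members})
        findings.append({
            "sites": sorted(s for _, s in members),
            "domains": domains,
            "crosses_domains": len(domains) > 1,
        })
    findings.sort(key=lambda f: (not f["crosses_domains"], f["sites"]))
    return findings

if __name__ == "__main__":
    for f in find_reuse(SAMPLE_VAULT):
        level = "HIGH" if f["crosses_domains"] else "MEDIUM"
        print(f"{level}: same password on {', '.join(f['sites'])}")
```

The report names sites only, never the passwords, so it can be shared with whoever has to rotate the credentials.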
