back to article Microsoft: You NEED bad passwords and should re-use them a lot

Microsoft has rammed a research rod into the security spokes of the internet by advocating for password reuse in a paper that thoroughly derails the credentials best practise wagon. Password reuse has become a pariah in internet security circles in recent years following a barrage of breaches that prompted pleas from hacked …

  1. Anonymous Coward
    Anonymous Coward

    The researchers are idiots. Even a minimally important account can be used if pwned for -say- posting kiddieporn links or terrorist comms; and that account would be tied to at least your IP address. You'd have a real job in court trying to explain that it wasn't you.

    Plus if it's your account, then there's probably some real data in there that can be used to help with identity theft. And that's just two obvious misuses...there are some real evil bastards out there.

    There's no perfect answer; but an offline, encrypted piece of software to remember PROPER AND UNIQUE passwords for you isn't half bad.

    "pushing users to light up even a small amount of grey matter "would be wasteful"."

    The same would appear to apply to researchers.

    1. This post has been deleted by its author

    2. Paul Crawford Silver badge

      Unless your PC is also compromised, then said kiddy-porn or terrorist postings would be traced back to other IP addresses where it was logged in under control of the hackers.

      The bottom line is people are shit at security, and some things (like regular password resets[1]) don't help at all. What MS recognise is that not all accounts are equal, and the consequences need to be weighed up against the effort of remembering passwords.

      [1] Assume that you are forced to change password one per year, as my work proposes. If your password has been randomly compromised then the mean time to exploit it is 6 months. Just how long does a hacker need to have it to install a trojan and/or create another account for mischief?

      So why bother unless there has just been a major breach and they KNOW that everything has to be reset?

    3. Voland's right hand Silver badge

      Even a "harmless" site is still a potential attack vector

      Forget the k1dd13 p0rn. It can be used to spearfish you back or spearfish one of your contacts. Go and explain that it is not you to the hapless victim after that.

      Unfortunately, the only known solution to the password problem equates to a full loss of internet anonymity and privacy. Namely, you can drop the passwords altogether if you use client certificates (and tie the important ones to a physical key storage). So for the time being we still use passwords - they are like democracy (as per Benjamin Franklin quote): they are bad, but we are yet to figure out anything better.

      1. James O'Shea

        Re: Even a "harmless" site is still a potential attack vector

        "Forget the k1dd13 p0rn. It can be used to spearfish you back or spearfish one of your contacts. Go and explain that it is not you to the hapless victim after that."

        Err... no. Let's take the example of what I do on el Reg. I use a certain throwaway email account (from gmail) and a nice simple password. i use the same throwaway account and password on other sites. Exactly the same. Should someone get into el Reg's (or one of the other sites') logon database, they will find... an account which is useless for them, as everyone I know _knows_ that I use that account as a throwaway (I used it on USENET, for God's sake) and will ignore anything sent using it. If I see anything heading my way which uses that account I would be very, very, VERY suspicious of it unless I _KNEW_ that it's legit. And even then I'd check it out.

        And, oh, should there be a site which requires me to 'register' using identifiable data, such as address, and I don't think that they need that data, they get fake data. Spearphishing doesn't work very well when they have the wrong info.

        Now, if the contact is linked to a credit card, or is otherwise of value, I use a real password. If the contact is of no value, I use a simple, easy to remember password. The worst that can happen with my setup on el Reg is that someone can post stuff in my name.

        1. Evil Auditor Silver badge

          "...someone can post stuff in my name."

          "The worst that can happen with my setup on el Reg is that someone can post stuff in my name."

          Oh well, that happens to me All The Time! All of my silly, offensive or just in general rubbish comments (like this very one) were written by an unknown idiot on the 'net who posts stuff in my name, using my fake e-mail address and simple password.

          1. el_oscuro

            Re: "...someone can post stuff in my name."

            So your email is username@example.com and your password is "password"? No wonder I get so many down votes.

        2. rm -rf *.*

          +1

          I do the same, except I use a free account from one of those "disposable" email address providers.

          I change the password used on the comment site ocassionally, but not much else.

      2. James Micallef Silver badge
        Mushroom

        Re: Even a "harmless" site is still a potential attack vector

        It would help if every single friggin' website didn't want you to create an account with password for no reason at all except to nab your details and spam you with rubbish. For example e-shopping site - it's conceivable that I might buy 1 item from a site and never return. They only need shipping address, email, credit card for the one transaction, after which they don't need to keep any of this data. BUT they insist on capturing and storing all this data, pretending it's for my convenience just in case I ever buy anything from there again, when in reality it's for their convenience to grow their sales, send out spam, have a digital willy-measuring contest about 'number of registered users' etc

      3. Dodgy Geezer Silver badge

        Re: Even a "harmless" site is still a potential attack vector

        ...they are like democracy (as per Benjamin Franklin quote): they are bad, but we are yet to figure out anything better....

        I don't think Franklin ever said anything like that, though the evils of democracy were frequently discussed by his contemporaries. He commented that democracy was like two wolves and a lamb voting on what they should have for lunch.

        The quote nearest in meaning to your comment is probably Churchill's "...democ­racy is the worst form of Gov­ern­ment except for all those other forms that have been tried from time to time.…" (House of Commons speech, Nov 1947)

    4. DF118

      Hey, idiot!

      Beginning your post by labelling a self-evidently non-idiotic group of people idiots is the best way to indicate that it's probably not worth reading. Thanks for saving us all that wasted effort.

    5. E_Nigma

      I Disagree

      What is "an offline piece of software"? If it's on an on-line device, it's not really off-line in the security sense, even if it's not designed to access the web itself. Every on-line device is exposed and on such a device, encrypted, schmencrypted. The password text has to be decrypted to be used and at that point it's up for grabs. Also, you are creating a single point of failure, if that piece of software you've got gets beaten, all of your on-line identities and data are exposed. Lastly, I consider someone using hacked Reg accounts to disseminate illegal content unlikely, plus even ordinary message board admins do a pretty good job of spotting when a known user is logging in from a weird IP address.

      1. Anonymous Coward
        Anonymous Coward

        Re: I Disagree

        What is "an offline piece of software"? If it's on an on-line device, it's not really off-line in the security sense, even if it's not designed to access the web itself.

        OK, a piece of software that doesn't itself access the internet then, even if the host machine is connected. I did say it wasn't perfect; but it's the best solution I can think of. 100% better than using the same easy password for multiple accounts anyway.

      2. omnicent
        Coat

        Re: I Disagree

        What is "an offline piece of software"?

        Printed out source-code?

    6. Anonymous Coward
      Anonymous Coward

      you seemed

      to be unusually concerned about child porn...

    7. Evil Auditor Silver badge
      Stop

      @moiety

      It actually is rather sensible advice by those security researchers. I think you should reconsider who the idiot is.

    8. J.G.Harston Silver badge

      "There's no perfect answer; but an offline, encrypted piece of software to remember PROPER AND UNIQUE passwords for you isn't half bad."

      And how do you get access to that piece of software if you're not using your own controllable PC? I get dragged into the Work Programme once a week, and it takes me several attempts to log into various jobsearch sites because my PC at home remembers my password for them, not me. I've spent the weekend walking across the North York Moors and popped into a library to check my email. How would that library be able to store my password for me?

      1. ma1010
        Windows

        I use Keepass which has a 'droid version as well as PC. I think they have a Linux version, too.

        I have it on my home and work PCs and my phone. And another copy on a USB stick that I can use with any PC that will let me run a program from a USB stick. Always have my web sites/passwords with me (80+), and they all have distinct, hard-to-crack passwords. The only one I need to remember is the master one. I've had lots of attempts made to break into my accounts, but none have succeeded.

    9. Flocke Kroes Silver badge

      @moiety: Try downloading the data sheet for a chip

      Some manufacturers require that you create an account before you can download a data sheet. They really need your false name, fictitious address, name of your first pet and the premium rate phone number of your favourite charity. I keep a list of these things handy in case someone else has not already created an account for 'username@example.com' with password 'password'.

      There are times when a simple common password is the best choice.

      1. Peter Galbavy

        Re: @moiety: Try downloading the data sheet for a chip

        I find michael@mouse.com with the password of "donald" or sometimes "youpeoplearemorons" is also useful...

        1. Anonymous Coward
          Anonymous Coward

          Re: @moiety: Try downloading the data sheet for a chip

          Wow. That's the most unpopular thing I've ever said on this forum. All the downvotes in the world aren't going to convince me that re-using passwords is a good idea though.

          @ J.G.Harston - Does your library access allow for using USB sticks? If yes, then something like this might do it for you:

          http://portableapps.com/apps/utilities/keepass_portable

          1. nobody really
            Pint

            Re: @moiety: Try downloading the data sheet for a chip

            [quote]

            Does your library access allow for using USB sticks? If yes, then something like this might do it for you:

            http://portableapps.com/apps/utilities/keepass_portable

            [/quote]

            I for one can say I've never lost a USB stick*. Even if I did, it wouldn't be a problem changing every single password ever just in case it fell into the wrong hands. Nor would it piss me off to find it again 2 days later. Sign me up :)

            *I couldn't back that up**

            **The comment, not the USB stick.

        2. Robert Baker

          Re: @moiety: Try downloading the data sheet for a chip

          When demanded an email address on what I regard as a don't-need-to-know basis, I usually use "none@forget.it". The clueless website's own abuse address is another good one.

          1. DropBear

            Re: @moiety: Try downloading the data sheet for a chip

            When demanded an email address on what I regard as a don't-need-to-know basis, I usually use "none@forget.it"

            Not sure how well that works out for you - in my experience nigh-on every website demanding an email address also checks it by sending a confirmation string there, so rubbish addresses get you precisely nowhere. Thankfully, there are plenty of disposable, short-lifetime mail address suppliers...

        3. Alan Brown Silver badge

          Re: @moiety: Try downloading the data sheet for a chip

          The owner of monkeys.com got royally pissed off a long time ago with people using twelve@ and turned it into a spamtrap.

          Using fake details has been around forever. It's one of the reasons that confirmation messages get sent these days.

      2. Robert Helpmann??

        Re: @moiety: Try downloading the data sheet for a chip

        I have started advising those foolish enough to ask me that they should routinely lie when filling out those questions used to validate your identity, especially when the sites involved are high value (e.g. banking, medical, et cetera). It makes it less valuable to harvest information from social media and other online sources. Obviously, this does not eliminate the risk of identity theft, but it helps secure individual sites.

        As far as passwords are concerned, I find that a pattern-based system works fairly well. You need only remember the pattern used and a starting point for a given site. For example, if my base pattern was 1qaz@WSX and I wanted to apply it to El Reg's site, I would start at the letter T (for www.Theregister.co.uk/) and transpose: tgb5YHN^.

      3. el_oscuro
        Pint

        Re: @moiety: Try downloading the data sheet for a chip

        I never thought of that. username@example.com. I am not sure "password" would work, but most crappy sites would probably accept "Password1".

    10. RobHib
      FAIL

      @ moiety - For Heaven's sake (some of us are actually human)!

      Some of us are actually human--not automatons capable of instantly recalling every 25-digit Microsoft product code for every PC we own!

      I'm reasonably security concious and even I take shortcuts. I have a small cadre of a half dozen or so helper passwords that I use on 'disposable' sites which I can actually remember. Mind you, these passwords aren't real words but rather are alphanumeric strings of no less than eight characters. If I forget a site's password then I only have to cycle through a half dozen or so well-remembered strings.

      For important stuff I use much longer passwords which I have also committed to memory. And for truly critical stuff I use even longer passwords where the first dozen or so characters are recalled from my memory and the remainder of the string loaded from a source that's external from the PC (the full password doesn't exist anywhere--either written down or in my head).

      What the Microsoft researchers are saying makes very considerable sense.

      Isn't that bloody obvious!?

      1. Alan Brown Silver badge

        Re: @ moiety - For Heaven's sake (some of us are actually human)!

        "For important stuff I use much longer passwords which I have also committed to memory."

        Passphrases with suitable entropy are much easier to remember. 6 words is the sweet spot at the moment.

        What amazes me is the number of sites which insist on 8 characters maximum, given that md5 127 character has been around for over 20 years.

  2. Number6

    Password Entropy

    This is where the xkcd comic needs an airing.

    1. AbortRetryFail
      Thumb Up

      Obligatory XKCD (was: Password Entropy)

      Ah, you beat me to it. :D

    2. Michael H.F. Wilkinson
      Joke

      Re: Password Entropy

      The problem is so many people now use "correct horse battery staple" as their password that it is the first thing tried after "password"

      1. h4rm0ny

        Re: Password Entropy

        Your joke icon is inappropriate though you may not realize this! I've done checks on databases of some large services and found a significant number of hashes matching "correct horse battery staple". There are idiots who either don't get the comic at all, or find it hilarious to amuse themselves by setting this as their personal password.

        Sad but true.

      2. Bronek Kozicki
        Boffin

        Re: Password Entropy

        There are two problems with this 1. plenty of password fields have an unreasonably short limit on a number of characters in a password, thus preventing use of a reasonably long passphrase 2. it is arguable whether a passphrase (build from dictionary words) actually has large entropy, since it can be brute cracked simply in (dictionary size * variations)^(small N) tries, rather than characters^(large N)

        1. Anonymous Coward
          Anonymous Coward

          Re: 2

          You might want to actually check some of those numbers. 2^28~=2E8, 2^44~=1E13. Size of a reasonable adult English vocabulary: 5E4. 5E4^4~=6E18. You're better off brute forcing the individual characters of those words than trying to use a dictionary based attack. You would actually need a dictionary of less than 2048 words to make it faster to check than the 2^44 brute force search or 128 words for the 2^28 password. And that still involves knowing that there are 4 words to search through.

          Essentially, the ratio of potential dictionary size to character set size is much greater than the inverse ratio for their corresponding exponents.

          1. Bronek Kozicki
            Thumb Up

            Re: 2

            Hah, the math makes sense, so my "arguable" turns into "definitely wrong". Thanks for proving it!

  3. Liam2

    Or you could just use a password manager and use a unique, randomly-generated, high-entropy password for every site, but only have to remember one.

    1. DF118

      Or save yourself the effort and make the username/registered email address the thing you change from site to site.

    2. Steve Davies 3 Silver badge

      Password Managers?

      Wasn't there a post the other day stating that they were also insecure and open to hacking?

      They are IMHO, a single point of failure.

      1. Anonymous Coward
        Anonymous Coward

        Re: Password Managers?

        Or a notepad and a pen, which most of my elderly customers use, which is a single point of failure but is not insecure or open to hacking.

        1. AndrueC Silver badge
          Meh

          Re: Password Managers?

          Or a notepad and a pen

          In some cases you can improve security by only writing down a pattern. In my previous job where the passwords changed every 90 days I used incrementing numbers and for each account wrote down the number.

          So my main login would be written down as 'MLI:57'. Even if you found the piece of paper it wasn't going to help you much.

      2. AbortRetryFail

        Re: Password Managers?

        If your only keep your password manager locally, and your local machine is compromised to the point where your password manager has been hacked, then I would submit that you have far bigger fish to fry.

      3. Bronek Kozicki

        Re: Password Managers?

        Wasn't there a post the other day stating that they were also insecure and open to hacking?

        They are IMHO, a single point of failure.

        Yes, there was. Useful research but in case of LastPass , it's a FUD. The problems discovered have been fixed last year.

        Although of course, it is risky to put all eggs in one basket, and I'd love to have something better to replace all these passwords. For now though, password manager used in a correct manner seems to be the best solution.

        1. Sir Runcible Spoon

          Re: Password Managers?

          I have several 'awkward' passwords that I use in different combinations, plus numbers that I can use for a variety of security levels.

          For example, If I were to use the base word of, say Klingon (as a memory aide) the password 'root' might be something like

          K11Garn!

          Another might be Enterprise, and be something like 3nt3Rprize=

          Start adding numbers to those and the passwords you write down (for reference) are:

          77 + Alien

          Ship + 73

          Alien + 99 Ship + 03

          As long as I remember the root passwords I can create lots of combinations and keep them written down with very little risk of anyone 'guessing' the root.

          1. Naughtyhorse

            Re: Password Managers?

            DOH

            i got haxed by a trekkie

            1. Sir Runcible Spoon
              Happy

              Re: Password Managers?

              "i got haxed by a trekkie"

              Not really, I used those keys because I was trying to think of something that I would never use :)

    3. Tom 13

      just use a password manager

      There is no one size fits all solution, which is part of the problem with the current security regime mindset.

      Yes, I use a password manager for a number of sites. It sits on my home PC and I use it to generate keys for sites. Mostly I use it for stuff that I care about with high entropy long passwords (assuming the sites permit). But they are all sites that I plan to access only from home on that one computer. For other sites I have easily remembered (for me) passwords. But then I have to generate passwords on a regular basis for creating or changing user accounts. I do simple things like pick song lyrics, l3Et two short words, smack them together between a date and add some additional characters on the front, end, or both. Other times I look at article headlines I am reading. For example, from this article I might generate: )20nE3d14$h0ulD07(

  4. Paul Hovnanian Silver badge

    Unique Passwords

    I recall one lady using this as an explaination for why she had 18 cats.

    Of course, if you just name them Fluffy1, Fluffy2, .....

    1. Steve Davies 3 Silver badge

      Re: Unique Passwords

      Fluffy1 etc will fail the checks in many systems simply because they won't allow the repetition of characters.

      the 'ff' is a failure, pure and simple.

      That in itself is IMHO, a weakness those password systems. If an attacker knows that then then number of options for possible passwords is greatly reduced. I'd probably allow two characters but no more.

      1. Neil Barnes Silver badge

        Re: Unique Passwords

        I just had to change my eBay password.

        Which required me to get a token from my disposable email.

        Which required me to change that email password.

        Which sent the 'click here' to a different email.

        And having got back through the tracks to eBay, it refused to allow my new password on the grounds that certain non-alpha characters, with which it had been perfectly happy before, were no longer allowed...

        I don't understand why password systems *insist* on capitals, numbers, non-alphas, etc instead of just *allowing* them - it reduces the possibilities, I think (ok, has to be eight characters, has to have a number, haven't had a number yet...) though perhaps not as severely as not allowing particular characters in the password. One credential checker refused to accept my place of birth - required - because two of the characters in it are adjacent on the keyboard. Ridiculous.

        Or is there something subtle with input sanitisation that I don't understand, and it's the little Bobby Tables problem all over again?

        1. plrndl

          Re: Unique Passwords

          @Neil Barnes

          Be grateful you weren't born in Scunthorpe!

          1. Naughtyhorse
            Coat

            Re: Unique Passwords

            on sooooo many levels

        2. VinceH

          Re: Unique Passwords

          "And having got back through the tracks to eBay, it refused to allow my new password on the grounds that certain non-alpha characters, with which it had been perfectly happy before, were no longer allowed..."

          But did their system tell you that beforehand and/or behave consistently? I had fun with Ryanair's website on this subject back in January.

          1. Neil Barnes Silver badge

            Re: Unique Passwords

            Vince, from memory, I don't *think* it told me beforehand, though when it rejected the password there was an explanation at the top of the screen (miles from the password entry field) which *may* have been there and simply not noticed the first time.

        3. Chika

          Re: Unique Passwords

          Simples!

          Some people who design such password rules and systems consider only where a person tries to break in. Rules such as different cases, the use of non-alphanumeric characters, the possibility of common entities being used such as names, dates of birth, applications and so forth are enforced because they could be guessed by a person, especially with a bit of investigation.

          The problem with that tends to be those people who use something else rather than the power of guesswork and investigation. Increasing the length and complexity can work there but for how long?

        4. AndrueC Silver badge
          Joke

          Re: Unique Passwords

          I don't understand why password systems *insist* on capitals, numbers, non-alphas, etc instead of just *allowing* them

          Dilbert covered this a while back.

          1. Neil Barnes Silver badge
            Coat

            Re: Unique Passwords

            Six or more characters and numbers?

            "Henry the fifth part 1" ?

            "Three Charlies in search of an author" lacks the requisite number of characters, of course.

            The one with 'Time Out' in the pocket, thanks.

            1. Sir Runcible Spoon
              Coat

              Re: Unique Passwords

              How about

              Four Weddings and a Funeral

              Seven should be ok

        5. William Towle

          Re: Unique Passwords

          > I don't understand why password systems *insist* on capitals, numbers, non-alphas, etc instead of just *allowing* them - it reduces the possibilities, I think

          While announcing a policy decision such as this *does* inform an attacker they don't need to start with a simple dictionary attack, it has benefits with regard to intrusion detection: a) where an intruder has not seen an announcement of the policy, they will make themselves more obvious by repeatedly trying more and more invalid patterns; and b) where an attacker does know the policy the time taken to compromise all accounts remains significantly large because the proportion of the search space removed through denial of some passwords is relatively small.

          Remember that the system should be storing a hashed and salted version of the password which means that a) finding another string with the right hash is hard, and b) that precomputed lists of hashed passwords are useless. This gives the assurance that the uneven distribution of password strings can lead to uneven distribution of digests post-hashing without this having a negative impact on overall security (AFAICT ... I was hoping this might be expanded on in the article)

        6. Tom 13

          Re: why password systems *insist* on capitals,...

          That part is easy. If you don't, a very large number of people revert to the easiest thing to do, which will get you things like fluffypassword instead of even Fluffypa$sw0rd. And if you know most of the target is all lowercase letters, you've reduced the needed brute force to crack it. It's sort of like a couple years ago when they did a rationality check on security questions for password resets. They realized that while in theory the universe of possibilities is large, when you start looking at actual data you quickly realize that seven colors covers 75% of the answers and Mrs. Smith gets you 23% of all favorite high school teachers.

          The problem is, everybody tweaks their required rules differently, AND requires 8/12/16/20 characters AND requires you to change them every 30/60/90 days. For an extreme case I'll pick on my roomie. For work he has to maintain 15+ passwords, none of which can be the same (and the systems are integrated enough to check) which change as often as every 30 days, plus combinations for 5 safes and even the combinations on the safes change every 6 months. A couple years ago every week he was coming into work and getting a message that there had been a confirmed security breach and ALL of the passwords had to be updated. That simply doesn't work for maintaining the security of the environment. So this paper is actually a breath of sanity in a really screwed up mirco-universe.

        7. Alan Brown Silver badge

          Re: Unique Passwords

          "I don't understand why password systems *insist* on capitals, numbers, non-alphas, etc instead of just *allowing* them "

          If you have password quality checks enabled on a unix system, then they are allowed - but the password must be longer.

          If you use [a-z][A-Z][0-9]{symbols} then it will let you use 8 characters (default settings)

          [a-z] only requires 16 characters (again, the default)

          None of this matters if your "password" is something like "tennis;fraud:scandal;muscle:head;echidna" - a real one I was using last year.

      2. Number6

        Re: Unique Passwords

        That was one of the holes in an Enigma cipher; a letter could never map to itself. Declaring that the character following a character cannot be a repeat of that character is probably also a weakness.

  5. Pete 2 Silver badge

    Disposable passwords for disposable accounts

    > The trio argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites

    I've been doing this for years something over 30 years, if you take bulletin boards into account as well as internet accounts.

    Take a normal website or forum. Maybe one that you post the occasional message, plea for help or stooopid comment about the current government. It requires a password in order to register. It contains none of your personal information since nobody ever uses their real names, gives a birth date of 01-01-66 (or whatever else is easiest to type) and Afghanistan (it's the first one on the list) as their "home" country. So on that basis, there's nothing there to compromise and nothing there that you value. Plus, if you have been using the internet for any length of time, you will have used a disposable email address to receive the one, single confirmation message that the site sends you.

    So for the everyday websites, where registration is merely a chore, using the same password is both sensible and convenient.

    It also separates those sites from the high-value, important accounts like El Reg your bank, PayPal or Amazon account. Here, where accurate information is necessary (you don't want all your Amazon purchases to end up in Afghanistan), it makes sense to use a more rigorous password regime. It also makes sense to use completely different email addresses, so that SPAM sent to your "ordinary" accounts can't be mistaken for administrative emails from someone who holds your real persona data,

    So yes, stick with one password for the mundane stuff. Use it everywhere for decades. Even if it gets stolen, it won't unlock anything you value - provided you use different passwords and email accounts for them.

    But also, have multiple email addresses. Preferably your own domain. Just as you separate high-value passwords from zero-values ones, do the same with emails and keep all the ones you don't care about on Spamgourmet or another disposable service. Not only does it make changing ISP so much easier if all your contacts aren't bound to their email system, but it also means there's no chance of "cross-polluting" your friends contacts with SPAM from a zero-value website that has sold your email address to a hacker.

    1. Anonymous Coward
      Anonymous Coward

      Re: Disposable passwords for disposable accounts

      Same here. I often have to sign up to get datasheets or software for things.

      I use one of my set of 3 crap passwords for it and forget about it. If I need to login again I know it's one of the crap passwords.

    2. Dan 55 Silver badge
      Trollface

      Re: Disposable passwords for disposable accounts

      No wonder governments the world over want to control the Internet, what with so many extremist forum posters from Afghanistan.

    3. roselan

      Re: Disposable passwords for disposable accounts

      The main issue is when a website switches category, and you forget to upgrade the password.

      Here is the politic I use my for passwords: Steal them from friends and co-workers. They are smarter than me, so their passwords must be excellent. It would a waste not to reuse them! (and they are surprisingly easy to remember!)

    4. Anonymous Coward
      Anonymous Coward

      Re: Disposable passwords for disposable accounts

      I'm 100% with you except for the "preferable your own domain" part. Not everyone knows how to set it up or manage it.

      What I have been using for years in non important accounts is using mail accounts of those offered by mailinator. You seldom if ever need to access that inbox after the registration confirmation message, and worst that can happen is that someone impersonates you on some hobby or light interest forum.

      For the ones that have to do with money, I use extra long xkcd-style passwords close to impossible to guess.

    5. Psymon

      Re: Disposable passwords for disposable accounts

      I heartily agree.

      After 20 years of surfing the web, for someone to suggest I use a different password for every single forum or website that demands registration is ludicrous.

      For someone to even expect me to remember what websites I've ALREADY REGISTERED with, is just as daft. After 20 years of surfing the net both personally and within my profession, I can no longer count the number of times I have gone to register on some poxy little website to download a driver, or access some page, only to be told "this email address has already been used".

      I sit there for a moment, like Gandalf in the caves of Moria, thinking "I have no memory of this place", before trying the default password I always use, and being greeted with "Welcome back, Wibble Wobble!"

      I always used to register with dummy names and my old student address, and prior to sites requiring validation of the email address, I always used "f*ckoff@nospam.com" (please excuse my French). These days, I use an old Hotmail address.

      Quite frankly, there are a huge number of sites out there demanding too much information. This is going to come back to bite them on the arse, as they are legally required to protect it, and if they do get hacked, the punitive measures could sink more vulnerable SMBs (who coincidentally are the ones without the resources to focus on security). But I digress...

      In reality, you only really need a 2 tier password system, and re-use should be fine in both. Here's why: The upper tier sites with valuable information such as email, paypal, banking, facebook et al, are extremely strong on their security these days. They have to be for both practical and legal reasons. They are constantly under attack. Microsoft are at the very forefront of security within the industry, so they know what they're talking about. If you want to jeer at this statement, you'll first need to find a time machine and go back 12 years to when your attitude was valid.

      Any bank worth its salt uses a 2-tier password system, anyway, so obtaining the initial password won't help.

      In the (highly) unlikely event that one of these is compromised, They are also legally obligated to raise the alarm immediately. Ebay is a case in point, and that wasn't even the paypal account.

      1. Roland6 Silver badge

        Re: Disposable passwords for disposable accounts

        >In reality, you only really need a 2 tier password system, and re-use should be fine in both.

        I think you will find that a 4 tier approach pretty much covers it:

        Tier 1: Sites that require "registration"/sales contact details to enable you to get at stuff. These as other have noted should be treated to your junk details.

        Tier 2: The majority of the internet, where money isn't involved and it's only the reputation of "wibble wobble" at stake, although you may be exposing some 'personal' information eg. an active email address and your geo location. I suspect that these are the sites that the MS report is mainly referring to.

        Tier 3: Work, Shopping (eg. ebay, Amazon) and other sites where either monies or services that directly impact your lifestyle (eg. utilitiy companies) are involved. Hence these sites will contain real and live details about you. These sites really need individual passwords that get changed periodically, however even here a level of themed reuse/overlap isn't totally out of order. These are the important sites that the MS report refers to.

        Tier 4: Critical sites: Bank, HMRC, Credit reference/identity protection service.

        These sites should only need your email address to send you 'reminders', but do tend to have demanding access criteria using two tier login that may involve bank cards, phone and pin keypads. Because of the demands of these sites, unless they are used alot, people don't tend to remember the access details and so only access them from home or other location where they have all the necessary paraphernalia to hand.

        Obviously, it is up to the user to decide which tier to place a site and to determine an appropriate id and password strategy they will adopt for each tier.

        1. Julian Taylor

          Re: Disposable passwords for disposable accounts

          That does indeed show some responsibility. We do things a little differently now. Very boring since the level of security is rather inhibiting but my own security staff told me that this should be the only way we should operate online:

          Tier 1

          Signup for free offers, free stuff. one-time registration required for forums etc.

          Username: Always use a hotmail address - its spam anyway so it does not matter and, while you can access it (if you must) nobody else is going to worry

          Security: minimum 8 character password with capital and numeric - Wibblew0b, for example

          Tier 2

          Facebook, Twitter other Social Media where personal information will be marketed

          Username: own email address or username (NOT a part of email address)

          Password: minimum 10 characters combination alphanumeric and non-alphanumeric W1bbl€W0=b, for example

          Tier 3

          Anything involving credit cards

          Username: own email address or username (NOT a part of email address)

          Password: Randomly generated 20 characters userlogin password, wrritten down and stored so that I/wife can go in and delete card or personal details if necessary. 1758399%^rtjY80910£$, for example

          Tier 4

          Banking

          Not permitted from normal computers. We have an Ubuntu laptop with Firefox which can only access permitted bank/building society URLs. The firewall will reject URL requests which do not originate from that computer.

    6. ElReg!comments!Pierre

      Re: Disposable passwords for disposable accounts

      Yup, same here; except that I have not one but 2 "spam" email accounts, one for accounts of utterly no interest whatsoever (youtube etc), and one for accounts of a tiny little bit more interest (mostly electronics hardware sellers; some other online shopping).

    7. Anonymous Coward
      Anonymous Coward

      Re: Disposable passwords for disposable accounts

      "It also makes sense to use completely different email addresses, so that SPAM sent to your "ordinary" accounts can't be mistaken for administrative emails from someone who holds your real persona data,"

      I assign a unique email address in my domain for each supplier so I can identify how Spam obtained the address.

      The ones used for Amazon.co.uk often generate Spam - presumably because they forward your details to a Marketplace supplier with an order. Even apparently single source suppliers like Scan Computers are subject to Spam leakage once in a while. Security is only as good as the weakest link in the chain.

      The local Labour councillor's web site used (forged) my email address and personal details to lobby the County Council in one of their tribal disputes.

  6. stu 4

    spot on

    that's what I've been doing for 20 years. always giving website your crap 'spam' email address (hotmail) is another part of that.

    1. Evil Auditor Silver badge
      Thumb Up

      Re: spot on

      Exactly. Only that for some websites I use unique crap e-mail addresses - when I receive spam on those I know which bastard sold it on.

      1. AndrueC Silver badge
        Thumb Up

        Re: spot on

        I use unique crap e-mail addresses

        I do that for every contact. I have my mail server set up with a wildcard pattern so I can hand new addresses out to anyone without having to change anything. I only have to administer the server if an address goes bad so that I can add it to the blacklist.

        This is how I know that LinkedIn either sell their email addresses to third parties or else can be farmed. Last time it took barely two months before the latest address went bad.

        1. Anonymous Coward
          Anonymous Coward

          Re: spot on

          My supplier unique email addresses regularly appear in Spam. Amazon is the worst leaker - probably by sending all my details to their Marketplace partners with an order.

          1. ElReg!comments!Pierre

            Re: spot on

            US Homeland security is the worst offender I've ever seen. One week from crossing the border to mailbox choked full of spam (20 meg limit; I don't know how long it took to reach, I only checked after 1 week...). That's the only time I gave them a "real" addy; now the get the spam one when they insist on getting one.

  7. janimal

    I gave this exact same advice out to a friend 3 weeks ago.

    It works well as long as the user understands what needs to be protected & what is fluff.

  8. Shannon Jacobs

    Another advantage: Deniability?

    Well, mostly I feel like these results are "intuitively obvious to the most causal observer" and I've already been doing things that way for a while. My approach to low-security passwords is slightly different, but the basic idea is the same.

    However one of my secondary criteria is whether or not it may be advantageous to claim that the account was hacked. Especially appropriate for venues where you like to tell jokes and feel concern about getting too close to the edges upon occasion.

    1. 's water music

      Re: Another advantage: Deniability?

      Wait, wat? There are still people who believe I was drunk and posted what I really think of you my account must have been hacked?

  9. gerdesj Silver badge

    Best practice

    Whenever I see the term "best practice" I go postal.

    There's good practice and there's bad practice - but "best"? You'd better be sure you know what you are on about when using that term in my presence and at the very least be an acknowledged world expert. I really lose the plot when the term "a best practice" is deployed.

    Nurse .... nuuurse ....

    Jon

    1. Tannin

      Re: Best practice

      Yes. And when "best practice" becomes "World Best Practice" it's time to call for the strong sedatives before someone gets hurt.

    2. T. F. M. Reader Silver badge

      Re: Best practice

      This industry is in such a great shape because everyone follows the best practices.

  10. lansalot

    cheap trick...

    And I stress the term "cheap "here... As most phishing is done in batch, it's unlikely system looking for the same password on multiple sites is going to work this out. A human might have a bit more luck, if they were determined.. But anyway....

    Think of a passphrase - eg, "I was born in England in the 70s", something you're unlikely to forget. Take the initial letters and numbers, "IwbiEit70s"

    That's your seed and to anyone reading it it's meaningless. Now, decide on a couple of characters to always swap in your phrase, say the second and fourth and stick to that. You'll always be swapping those letters for the second and fourth letters of the website the password is used at. So for eBaY, it becomes "IbbiEyt70s". For aMaZon, it's "ImbiEzt70s". For fAcEbook, "IabiEet70s". To anyone grabbing it, it looks like a random password, but you know the system. Yes, there will inevitably be some collisions, but it's better than having the same absolutely everywhere.

    Also, you're unlikely to forget a password ever again - if you can remember your ebay one, you can remember your amazon one..

    1. Woodgar

      Re: cheap trick...

      All fine and dandy until the website gets hacked and you have to change your password, at which point you can't use your standard rule to make one up.

      Good advice, and I use something similar myself, but it does occasionally come unstuck.

  11. Anonymous Coward
    Anonymous Coward

    I have a notebook with my password details, and I keep it in a safe place. There's something faintly ridiculous on the insistence on never writing down a password: we're quite happy to have physical keys for valuable property, which aren't kept all that securely.

    The danger is in the password kept on a note stuck to the monitor, or somewhere else where it can be trivially discovered.

    The security does shift away from the detail of the password to how that notebook is stored, but since it's not on a computer, the vulnerabilities and risks are different. The risks associated with the internet are mitigated by a complex password, and keeping a copy which is not on the internet greatly improves the safety of the system.

    How is a written-down password, securely stored, any different from the tools, stand-alone or in web browsers, which remember your password for you?

    1. Roland6 Silver badge

      Re: notebook @AC

      >How is a written-down password, securely stored, any different from the tools, stand-alone or in web browsers, which remember your password for you?

      Well it depends on how you write stuff down as it could be more secure...

      My "little black book" contains the details for each website, with common stuff eg. email address and standard security stuff written in abbreviated form; whereas my digital password locker stores all details in full...

    2. Anonymous Coward
      Anonymous Coward

      It was once the mantra of any security adviser that the last line of defence is physical access to the system location.

    3. Anonymous Coward
      Anonymous Coward

      How is a written-down password, securely stored, any different from the tools, stand-alone or in web browsers, which remember your password for you?

      The short answer: in lots and lots of significant ways.

      I don't know about you, but I need to enter passwords many, many times a day - almost one per opened browser tab these days, and I keep multiple dozens of tabs open practically at all times. It follows that if one is not willing to use cheap and thoroughly-reused passwords on most of these (since most are low-value logins), any means of recording all of them is useless unless it can enter those complicated and unique password automatically - I would sure as hell not be willing to look up and mistype them constantly (moot point - I reuse al lot). Which makes paper really a bad fit.

      Also, I'm not amused by the "oh, now I'm safe from hackers, and I surely have nothing to fear from those who live with me and therefore have physical access" approach - I want my passwords safe from online AND local threats (by the way, I'd love to see you set a master password for a 'little black book', for the case it falls out of your pocket on the street - and transcoding everything written down every time I want to use any of it with some sort of substitution cypher is so beyond ludicrous I already regret wasting my time to type this sentence). That sort of security would demand keeping that 'black book' in a safe at all times, while practical usability demands the opposite - keeping it glued to the keyboard at all times. Sorry, not gonna happen.

      Instead, I'm sticking to a few cheap ones reused ad nauseam, and a few stronger ones for the important stuff. And if I ever get unhappy with that, I'll generate a bunch of unique bulletproof ones, stored under a strong master-pass in a pass manager on my mobile - and I'll make sure it's one that can type them out too for me through a wireless USB dongle, the way Keepass already can.

  12. AndrueC Silver badge
    Meh

    I've been doing this for a long time. I have three main levels of password and the most secure has variants for those sites that are particularly strict. It's slightly marred by Tesco who have recently enforced stronger passwords. Consequently when I log in to order groceries I have to use one of my strongest passwords. That's overkill. It's not like anyone can spend my money if they gain access. It only needs a second-tier password in my opinion.

  13. Allan George Dyer
    Holmes

    You heard it here first...

    So Microsoft's researchers have been reading El Reg? I've seen the same advice discussed here endlessly.

    OK, OK, I participated in some of the discussions.

    If a user is willing to use a bad password on your system, it implies they don't care about the data they are entering. Either the data in your system is worthless, or you're trusting the wrong people.

    1. Androgynous Cupboard Silver badge

      Re: You heard it here first...

      If buy something from an online retailer, I use the same junk password - if hacked all it will allow them to do is log on, but that's it - placing an order still requires my card details. It's a minimal level of security appropriate for a minimal amount of risk, and doesn't imply the data is worthless or any trust is misplaced.

      1. Anonymous Coward
        Anonymous Coward

        Re: You heard it here first...

        There are a number of online retailers who keep your credit card details attached to your account. You can't elect to remove those details between orders. Changing the card details requires the card number to pass a validation check. They will even let you send goods to a different address. Amazon.co.uk is one.

        1. nobody really

          Re: You heard it here first...

          [quote]

          There are a number of online retailers who keep your credit card details attached to your account.

          [/quote]

          I'll take that one further. I cancelled my Vodafone [corporate] account and discovered 6 months later they were still debiting my credit card because in their system they had just changed the name of the account owner, but not the payment method.

          Anyhoo, when I complained they told me the only way to remove my CC details from their system was to log back in to the portal and manually remove them as they could not do it over the phone....the portal I had no access to since I had cancelled my account.

          Yeah I got pretty mad. Lucky I had left my previous employer on good terms as I had to get reimbursed by them not by Vodafone who just washed their hands of it.

          Sorry off topic a little....ummm, it involved a password somewhere though.

  14. Richard 12 Silver badge

    The real problem

    Is all the junk sites insisting on you signing up with a "secure" password, email address, blood sample and flesh of your first-born in order to do a one-off transaction.

    And of course by the time you've done all that, you are absolutely certain it will be a one-off as you will never, ever consider using that site again.

  15. small and stupid

    marketing scum

    The problem is all the piece of shit websites that demand you set up an account in order to buy something.

    1. Robert Baker
      FAIL

      Re: marketing scum

      On June 21 I tried to buy a computer workstation and chair from Staples. All went well until I tried to sign up for an account to complete the purchase, at which point I found that they prevent Paste into fields, using a method that can't be blocked using NoScript (which is what I usually do to work around this problem should it arise). In other words, they were trying to force me to use a password weak enough to remember, and to type manually.

      I contacted them pointing out exactly how and why this is a dumb idea (I didn't put it like that, of course), and to this day have had no reply, so they have lost me as a customer.

  16. h4rm0ny

    Date of birth

    Actually, never mind passwords. I'd just be happy if I could persuade such institutions as banks and others from thinking my date of birth is some magical secret that confirms my identity.

    1. Tom 260

      Re: Date of birth

      Not forgetting the completely secret details often asked for in setting up secret questions/answers, which are limited to about 5 of the following things findable in your Facebook profile (or otherwise known by friends & family): Mother's Maiden Name, Place of Birth, First Job, First Pet, First School, Street You Grew Up On, Uncle's Middle Name, etc.

      Since this is often the only line of security in a password reset (which you may need to do at some point, so gibberish isn't always an option), it seems to make picking a complicated password pointless, as you have to invent and remember/record answers. Also see Verified by Visa and Mastercard's similar scheme, which only need the details printed on your card and your DoB to reset the password and make a purchase.

      1. Technological Viking
        Trollface

        Re: Date of birth

        The favorite trick I've picked up recently to deal with offensively restrictive secret question fields is to provide a similarly offensive answer. "What is your mother's maiden name?" is answered by something like "Sod off and ask me something better". Should even this get compromised, this guarantees that the guy trying to social engineer a password reset instantly infuriates the representative on the phone and will be grilled with even more scrutiny and suspicion. Win-win.

        1. Anonymous Coward
          Anonymous Coward

          Re: Date of birth

          The representative on the phone takes such a response as a perfectly valid answer, without the slightest fluster.

          I've used such a method and had to do a reset after being robbed.

          (As an aside, I've found offering information you know they have on screen but have not yet asked as something which can speed up the verification process. e.g. They ask what a recent transaction was for, you offer the date along with the answer.)

      2. nobody really

        Re: Date of birth

        The 'secret' here is there is nothing checks answers for sanity. Just answer 'Spock' for everything.

        Mothers maiden name: Spock

        Place of birth: Spock

        First teacher: Spock

        Favourite colour: Spock

        etc..

        That's got me out of some sticky password reset situations...

  17. JimmyPage
    Boffin

    "Could agree what makes a good password"

    How come, in this age of ISO, BSI, CE etc etc, no one seems to have devised an internet standard for the creation and handling of user authentication credentials in an organised, systematic way .

    Because it seems every man+dog site has their own ideas, and implement accordingly.

    Here's some starters for 10:

    1) define a minimum password length

    2) mandate the form (one letter, one number, one non-alpha)

    3) mandate that passwords must be stored as hashes (because I *know* there are sites with a backend of passwords stored in plaintext)

    4) mandate a password recovery mechanism with one alternate *not* involving email.

    5) mandate a password refresh period and password retention policy (can't reuse the last <x> passwords).

    1. Richard 12 Silver badge
      Boffin

      Re: "Could agree what makes a good password"

      You've never seen a standards committee!

      The couple I deal with (associated with ANSI) are fast compared to the BSI and ISO, and still produce standards that are impenetrable and late - though occasionally one does manage to escape.

      Unfortunately standards committees tend to encourage architecture astronauts, and have a great deal of trouble simplifying things - one of the standards I've been waiting for has now been "in committee" for five years, with no sign that it'll be ready soon (part of the draft was radically changed about three months ago...)

      PS: CE isn't a standard, it's a mark signifying compliance with the "appropriate" ones of several thousand different standards.

    2. J.G.Harston Silver badge

      Re: "Could agree what makes a good password"

      "1) define a minimum password length"

      And if the password prompt doesn't specify a maximum password length, then that is explicitly stating that there is no password length.

      I kept getting thrown out of MasterCard SecureCode because it says something like "must be at least eight characters", so of course I used something like "batteryhorse12" and it kept throwing me out, never at any stage telling me that it enforced a maximum of 12 characters.

      1. Flocke Kroes Silver badge

        There has to be a maximum password length ...

        ... or someone will test the site to see what it does with 1MB passwords.

        I thoroughly agree that the maximum length should be printed in large friendly letters near the prompt, preferably with a list of allowed characters. Anyone tried 'パスワード'?

        1. Terry Cloth

          ``There has to be a maximum password length ...'' why?

          These days I expect Javascript has the ability to feed a hash function (on the server) a character at a time, in which case you only need space to store the hash---if the password is 53,297 characters, it just takes longer to enter.

          Of course, that means that after a typo you start over, rather than backspace, but at least in my case it's very rare for me to make a mistake I recognize in time to be able to correct.

          And if you (web designer) are too lazy to make that work, what's wrong with a 1024-byte password field? It's not as if you're going to run out of RAM, and if someone can handle a password of >1k chars, my hat's off to him.

          (And where's the hats off icon when you need it?)

  18. Another User

    Use reset password link via email

    Nearly all websites offer a "reset password via email link". For rarely visited sites there is no need to use a simple password. Just enter random characters which you do no not even have to memorise.

    Next time you access this site click on reset password option, lather, rinse, and repeat.

    1. Anonymous Coward
      Anonymous Coward

      Re: Use reset password link via email

      I used to do that... Then I changed email addresses...

      1. Anonymous Coward
        Anonymous Coward

        Re: Use reset password link via email

        Worse than that, at some point I've simply been kicked out of my former low-value use-for-everything mail account, without even being told why! I filed an automated complaint (using a brand-new low-value mail account I had to create just so they can reply somewhere) to which the reply was that the account stays locked, with no further explanation. Luckily, I had zero nuclear launch codes handy, else there might be a very neat crater in the place of a former datacenter somewhere by now. Anyway, if I was accessing things by the proposed always-reset method, I would have been locked out of every single low-value account I had (which is 99% of all my accounts)!

  19. Jess

    Different passwords for different uses of the same account?

    I find it strange that the same password is used for an account with multiple functions.

    For example, if a social network has a chat system and you are able to access the chat facility externally (jabber, or via 3rd party sites for example), then why doesn't it allow you to set a separate password?

    Then if it compromised, your entire account isn't gone, (OK your friends will be inundated with spam, but they would have been anyway), you can reset the password from the main account, apologise to your friends and everything is back to normal.

    (I believe facebook has a poor version of this, where it generates passwords for such a use, but not ones that can be remembered easily)

    The recommendations seem to be good, so if Microsoft has people who can use common sense, why didn't they ask them to make the decision as to whether Windows 8 shipped with an on/off switch for Metro?

  20. Anonymous Coward
    Anonymous Coward

    Halfway house?

    For the past few years I've been using a system partway between the two: I have a single consistent passphrase, but I also insert an identifier code for each website (eg. eBay = EB, The Register = RE) within the phrase. This makes each password technically unique but memorable enough to not need to be written down in most cases.

  21. Ian 4

    Wondering how many.....

    ....people have a birthday on 1st Jan, according to Facebook?

  22. Jamie Jones Silver badge
    Facepalm

    I've entered an El Reg parallel universe ..

    I came here to agree with Microsoft, only to find most other commentards do so also!

    I remember one place I worked - they insisted the root passwords for the servers were unique, random character, with 4 servers passwords changed a day (with approx 100 servers, each password had a lifespan of more or less 25 days)

    If I never needed to get into a server out of hours it was easy - all the support staff had their password sheets in their draw or more likely on their desk.

    Not to mention these machines had more holes than Justin Baeber before a firing squad - but no, the PHB were happy because the machines were protected with root passwords such as "Ed3tx6gAUz3Q"

  23. Anonymous Coward
    Anonymous Coward

    I have a really excellent method for dreaming up passwords.

    It really is fantastic.

    1. JimmyPage
      Coat

      Re: I have a really excellent method for dreaming up passwords.

      but the margins here will not permit you to write it down ?

      1. Anonymous Coward
        Anonymous Coward

        Re: I have a really excellent method for dreaming up passwords.

        Oh Good somebody bit, I was trying to make the point if I did have a method I thought decent enough it would be a bit daft to post it on an open forum against a username as someone would take it as a challenge. Every time I have thought of something a bit interesting I hesitated to share.

        One I have used and moved on from, learn some stupid facts, ones outside your normal interest range then make a story out of that, learn the dates and names around the Spanish inquisition, nobody will be expecting that.

        Or take some detail facts from your past and build a phrase

        E.G (these are junk figures but that is even better, also your own pet typos)

        First car 1970 Escort had 135x14 crossply that needed 28psi front and 30psi back and on a good run 30mpg.

        Mk1Esc0rt135x14Xply@28fr/30rMAX30mgp, looks complicated but I'm pretty sure I could remember that tomorrow having written it once, especially if I did actually remember the values as the theme gives you a way in.

        Password reminder "Escort”

        1. DropBear

          Re: I have a really excellent method for dreaming up passwords.

          Mk1Esc0rt135x14Xply@28fr/30rMAX30mgp

          Useless, see the 3rd panel of the "Correct Horse Battery Staple" xkcd comic for the reason why.

          1. Anonymous Coward
            Anonymous Coward

            Re: I have a really excellent method for dreaming up passwords.

            Try a few, it works on the same idea as memory training, these are not for low level sites they are for ones you may have someone looking over your shoulder (not so good with words).

            It only looks hard because it not your default associations or remembered facts, I'm happy if you consider it hard. I keep most windows passwords over about 20 characters and can normally remember them in one or two goes, give me a random 8 character and I might struggle for an afternoon and probably will have forgotten by the next day.

            The only drawback I found with that method is if someone asks you the last part of the password its hard to remember unless you have just typed the lead up.

            Of course there are other ways and I use them but this is one I've managed to show "Passwords are too hard" types to think about, just because the result looks hard does not mean the method is.

            OK another combination for a long backup password you can recover fairly easily ISBN-13 numbers with a word, you are on holiday and need to enter your 20+ character password...

            Remember a favourite book (you could justify having searched for in the browser history), grab the ISBN number and combine it with a word or two. You have to remember the book title (and probably hardback) but basically you can recover a long string from a simple search that won't give away how to use it.

  24. EssEll

    Something you have, something you know

    Based on the old security premise of "something you have + something you know", I use car registration numbers. I can remember probably about 10 of them, so my notebook contains reference to "Volvo" or "Volvo+BMW". They're already a reasonably randomised collection of numbers and letters which are reasonably unique to me, my family and friends and cannot be attacked through a dictionary attack.

    And yes I agree with the Microsoft guys - I use cheap throwaway passwords for unimportant sites (like The Register ;-) ) but these much more robust passwords for more critical sites.

  25. Anonymous Coward
    Anonymous Coward

    Makes a lot of sense and probably common practice.

    I think many of us have been doing this for years. I know I do.

    All my crap accounts I use the password 'cheese' or 'cheese1' or whatever variation I need to pass the security requirements. Nice and simple.

    Then for my important accounts I use the password 'T2ndccrotr=tc" or 'The second crazy cow ran over the road equalling traffic chaos.' or other such variations. How secure? Who knows, but it's fun to remember and makes me smile. :)

  26. Jonski
    Big Brother

    Suggestion

    It's easy to remember unique, high-entropy passwords specific to individual websites if you have the right algorithm.

    For example: for each website (say, this one) you have a strongish stock password root that you use everywhere ("amonkeystolemybananas" or "T!f2A3^5", it doesn't matter it's the only thing you need to remember). You then append or prepend something based on the URL (say every odd letter of the domain "hrgsecu") and potentially a time-based value with keyshift ("jan" > "ksm") somewhere as well.

    For extra-high value sites, use a second stock password and generate similarly.

    So potentially a password would look like hrgsecuT!f2A3^5ksm and problem solved.

    1. Jamie Jones Silver badge
      Joke

      Re: Suggestion

      You must be fun at parties!

    2. Anonymous Coward
      Anonymous Coward

      Re: Suggestion

      "It's easy to remember unique, high-entropy passwords specific to individual websites if you have the right algorithm."

      I agree! I'd also add...

      for increased protection the appended / prepended / inserted characters maybe taken from a constant source (e.g. a grid of random characters) according to a particular algorithm. (I wouldn't use the URL as it is not always constant - e.g. some .co.uk are changing to .uk currently )

      Thus without both components (root-passwd & grid) the password cannot be reassembled, so if someone wanted said password you can quite honestly tell them you don't actually know what it is - and pass a lie detector test doing so (should the need arise). :)

      Grid could be text file/photo on phone/hardcopy/tattoo/wallpaper/whatever

      The best password I had I didn't actually know it. I trained to type a string of random characters at high speed until it became muscle memory. After the initial training I couldn't remember to write it down, but I would know I typed it correctly because if *felt* right, strange but true.

      ..and no, I don't get invited to parties - no suprise there! lol :)

  27. Jin

    Humans are still poor at dealing with texts

    What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the whole memory of ours. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like