Re: Disposable passwords for disposable accounts
I heartily agree.
After 20 years of surfing the web, for someone to suggest I use a different password for every single forum or website that demands registration is ludicrous.
For someone to even expect me to remember what websites I've ALREADY REGISTERED with, is just as daft. After 20 years of surfing the net both personally and within my profession, I can no longer count the number of times I have gone to register on some poxy little website to download a driver, or access some page, only to be told "this email address has already been used".
I sit there for a moment, like Gandalf in the caves of Moria, thinking "I have no memory of this place", before trying the default password I always use, and being greeted with "Welcome back, Wibble Wobble!"
I always used to register with dummy names and my old student address, and prior to sites requiring validation of the email address, I always used "firstname.lastname@example.org" (please excuse my French). These days, I use an old Hotmail address.
Quite frankly, there are a huge number of sites out there demanding too much information. This is going to come back to bite them on the arse, as they are legally required to protect it, and if they do get hacked, the punitive measures could sink more vulnerable SMBs (who coincidentally are the ones without the resources to focus on security). But I digress...
In reality, you only really need a 2 tier password system, and re-use should be fine in both. Here's why: The upper tier sites with valuable information such as email, paypal, banking, facebook et al, are extremely strong on their security these days. They have to be for both practical and legal reasons. They are constantly under attack. Microsoft are at the very forefront of security within the industry, so they know what they're talking about. If you want to jeer at this statement, you'll first need to find a time machine and go back 12 years to when your attitude was valid.
Any bank worth its salt uses a 2-tier password system, anyway, so obtaining the initial password won't help.
In the (highly) unlikely event that one of these is compromised, They are also legally obligated to raise the alarm immediately. Ebay is a case in point, and that wasn't even the paypal account.