back to article We beg, implore and beseech thee. Stop reusing the same damn password everywhere

Two-thirds of people recycle the same password or use variations on the same basic one, according to LogMeIn. Even though more than 90 per cent of people surveyed by the password manager biz said they knew it was risky to recycle passwords or light variations on a theme, 66 per cent of respondents admitted they "always or …

  1. IGotOut Silver badge

    In other news....

    66% of people think password policies on websites are a joke, the worst offenders being banking.

    I reuse the same password on loads of sites, such as here on the Reg.

    1. I am the liquor

      Re: In other news....

      It sounds like this report is berating humans for being unable to use a system that's basically unsuitable for use by humans.

      Most of the people who claim not to regularly re-use passwords are probably liars. Some are probably using password managers, but not a third of the population. Surely no-one is really remembering a completely unique password for every single device, internet shop, social media site and forum they ever used.

      1. Phil O'Sophical Silver badge
        Coat

        Re: In other news....

        Surely no-one is really remembering a completely unique password for every single device, internet shop, social media site and forum they ever used.

        Just use a password manager on your phone. Then you can lose them all at the same time.

      2. Doctor Syntax Silver badge

        Re: In other news....

        "Surely no-one is really remembering a completely unique password for every single device, internet shop, social media site and forum they ever used."

        One part of this is sites demanding passwords when they don't need them.

        Take, for instance, online shops. If I go into a physical shop - it's already getting to the point where it's a stretch to remember doing that - to make a one-off purchase I don't have to set up an account. So why do I have to set up an account for a one-off purchase online? They get some junk that I'll not remember as a password because I'm not going back there again if I can help it. For a logon ID - they'll insist on en email address - they'll get one that will be deleted after a short while.

        The there's iPlayer or sound app as it has become (why?). For no clear reason except possibly they think they can't operate a website without one, they need a userID and password. For a while it worked quite well if this was saved in the browser. The the sound side changed it so that it had to be entered manually. I haven't bothered with the whole thing since then (what pissed me off most is that it stopped working with the iPlayer app on OSMC) but if I had it would have been swapped from the secure password-manager generated random string for the least variation on "password" that I could have got away with.

        Another example is familysearch.org. This used to be a perfectly straightforward free genealogy site with a compact UI. Then the UX designers got at it so the actual user experience started the usual downhill progression that I doubt has bottomed out, part of which was to add a login requirement it never had before. At least that didn't need an email address; I think Mickey Mouse was taken but it got an equally contemptuous one.

        Basically, if the password is important for me I'll keep it secure. If it's just the site being obnoxious about I'll treat it with the contempt it I think it deserves.

        Meantime - RESULT. Whilst writing this I finally got an email confirming the removal of my email address the customer list from a firm of whom I've never been a customer but who insisted on spamming me with their coronavirus updates for customers.

        1. Andy Non Silver badge
          Stop

          Re: In other news....

          "For a while it worked quite well if this was saved in the browser."

          For anything not overly important I store (unique and complex) passwords in the browser, e.g. for El Reg. What really bugs me are sites that won't let me paste in a password. As I always chose long complex passwords it can be a pain in the rear to type them in; so I tend to avoid such sites... I'll often abandon a site registration form if it blocks password pasting and either not bother or go to another site.

          Recently tried to register with the National Lottery but they did the password pasting blocking thing so abandoned my registration. I'll probably be a couple of quid a week better off anyway.

          As for storing my passwords, I use encrypted documents stored in an encrypted folder on an encrypted drive on my local hardware (not cloud). Backed up to other encrypted drives. While it can be a little tedious accessing my bank login details etc, it does allow me to use long, complex usernames and passwords and I don't need to trust a third party to store them for me. Just a pain if some sites block me from pasting them in.

          1. Doctor Syntax Silver badge

            Re: In other news....

            Yup. That was the case with the Beeb. Wouldn't let the browser enter it. Wouldn't let it be pasted from KeepassX either. How much more desperate could they be for users to use weak passwords?

            1. Andy Non Silver badge

              Re: In other news....

              That's how it was for my car insurance company site. I ended up changing my long complex password to a short easy one because it wouldn't let me paste it in. Their site was also very unforgiving, click the back button and you've got to log in again. Click the wrong item trying to navigate their awful menu system and you can't get back, so end up having to log in again. Don't click anything for a couple of minutes and guess what...

              1. gloucester

                Re: In other news....

                @AndyNom

                Perhaps just change providers next year. Probably won't solve the password thing but may save you a bit as they seem to always shaft us on renewal (which reminds me...).

              2. MachDiamond Silver badge

                Re: In other news....

                "That's how it was for my car insurance company site."

                Well, we all know how big a target a car insurance web site is. They can hack into your account and...... give me a minute.... I'll get back to you, but it could be really bad, that's what I'm saying.

                Screw it, I'll just hack the insurance company's server itself and get everybody's info in one big download.

                2. ?

                3. profit.

          2. el_oscuro
            Boffin

            Re: In other news....

            If you have Firefox, try this:

            https://lifehacker.com/enable-copy-paste-in-web-pages-that-disallow-it-with-a-1601848114

            1. Claverhouse Silver badge

              Re: In other news....

              Thanks.

            2. Microchip

              Re: In other news....

              I seem to remember a nice little addon for Chrome in the same ilk, called "Don't Fuck With Paste". Does what it says on the tin.

          3. jelabarre59 Silver badge

            Re: In other news....

            What really bugs me are sites that won't let me paste in a password. As I always chose long complex passwords it can be a pain in the rear to type them in; so I tend to avoid such sites...

            Sometimes those sites will take a bit longer, since before I leave I'll need to hunt down the contact information and send them a comment on their bad site engineering. And the harder they make it for me to send the message, the more harshly it will be worded.

        2. Marketing Hack Silver badge

          @Doctor Syntax

          The real reason that online stores ask you to set up a user account for a single purchase, so they can A) show the number of unique customer accounts they have in their financial and managerial metrics and B) they can better try to get you to come back to make more purchases.

          1. Doctor Syntax Silver badge

            Re: @Doctor Syntax

            I'm aware of that.

            This is the usual thing about marketing. They have one-sided metrics and think one-sidedly in terms of how people will react. They have no insight into the business they lose by this approach except, for those of us who have disposable email addresses, they might, if they bothered to collect the data, see some bounced spam.

          2. MachDiamond Silver badge

            Re: @Doctor Syntax

            C) sell your purchase information to a data aggregator for as much profit as they made selling the item to you.

        3. tip pc Silver badge

          Re: In other news....

          “Basically, if the password is important for me I'll keep it secure. If it's just the site being obnoxious about I'll treat it with the contempt it I think it deserves.“

          Millennials It’s all about me, me, me, me, me .........

          Some of the username password stuff is EU law mandating businesses know their customers/users. If your buying stuff it’s needed for anti fraud and money laundering protections again from the EU. Forums will use email addresses to confirm who you are for anti bullying EU mandates.

          That is why Twitter, gmail, Facebook etc want your phone number, it helps them but EU / Government demand those organisations know their users and a phone number reinforces that. I don’t think Twitter, gmail etc would stomach the media backlash otherwise.

          Lots of logging going on that most are unaware of.

          1. Doctor Syntax Silver badge

            Re: In other news....

            "Some of the username password stuff is EU law mandating businesses know their customers/users."

            Oddly enough, if I go into a real shop either they're flouting this law or it doesn't apply. As another commentard wrote, I've lost count of the number of shops who didn't ask me to create an account.

            For very obvious reasons neither Twitter nor Facebook have my phone number unless they've stolen it from someone else's contact list. I have a couple of gmail accounts for whom Google who have nothing resembling a name; admittedly one is on my mobile.

          2. Doctor Syntax Silver badge

            Re: In other news....

            "Millennials It’s all about me, me, me, me, me"

            If you're calling me a millennial you'd better get the right millennial.

            For avoidance of doubt, my banking passwords are important to me as I suspect yours are to you.

            My password on a site which demands it if I have the temerity to download an information sheet for their product isn't, nor I suspect, would yours be important to you. I doubt such a site would be able to find an explanation of why it would be important to them that would satisfy either of us.

            1. MachDiamond Silver badge

              Re: In other news....

              "For very obvious reasons neither Twitter nor Facebook have my phone number unless they've stolen it from someone else's contact list. "

              They most certainly have it as soon as they have your email address. It may come down to what they can do with it if they get it from you directly vs some big data company.

              You can see why FB and other sites are always pestering you to "share" your contact list with them. They will use it to suggest other people you may know, but that's not the real reason they want it. it's the bribe they are offering.

          3. jelabarre59 Silver badge

            Re: In other news....

            For sites that insist upon a phone number, it depends on what my usage of the site will be. If I feel I'll go back again, I'll use a Google Voice number (which doesn't get answered, and isn't even configured anyplace as a number which CAN be answered). If it's a one-time visit, I'll look up the number of their HQ office, or the HQ of a competitor.

            1. MachDiamond Silver badge

              Re: In other news....

              "If I feel I'll go back again, I'll use a Google Voice number "

              In the US there are test phone numbers that just ring. For sites that have figured out that dodge and have banned using those numbers, I use a desk number for the state tax office. If you know how most big entities set up phone numbers, it's easy to guess a few that ring directly on somebody's desk. I don't feel bad about doing that but I would not think it good practice to hand out the number of an attorney since it's cruelty to animals. I would love to see the face of somebody thinking they going to scam some schmuck and the line is answered "Law Office". It's just as good if they get "tax office, agent Bob speaking this call is being logged".

        4. MachDiamond Silver badge

          Re: In other news....

          "coronavirus updates for customers."

          I keep getting loads of those and it's one thing that I will drop them for. If it is important, they can put it on the website and I'll see it if I have a reason to visit their site. Like many people, I'm not doing as much lately so I'm not visiting those sites that I would regularly. Again, I'm going to reach out and check their web site if I think I might need their services/products. I know that many places are shut or on limited availability.

    2. vtcodger Silver badge

      Re: In other news....

      I reuse the same password on loads of sites, such as here on the Reg.

      Let me guess. "drowssaP"?

      1. Anonymous Coward
        Anonymous Coward

        Re: In other news....

        Got to be "Password1!". It's got upper and lower case, numbers and punctuation, and it's way more than 8 characters long. You can't get much more secure than that, surely.

        1. Yet Another Anonymous coward Silver badge

          Re: In other news....

          Remember to change it every 90days Password2!, Password3!.....

          1. Andre Carneiro

            Re: In other news....

            Mine at work is now up to 14...

            1. Phil Kingston

              Re: In other news....

              You've probably exceeded the policy's remembered password count, so can just cycle it back round to Password1! again and you're golden.

              1. Cuddles Silver badge

                Re: In other news....

                If you keep incrementing, it will cycle back around to Password-32767! by itself.

          2. Anonymous Coward
            Anonymous Coward

            Re: In other news....

            @Work we need to change AD passwords every month or so, which obviously is a huge PITA. (in very paranoid industry)

            My current pw is May2020!!!

            1. Yet Another Anonymous coward Silver badge

              Re: In other news....

              >My current pw is May2020!!!

              Did it warn you about repeated consecutive characters ?

          3. Jim Whitaker

            Re: In other news....

            Once had access to a HUGE (for those days) IBM mainframe in a university. Got bored with changing a password every 30 days but it had a really nice macro language which made changing the password ten times back in a ring a matter of routine.

            1. David Hicklin

              Re: In other news....

              " nice macro language which made changing the password ten times back in a ring a matter of routine."

              Which is great until they limit the number of password changes to one a day.

        2. MachDiamond Silver badge

          Re: In other news....

          "Got to be "Password1!". "

          Nope, it's Swordfish.

          Oh damn, did I share too much?

      2. bombastic bob Silver badge
        Trollface

        Re: In other news....

        correct-horse-battery-staple

        1. jelabarre59 Silver badge

          Re: In other news....

          I just use a passcode/PIN. It's 12345... Easy to remember as I have it as the combination on my luggage too.

        2. MachDiamond Silver badge

          Re: In other news....

          A string of made up names such as pharmaceuticals and company names means they aren't going to be in a standard dictionary.

      3. el_oscuro

        Re: In other news....

        How did you guess my password?

    3. I am the liquor

      Re: In other news....

      If I could give one piece of advice to web site designers about password policies, it would be this:

      Put the password policy on the log-in page.

      I come across so many sites that I fail to log in to, have to use the password reset option, wait for the password reset email, go back to the site, try to enter a new password, have it rejected, and only then find out that the reason I couldn't use one of my "normal" passwords was that this site doesn't allow punctuation, or spaces, or swears, or has odd length limits, or wants you to use at least 2 upper case letters, or something equally pointless.

      1. Steve Foster
        Facepalm

        Re: "Put the password policy on the log-in page"

        ITYM the registration page, as that's where passwords are created.

        But also make sure that pages that deal with passwords (principally the login page, the registration page and the self-service reset page) and the supporting backend processes all implement the exact same policy!

        I came across a site recently where this was not the case, so I could reset with a new password that was accepted by the reset page (and it reported success), but would then not work on the login page.

        Cue multiple rounds of resets until I found something that both elements were happy with.

        1. Persona Silver badge

          Re: "Put the password policy on the log-in page"

          ITYM the registration page, as that's where passwords are created

          I want it on the login page. That way when I'm trying to login and failing I can look at what stupidly unusual thing it needs. This would "normally" be enough for me to remember it and avoid me going round the password reset route, which would end up with me trying to reset it to to the same password I was forced to choose last time.

        2. I am the liquor

          Re: ITYM the registration page

          No, the log-in page, for exactly the reason Persona has described above.

          Occasionally you see sites that tell you the password policy as part of the error message the first time you fail to log in, which is also a fair enough way of doing it.

      2. Doctor Syntax Silver badge

        Re: In other news....

        "If I could give one piece of advice to web site designers about password policies, it would be this:

        Put the password policy on the log-in page."

        Let me suggest an even better piece of advice: don't require logins if you don't need them. The fact that marketing want a list to pester people isn't a need - just the opposite because one day that list will be conspicuously toxic when it gets leaked and until then will be quietly toxic when potential customers are put off by it.

        1. el_oscuro
          Facepalm

          Re: In other news....

          If a site requires me to create an account to buy something, I usually don't. I just go elsewhere where they accept Paypal.

          At least for me, having an account requirement is kind of like putting your merchandise in a disused basement lavatory with a sign on the door that says: "Beware of the leopard" .

        2. veti Silver badge

          Re: In other news....

          And if you do need them, give people the option to use single-sign-on with Google.

          Yeah, I know they're spying on me. So what? They're going to do that anyway, I really don't mind if they know what inane blather I'm posting on some overblown blog's comments page.

          1. EnviableOne Silver badge

            Re: In other news....

            just DONT used federated authentication, you are not protecting anything.

            Google share data with the site, and vice versa, they both have enough info, you dont need to give them more.

            same goes for amazon, facebook et. al

            1. I am the liquor

              Re: In other news....

              You are protecting your password from being stored in plaintext or weakly hashed in some unsecured database by every site you have an account on.

              Certainly it's a far from perfect solution if you care about privacy at all. But if you don't, it has a clear benefit in the context of this story about re-use of passwords.

              1. MachDiamond Silver badge

                Re: In other news....

                "Certainly it's a far from perfect solution if you care about privacy at all. But if you don't, it has a clear benefit in the context of this story about re-use of passwords."

                So you wind up with a perfect repellent for tigers that attacks every grizzly bear for miles.

        3. MachDiamond Silver badge

          Re: In other news....

          "just the opposite because one day that list will be conspicuously toxic "

          Yeah, like the time they have to admit that they've been hacked and while no payment information was leaked, all of the usernames and passwords have been compromised. All of the people that are reusing passwords all over the place are now at risk. Especially those that have forgotten they've ever registered and those that never see a notice.

      3. DemeterLast

        Re: In other news....

        Rather than berate the 7 billion people on the planet into conforming to password requirements, how about companies do a little work and spend a little money to clean up their act. The first time I was confronted with a "your password is too long" error message, I assumed I had fallen through a wormhole and arrived in the before times where 80-columns was enough for anybody.

        "correcthorsebatterystaple" has been dismissed unfairly I think. Sure, 48 characters of line noise is safer, but for quite a lot of sites 4 or 5 random words is far better and easier to remember than 7 alpha-numerics and a special character (which is almost always "!"). Sure, if a site gets their password hashes breached evildoers can gigahash through it with a couple of NVidia cards, but if the users are able to have a handful of long, yet easy to remember passwords, they're less likely to reuse them.

        In any event, if you're a developer, dropping the $3.50/mo for haveibeenpwned API access is cheap at twice the price. Want to stop password reuse? Let your users know that their sooper-sekrit password is already in the hands of the evil hacker 4chan.

        1. veti Silver badge

          Re: In other news....

          The trouble with "correcthorsebatterystaple" is, it doesn't scale. If we all start using "three or four common words strung together", then attackers will start guessing passwords in that format. There's only about 20,000 English words in common use (of which most people only use about 2000-4000 on a regular basis), so the guessing space there is not nearly as big as you probably imagine.

          As long as only a small minority uses it, it's excellent. But when attackers start expecting it, it suddenly becomes much weaker than a randomly generated string of characters.

          1. tip pc Silver badge

            Re: In other news....

            @Veti

            “ The trouble with "correcthorsebatterystaple" is, it doesn't scale. If we all start using "three or four common words strung together", then attackers will start guessing passwords in that format.”

            The idea is to increase the number of characters of the password to increase the processing time to brute force it. Doesn’t matter what words are in it, a word attack is a word attack. At least 12 characters With capitals, symbol & number it’ll take long enough to crack to put an attacker off Unless they pay for expensive cracking hardware.

            I personally just use the random password which actually looks like it follows a pattern to make input easier. Password is stored and synchronised to my keychain across phone, tablet and laptop.

            After 10 plus years I now have no clue what my reg password is but don’t need to. Email is secured with 2FA and backup codes.

            1. Peter2 Silver badge

              Re: In other news....

              The trouble with "correcthorsebatterystaple" is, it doesn't scale. If we all start using "three or four common words strung together", then attackers will start guessing passwords in that format.”

              Sure, straight forward dictionary attack. But lets consider a moderate amount of salting:-

              correct!1horse@2battery3>staple456

              So you now need to do a dictionary attack of every combination of 4 words, plus a special character and a number between every word, plus a few random numbers at the end and the number of possible combinations for just the added entropy are probably greater than most passwords to start with.

          2. Doctor Syntax Silver badge

            Re: In other news....

            "There's only about 20,000 English words in common use"

            cd /usr/share/dict

            wc -l british*

            99156 british-english

            341393 british-english-huge

            650656 british-english-insane

            OK, that includes proper nouns, possessives and borrowed words with diacritical marks although there's no reason not to include them and certainly not to stick to those in common use.

            At a conservative estimate an English word must be worth at least 16 bits.

            1. I am the liquor

              Re: In other news....

              The original research assumes just 11 bits per word, but even with a dictionary that small, it's still better than typical passwords.

          3. Anonymous Coward
            Anonymous Coward

            Re: In other news....

            But that's an English dictionary. Start using "Romaji" words, and substitute some syllables with the corresponding punctuation mark, for those syllables/words that are visually similar to particular Kanji/Hirigana/Katakana characters. Mix in numbers if there's a particular volume/season you like.

      4. Loud Speaker

        Re: In other news....

        And stop with this hiding the password while you are trying to create a new one. If someone is watching, then it is not a good time to be entering the new password twice while he watches you type it!

        Google, I am looking at you!

        1. Anonymous Coward
          Anonymous Coward

          Re: In other news....

          @Loud Speaker

          Yes and Google are also looking at you (along with everyone else). Also the unseen password twice so it's more secure thing isn't just them.

          Why I can't log into a supermarket (etc.) without always spamming my details to them for the robots thing though...

    4. Pascal Monett Silver badge

      Re: I reuse the same password on loads of sites

      I will admit that I have a throwaway password for sites that I do not consider important, yet still ask me for a login, or sites that I have no intention to return to after the reason for which I went there in the first place.

      But for anything important, I have a system that gives me at least 13 characters, and I have a database to store them in along with the URL that is concerned.

      1. veti Silver badge

        Re: I reuse the same password on loads of sites

        For sites I have no intention to return to, they get a randomly-generated string that I don't even bother to record anywhere. That's easy.

        1. MachDiamond Silver badge

          Re: I reuse the same password on loads of sites

          "For sites I have no intention to return to, they get a randomly-generated string that I don't even bother to record anywhere. That's easy."

          I try that first to see if they then want to send me a confirming email to set up the account. Now I have to give them one of my pre-made disposable emails from a domain name I have the privacy filter set on so they can't do a simple whois to check up.

          In the first case it's just easier to make up a new login than to track and look up one done previously. I only do it properly if I'll be a regular customer or it's a matter of legal consequence such as with a licensing board.

    5. Anonymous Coward
      Anonymous Coward

      Re: In other news....

      Agreed on banking websites sucking. Just got a reminder to change my password on the website for my work credit card. Password expires every 30 days (yikes). The site does have password crtieria on the pw change page. I use keepass as password manager, and our default password generator profile (including the Administrator profile) didn't meet complexity requirements.

      On the flip side, I have a personal account with the same bank. No password expiration. "Two factor" verification includes a typical set of predefined questions that could be answered by anyone creeping your facebook (one of many reasons I have no FB account).

      1. Loud Speaker

        Re: In other news....

        "Two factor" verification includes a typical set of predefined questions that could be answered by anyone creeping your facebook

        a) you should not be using Facebook, for anything, ever

        b) Never tell the truth - when they ask for "your mother's maiden name" what they actually mean is "the name of the porn star your Dad imagined he was fucking when you were conceived" (hyphenate if more than one). (Names of dogs and sheep are acceptable here).

        1. veti Silver badge

          Re: In other news....

          I don't know what your relationship with your dad is like, but I don't fancy asking mine that question.

          1. Doctor Syntax Silver badge

            Re: In other news....

            Perhaps he doesn't know who his dad is.

      2. MachDiamond Silver badge

        Re: In other news....

        "have a personal account with the same bank. No password expiration. "Two factor" verification includes a typical set of predefined questions that could be answered by anyone creeping your facebook (one of many reasons I have no FB account)."

        The worst thing is when they verify you by the mobile you are calling from. If I were somebody nicking mobes, the first thing I would do is go after bank/financial targets. What does somebody do if they are out and their phone is taken? So many people have all of their information on the phone and have gone paperless so they have to hope they have some sort of statement from the bank with their account information on it at home so they can all in and get the account locked. That delay can be more than enough time to empty accounts and change passwords for others. For these reasons, I don't keep sensitive information on my phone. I don't even keep my complete contact list on it as some people I know are well known and I would feel really bad about exposing their information. A couple are listed with pseudonyms so I know it's them if they call.

    6. Andrew Moore

      Re: In other news....

      Earlier today I have up registering an account (for a software service) because it

      a) demanded a complex password (>10 characters, digits symbols upper and lowercase)

      b) my browser let me store the password but the site spoofed the browser so it would not offer the password

      c) did not allow me to paste the password

      1. Anonymous Coward
        Anonymous Coward

        Re: In other news....

        I want to play too.

        I work for the South Bananistan government (soon to be turned into a theocracy). One of the government systems have an authentication page that uses a "virtual keyboard" for a simple, 8-digit password, but the system 1) asks you to change it every two weeks; 2) blocks you if you don't change it in two weeks and 3) require an authorization from HR to reset it. All this for "security reasons".

        The system is used every 2 months to authenticate vacation requests, I never bother to write it down or save it. I just try to log in, fail and send a message to HR.

        Must be the most annoying password-based login system in the world (let us know!)

    7. Grogan

      Re: In other news....

      I am of a mind that security that foils the legitimate user is NFG.

      A password that I can't remember is NFG to me.

      So what I do, is mix and match different (hard) password phrases, so I just have to remember four 8 character phrases. If I forget what I used on some site or service, I know it's a combination of 2 of those 4. I can always get it before exhausting 5 failed login attempts :-)

      The end result is pretty strong 16 character passwords.

    8. MachDiamond Silver badge

      Re: In other news....

      I reuse passwords as well, but not the ones that I use for banking/finance or sensitive personal information.

      If somebody were to hack my credentials here on El Reg, I'd send a message to the admins that my account was compromised and not worry about it. I'm not using the same user name everywhere and I'm not a member of the usual social media data collection sites. I also would never use "Log in with your XXXX account" options.

      One of my favorite games is since I have control over my domains, I can create and delete accounts when a site insists on a real email address to send a verification email to add a user. I make a throw-away account, milk the site for what they are offering and then delete the account. Sometimes I leave them active for a few months to see if the original site is selling data as I expect they are. Friends, family and customers get different email account addresses that I don't use for anything else.

  2. RyszrdG

    If you don't ..

    You will only have yourself to blame when your are pwned. A different password for each app may seem a faff but there are ways around that. The main upside is that it becomes very easy to track which account has been exposed and to take appropriate actions..

    1. Andrew Moore

      Re: If you don't ..

      A good trick is to use the same password but different usernames

      1. Loud Speaker

        Re: If you don't ..

        A good trick is to use the same password but different usernames

        I would, but I always forget which username is on which system

    2. bombastic bob Silver badge
      Devil

      Re: If you don't ..

      "different" works if you do this:

      correct-horse

      horse-correct

      h0r5e+CoRR3ct

      etc. (to crack these would require human intervention and some social engineering, and knowledge of one of them, and a good guess as to where the others might get used).

      but yeah a password manager to track the HUNDRED or so passwords is probably a good idea. LONG ago I'd write them down. The page got full. Then I discovered KeePassXC [NOT the C-pound one WITHOUT the "XC" at the end, but the C language one WITH the 'XC' at the end, that builds properly on Linux and FreeBSD _WITHOUT_ _MONO_ - the LAST thing I need is MONO DEPENDENCIES on my Linux and FreeBSD systems]

      in any case my master password is SO long I often make typing mistakes entering it...

      (if the password is long enough, chances are you will NOT be "social engineered" to discover all of your derived passwords based on one that was obtained by cracking some 3rd party web site)

      1. el_oscuro

        Re: If you don't ..

        I have a script which generates a list of passwords from /dev/random and a word list of my choosing. I can specify the delimiters, capitalized, number of words/characters, added numbers, etc, that will match any arbitrary password requirements while still being easy to type. I just pick the one I want from the list and since it came from /dev/random, it isn't going to be easy to guess.

        I use these for accounts where I have to actually still type the password, but for everything else I use bitwarden.

      2. EnviableOne Silver badge

        Re: If you don't ..

        no human intervention, it just needs the cracking lists to be set-up correctly

        run correct-horse through unix-ninja's leetspeak rule and you will get all of them out.

      3. Anonymous Coward
        Anonymous Coward

        Re: If you don't ..

        For a master password I just use some character names from a book I'm writing, appropriately munged. And since I'll never get my shit together to finish it, no one will ever know who they are anyway.

  3. Tim J

    OK, sp which password manager to plump for?

    LastPass, 1Password, Dashlane etc?

    1. Jamie Jones Silver badge
      Coat

      Re: OK, sp which password manager to plump for?

      My passwords.txt

      1. lglethal Silver badge
        Trollface

        Re: OK, sp which password manager to plump for?

        Hey how did you get on my computer?

      2. Anonymous Coward
        Anonymous Coward

        Re: OK, sp which password manager to plump for?

        For increased security, rename it sdrowssaP.txt.

        1. el_oscuro

          Re: OK, sp which password manager to plump for?

          You must have accidently added a unicode U+202e Right-to-Left Override in your comment.

    2. Anonymous Coward
      Anonymous Coward

      Re: OK, sp which password manager to plump for?

      Since your on-line access to everything is going to be dependent on it, ideally you want the one that guarantees they will never go out of business, bump up the price, or start pissing you off with ads, and will always fully support any new browser or platform you want to browse the web from. Good luck.

      1. vtcodger Silver badge

        Re: OK, sp which password manager to plump for?

        Oh yeah, and in addition to all those things, your password manager has to be perfectly secure since any security flaws in your password manager will likely result in ALL it's user data being sold as part of a 50Gb file on the dark web.

      2. Doctor Syntax Silver badge

        Re: OK, sp which password manager to plump for?

        "ideally you want the one that guarantees they will never go out of business, bump up the price, or start pissing you off with ads, and will always fully support any new browser or platform you want to browse the web from. Good luck."

        No luck needed. The password manager is kept locally. It's also synced to my home Nextcloud server. So unless I go out of business in a very personal manner or lose my marbles to the extent that I can't remember my master password that's not a problem.

        1. Jamie Jones Silver badge
          Happy

          Re: OK, sp which password manager to plump for?

          or lose my marbles [ ... ] that's not a problem.

          Huh. Maybe not a problem for you... Show-off!

    3. JakeMS
      Pirate

      Re: OK, sp which password manager to plump for?

      I use KeePassXC, because:

      - Still in active development

      - Fully open source (Peace of mind...)

      - Fully offline by default - no internet/cloud required

      - Includes a built-in password generator which can be adjusted/altered to match a sites particular requirements

      - Integrates with your desktop keyring - useful for apps such as evolution storing passwords

      - Not owned by a corporation - Your passwords won't be sold...

      - No risk of simply "vanishing" if a business stops operating

      - Included in pretty much every distro, so installing is quick and simple - no hunting for binaries.

      - Mobile applications exist in f-droid for reading your DB on a mobile device.

      - Many other reasons - but if I continue I start to sound like a sales bod.

      1. Doctor Syntax Silver badge

        Re: OK, sp which password manager to plump for?

        "Many other reasons - but if I continue I start to sound like a sales bod."

        There's the thing. So many people won't use something unless it's sold to them by a sales bod - or even worse - they're allowed to use it free and it's they who are being sold.

        Yes, KeypassX.

    4. Doctor Syntax Silver badge

      Re: OK, sp which password manager to plump for?

      KeepassX.

      Synced by NextCloud to any device where I might need a copy.

      1. Loud Speaker

        Re: OK, sp which password manager to plump for?

        NextCloud to any hacker in a third world country

        FTFY

        1. Doctor Syntax Silver badge

          Re: OK, sp which password manager to plump for?

          NextCloud on the Pi on my desk and definitely not accessible from outside.

    5. bombastic bob Silver badge
      Devil

      Re: OK, sp which password manager to plump for?

      Hiow about something a) open source and runs on Linux/FreeBSD, b) *NOT* written in C-pound, c) does *NOT* have a boatload of unique dependencies (which is why I don't want something written in C-pound).

      keepassXC comes to mind - which is the MAINTAINED open source version of keepassX that builds on Linux and FreeBSD.

      1. Hubert Cumberdale

        Re: OK, sp which password manager to plump for?

        I get it, there's little love for C#. But over here we'd have to call it C-hash. C£ doesn't really work as a UK-based snark.

        1. MachDiamond Silver badge

          Re: OK, sp which password manager to plump for?

          "I get it, there's little love for C#. But over here we'd have to call it C-hash. C£ doesn't really work as a UK-based snark."

          Or as musicians would call it "C-sharp"

      2. el_oscuro
        Linux

        Re: OK, sp which password manager to plump for?

        Bitwarden?

    6. AdamWill

      Re: OK, sp which password manager to plump for?

      I like Bitwarden. It's open source, has lots of ways to access it, good 2FA support, and works well.

    7. DemeterLast

      Re: OK, sp which password manager to plump for?

      I like pass,(passwordstore.org). May take some effort to set up for multiple users, but very flexible. Great if you spend a lot of time on the command line.

    8. Claverhouse Silver badge

      Re: OK, sp which password manager to plump for?

      Just use Enpass.

      On your computer. Not entrusted to The Cloud.

      They make back-ups to keep on other drives as well.

  4. Rogerborg 2.0

    Why would an investor think that a bunch of passwords is worth multiple billions of dollah? How are they planning to monetise them?

    1. Neil Barnes Silver badge
      Coat

      Hey! Psst! Wanna buy a password?

    2. Doctor Syntax Silver badge

      "How are they planning to monetise them?"

      Wring question.

      How are they planning to monetise the users?

  5. Anonymous Coward
    Anonymous Coward

    scott

    tiger

    1. Anonymous Coward
      Anonymous Coward

      Re: scott

      Isn't it jack/jack these days?

      1. Doctor Syntax Silver badge

        Re: scott

        If it's root/toor remember to change it at first login.

    2. el_oscuro

      Re: scott

      welcome1 is the new hotness

  6. Zolko

    mean ≠ median

    I use always the same 3-4 passwords, because else I don't remember them. And also because most of the times I don't care about the site (seriously: what if my account on ElReg gets hacked ?). And for those sites that I DO care, I use a different browser and a unique password. Which means that in 95% of the occasions, I use always 3-4 passwords and a generic browser, so if such a survey only looks at the number of occurrences, it's going to have a very bad representative image of how secure/unsecure my use of passwords and Internet is.

    And for me it's still very few passwords to remember.

    1. Doug_S

      Absolutely!

      For 95% of sites, I don't care if someone gets my password. I get those spam emails about once a week where they tell me my "standard password" in the subject line trying to scare me and I just ignore them. I use a real password for banks and other financial stuff, plus a few other places where it matters to me.

      For the rest I use the same one or a simple variation to meet rules like punctuation or whatever. Using a password manager so I can have a different password at The Register than I do at a different online forum is stupid, no one wants to steal my account on a web forum.

  7. John Sturdy

    Surely that should be .netrc?

  8. Pete 2

    protect what you value

    > they knew it was risky to recycle passwords or light variations on a theme

    People reuse passwords on so many sites because it is of no consequence to them if those accounts get compromised.

    For example, if you joined, or were forced to join, a website or forum because you ONE TIME wanted some information that was only available to members, it is quite reasonable to use abc123 as a universal password.

    The same if you wanted support from a user forum. Join - ask question - get ignored as a noob - leave.

    If the account gets hacked and your password is stolen, it's no big deal (you've probably forgotten about it anyway). There is no risk as nothing of value is being risked.

    1. GlenP Silver badge

      Re: protect what you value

      Agreed.

      I have a generic password that I know has been compromised but is still in use on a few sites where it really, really doesn't matter. Eventually I'll probably catch up and change them to something equally obvious.

      For anything that is important I use totally unique passwords and a password manager.

      1. MachDiamond Silver badge

        Re: protect what you value

        "For anything that is important I use totally unique passwords and a password manager."

        I think a good analogy is putting a $600 lock on your collection of bugs you've found in your garden rather than just fastening the clasp on the box. Then effort needs to match the level of security you really need.

        I'm not bothered with spending more time accessing my financial accounts online, but I am when I just want to dash off a witless comment on a forum.

    2. Flocke Kroes Silver badge

      Re: protect what you value

      If you have to register to get a data sheet, try "User Name" and "Password". Sometimes someone else has already save me the trouble - or Mr Name makes no effort keeping his account secure.

    3. Steve Foster

      Re: protect what you value

      Isn't that what BugMeNot is for?

    4. jelabarre59 Silver badge

      Re: protect what you value

      For example, if you joined, or were forced to join, a website or forum because you ONE TIME wanted some information that was only available to members, it is quite reasonable to use abc123 as a universal password.

      For those one-time usages I'm forced into, my chosen password is a bit "coarser"...

  9. Filippo

    A while ago there was a browser extension called BugMeNot that would quickly provide a login for a large number of sites that demanded registration for no good reason. That login would be the same for every user of BugMeNot. I wonder if it's still around.

  10. Highinthemountains

    Check your password here

    I use https://haveibeenpwned.com/Passwords to see if a password I want to use has been compromised somewhere else.

    1. Zolko

      Re: Check your password here

      Mandatory XKCD image:

      https://xkcd.com/2228/

  11. Chris Miller

    I use the same password for many sites that I consider low-risk. I can't really get too exercised over whether someone can post as me on this site.

    I don't use the same password for home banking!

    1. grizewald
      Facepalm

      If my bank's online banking system used something as crude and insecure as a password to identify me, I would be switching to a bank that understands security issues pronto!

      1. MachDiamond Silver badge

        "If my bank's online banking system used something as crude and insecure as a password to identify me,"

        How about if they are using your mobile number to "verify" you when accessing your account?

  12. Neil Barnes Silver badge
    Holmes

    I suggest that the main reason for so much password reuse

    Is the huge number of online sites that insist on a password login when it is really inappropriate - for example: you want to pay a pencil? Certainly sir, you just need to log in first.

    I've lost count of the times I've had to not log in to make purchases in the real world...

  13. ratfox Silver badge
    Meh

    On the other hand, I use the same password for many websites because I couldn't give a rat's ass about people hacking into, say, my commentard account on The Register. Of course, I don't use that password for more important matters...

    1. Nunyabiznes Silver badge

      But, The Reg is the single most important website I go to!

      "Pssst. Where's my gold badge?"

    2. fidodogbreath Silver badge

      I couldn't give a rat's ass about people hacking into, say, my commentard account on The Register

      Shirley you're not suggesting that commenting on Reg articles is somehow unimportant? How else will randos know that a bunch of other randos don't trust Google / Facebook / *cloud* / MS / gubmint and that IoT is shit?

      1. el_oscuro

        Thanks. You gave me a word list where my commentard account can generate Markov Chain comments like those used in The Automatic Donald Trump

        https://filiph.github.io/markov/

  14. Nunyabiznes Silver badge

    Useful

    I like it when these articles come out, usually annually or a little more often. There is always useful info in the comments, if not in the article itself (no offense).

  15. Doctor Syntax Silver badge

    Let's not forget that half the problem isn't reuse of passwords, it's reuse of user IDs. That's because so many sites want an email address as an ID - and perhaps reinforce that by sending an email to confirm and most people only have one email address. It doesn't matter so much if your password's Pa$$word when you user ID's UsSnkbi32tGdxTFP or '@"p3a@}%3e%Ngud

    1. Claverhouse Silver badge

      Even more annoying when the email address is no longer accessible to you.

      A lot of email providers end the email if not used after 6 months.

      1. MachDiamond Silver badge

        "A lot of email providers end the email if not used after 6 months."

        You get what you pay for. My accounts would only end if I weren't to pay the hosting company. In the mean time, I have lots of email accounts and can generate new ones at will.

  16. nxnwest

    The Best method

    The best method I've found is "Post-It"... (sarcasm)...

  17. Eclectic Man

    El Reg

    OK so the article states:

    "The standard password advice, repeated by LogMeIn, is to use a password manager to remember your passwords for you; enable multi-factor authentication (MFA), so if someone else does obtain your password they can't easily log in and steal your account – though 20 per cent of respondents to the survey said they didn't know what MFA was; and stay vigilant."

    So where is the MFA for my extremely valuable El Reg account? At present I use a password and e-mail address but anyone could steal my password and instead of my pearls of wisdom start spouting nonsense at this highly erudite and learned audience.

    Indeed, there is currently an extortion e-mail going around claiming to have embarrassing video footage of the 'user', the subject line contains an actual password (in my case it was for the BBC iPlayer)*. They wanted USD2000 for 'not' showing a non-existent video of me (there is tape over the lens, even NASA hasn't got the image enhancement tech to get a picture form my computer, not that I do that sort of thing in the lounge anyway). Fortunately I didn't use that password anywhere else (and don't any more).

    *If you get the e-mail (courier font, claiming to have installed malware on our computer, with an address for a bitcoin 'donation') do report it to Action Fraud in the UK, they want to know how prevalent it is.

    1. MachDiamond Silver badge

      Re: El Reg

      " there is currently an extortion e-mail going around claiming to have embarrassing video footage of the 'user',"

      I get lots of those dropping into mostly my spam catcher accounts that I've generated and used to register at dodgy websites and place I know are going to resell every scrap of data they collect.

      What these scammers don't know is that my desktop doesn't have a camera at all and my taste in porn is very mainstream. Am I sharing too much?

      If they did get my contacts, which would be a feat as I don't use the built in contact manager, I'd probably start getting inquiries about where to find the best "movies" since most the people I know and most certainly my "water brothers" aren't too uptight about those sorts of matters. Mom would just have a good laugh.

      If you don't want to be spied on, disable the camera and block the mic. Zuckerberg does on all of his portable devices. BTW, blue-tak works a treat for the mic and is removable if you insulate the mic hole with a bit of cling film first. Put some cello tape over the blue-tak so it doesn't get everywhere.

  18. John Lilburne

    Nope cant be arsed.

    To much of a burden remembering passwords I'll keep using 12345678 for the foreseeable future. And some sites I've not changed since 2001.

    Use a better system than passwords.

    1. Anonymous Coward
      Anonymous Coward

      Re: Nope cant be arsed.

      That's not your password for the Register. ;-)

      1. el_oscuro
        Coffee/keyboard

        Re: Nope cant be arsed.

        No comment required

      2. John Lilburne

        Re: Nope cant be arsed.

        Thankfully work have just changed the stupid 90 day churn to a 1 year churn.

  19. Joe Gurman

    A few years back....

    ....I was convinced by friends more ITSec-conscious and I to go beyond the 4-character smartphone passcode and take advantage of the phone OS's option for longer password. So now my fondletoy has a longish password with all the bells and whistles. But the current fondletoy has face recognition, which is much more convenient.... until the days of facemasks arrived. Do I yank down the mask for a couple of seconds so I can NFC my purchase, whilst smiling at the checkout person through the plexiglass, or do I fumble, through my nitrile gloves, at tapping in my now rather inconvenient passcode while the next lucky shopper is stewing 2 m away?

    1. HellDeskJockey
      Facepalm

      Re: A few years back....

      Just do what I do and avoid stores at all costs. Walmart grocery and amazon are your friends. It's so unpleasant to shop these days.

      The latest idiocy, when you come into a store. Please lower your mask so the camera can ID you. Farewell reason I knew thee well.

    2. MachDiamond Silver badge

      Re: A few years back....

      Now what I would do is wait until you've unlocked your phone while out somewhere and set it down to respond to the person doing the distracting for me and have it off you in a jiffy. I'll keep fiddling the screen to keep it alive until I can plug in a little widget to keep the phone charged and active so it doesn't relock.

      Use cash. If somebody picks your pocket, all you lose is what's on you. If somebody nicks your phone and can do what I describe above, they have your whole bank account which sort of sucks if yesterday was when your direct deposit posted.

      For the record, I don't steal from people, but did sleep at a Holiday Inn last night. Actually, my guilty pastime is watching pen testing vids and hackercon presentations on YouTube/Vimeo. I've had a debit card get cancelled while traveling and never go anywhere without the cash to buy enough petrol to get home and some meals. Having cash in pocket also makes me stick to budgets much better. No cash, no coffee.

  20. Teiwaz Silver badge

    I'm only slightly concerned over this.

    The bigger concern is the outfit you are signing into leaving all the private details supposedly secured by said passwords open to the entire e-feeing internet due to stupid, lazy and 'we haven't a clue and haven't really made a profit yet, but next quarter, maybe'.

  21. Richard 51

    re-use passwords - busted

    In my defence the really important sites like my bank are protected with 15 character passwords generated by BitWarden, but the sites like theReg and BBC where I don't give a toss whether someone impersonates me, get the basic password I have used for years which itself is 8 characters with all the bells and whistles. But re-used on all the lesser websites.

    These kind of articles are only useful for drumming up business for the password app vendors and I guess giving the rest of us an opportunity to feel smug. We started this saga with passwords of 5 - 6 characters then had to add in upper case and numbers, then special characters and the length has increased each year.

    I agree passwords are so 20th century and for god sake lets come up with a better solution soon before we are all having to enter 99 character passwords to access the local news.

  22. HarryCoh

    My standard password has worked well for the last 25 years, why shoudl I change it now?

  23. Jamie Jones Silver badge
    Coat

    logmein

    I can't be the only one wondering why a German Company would call their product "my log"

  24. James Anderson Silver badge

    Passwords are sh*t but what’s the alternative

    In my work fincial personal and domestic live I have close to 100 passwords to rememberer somehow manage.

    It’s impossible, I am pretty good about this I use password safe for the important stuff but the rest mostly relies on my fading memory, the browsers memory or the “forgot your password” link.

    The banks have forced two factor authentication on me , which is pretty much a good thing ... but I am glad I was not finalising a house purchase when I ( something to do with wine) left my phone in the back of a taxi.

    You need to establish a hierarchy of what’s important work, banks and the email where your “forgot your password” gets sent to. Forget about the rest, if you cannot remember a password you made up good luck to anyone else.

    P.S, You really need to change and remember your router password. It’s a PITA to do the hardware reset just to change your WiFi password.

  25. bigtreeman

    the reg is important

    I used to use my "standard" password on The Reg, my old dogs name and a bit more,

    but it now has a real 10 mixed characters password,

    reflecting the respect I have for The Reg (gag),

    more likely The Reg's poor security.

    Crap sites get my crap password.

    I used to use 8 mixed characters, now 10, in the future ?

    I'm still generating pseudo random passwords with pwgen.

  26. Anonymous Coward
    Anonymous Coward

    An article where the people commenting are actually talking SENSE!

    These guys have a fiscal interest in selling Last Pass subscriptions! Which is pretty lousy on my smartphone it keeps prompting me over and over again to re-enter a long tens of digits long master password.

    A lot of the time password requirements and even WITH password managers like Last Pass there can still be limitations like entering passwords on a phone or tablet inside of apps rather than websites for example or requiring a really long master password to be entered.

    Chrome used to be a great solution to sync with Android apps for me until the password sync started not working and Google provide no solution. Although it was also tied to me using Google Chrome.

    I'm almost to the point where I'm going back to writing passwords down on paper in a book at home and keeping it to that. The downside is when I'm out and I want to actually be able to buy stuff online.

    I don't think there is any silver bullet for password management to be honest.

    1. Anonymous Coward
      Anonymous Coward

      I always never have the perfect solution whether its KeePass, LastPass, or what I use a lot now Avast Passwords because it has some mobile app password sync capability and doesn't constantly prompt me for a master password on my phone. Each app I've come across has its own limitations which I could talk endlessly about.

      I don't think there ever will be I think we need to use different solutions selectively for different situations.

  27. Sherrie Ludwig

    Depends on the site

    For logging in to sites that are trivial and do not involve money, like a recipes site, or news site, I reuse a fairly simple one. For anything involving transfer of money like shopping or bill paying, it's a password generator and password keeper lodged on my computer only.

  28. Bruce Ordway

    Memory

    As a visual learner, I like using keyboard patterns for passwords rather than the text.

    I remember a starting point and some pattern from there... lefts, rights, ups, downs and trailing cap(s)

    As my password backup for more serious "stuff"

    I use a text file on a local encrypted file, like others have mentioned.

  29. Eclectic Man
    Facepalm

    Notebook

    Actually, I write all of my passwords down in a nice notebook I bought form Waterstones, it is bright red and has the words "internet address & password logbook" on the front cover in big friendly letters.

    That has got to be ok, hasn't it?

    Curiously, it no longer seems to be available on the web site, must have sold out..

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020