
Friday, August 12, 2011

Why Password Reuse is a Bad Idea

Password reuse is an issue that I seem to battle with constantly. Password reuse is, just as the name implies, using the same username and password combination for more than one website. I understand why people are prone to do this, but I would like to take a few minutes to explain why it is a horrible idea.

It seems logical to reuse your password. After all, passwords are hard to remember and supposed to be kept secret. This logic makes perfect sense except for one scenario: What happens when you lose control of your password?

Imagine for a minute that you have followed my past advice. You have picked your complex, difficult to remember password and committed it to memory. It is 16 characters long and no one is going to guess it because you have mixed case, numerals, and special characters. You feel very comfortable with your uber-secure password and start making the rounds on the Internet. You change your passwords for online banking, email, Facebook, and Amazon.com as well as your work email and user accounts. You make them all the same, after all this is a really good password. You continue on this route, signing up for online forums, webmail, coupons, and a shady shopping site and use the same password. Everything is great, no one is going to hack you! Your password is unguessable!

One day, one of these sites gets compromised. It might be a forum, email, or that shady shopping site. It might be the coupon site you signed up for and forgot all about. In any case, your ONE uber-secure password is now out in the open. Did you notice that? I put an emphasis on ONE. I did that for a reason.

It should not be difficult to figure out what happens next. Your information is out and the jig is up. The bad guys now have access to everything you secured with that password. Everything! They can drain your bank account and credit cards or impersonate you on Facebook and email. You now have to scramble to change your password on every site. Unfortunately, you probably will not find out you have lost your password until something bad has happened. It could be money missing from your bank account or someone impersonating you through email and Facebook. Had you simply used a different password for each account, you would be safe, having only lost control of the single compromised account.

Hopefully this post will help you understand why reusing passwords is a bad idea. In a sense, it is even worse than using a simplistic password. As always, comment below if this was helpful.
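The post's point is that a leak at any one site exposes every account sharing that password. The following script is an added example (not part of the original post) that turns this into a check you can run yourself: it reads a password-manager style export and reports which sites share a password, plus the "blast radius" if a given site were breached. The CSV data, site names and passwords are constructed for the demo; the column names `site`, `username` and `password` and the stem length are assumptions, not any particular manager's format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape most password-manager exports take
# (site, username, password). Every value here is made up for the demo.
SAMPLE_EXPORT = """site,username,password
bank.example,alice,Tr0ub4dor&3Xk9
mail.example,alice,Tr0ub4dor&3Xk9
social.example,alice,Tr0ub4dor&3Xk9
shop.example,alice,Tr0ub4dor&3Xk9shop
forum.example,alice,Tr0ub4dor&3Xk9frm
coupons.example,alice,wL7#pq9!zR2m
"""

# Assumed threshold: passwords sharing this many leading characters are
# treated as variants of one underlying password (a "stem" plus a tail).
STEM_LEN = 10


def load_export(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def exact_reuse(rows):
    """Map each password that appears on more than one site to those sites."""
    by_pw = defaultdict(list)
    for r in rows:
        by_pw[r["password"]].append(r["site"])
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


def variant_reuse(rows, stem_len=STEM_LEN):
    """Group sites whose passwords share a long common stem.

    This catches the 'same password plus a per-site tail' habit, which
    leaves the secret part identical everywhere.
    """
    by_stem = defaultdict(set)
    for r in rows:
        pw = r["password"]
        if len(pw) >= stem_len:
            by_stem[pw[:stem_len]].add(r["site"])
    return {stem: sorted(sites) for stem, sites in by_stem.items() if len(sites) > 1}


def blast_radius(rows, compromised_site, stem_len=STEM_LEN):
    """Other sites put at risk if `compromised_site` leaks its password:
    exact matches plus variants built on the same stem."""
    leaked = [r["password"] for r in rows if r["site"] == compromised_site]
    reached = set()
    for pw in leaked:
        stem = pw[:stem_len] if len(pw) >= stem_len else None
        for r in rows:
            other = r["password"]
            if other == pw or (stem is not None and other.startswith(stem)):
                reached.add(r["site"])
    reached.discard(compromised_site)
    return sorted(reached)


def report(rows):
    """Human-readable summary of the audit."""
    lines = []
    for pw, sites in exact_reuse(rows).items():
        lines.append(f"password reused on {len(sites)} sites: {', '.join(sites)}")
    for stem, sites in variant_reuse(rows).items():
        lines.append(f"variants of one stem on {len(sites)} sites: {', '.join(sites)}")
    for r in rows:
        radius = blast_radius(rows, r["site"])
        if radius:
            lines.append(f"breach of {r['site']} would expose: {', '.join(radius)}")
    return lines


if __name__ == "__main__":
    for line in report(load_export(SAMPLE_EXPORT)):
        print(line)
```

Point it at your own export (`load_export(open("export.csv").read())`) and the first block of output is the list of accounts that fall together when any one of them is breached. A unique, randomly generated password per site is what makes `blast_radius` return an empty list everywhere.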

6 comments:

  1. One thing that I have recommended in the past, is that if you must use a similar password, change it just a bit per site. For instance...

    Super Secure password: 5up3r$ecr37

    gmail: 5up3r$ecr37gma
    facebook: 5up3r$ecr37Fac3
    bank: 5up3r$ecr37$$$
    yahoo: 5up3r$ecr37hoo

    Change it just a little bit per site, but also keep the added characters different enough to where they wouldn't be easily guessed, but easy for you to remember. Typically, I recommend using a utility like Keepass, and using completely random passwords for each account, but that can be difficult to manage across several machines. There is also something to be said for using passphrases...

  2. Weston,
    Hey, how did you know all my passwords! :)

    Excellent points and I could not agree more. Changing just one character is probably enough to deter any would-be script kiddies. They will just move on to the next and easier target.

    BTW, I'm working on reviews for LastPass and KeePass. I should have them posted in the next few days. I also have some thoughts on pass phrases that I will try to work into a coherent idea and post.

    Marshal

  3. It will also help avoid a visit from the "hamster hacker"

  4. There might be an untold story behind Tim's comment. :)

    Marshal

  5. Perhaps he is referring to:

    http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html

    Though, if that is the Tim I think it is, he is a weird dude. He may very well have a hamster that he has trained in the arts... :)

  6. The only thing I can tell you is it involved password reuse, an overworked sysadmin in need of a laugh, and this site, www.hampsterdance.com.

    The rest of the details will not be shared here. :)

    Marshal
