Recycling is a must, but why would you reuse your password

Security writer at ESET, Tomas Foltyn, discusses the dangers of poor password practices.

Tomas Foltyn, Security Writer at ESET

World Password Day, celebrated on the first Thursday of every May, is a timely reminder of the fact that our passwords are the key to a wealth of personal information about us.

It would be nice to imagine that if the various contenders for “inventor of the password” had known how much of a hassle its computer variety would end up posing centuries later, they would never have bothered. Or maybe that inventor – perhaps a Gileadite or Roman soldier – just didn’t care about the tradeoff between security and convenience that would plague us in the internet era. Either way, the legacy of the military watchword is here to stay.

Quipping aside, the routine works like this: you sign up with your username and password that only you know, and you’re golden. To log in again, you just need to recall and input your login credentials. Of course you knew this would happen, so you took some “precautions”: you set up the account with an easy-to-remember password.

And therein lies the problem. “Easy-to-remember” most often equates to short and simple, as well as easy to guess. That’s especially true for password-cracking software doing the bidding of an operator intent on brute-forcing his way into your account. Such software can open the trove of treasures just as magically as the phrase “Open Sesame!” does with the mouth of a cave in a well-known folk story.

On the flip side, a password that is long, complex and random is harder to crack, but also harder to remember. And therein lies the problem (yes, again!). Recalling many impossible-to-guess passwords and being able to remember to which particular online service each belongs is just too much of a tall order, unless you have the memory of an elephant.

Indeed, passphrases – say it with me, “I LOVE to Read WeLiveSecurity!” – may help both in terms of security and convenience (the latter being simply a proxy for memorability). However, is it reasonable to expect every user to remember a distinct passphrase or password for each and every online account?

Something’s got to give

What many people do – at least those who are not elephants – is skimp on their security, use an atrocious password (“123456”, anyone?) and go on their merry way. Until their accounts are hacked and their online personas are compromised or, worse, their identities and money are stolen. After all, it is human nature to disregard risk until disaster strikes.

Indeed, it feels like you can’t have it all; that is, many online accounts, each of which has a supremely strong, unique and memorable password or passphrase. It is little wonder that our patience wears thin and we take mental shortcuts. Enter another coping strategy that greases the wheels of hacking – password reuse.

While being antithetical to userland security, you can bet your last dollar that password recycling is invariably right up there with all the other most frequent and ill-advised offenses committed by users in the realm of authentication. Passwords created with another oft-used strategy, which involves slightly modifying the password for each account (“partial reuse”), tend to be predictable and, thus, just as easy to crack.

Why is password reuse so risky?

The neighborhood that is the internet can be rather less than neighborly in many ways, doubly so when data breaches are a reality of our age. The breaches often expose login details that – if you use them to access multiple accounts – can be successfully exploited for attacks known as credential stuffing. This becomes particularly troubling when an attacker uses stolen or leaked access credentials that belong to one account in order to break into another – often higher-value – account. Thanks to frequent password dumps, user/password combinations are easy to come by, and often at little-to-no cost at that.

If a breach hits and the credentials aren’t stored with advanced salted-hash functions (think, for example, a hack against Adobe in 2013), a strong password, or even a passphrase, may not be enough to thwart an account-takeover attack if you use that password to access multiple online services.

Factoring in another factor

Many account-takeover attempts can be foiled with two-factor authentication (2FA). An added authentication factor provides an extra layer of defense beyond the simple passcode/password/passphrase and, in a way, fixes some of the inherent human foibles that are routinely exposed by our poor password choices.

So far so good. However, many online service providers have yet to implement 2FA into their authentication schemes. (You can check the status of various websites vis-à-vis 2FA here: https://twofactorauth.org/.) Additionally, as shown by a recent report about the adoption rate of 2FA among active Google accounts (lower than 10 percent), even if such an option has been available for years, most users simply don’t take advantage of it, be it that they’re unaware of it or apparently have bigger fish to fry.

There are other forms of authentication, of course, that may take some of the weight off our shoulders (and brains), be it biometrics (e.g. fingerprint or iris recognition) or algorithms to measure behavioral characteristics (e.g. typing rhythm) or others. Their availability and, by extension, adoption are nowhere near widespread, however.

Is there another way, then?

Well, yes, although it actually flies in the face of much advice dispensed by security folks. In 2014, Microsoft Research released a paper that suggested a different tack. In thinking of various online accounts as somewhat of a continuum, the paper averred that some degree of password reuse is inevitable, but that it should be reserved for low-risk, low-value services. Put differently, the reasoning went that all accounts are not born equal and should, therefore, be divided into groups according to value. ESET Senior Research Fellow David Harley weighed in on this approach, while hinting at its potential pitfalls, in this insightful piece.

On a different note, chances are that you won’t cull your online accounts all the way down to whatever number you can manage easily with unique and strong passwords or passphrases. Nor will you probably be willing to engage in some serious mnemonics or aspire to eligibility for a memory competition.

With that in mind, the easiest thing to do is, arguably, to put all of your passwords (strong and unique, of course) into a kind of digital safe. That vault is dedicated password management software that, ideally, encrypts and stores all of your passwords locally and offline.

Indeed, password managers are all the rage in password security and, intuitively, it is hard to deny their merits. In addition, recent research found that password managers benefit both password strength and uniqueness, although apparently this strategy works only if the passwords are generated by the software.

Either way, assuming that you trust the implementation of your password manager – and you wouldn’t use it if you did not, right? – then its security is largely determined by the robustness of your master password. That’s doubly relevant if you consider that you’re effectively putting all your eggs, including some made of gold, into a single basket. That basket could, in fact, become a single point of failure.

They shall not pass

To be sure, passwords are flawed. Except that, in our internet era, there’s no other ubiquitous method of user authentication. Having their impending demise predicted back in 2004, passwords may well have outstayed their welcome. However, it appears that it will still be some time before they go the way of the dinosaurs.

All told, some things in computer security are beyond the control of a regular user, but why not go and fix those that are? In a way, the persistently poor password practices of many other people give you a chance to be ahead of the pack. What’s not to like?