
    The biggest security headache that consumers face on a regular basis may well be… the password. You need one to do just about anything online nowadays. This makes them very valuable targets of theft – as the news that “1.2 billion” passwords were stolen highlights. Unfortunately, remembering passwords for all the sites that people use every day can be a challenge.

    With that in mind, I was interested when I heard about a paper that discussed how users manage multiple passwords. Unfortunately, this paper from Microsoft and Canadian researchers doesn’t actually provide very good advice, and may in fact promote dangerous practices.

    Let me summarize the paper for those who haven’t read it: they suggest that users are incapable of following both of the key tenets of password security: that passwords must be secure (i.e., not easily found with a dictionary-based search), and that they must not be shared. The researchers suggest that users decide which accounts need to be protected with secure passwords; the other accounts can be protected with ordinary passwords that don’t have to be unique or secure.

    This idea only works if you accept as a fact that the user is incapable of remembering secure passwords. However, that’s why password managers exist. This idea that a user must rely on their unaided memory is simply wrong. The computer – whether it’s a PC, tablet, or smartphone – is an extraordinarily powerful tool. Why not use it?

    Yes, these managers are not perfect. Just last month, another group of researchers found vulnerabilities in several online password managers. However, they’re still a significant improvement over trying to remember passwords by rote memory, and it’s a gigantic improvement over using poor passwords. The perfect should not be the enemy of the good.

    I try to make the advice I give as clear as possible. Whether or not that was their intention, studies like this muddy the waters and send the message that bad passwords are okay. The tiered approach depends on the user correctly deciding which accounts need to be secure and which don’t. However, many users are likely to trade security for convenience and choose weak passwords instead. It’s human nature to do so. Sadly enough, the users most likely to choose weak passwords are also the ones most likely to fall victim to various online threats.

    Let’s say, however, that someone really doesn’t want to use a password manager. That doesn’t mean you need to use a bad, recycled password. Consider this procedure:

    1. Choose a simple password you already use. Let’s take “Snoopy2” as an example.
    2. Create an algorithm in your mind that uses the full domain name of the website you’re protecting. So, for example, it can be: “two first letters, two last letters and the number of letters it has, first letter in uppercase”. “” becomes “Twer7”. It can be any algorithm you want, so long as you remember it.
    3. Choose a number that means something to you. Your birthday, the age at which you met your husband, whatever. Let’s say I use the number “32”.
    4. Put it all together. My password for twitter would be “Twer7snoopy232”. My next password for “” would be “Awum19Snoopy232”. If I ever need to change it, just add one to the last number… or 7. It’s up to you.
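    The four steps above are a deterministic derivation rule, so they can be written down and checked. The following is an added example, not code from the original post: it implements the post’s own rule (two first letters, two last letters, letter count, first letter uppercased, then base password and personal number) and adds one check a practitioner would want, namely that the rule never hands two sites the same password. Assumptions: the site name is passed as the bare name the post uses (“twitter”, 7 letters, not “twitter.com”); the base password keeps the capital S from step 1; the function names, the `bump` rotation parameter and the sample site names are mine. Because the site token depends on only four letters and a length, unrelated sites can collide, which `all_distinct` detects.

```python
"""Per-site password derivation following the post's four-step recipe.
Example code added to the article; not from the original post."""


def site_token(site_name: str) -> str:
    """Step 2: two first letters + two last letters + letter count,
    first letter uppercased.  "twitter" -> "Twer7"."""
    name = site_name.strip().lower()
    if not name:
        raise ValueError("site name must not be empty")
    # For very short names the slices overlap; the rule still applies.
    token = name[:2] + name[-2:] + str(len(name))
    return token[0].upper() + token[1:]


def derive_password(base: str, site_name: str, number: int, bump: int = 0) -> str:
    """Steps 1, 3 and 4: site token + base password + personal number.
    `bump` (assumed name) is the "add one to the last number" rotation."""
    return f"{site_token(site_name)}{base}{number + bump}"


def all_distinct(base: str, sites: list, number: int) -> bool:
    """Check that the recipe gives every site in `sites` a different password.
    Sites sharing first two letters, last two letters and length collide."""
    passwords = [derive_password(base, s, number) for s in sites]
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    # Constructed sample sites; the post's second example domain is not given.
    sites = ["twitter", "github", "mybank"]
    for site in sites:
        print(f"{site:8s} -> {derive_password('Snoopy2', site, 32)}")
    print("rotated  ->", derive_password("Snoopy2", "twitter", 32, bump=1))
    print("all distinct:", all_distinct("Snoopy2", sites, 32))
    # Constructed colliding pair: same first/last letters and length.
    print("collision detected:", not all_distinct("Snoopy2", ["reddit", "rexxit"], 32))
```

The rule is fixed and public once known, so the check above only guards against accidental collisions; it does not make the scheme stronger than a password manager, which the post recommends in the first place.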

    The bottom line is: one day we won’t have to use passwords to log into sites anymore. That day, however, is not today. We’re still stuck with passwords, and we need to provide the best advice to users on how to create good passwords. A mixed message – like the one promoted by these researchers – is unhelpful at best, and wrong-headed at worst.


    • Mark

      While I agree that passwords are here to stay, and that passwords unequivocally suck, I disagree with your position that this paper is making the situation worse. As you stated in your summary, the paper bases their advice on the belief that users can’t be expected to follow the most basic advice of “choose unguessable passwords and don’t share them.” Guess what? Despite the fact that people have been harping on that for years, users still don’t follow that advice. Each of the data sets from a breach in recent history shows that people definitely are still choosing awful or otherwise easily guessable passwords.

      I feel that the aim of the paper was to gain additional recognition for the tiered password model, which provides at least minimal compartmentalization, which is still far better than the zero compartmentalization provided by users using the same password everywhere. There is a risk that some users who are following better advice might get the wrong idea and degrade their own practice, but I doubt that – if they were aware or clever enough to use differing passwords for each site, they’re likely not going to be swayed by one paper from Microsoft Research. The real issue here is not that the paper exists, as I believe the audience was intended to be people like you and me who are interested in security – people who advise others about safe, manageable practices to enhance their security. The larger issue is that security professionals still somehow believe that repeatedly harping on users about using complex passwords and not reusing them is going to somehow change their behavior. Users don’t do what we recommend unless it’s also easy, or unless they believe the consequences for not doing what we recommend are something they want to avoid, and the cost of avoiding the consequences doesn’t exceed the cost of the consequences themselves (check out “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users”). Using unique, complex passwords isn’t easy.

      Using a password manager makes it easier to manage a set of complex, unique passwords, but I wouldn’t say it makes it easy. Do you know how I know that saying “use a password manager” over and over again doesn’t solve the problem? It’s because people already tried that, and the problem still isn’t solved.

      I use a password manager, and I don’t recommend it to my family because I still have yet to find one that is completely seamless, especially in our mobile world where even my least-technically-savvy family members and friends often have multiple devices that they use that need to synchronize these sorts of things. LastPass is good, maybe even great, but it’s still far from grandma-proof. My family members don’t currently call me about passwords, and they also don’t regularly have account compromises. I am willing to bet that if I started recommending PasswordSafe or LastPass or OnePassword or KeePass, my “call volume” would increase, which I don’t have time for. Can I send their calls to you?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice