The Rationality Of Re-Using Passwords

Internet security vendor BitDefender recently published the results of a study that found, unsurprisingly, that “75 percent of social networking username and password samples collected online were identical to those used for email accounts.” The SecurityWeek story reporting on the BitDefender study also noted that the report “advised users to be extra careful while creating passwords for social networking and email accounts and avoid using the same password just for the sake of convenience.”

The key word here is convenience. From the perspective of most consumers (and many enterprise employees), re-using the same password produces the most economic utility. This is the “Poor Man’s Single Sign-On” strategy (PM-SSO). It costs nothing to implement, requires the user to learn no new technologies or change habits, and is a relatively error-free operation. Moreover, the downside risks, as the user perceives them, are low. With respect to identity theft, for example, most credit card issuers will refund your money if they determine your identity was stolen online. So speaking rationally, why wouldn’t you do this instead of fooling around with CardSpace, Norton Identity Safe, OAuth, OpenID, Facebook Connect or any number of enterprise SSO tools? Exactly.
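The BitDefender statistic quoted above is the kind of measurement a security team can run over its own exposure data: take a set of credentials grouped by the e-mail address they belong to and ask how many of the non-e-mail accounts carry the e-mail account’s password. The script below, an added example that is not from the original post or from the BitDefender study, does exactly that over a small constructed sample. It also counts “trivial variants” (same password with a different case or a changed trailing run of digits and punctuation), because an audit that only counts exact matches understates how much PM-SSO is really going on. The record layout, service names and the normalization rule are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of leaked credentials: (account e-mail, service, password).
# These are made-up records for the example, not data from any real study or breach.
SAMPLE_RECORDS = [
    ("alice@example.com", "email",    "Summer2010"),
    ("alice@example.com", "facebook", "Summer2010"),           # exact reuse
    ("alice@example.com", "twitter",  "Summer2010!"),          # trivial variant
    ("bob@example.com",   "email",    "correct horse battery"),
    ("bob@example.com",   "facebook", "qX7#mL2pWv9z"),         # unique, manager-generated
    ("carol@example.com", "facebook", "carol123"),             # no e-mail baseline to compare
]

# Trailing digits, underscores and punctuation: the usual "make it different" mutation.
_VARIANT_SUFFIX = re.compile(r"[\W\d_]+$")


def normalize(password):
    """Collapse case and a trailing run of digits/punctuation so that
    'Summer2010', 'summer2011' and 'Summer2010!' compare equal."""
    return _VARIANT_SUFFIX.sub("", password.lower())


def audit_reuse(records, baseline_service="email"):
    """Compare every non-baseline account to the same person's baseline
    (e-mail) password. Returns how many accounts were compared, how many
    reuse the baseline password exactly, and how many are trivial variants.
    Persons with no baseline record are skipped rather than guessed at."""
    by_email = defaultdict(dict)
    for email, service, password in records:
        by_email[email][service] = password   # last record per (email, service) wins

    compared = exact = variant = 0
    for services in by_email.values():
        base = services.get(baseline_service)
        if base is None:
            continue
        for service, password in services.items():
            if service == baseline_service:
                continue
            compared += 1
            if password == base:
                exact += 1
            elif normalize(password) == normalize(base):
                variant += 1
    return {"compared": compared, "exact": exact, "variant": variant}


def reuse_rate(records, include_variants=False):
    """Fraction of compared accounts that reuse the e-mail password,
    optionally counting trivial variants as reuse."""
    counts = audit_reuse(records)
    if counts["compared"] == 0:
        return 0.0
    hits = counts["exact"] + (counts["variant"] if include_variants else 0)
    return hits / counts["compared"]


if __name__ == "__main__":
    print(audit_reuse(SAMPLE_RECORDS))
    print("exact reuse: {:.0%}".format(reuse_rate(SAMPLE_RECORDS)))
    print("exact or variant: {:.0%}".format(reuse_rate(SAMPLE_RECORDS, include_variants=True)))
```

On the constructed sample the exact-match rate is one third, but counting variants it is two thirds: the difference is the population that believes appending “!” to the e-mail password is not reuse. Whichever rate you report, state which definition you used, because the two answer different questions about how far a single compromised e-mail password travels.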

Of course, from the security practitioner’s viewpoint, this is a rotten idea. It is insecure! It exposes you to risks! And it places you at the mercy of identity thieves, scammers and those nasty people that BitDefender (not to mention Mr. McAfee and Mr. Norton) has been talking about for years. Plus it is just not the right thing to do! ...somehow.

Facetiousness aside, as a student of security I agree that re-using passwords is a bad idea. I do not follow the PM-SSO strategy myself, because I am paranoid. I use a tool called 1Password, which generates unique passwords for each website and keeps them in a vault protected by my machine password. It integrates nicely into my desktop computer’s browser. I consider it a feature that I don’t actually know any of the passwords to the 200+ sites I belong to. The downside is that 1Password requires a little bit of setup for each website, and a whole lot of discipline. It also prevents me from logging into websites on my mobile phone, because I cannot share the 1Password database with the native browser on the device. But these are minor quibbles; on the whole, it works very well and helps me sleep at night.

But not everyone is paranoid, or a dork. Most people want to do the easy thing. That is why Poor Man’s Single-Sign-On is such an appealing strategy, in spite of the plaintive warnings from practitioners and security vendors that it is unsafe, ill-advised or the very opposite of a “best practice.”

Two things need to happen for this picture to change. First, the security industry needs to invent easier-to-use, lower-friction alternatives to re-using passwords. And no, CardSpace is not it. Neither is 1Password: although I like it a lot, it isn’t for everyone. Second, the true economic costs of PM-SSO need to be pushed back onto consumers and employers to make staying with the current strategy more painful. If they feel more pain, they will be motivated to change their behavior.

Because neither of these conditions looks likely to hold, I fearlessly forecast that passwords will continue to be the most popular (and most abused) authentication scheme for the foreseeable future. I have a bet riding on this: Jim Manico, Dave Aitel, Ed Bellis, Ivan Ristic and a few others have all taken positions on whether passwords will continue to be the dominant method of authentication. I think they will be. On January 21, 2020, we will check in and see how we did.

Comments

A way to generate unique passwords — and remember them

I used to employ a similar browser tool like the one you are describing here to manage my passwords. It did have its downsides, and a colleague of mine taught me a trick that I have now put to good use.

I have written a short blog post about it, check it out and leave a comment if you like:
http://ht.ly/2r1nK

Passwords will be around for a long time...

Andrew, I agree with your observation that passwords will remain a part of our lives for the foreseeable future. In a business context, there are advances being made with federated authorization and login approaches, but the vast majority of applications and securely accessed websites still use username / password to authenticate. When you pile on the fact that each website or application typically has its own password policy, things get extremely complicated for users. Here at Conformity, we've tried to pivot on the "user convenience" aspect but provide a solution that also meets the needs of business users. It also addresses the comment you made about having easy access to all your logins from anywhere... not just on your own local PC. Check out our ConformityConnect product at: http://bit.ly/aelYwr

history is...history

Interesting perspective. You did not mention built-in password cache convenience already found in most software such as browsers. You also did not mention proxy and password cache solutions offered on USB and other removable media. These alone would meet your criteria:

"costs nothing to implement, requires the user to learn no new technologies or change habits, and is a relatively error-free operation"

That seems to entirely deflate the problem as you describe it. A new problem emerges and I see a very different trend in user behavior than you, but then again maybe it is because I would not propose a phrase like "Poor Man's" to represent more than just poor men and I am looking at a broader (pun not intended) set of data.