The thousand-dollar penalty for reusing passwords

[Kathleen Atkins]

TOP STORY The thousand-dollar penalty for reusing passwords By Woody Leonhard You can find no end of advice on creating strong passwords, using clever tricks, stats, mnemonics, and such. But all too frequently we (and I include myself in this rebuke) tend to reuse little passwords at what we think are inconsequential sites. It's a big mistake — here's why. The full text of this column is posted at WindowsSecrets.com/top-story/the-thousand-dollar-penalty-for-reusing-passwords/ (opens in a new window/tab). Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

[chatman]

Surely his mistake here was to use his "low-risk" password for his email account. If he had a decent password for his email account he could use 12345678 for as many low-risk web sites as he wanted without getting his bank account hacked.

[DancingFool]

Yeah, the thing to stress here is not the password for the other, throwaway account. It's the email account problem. People treat email accounts way too casually, when these days they are the keys to your identity. This is even more so when web based email accounts these days encourage you to keep all your mail forever - just searching through them looking for join up messages, newsletters etc gives you a list of places to go to for password resets.

It's going to be much easier to convince people they should use a special, never repeated password on their email than to convince them to create different passwords for all the other places they go to, no matter how many tools there are to make it easy.

[Woody]

Surely his mistake here was to use his "low-risk" password for his email account. If he had a decent password for his email account he could use 12345678 for as many low-risk web sites as he wanted without getting his bank account hacked.

In this specific case, that's true. But the same principle applies to other kinds of sites - even ones that don't appear, at first glance, to be terribly important. Case in point: Twitter or Facebook accounts.

It's tough to tell, in advance, when a site is completely innocuous...

[Barc777]

I, for one, do use AI Roboform. However, there are some sites for which you want to actually know the password, and not have to rely on Roboform, which is not installed on your relative's PC when you're visiting them from out of town. I do trust some people not to have keystroke loggers on their machines. But Roboform's randomly generated passwords are not easily remembered. So you need something that's apparently random, but also actually able to be recalled. Those may be thin on the ground. Yes, I know. Initial letters (or something else, like 1st letter, 2nd letter, 3rd letter) of successive words in a sentence. The fun part is connecting the sentence with the site. Maybe a formulaic way of doing that, too....?

[encia]

Please, do I get it right - the password "Joe" used for the mail was the same as the password for the news-site?
If so, the problem is not media sites, but that one must keep e-mail account password on top level, of these reasons:
1. The described recovery of forgotten password on bank sites.
2. Also that among your mail there are many about health and other private matters for friends, family and yourself. Pictures that are very private from parties etc.
3. Mail is also have things that you do not want share, like if applied for other work etc.
4. Your address book may come in the hands of spam or fraud persons.
5. They can mail with youe account - and people may hold you responsible.
6. There is more, but think if they use that mail to open Facebook or other social network profiles in your name, publish some from your mail, even photos.

[Woody]

I, for one, do use AI Roboform.

Have you tried AI Roboform2Go? You can take your Roboform database with you on a USB drive. Very slick. http://www.roboform.com/platforms/usb

[Woody]

Please, do I get it right - the password "Joe" used for the mail was the same as the password for the news-site?

Yes, he used 12345678 as his email password as well. Which is why I disguised his name. And you're correct - email passwords need to be kept safe; they aren't throw-away passwords.

[qwertz]

Thanks for the article. I too was guilty of doing just as you said, using common passwords for "light" accounts and using my PassPack program account (www.passpack.com) for "heavy" accounts such as banking. Thanks for the "kick in the a_s"!

[DavidToronto]

I use LastPass as my password manager, but I don't let it provide me with random passwords, and I do use the same password at a number of low-security sites (not so much my email account). Here's why. Every once in a while, quite rarely, I find myself having to type in a password by hand. I'm not sure what the circumstances are, they're odd and unusual, but it does happen (sometimes, I think, it may happen after a re-design of a site). What would I do then with an unrememberable password? I suppose I could first go to my LastPass "vault" and search for the password, but that that vault is really not an easy thing to navigate. So I re-use passwords. Also, I'm not sure I can use LastPass on my mobile device; in fact, I don't think I want to, because it's so much more likely to be lost. Finally, what happens if LastPass goes out of business?

[RonReves]

An Amazing Thing Happened While Reading the Article. on the thousand dollar password.
I am reading the article about how Joe lost his shirt because he had a "poor" password process. when I got an email from Identity Guard, an internet security firm, offering to protect my children from ????? whatever evil lurks on the web. I am not sure how they got my email, but it was very strange that I opened WS, and a few moments later got an email from a firm I never heard of, nor I have knowingly ever opened their website. VERY STRANGE, did they just happen to find my email address at that moment, or did my address leak into their server from some "cloud" or did you sell my address?

Ok, I may have made a wrong assumption, I use GMAIL, and since I got the email about the password security, I have noticed a marked increase in sidebar ads concerning internet security. And I know that GMAIL sells email addresses.
My apology for jumping the gun,, and making unfounded accusations.
I have been a WS for many years and value the articles. Keep up the good work.

[OddOne]

KeePass on a USB flash drive works for me. I dropped a copy of the database onto my computers so that I can invoke it with comparative ease on machines I control, and for other machines the portable form is always on me.

Everything gets its own password (which is always 128+ bits of randomized printable characters), including sites I access on a daily basis, and I deliberately avoid trying to memorize anything but the primary access password to get into KeePass. This does pose an increased risk of getting locked out of places should the USB drive die, etc. but I have enough redundancy and multi-site backups of the password database (and backup copies of KeePass) that the risk is as negligible as the laws of probability and unintended consequences permit.

Short of using an individual's DNA, this is about as strong as password-based security is likely to get, IMO.

[jman037]

I recently downloaded and installed LastPass (because free beats paying for Roboform, which I can no longer pay for). The first gotcha was on setting a master password. When I put one in (generated off their website), the program immediately closed every browser window and cleared the Windows clipboard, preventing me from copying it to save on my system. The 2nd gotcha was when I tried to reset the master password from the website. This action FAILED because some plugin was not installed. What a minute... Did not the installation of the software run properly? (there were ZERO errors on completion of the installation). The 3rd gotcha was when I tried an alternate method to change the password - again failure. As per the support instructions, I cleared the browser cache and restarted my computer. Again, the password reset failed and again, it said "plugin not installed". I could not find this special plugin anywhere on the LastPass website. I tried reinstalling the software and still the process failed and for the same reason. I sent an email to their support. A couple minutes later I got a Delivery Status Notification - Failure. I had clicked on the email address provided by the website, but for some reason I could not contact their support. So I was alone with my issue. Out of frustration I went back to firefox and did something that you should NOT have to do - I searched mozilla for addons and specified LastPass. It found that plugin and installed it. The 4th gotcha is when I tried this process again - this time, although I had the plugin installed, I was informed that "this process will fail if you proceed". And indeed, it failed again. I again reinstalled the software and created a new account. This time I manually typed a password in for master password. A word of warning here - you MUST use 32 characters. Not more, not less (or THIS process will fail until you get the amount of characters correct). I made VERY certain this time to copy the password BEFORE clicking anything. As per the instructions about roboform, I downgraded from 7 to 6 and ran the export process they instructed. This saved an HTML file which I imported into lastpass. This worked fine. I then began to test various logons at random. At this point, the only issue I had was one time where it refused to autofill my entire google account name - it only filled in half even though the edit box showed the correct and complete logon name. Summary - even though this software (at the moment) seems to be functioning, I cannot suggest it to other people. The process is NOT user friendly and you get ZERO support.

[t8ntlikly]

Great column Woody. Makes one think a little. I too am guilty of using the same password on several non essential sites. However I do not use that same password for my e-mail account. That is just plain dumb. I also use a password generator Steganos Password Manager for ALL essential sites such as banking etc. I also don't use my primary e-mail address for those non essential sites. Works wonders too. I know that if I get an e-mail that came from someone promoting something that is addressed to me from one of the essential sites on my "throw away" account, it is spam.. No muss, no fuss....

[Scott Ewing]

Hey David, I use LastPass also and share your concerns. I do let LastPass generate unique long complex passwords for most web sites. What I do is copy those passwords into a password protected document on my local hard drive. I also use a long complex password for LastPass itself. That takes care of the worry about LastPass going out of business. On those rare occasions where LastPass does not autofill the password for me I still have to get the password from the LastPass vault or from my password protected document.