Is Using The Same Password For Everything Really That Bad?

By Vikki Chowney

Believe it or not, ‘Hackers’ is my inspiration for today’s post (after watching it for possibly the millionth time on Saturday night). Just after Fisher Stevens had chastised Lorraine Bracco’s character for using one of the four most commonly used passwords, I started thinking about the likelihood of that information actually being true.

Unsurprisingly, the passwords quoted - god, love, secret and sex - were inaccurate. And yes, the film was released in 1995 so it’s dated, but back then the same would have been true. I’m not just being cynical either: technical consultant Eric Corley agrees – and he was the one that advised the filmmakers on hacker ‘subculture’ in the first place.

But back to the point, I’m always curious about the reliability of these ‘most used’ lists. The most common method of creation is to use an aggregate sample of passwords – but how has the data been sourced? Has someone simply polled a group of people, and asked them to hand over information about old logins? Well, that in itself would mean the results would be obsolete, as they would no longer be in use.

If the sample had been asked for current passwords, how many people do you think are likely to give out current, active data? I guess the most sensible way would be for one of the big email players to set up an opt-in list, and review lists of passwords separately – with no associated address or user data attached. After all, we all know that a password out of context is useless, so there wouldn’t be any privacy issues.

This all probably stems from a survey I once took part in, focussed on just this topic. I was asked to review a list of about 100 key words/phrases, and highlight whether I’d ever used one of them. Astonishingly, none of my past or present passwords appeared on the list. But imagine that they had hit the jackpot and a small group of people had made the same choice. That would mean that that particular word or phrase automatically becomes the ‘most used’, regardless of whether it’s truly representative. There could have been a larger percentage of people using a password that wasn’t on the list.

All this goes toward my thinking that you just can’t create a definitive list of ‘most used’ passwords. It’s an impossible task, much like saying: ‘we’re going to collate a league of the most used phrases in the English language’. You could talk to 1,000 people and come up with a top ten, but it’s simply not exhaustive enough. The same goes for passwords.

And on the ‘most commonly used’ note, I basically use the same password for all of my accounts. It’s just easier. But is that a bad thing? I think it’s pretty common practice, but does this have an effect on my likelihood of being targeted by fraudsters? I decided to talk to a man who knows a lot more about security than I do, and called Dave Stanley from Proofpoint. Even though his game is email security, he’s been working in this space for a long time.

Lo and behold, after a quick chat, we were in agreement that nowadays a large number of people are almost forced into using a single, easy-to-remember password. So I’m not alone. There will always be savvy people who have more complex passwords to protect high value data. But when you need a password for every service imaginable, there are many more people who just can’t remember multiple login details and opt for a solitary version.

Everyone is aware that security is an issue, but doesn’t always take it seriously. Dave pointed out that at any time you could probably walk into your friend’s house, turn their computer on and talk to their contacts as them on IM, auto-login to email or cause general havoc. Now, I’m fairly sure none of my friends would want to do that to me, but it’s certainly a good example of how blasé we can all be.

I think the bottom line is that having a single password for multiple accounts doesn’t make you more of a target – but it puts you at a greater risk should it be discovered. It’s part of the reason I don’t trust single login systems. They are certainly easier, but if your password is compromised, it’s tantamount to losing your wallet. Everything is gone in one swift hit.

A final little tip courtesy of Dave: he suggests that a really easy way to protect yourself is to choose an alphabetical password, and replace the vowels with numbers. This way, you can create multiple variations for different sites, but all based on a single theme. And happily, that gets around the annoying ‘you must include at least one number’ catch that’s included in so many sign ups today.


POSTED IN: TECH
Mon, 18 Aug 2008 16:00 (GMT+00)
4 Responses
1.

It's good to hear that I'm not inviting trouble by using pretty much the same password for everything. I was wary about doing it at first, but there was just NO WAY I was going to remember a different password for every single login I have. I felt like if I came up with something that would be pretty hard to figure out in the first place I'd be okay. Official sigh of relief breathed.

Also...Hackers is absolutely brilliant in its cheesiness! Hooray for Fisher Stevens on a skateboard!!!

rosina rubylips
Mon, 18-Aug-2008 18:01 GMT
2.

Running a few websites, you learn a few things... for example that literally thousands of people will have the password "password" or "qwerty" or "123456" or "arsenal". The other common one is their last name, or their boyfriend's name.

The other scary thing is the amount of sites that don't encrypt their passwords... that basically means the site owners can see your password. But the real kicker is if you supplied an email, and you use the same password for both, they can just log right in to your email, and once they have access to your email, they can request passwords for other sites and have them sent to the email account that they have access to.

A good test to see if a site uses encryption: say you forgot your password and request it. If they reset it and send you a new one, chances are it's probably safe; if they just send the old one by email (also a bad idea) they most certainly don't encrypt it, and it can be seen by anyone who has access to the database.

Number one rule: look after your email password!

PS: on this site we encrypt your passwords!

iain
Mon, 18-Aug-2008 20:47 GMT
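The two storage patterns iain's comment contrasts, and the "forgot password" tell that distinguishes them, as an added example that is not code from the post or from any site the commenters run. It assumes the class and function names below, a PBKDF2 work factor chosen for illustration, and constructed sample accounts; a site holding the raw password can email it straight back (so anyone with database access can read it), while a site holding a salted slow hash can only issue a random reset token. The last function shows the point of the post itself: one reused password that leaks from the weak site opens every account that shares it.

```python
# Added example, not from the post or its commenters: plaintext storage versus
# salted PBKDF2 storage, and why only the plaintext site can return your old
# password. Names, work factor and sample accounts are constructed for illustration.
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for the server you run on


class PlaintextStore:
    """The weak pattern: the database row holds the password itself."""

    def __init__(self):
        self._rows = {}

    def register(self, email, password):
        self._rows[email] = password

    def check(self, email, password):
        return self._rows.get(email) == password

    def forgot_password(self, email):
        # The old password is right there, so it can be emailed back, which
        # also means anyone who can read the table can read it.
        return {"action": "emailed_old_password", "password": self._rows[email]}


class HashedStore:
    """The sound pattern: per-user random salt plus a slow hash; password is not recoverable."""

    def __init__(self):
        self._rows = {}
        self._reset_tokens = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, email, password):
        salt = os.urandom(16)
        self._rows[email] = (salt, self._hash(password, salt))

    def check(self, email, password):
        row = self._rows.get(email)
        if row is None:
            return False
        salt, stored = row
        # Constant-time comparison so timing does not leak how much of the hash matched.
        return hmac.compare_digest(stored, self._hash(password, salt))

    def forgot_password(self, email):
        # The old password cannot be recovered from the hash, so the only
        # option is a single-use random token that lets the user set a new one.
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = email
        return {"action": "emailed_reset_link", "token": token}

    def complete_reset(self, token, new_password):
        email = self._reset_tokens.pop(token, None)  # token is consumed on first use
        if email is None:
            return False
        self.register(email, new_password)
        return True


def reuse_blast_radius(stores, email, password):
    """How many of the given sites one leaked email/password pair unlocks."""
    return sum(1 for store in stores if store.check(email, password))


if __name__ == "__main__":
    # Constructed scenario: the same password reused at a plaintext site and a hashed site.
    weak_site, good_site = PlaintextStore(), HashedStore()
    for site in (weak_site, good_site):
        site.register("user@example.invalid", "qwerty")
    print(weak_site.forgot_password("user@example.invalid"))   # hands the password back
    print(good_site.forgot_password("user@example.invalid"))   # only a reset token
    print(reuse_blast_radius([weak_site, good_site], "user@example.invalid", "qwerty"))
```

The `forgot_password` return values are the observable difference iain describes: a reset link means the site could not retrieve your password, while the password itself in the email means it is stored readable. The `reuse_blast_radius` count is what grows every time the same password is registered at one more site.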
3.

I LOVE Hackers! I have the biggest crush on Johnny Lee Miller in that red PVC outfit that Angelina Jolie makes him wear. A true classic...

Jane
Tue, 19-Aug-2008 09:23 GMT
4.

Thanks guys. I also think that neglecting to sign out when on a publicly shared computer is a classic mistake as well. There are so many times I've logged on in an Internet cafe, and been faced with someone else's hotmail account etc. Scary.

And just to reiterate, Fisher Stevens...total legend! ;)

Vikki
Tue, 19-Aug-2008 19:05 GMT
