As the Internet has matured, users find they are asked to create, remember and use ever longer lists of passwords—all unique, strong and never to be reused—resulting in ungainly lists, or in people simply ignoring all the advice about security. Now, a combined team of researchers from Microsoft and Carleton University has come up with what they believe is a sound strategy for managing online user passwords: reuse simple passwords across accounts that aren't that valuable, and use unique, more sophisticated ones for accounts that are.
The researchers have done a lot of math to come up with what appears to be a simple strategy, one that balances security risk against the ability of people to remember difficult-to-remember passwords and use them when needed.
The strategy reveals something else too—that most of us don't really need an individual password for every site we visit. After all, what will it matter if someone discovers your login and password to a site you don't even pay for? Of course, that assumes you don't use the same password for your bank account or PayPal. And that's the gist of what the researchers have found. They suggest it doesn't really make much sense to try to remember a bunch of passwords for accounts that have little real value. But it does for those that do.
What if, they wonder, users began using just one password for pretty much every site they visit, except those that hold real value, e.g. bank and credit card accounts? If someone manages to find out your password, the worst they can do is log onto a site as you—granted, for some that might be problematic if the hacker starts posting to your Facebook account making threats against the president, or something equally horrible.
For that reason, the researchers propose a group of short lists instead: one password for all your email accounts, for example, another for your social media, and so on. Bank accounts and the like would still each get their own. In this scenario, individuals would be at limited risk while maintaining a relatively small number of passwords—a scheme that would clearly be better than simply using "123456" or "password" for all accounts, which research has shown many have resorted to as a coping mechanism.
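To make the trade-off concrete, here is an added toy model (not code from the article or from the paper) comparing three strategies: a unique password per account, one password shared everywhere, and the portfolio scheme described above (unique passwords for high-value accounts, one shared password per category for the rest). The account list, its values and leak probabilities are constructed for illustration, as is the assumption that a leaked shared password exposes every account in its group.

```python
"""Toy model of the password-portfolio trade-off: secrets to remember versus
expected loss when a shared password leaks. Simplified model for illustration;
it is not the paper's own formulation."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Account:
    name: str
    category: str      # e.g. "finance", "email", "social", "forum"
    value: float       # assumed loss if this account is compromised
    leak_prob: float   # assumed probability the site leaks its password per year


# Constructed sample portfolio; values and probabilities are illustrative only.
ACCOUNTS = [
    Account("bank", "finance", 10_000, 0.01),
    Account("card", "finance", 5_000, 0.01),
    Account("email_work", "email", 2_000, 0.02),
    Account("email_personal", "email", 1_000, 0.02),
    Account("facebook", "social", 300, 0.05),
    Account("twitter", "social", 100, 0.05),
    Account("forum_a", "forum", 10, 0.10),
    Account("forum_b", "forum", 10, 0.10),
]


def assign_unique(accounts):
    return {a.name: a.name for a in accounts}


def assign_single(accounts):
    return {a.name: "shared" for a in accounts}


def assign_portfolio(accounts, threshold):
    """Accounts worth at least `threshold` get their own password;
    everything else shares one password per category."""
    return {a.name: a.name if a.value >= threshold else f"group:{a.category}"
            for a in accounts}


def evaluate(accounts, assignment):
    """Return (passwords to remember, expected loss). Assumes that when any site
    in a group leaks, the shared password is reused against every account in
    that group, so the whole group's value is lost."""
    groups = {}
    for a in accounts:
        groups.setdefault(assignment[a.name], []).append(a)
    loss = 0.0
    for members in groups.values():
        p_any_leak = 1 - prod(1 - a.leak_prob for a in members)
        loss += p_any_leak * sum(a.value for a in members)
    return len(groups), loss
```

Running `evaluate` over the three assignments shows the portfolio needs 5 passwords instead of 8 while keeping expected loss close to the all-unique case, whereas a single shared password drives the loss up by more than an order of magnitude.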
More information: "Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts" (PDF): research.microsoft.com/pubs/217510/passwordPortfolios.pdf