Microsoft suggests new approach for users to manage web passwords

Jul 18, 2014 by Bob Yirka weblog
Credit: Wikipedia.

As the Internet has matured users find they are asked to create, remember and use longer and longer lists of passwords—all unique, strong and never to be used again—resulting in ungainly lists, or people simply ignoring all the advice about security. Now, a combined team of researchers from Microsoft and Carleton University has come up with what they believe is a sound strategy for managing online user passwords: use simple passwords repeatedly for accounts that aren't that valuable and more sophisticated ones non-repeatedly for accounts that are.

The researchers have done a lot of math to come up with what appears to be a simple strategy, one that balances security risk against the ability of people to remember difficult-to-remember passwords and use them when needed.

The strategy reveals something else too—that most of us don't really need an individual password for every site we visit. After all, what will it matter if someone discovers your login and password to site you don't even pay for? Of course that assumes you don't use the same password for your bank account or PayPal. And that's the gist of what the researchers have found. They suggest it doesn't really make much sense to try to remember a bunch of passwords for accounts that have little real value. But it does for those that do.

What if, they wonder, users began using just one password for pretty much every site they visit, except those that hold real value, e.g. bank, . If someone manages to find out your password, the worst they can do is log onto a site as you—granted, for some that might be problematic if the hacker starts posting to your Facebook account making threats against the president, or something equally horrible.

For that reason, the researchers propose a group of short lists, one for all your email for example, another for your social media, and on and on—it might be the best option. Bank accounts and such would still each get their own. In this scenario, individuals would be at limited risk, all while maintaining a relatively small number of —a scheme that would clearly be better than simply using "123456" or "password" for all accounts, as research has shown many have resorted to using as a coping mechanism.

Explore further: Four steps to a simpler, safer password system

More information: Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts, PDF: research.microsoft.com/pubs/21… sswordPortfolios.pdf

add to favorites email to friend print save as pdf

Related Stories

Recommended for you

Saving lots of computing capacity with a new algorithm

Oct 29, 2014

The control of modern infrastructure such as intelligent power grids needs lots of computing capacity. Scientists of the Interdisciplinary Centre for Security, Reliability and Trust (SnT) at the University of Luxembourg have ...

User comments : 10

Adjust slider to filter visible comments by rank

Display comments: newest first

adam_russell_9615
4.9 / 5 (8) Jul 18, 2014
Ive used that strat for years. If someone hacks my posting account at washingtonpost.com so what?
Dr_toad
Jul 18, 2014
This comment has been removed by a moderator.
Whydening Gyre
5 / 5 (7) Jul 18, 2014
Seems common sense enough. But one thing we need remember - common sense isn't all that common...
That a "reminder" such as this is posted on a science news site does seems a little awkward, though...
antialias_physorg
5 / 5 (4) Jul 18, 2014
After all, what will it matter if someone discovers your login and password to site you don't even pay for?

Here's what happens: They use the login/password on an automated list of all online sites to try and get in. That way they have a perfect entry point for their spambots (which would fail automated registry attempts due to captchas, etc.)

Don't reuse passwords. Even for sites that "don't matter". Use a simple, personal mnemonic to alter your password for low value sites (e.g. have a constant, hard part like hG&/_!fúm8 and add the third and fourth letters of the site name at the end.)
Pattern_chaser
3 / 5 (2) Jul 18, 2014
What about Password Safe --- http://passwordsa...rge.net/ --- and similar utilities?
rp142
1 / 5 (1) Jul 18, 2014
An approach based on risk management and keep track of where an individual password is used is news? Today, more people have grown up with a basic understanding of why their passwords are important and the most of the rest have been educated repeatedly in password security. Much of the world has used PINs on their credit cards for 10+ yrs (20+ yrs?). There have been frequent warnings from many sources of the dangers of using one password across many sites.

Smart phones with password management applications allow us to have a long list of hard to remember passwords, stored securely encrypted, in our pockets. There really are no excuses now for not having unique and not easily guessed passwords.
trylogic
2.3 / 5 (3) Jul 19, 2014
A combined scientific effort by Microsoft and Carleton University… WOW
Captain Stumpy
3.7 / 5 (3) Jul 19, 2014
Seems common sense enough. But one thing we need remember - common sense isn't all that common...
That a "reminder" such as this is posted on a science news site does seems a little awkward, though...
@W Gyre
well, you are right about common sense not being common... but there is more.

you would be shocked at how phenomenally stupid most computer users are. truly shocked!

some of the stories really aren't made up!

I've seen an old lady actually use the CD burner as a cup holder ...

I've seen people complain about lack of service and ability to use the computer when the power is out...
and so much more that is shockingly stupid (like throwing a keyboard into the dishwasher to wash the dust and coffee stains out... then wondering why it will not work)

then you have people like the NOOclear engineer beni-haha who can't tell the difference between site contact links, PM's, e-mails, and administrative messages to your log-in...

it takes all kinds. and most are scary ignorant
DoieaS
2 / 5 (2) Jul 19, 2014
use simple passwords repeatedly for accounts that aren't that valuable and more sophisticated ones non-repeatedly for accounts that are. The researchers have done a lot of math
I dunno, what these people are all about, but they apparently think, the people who are paying such a "research" are complete idiots.
Captain Stumpy
3.7 / 5 (3) Jul 19, 2014
What about Password Safe --- http://passwordsa...rge.net/ --- and similar utilities?
@Pattern_chaser
do your homework and make sure you are getting a safe one.

Some are good, and some are not. For a person who has serious trouble remembering passwords, it can be a great thing. This is for AVERAGE users...

IF you are worried about being hacked and losing precious data... just remember that with a password safe, they only need to hack ONE password, not all of yours, and they can access your data...

Again, it depends on the user, the abilities of the user, your level of paranoia and/or security (you should NEVER use password safe's if you have sensitive or classified information stored- like national security, government jobs or R&D with high corporate espionage levels)

My wife needs a password safe. I don't I use methods like AA_P (antialias_physorg) above...

nsgaga
not rated yet Jul 19, 2014
I was expecting something like a..."solution" ?
Dr_toad
Jul 19, 2014
This comment has been removed by a moderator.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.