75 Percent of Individuals Use Same Password for Social Networking and Email - securls
http://www.securityweek.com/study-reveals-75-percent-individuals-use-same-password-social-networking-and-email

======
aptimpropriety
Isn't email the only password that 'really' matters?

Barring super-secure sites like banks, if you have the email password, you
have every 'forgot my password' link available - which will typically either
let you reset the password, locking the user out, or even send you the
password itself!

This fact made me stop caring too much about varying individual 'random site'
passwords - I just make sure to use a unique one for my email.

~~~
someone_here
Email passwords matter more, but it's not the only one. If you use the same
password for a random forum as you do for Facebook, that could still get you
in a fair amount of (social) trouble.

------
lee
My method of "remembering" passwords, yet not using the same password for
everything, is that I created a simple hash function which I can compute in my
head.

I take the name of the website I'm visiting as the input for the hash.

Probably not the safest method of creating passwords, but it's practical in
that I get a unique password per site... and I access my list of unique
passwords anywhere I go.

~~~
jacquesm
Sounds risky. After all there is at least one website where they now know that
strategy and have access to your password for that site.

~~~
lee
It's not perfect.

But given a seemingly random string of characters, is it easy to deduce the
exact hash function that I use?

~~~
jacquesm
I don't know, let's have some examples ;)

------
jaxn
"Additionally, the study revealed that 87 percent of email IDs, user names,
and passwords gathered from various sources were still active."

That is a pretty strong case of using an OAuth account that can show you
everything that is authorized. I have no idea how many old "jaxn" accounts
from the Web2.0 phase are active and forgotten.

I would imagine that 75% figure is pretty close to the percentage of people
who use the same password for pretty much everything. I would also imagine
that at least 75% of HNers are in the other 25%.

------
NathanKP
I don't use the same password for every website, but I do use slight
permutations. (For example, adding extra numbers or letters onto the end of a
longer random letter and number root password that I have memorized.)

Of course this is probably not the best technique, but it's probably secure
enough. In addition, I do use alternate passwords for sites that I don't
trust. So, for example, I would never use a permutation of my email password
for a random site on the internet.

~~~
jaxn
I take a slightly different approach. I use the permutation method for most
websites, but then I have long, random, and unique passwords for the key stuff
like banking, primary email, and servers.

------
Legion
KeePassX + Dropbox = no more need to remember passwords.

Although KeePass is annoyingly fussy about concurrent access to the database.
I should investigate if there are other options that also will work across
Linux, Mac, iOS, Android, and Windows.

~~~
maukdaddy
1Password just announced a Windows version to complement their existing,
amazing Mac program. They also have iPhone/iPad versions. Doesn't help you
with Linux though.

<http://agilewebsolutions.com/products/1Password>

------
yardie
I use a system of increasingly difficult and unique passwords.

Level 1: Social networks, forums, etc. simple 8 character alphanumeric.

Level 2: iTunes, ebay, amazon. Longer alphanumeric with variations unique to
each site.

Level 3: Paypal, email, banking. Longer alphanumeric + special characters and
completely unique for each site.

Others: Some sites, like my ISP and bank send the password only by snail mail
(I had to change my password once for DSL. It was not pretty). This goes into
a lockbox.

I'm looking into applications like 1Password.

------
indy
I use <http://supergenpass.com/> which generates a password by hashing a
single password with the website's domain name (and since it's all in
JavaScript you can host the code from your own domain).

~~~
roofone
Pwdhash is another option. There's a firefox plugin for it that I use.
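
The scheme indy and roofone describe (one master secret, hashed together with the site's domain) can be shown in a few lines. The block below is an added example, not SuperGenPass's or PwdHash's own code or algorithm; it assumes PBKDF2-HMAC-SHA256 with the normalized domain as salt, and adds an assumed `generation` counter so one site's password can be rotated without changing the master, which a purely stateless scheme cannot do.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def normalize_domain(site: str) -> str:
    """Reduce a URL or bare host name to a stable lookup key.

    'Example.com', 'www.example.com' and 'https://www.example.com/login'
    must all yield the same key, otherwise the user silently gets a
    different password for what is really one account.
    """
    # urlsplit() only recognises a host when the string has a scheme or '//'.
    parsed = urlsplit(site if "://" in site else "//" + site)
    host = (parsed.hostname or "").lower()  # .hostname drops port and userinfo
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError(f"no host name in {site!r}")
    return host


def derive_site_password(master: str, site: str, length: int = 20,
                         generation: int = 0, iterations: int = 200_000) -> str:
    """Derive a per-site password from one master secret and the site's domain.

    Assumed scheme for this example: PBKDF2-HMAC-SHA256, salted with the
    domain plus a generation counter.  Every site gets an unrelated-looking
    password, and the slow KDF makes recovering the master from one leaked
    site password expensive.  Bumping `generation` rotates a single site's
    password while the master stays the same.
    """
    if not 12 <= length <= 43:
        raise ValueError("length must be between 12 and 43 characters")
    if generation < 0:
        raise ValueError("generation must be non-negative")
    salt = f"{normalize_domain(site)}#{generation}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=32)
    # URL-safe base64 of 32 bytes is 43 characters once padding is stripped.
    return base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed master secret and sites, for demonstration only.
    master = "correct horse battery staple"
    for site in ("https://www.Example.com/login", "example.com",
                 "news.ycombinator.com"):
        print(f"{normalize_domain(site):>22}  {derive_site_password(master, site)}")
```

The design trade-off is the one the thread circles around: the master secret becomes the single thing worth stealing, and because the derivation is deterministic there is no stored list to lose, but also nothing to rotate unless a counter like `generation` is part of the salt.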

------
Niten
Just throwing the solutions I've found onto the suggestion heap... I prefer to
keep all my passwords in an encrypted flat text file, for one thing because I
keep more than web site passwords in there, so web-specific password managers
don't meet all my needs.

If you're an Emacs user, as of version 23 or so GNU Emacs can transparently
read and write GnuPG-encrypted .txt.gpg (or .org.gpg, or...) files. Not that
there aren't plenty other ways to save encrypted text, but it's nice to have
something that's integrated into the program you spend half your time in
anyway...

If you use Windows but not Emacs, Steganos LockNote is a free, minimalist
program offering symmetric AES encryption — it's a standalone .exe containing
both the program and your data, so you just double-click on the .exe
"document" to open your encrypted file in a Notepad-like interface. I doubt it
has been vetted to the extent that GnuPG has, but it's surely enough to keep
your average laptop thief from getting all your passwords.

------
darrikmazey
I use a unique generated password for every instance. Then I store these
passwords in yaml files on an encrypted partition on my hard drive that is
unlocked by a keyfile on a usb stick. I wrote a little script that searches
these yaml files and automatically copies the password found for a given key
(usually a site nickname, like "hn") to the clipboard, so I can just paste it
in. This is both convenient and allows me to use a unique, strong password for
every site and service I use.
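
A lookup-and-copy helper of the kind darrikmazey describes, written as an added example rather than his script. It assumes a small two-level "nickname / field: value" subset of YAML (parsed by hand so it needs no PyYAML), a constructed sample store, and one of `pbcopy`, `wl-copy` or `xclip` for the clipboard; it also clears the clipboard after a timeout, since a password left there is readable by anything that runs later.

```python
import re
import shutil
import subprocess
import sys
import threading
from typing import Dict, Optional

# Constructed sample store in the subset the parser understands; not real data.
SAMPLE_STORE = """\
# password store (constructed example)
hn:
  user: darrik
  password: 7Qm!v3Lx-pR9w#zT
mail:
  user: darrik@example.invalid
  password: Kf2$hN8q@Wc4^bYe
"""

_TOP = re.compile(r"^([A-Za-z0-9_.-]+):\s*$")        # "hn:"
_FIELD = re.compile(r"^\s+([A-Za-z0-9_.-]+):\s*(.+?)\s*$")  # "  password: ..."


def parse_store(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level subset into {nickname: {field: value}}.

    Anything outside that subset is rejected rather than guessed at, so a
    typo in the file cannot silently attach a password to the wrong entry.
    """
    store: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        m = _TOP.match(line)
        if m:
            current = m.group(1)
            if current in store:
                raise ValueError(f"line {lineno}: duplicate entry {current!r}")
            store[current] = {}
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            store[current][m.group(1)] = m.group(2)
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return store


def lookup_password(store: Dict[str, Dict[str, str]], nickname: str,
                    field: str = "password") -> Optional[str]:
    """Return the requested field for a nickname, or None if absent."""
    entry = store.get(nickname)
    return None if entry is None else entry.get(field)


def copy_to_clipboard(text: str, clear_after: float = 30.0) -> bool:
    """Copy text with the first available clipboard tool; clear it later.

    Returns False when no tool is installed.  The timer thread is deliberately
    non-daemon so a short-lived script stays alive long enough to wipe the
    clipboard instead of leaving the password behind.
    """
    for cmd in (["pbcopy"], ["wl-copy"], ["xclip", "-selection", "clipboard"]):
        if shutil.which(cmd[0]):
            subprocess.run(cmd, input=text.encode("utf-8"), check=True)
            if text and clear_after > 0:
                threading.Timer(clear_after, copy_to_clipboard, args=("", 0)).start()
            return True
    return False


if __name__ == "__main__":
    # Usage: python pw.py hn   (reads the constructed sample store above)
    nickname = sys.argv[1] if len(sys.argv) > 1 else "hn"
    secret = lookup_password(parse_store(SAMPLE_STORE), nickname)
    if secret is None:
        sys.exit(f"no password stored for {nickname!r}")
    if copy_to_clipboard(secret):
        print(f"password for {nickname!r} copied; clipboard clears in 30 s")
    else:
        sys.exit("no clipboard tool found (pbcopy, wl-copy or xclip)")
```

In real use the store would be read from the encrypted partition rather than a string constant; the parser and the clear-after-timeout are the parts worth keeping.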

------
edanm
I'm not surprised; I used to do the same.

A few months ago I started using KeePass for storing _everything_, and it's
worked out really well for me (I wrote a post about it, plus some tips n'
tricks, here: <http://www.loopycode.com/solving-sign-up-anxiety/>.)

~~~
Gormo
A nice side-benefit of KeePass is that it enables you to use randomly-
generated answers to mandatory "security" questions.

I can put a 32-character alphanumeric string as my answer to "what is your
mother's maiden name?" or "what city were you born in?" and store the answers
in the KeePass entry.

The only downside is that since I also create a unique email address for
everything, it can become a bit tedious to sign up for a new service and
generate the email address and password.

------
jpdbaugh
If you use a Mac...

<http://agilewebsolutions.com/products/1Password>

Absolutely fantastic.

------
pclark
I use the same password for everything - just me?

~~~
michael_dorfman
Definitely not just you-- that's the point of the article.

Most people aren't aware of the dangers, though. Are you?

~~~
pclark
yea. password managers suck though. and remembering numerous passwords is
really hard.

~~~
jaxn
Hence the suggestions for passwords that are a variation on a theme:

    PclarkYcombinator123$%^
    PclarkGmail123$%^

~~~
TimMontague
The problem with that approach is that once someone figures out 1 of your
passwords "PclarkUnsecureWebsite123$%^", it becomes easy for them to guess
"PclarkGmail123$%^".

~~~
jaxn
Yes, but that is if someone is looking at it. It is not easy for them to
script if they stole a database of accounts and passwords.

I am under the impression direct, targeted attacks are pretty rare, and that
most of the purpose of a password is to prevent wide-spread automated attacks.

------
ndimopoulos
I am not surprised the least about this article.

There are ample examples on the Internet on how hackers manage to exploit one
vulnerability, obtain a password, and then cause all sorts of damage since
people tend to use the same password almost everywhere.

Getting someone's information and exploiting it has become so easy with social
networking, it is frightening. This article <http://l.niden.net/identitytheft>
demonstrates how someone can use your social circle to steal your identity. It
is definitely not a far-fetched story - it is reality and most people seem to
ignore it.

Let us not forget the debacle of Rock You
(<http://l.niden.net/rockyou-cleartextpasswords>) where they were storing
passwords in clear text. Once the
hacker got in, he had everyone's password for that service and for many others
I'm sure.

I would be very interested to see what is the percentage of Facebook users
that use passwords like: 'password', '123456', 'letmein' etc. I know my
brother-in-law was one of them....

I wonder if any people from that 75% have heard of services like LastPass?
(<http://lastpass.com>).

