
Password Reuse - billswift
http://www.xkcd.com/792/
======
RiderOfGiraffes
<preamble> I initially posted this as a comment on a duplicate submission, not
realising it was a duplicate. So I've moved it here to the original. For some
reason someone down-voted it there - no idea why - so I hereby give them the
chance to down-vote it again, but ask for a reason.

</preamble>

Usually submitting XKCD is frowned on, but I'm pleased to see this one
submitted. This attack vector is so seldom recognised as a real potential
problem. It neatly explains the problem of password re-use.

As an aside, it's known that One-Time-Pad is provably secure. What's less well
known is that during WW2 OTP systems were occasionally broken, because in the
real world they ended up being Two-Time-Pads. People re-used a pad because
they didn't get a new pad in time, _etc._ This was going to be one of my
greybeard stories, but I'm still getting closer to the information source.

<http://news.ycombinator.com/item?id=1333934>

<http://news.ycombinator.com/item?id=996250>

<http://news.ycombinator.com/item?id=994358>

<http://news.ycombinator.com/item?id=1001262>

I really have to find time to go back and organise them properly.

------
taitems
This reminds me of the good old days of searching Limewire for "password .txt
.rtf .doc". It's incredible what folders and documents people would foolishly
share.

But the most important thing I learned is this: email account passwords are
worth their weight in gold! As soon as you have an email address and password,
you have access to a searchable list of logins and password confirmations.

This is even more worrying than the example the comic utilises. You still have
to (manually or automatically) go to these sites and guess the username (is it
bob101 or is it 101bob this time?) and try the various passwords. As soon as
you're into an email account you have quite the dangerous list. All of which
are confirmed and ready to go.

-- This is entirely a work of fiction, and in no way describes my teenage
years.

~~~
VMG
Also, most sites have a "forgot password?" link that works by sending you an
email. In this sense, the email password is the master password.

~~~
nodata
And the e-mail password is recoverable by guessing the answer to a weak
security question, so in a sense a weak security question answer is the master
password.

------
westi
A friend and I have considered a number of times setting up something like
<http://ismypasswordsecure.com> and just collecting passwords that way.

This is of course pure evil and we never figured a way in which it had a
return apart from publishing lists of common passwords.

~~~
AngryParsley
Instead of collecting the passwords, have the submission button show a page
about sane password practices. (Something similar to
<http://ismycreditcardstolen.com/>)

~~~
westi
I just wouldn't want to actively encourage anyone to enter their password in a
webpage like that.

We need to train people to behave more securely.

------
nostrademons
Actually, a company-wide Starcraft 2 tournament is more likely. Oh wait, we
just finished one of those last week. And then had HDStarcraft come and cast
the finals.

------
jasonkester
The fun part is that password complexity makes this problem _worse_ , not
better.

People use the same user/pass combo for every site they visit, except when one
of them forces them to use a complicated password that they can't remember. So
they send themselves an email with the site name, username and password so
that they can find it next time they need to log into their bank.

So once your registry cleaning website has their email password, you also have
a nice list of all their strong passwords too.

Adding to the irony, most people know that they need a different password for
their bank, so if you just let them pick one without forcing complexity,
they'll choose something they can remember, and their bank account will be
safe.

~~~
dstik
But letting them pick a password without forced complexity makes it
significantly easier to crack their password using one of the various,
comprehensive, easy to find and download wordlists or dictionaries.

~~~
jasonkester
In the real world though, passwords aren't cracked nearly as often as they're
read off a post-it note stuck to somebody's monitor.

Loosen complexity and you can eliminate that post-it. That's a huge overall
win.

Complexity in itself isn't actually that bad. It's _arbitrary_ complexity that
spawns all those post-its. You can come up with a strong password that you and
only you can remember, but it's useless if your bank rejects it due to its own
silly complexity policy. There are sites out there that I regularly fail to
log in with using my standard "strong" passwords, and it's not until I make it
all the way through the Reset Password process to where it tells me its
complexity requirement that I'm reminded which password I must have used last
time I went through the process.

The only real solution is to let people use the word "password" if they really
want. It's still orders of magnitude safer than having them keep a
file/email/post-it full of plain text passwords sitting around in plain view.

~~~
Deestan
Fully agree with the first post-it point, but I disagree with:

> The only real solution is to let people use the word "password" if they
> really want. It's still orders of magnitude safer than having them keep a
> file/email/post-it full of plain text passwords sitting around in plain
> view.

If I have "password" as password for my work webmail/remote login, it can be
broken by any yokel on the internet with five minutes free time. If I have
"ge.9u30!ey0" written on a post-it note on my desk, it can only be "cracked"
by people with physical access to my office.

Also note that people who have physical access to my office already have
security privileges similar to my own, mitigating the actual risk - they
can't do _much more_ damage with my password than they could without. And if
they wanted my private stuff, they could just as well nab my harddisk.

Not that I'm justifying passwords on post-its in any means whatsoever, by the
way. :-)

------
AndyKelley
I thought of this 9 years ago, and got stuck at the same step as the hat guy.
Once you have the login details, then what? The only thing you can really do
with the information is be a giant douchebag, and that's not cool.

~~~
tomjen3
Steal the accounts, use it to make money and blow it all on high class
escorts.

People claim money won't make them happy. That is because they buy the wrong
things...

~~~
Dove
Have you observed this purchase to actually cause happiness?

~~~
tomjen3
Not really - most people tend to end up in gaol.

------
forensic
I often wonder why this hasn't already happened on a massive scale.

I figure a bunch of Russian and Chinese hackers are skimming off cents at a
time or something because they don't want to kill their golden goose by being
too overt.

~~~
mfukar
Who says it hasn't?

------
albertzeyer
Well, exactly that is the reason why we should adopt something like OpenID. Of
course, if someone catches the password of your OpenID provider, you are also
fucked. But all OpenID consumers (i.e. any random site) will not get it that
way. Also, you can easily globally change your password for just everything if
you know that your old one has become insecure.

------
loewenskind
Why do people remember passwords? We've had browsers that can remember them
for you, password1, etc. for years now. I make up a new password for every
single site I have to log into and let the browser remember it.

~~~
KoZeN
Mainly because most people log into these sites from more than one computer.

It's imperative for me to recall all of my passwords as I need them both at
work and at home. Currently I am rotating between three different passwords
but this is an area I am becoming increasingly paranoid over.

~~~
billswift
If you have relatively few passwords, use Bruce Schneier's advice and write
them on a piece of paper that you keep in your wallet - safe and available.

~~~
malyk
Until you lose your wallet.

------
tommynazareth
Can anyone suggest a decent password manager that would have the advantages of
being cloud based without the risk of someone stealing my passwords?

~~~
brown9-2
PasswordSafe on a dropbox shared folder works great:
<http://passwordsafe.sourceforge.net/>

~~~
nodata
Can I ask how this works?

Is the binary stored at dropbox, or the data file? If you store the binary at
dropbox how can you be sure it hasn't been modified?

~~~
brown9-2
I store the data file on dropbox, so it is replicated across different
machines I use. Each machine has the PasswordSafe program (binary) installed
on it.

------
danbmil99
Problem is, Google will not remain non-evil forever. The public market has a
way of corrupting the soul of a company.

~~~
jrockway
What are they going to do after they turn evil? Play CoD4 on the lobby TV?
(Yup, I read _all the way_ to the end.)