You'd be giving the attacker the keys to the kingdom.
No, the people who use a common password gave out the keys.
There is simply no excusing it. The apologism for it has to stop. NEVER use the same password across multiple services. If one service gets compromised, the extent of their culpability is their own service. Anyone whose password exposes other things was the cause of their own demise.
EDIT: I will not back down from this (and you shouldn't feel too ashamed for reusing passwords and falling in the above buckets, desperately hitting down arrow. Just correct your mistakes). It is utter idiocy to constantly defend the habit of shared passwords, when people give it to services of zero trust, and with unknown habits and practices. When some service of no consequence stores your password in plaintext, that is them being dumb. If you then complain because it's the same password used elsewhere, that is you being dumb.
I'm not going to presume to know anything about you, but as soon as your system interfaces with human beings, your system needs to adapt to human nature. You can't say "there's no excusing it" and "cause of their own demise". Humans act as humans tend to do - why should the security of your system rely on humans changing their natural behavior?
You can't say "there's no excusing it" and "cause of their own demise".
Yes, you absolutely can and should say that. This isn't human nature, but is simply accepted and defended behavior that gets caught out again, and again, and again. I have absolutely no doubt that many visitors to HN are guilty of this, and instead of confronting the reality of their insecurity, pretend it's someone else's fault.
Each time some random, irrelevant message board has a password exploit, everyone who should know better rushes forth to pillory the operator because of the greater danger, yet the operator may have been sharing those passwords on the black market for time eternal. The operator may have been putting their plaintext backups on a compromised FTP site for years. They may have engaged endless contractors who made their own backups and are busy buying stuff on Amazon with it.
But instead we argue pretend security measures, when the horses have not only bolted, they're several states away.
It is complete idiocy to use passwords across services. Utter insanity. It is the worst possible practice imaginable, and is never, ever excusable.
If you used the same password across sites, you simply must assume that since day one it has been compromised, and it is your own doing.
But here we excuse it. And then, in excusing it and defending it and supporting it, claim that it's "human nature". It isn't human nature at all.
How To Hack 60% of Hacker News: Create a service requiring users to create logins, submitting it as a Show HN. Harvest emails/passwords from very foolish people and enjoy their access everywhere else.
I agree with you - using the same password in multiple places is a dumb thing to do. However, you seem to be totally missing the point made in the previous post, namely that people are, on the whole, pretty dumb. The vast majority do not share your understanding of computers and security and hence see no real issue, although this is very very slowly changing.
I disagree entirely with your statement that:
"This isn't human nature, but is simply accepted and defended behavior that gets caught out again, and again, and again."
This is patently false - remembering a different password for every single system, device and site you interact with is not a feasible proposition for the vast majority, especially if you require these passwords to be in any way meaningfully secure.
There are ways of sidestepping this problem, such as 1Password and the like, but the ones that are most seamless are paid-for services and hence the adoption rate among technically illiterate people is pretty small (I'd imagine, no stats here).
The real issue is that passwords are a broken way of authenticating. End of. Passwords that are easy to remember are trivial to crack, and passwords that are difficult to crack are hard to remember. This is the issue here.
People may do dumb things, but it is far easier to change your system than it is them.
However, you seem to be totally missing the point made in the previous post, namely that people are, on the whole, pretty dumb.
The whole discussion revolves around a fundamental principle that is simply broken to begin with, akin to "How to try not to die when you eat rotting meat".
Don't eat rotting meat. Use a fridge. Etc.
In the case of passwords:
- Use a shared authentication platform
- or on sign-up implore that your users do not use a shared password (education)
- or offer, or force, a generated password
But instead we'll discuss the risk that shared passwords get lost, when they were in the wild the moment you used them on a second site.
This is a disingenuous analogy - the reason people keep eating rotting meat is because there isn't a usable alternative for the vast majority. Fridges are unknown, to hopelessly overload the metaphor, to the masses and those that are aware of them are reluctant to shell out for the cost.
The problem needs to be solved at a more fundamental level - people should not have to be forced to perform a function that they are demonstrably bad at. Mitigation strategies like having randomised passwords and storing them in a shared authentication platform are only masking the reality that passwords are a bad way of performing authentication.
Not that I'm clever enough to come up with an alternative mind you, and not to suggest that I don't agree with your premise that using a password in multiple places is a bad idea.
I love this analogy. But, to continue it a little further, the article and discussion are about "preventing meat from rotting during transportation," and you seem to be saying, "screw it, the customer should know not to buy the meat if it's gone bad." Going even further: most countries have consumer protection laws that prevent things like selling rotting meat.
If you have given an untrusted third-party site the credentials that you use on other sites, that meat is completely fetid. It is now deadly.
This whole discussion is arguing about what to do once the meat is rotten, rather than daring to maybe discuss not selling rotten meat in the first place.
When a site gets compromised and the passwords may get stolen (because of weak or no cryptography), the site should send out password reset emails en masse, and that should be the end of the whole issue. Instead it's moralizing about how they put everyone at risk because of other sites where the same credentials work. No, the user put themselves 100% at risk. But it is never discussed that way, and instead we continue this ignorance train.
As an aside, I marvel that some defensive imbecile keeps coming deep into this thread to downvote me.
It is complete idiocy to use passwords across services. Utter insanity. It is the worst possible practice imaginable, and is never, ever excusable.
It's one thing to argue for improving people's password practices, but please don't pretend that there's no reason for their behavior. The vast majority of people who share passwords between sites experience no repercussions from their choice. And choosing not to create a new password for every site saves them time and potential frustration.
That's the human nature part, to assess the risk of behavior and change it only if future experiences show that the costs associated with that behavior are too high. Since most people don't experience the disadvantages and do experience the benefits this behavior continues.
We can encourage more people to avoid this behavior by explaining the potential impacts and providing accurate estimates of the risk they're taking. We can offer alternatives to password reuse, like using a password manager. But ultimately they are still going to weigh their perception of the risk and benefits to make their own decision.
I'm a software developer, but I'm done trying to remember passwords for every single site.
What do I do?
I just don't use the sites.
I've restricted, and continue to pare down, the sites that I use on the internet.
It's the truth.
I do keep my amazon.com account, so I can order paper and cardboard books the local bookstores don't carry, and read them on the sofa at my house, next to my floor lamp.
There are a few solutions. Use a password manager like LastPass or KeePass or something like that. It generates passwords for you and you don't have to remember them. (Bonus: it logs you in automatically if you go to the vault and click login.)
Use throwaway passwords for one-off services and just use the password reset feature when you want to use it.
The vast majority of people who share passwords between sites experience no repercussions from their choice.
More accurately, they have no awareness of the repercussions of their choice. Yet endlessly on HN we hear stories of mysterious iTunes access, Steam takeovers, even Amazon AWS account compromises. It is no big mystery when this happens given this common, grossly insecure behavior.
But ultimately they are still going to weigh their perception of the risk and benefits to make their own decision.
I absolutely agree, absolutely and completely, but think that the risk portion is hugely underestimated. Among people who should know better there is a tendency to underestimate what is an enormous, worst-possible-exploit problem. No one ever talks about education. No one wastes time trying to help users enjoy better behavior.
Instead we argue about whether some site operated by an unknown number of people of unknown trustworthiness, on a platform that might have been exploited and owned by hacker groups for years, properly hashed our password after we passed the keys to all services through plaintext. It is insanity.