Quipping aside, the routine works like this: you sign up with your username and password that only you know, and you\u2019re golden. To log in again, you just need to recall and input your login credentials. Of course you knew this would happen, so you took some \u201cprecautions\u201d: you set up the account with an easy-to-remember password.<\/p>\n
And therein lies the problem. \u201cEasy-to-remember\u201d most often equates to short and simple, as well as easy to guess. That\u2019s especially true for password-cracking software doing the bidding of an operator intent on brute-forcing his way into your account. Such software can open the trove of treasures just as magically as the phrase \u201cOpen Sesame!<\/a>\u201d does with the mouth of a cave in a well-known folk story.<\/p>\n On the flip side, a password that is long, complex and random is harder to crack, but also harder to remember. And therein lies the problem (yes, again!). Recalling many impossible-to-guess passwords and being able to remember to which particular online service each belongs is just too much of a tall order, unless you have the memory of an elephant.<\/p>\n Indeed, passphrases \u2013 say it with me, \u201cI LOVE to Read WeLiveSecurity!<\/a>\u201d \u2013 may help both in terms of security and convenience (the latter being simply a proxy for memorability). However, is it reasonable to expect every user to remember a distinct passphrase or password for each and every online account?<\/p>\n What many people do \u2013 at least those who are not elephants \u2013 is skimp on their security, use an atrocious password<\/a> (\u201c123456\u201d, anyone?) and go on their merry way. Until their accounts are hacked and their online personas are compromised or, worse, their identities and money are stolen. After all, it is human nature to disregard risk until disaster strikes.<\/p>\n Indeed, it feels like you can\u2019t have it all; that is, many online accounts, each of which has a supremely strong<\/a>, unique and memorable password or passphrase. It is little wonder that our patience wears thin and we take mental shortcuts. Enter another coping strategy that greases the wheels of hacking \u2013 password reuse.<\/p>\n While being antithetical to userland security, you can bet your last dollar that password recycling is invariably right up there with all the other most frequent and ill-advised offenses<\/a> committed by users in the realm of authentication<\/a>. Passwords created with another oft-used strategy, which involves slightly modifying the password for each account (\u201cpartial reuse\u201d), tend to be predictable and, thus, just as easy to crack.<\/p>\n The neighborhood that is the internet can be rather less than neighborly in many ways, doubly so when data breaches are a reality of our age. The breaches often expose login details that \u2013 if you use them to access multiple accounts \u2013 can be successfully exploited for attacks known as credential stuffing<\/a>. This becomes particularly troubling when an attacker uses stolen or leaked access credentials<\/a> that belong to one account in order to break into another \u2013 often higher-value \u2013 account. Thanks to frequent password dumps, user\/password combinations are easy to come by, and often at little-to-no cost at that.<\/p>\n If a breach hits and the credentials aren\u2019t stored<\/a> with advanced salted-hash<\/a> functions (think, for example, a hack against Adobe in 2013<\/a>), a strong password, or even a passphrase, may not be enough to thwart an account-takeover attack if you use that password to access multiple online services.<\/p>\n Many account-takeover attempts can be foiled with two-factor authentication<\/a> (2FA). An added authentication factor provides an extra layer of defense beyond the simple passcode\/password\/passphrase and, in a way, fixes some of the inherent human foibles that are routinely exposed by our poor password choices.<\/p>\n So far so good. However, many online service providers have yet to implement 2FA into their authentication schemes. (You can check the status of various websites vis-\u00e0-vis 2FA here: https:\/\/twofactorauth.org\/<\/a>.) Additionally, as shown by a recent report about the adoption rate of 2FA among active Google accounts (lower than 10 percent<\/a>), even if such an option has been available for years, most users simply don\u2019t take advantage of it, be it that they\u2019re unaware of it or apparently have bigger fish to fry.<\/p>\n There are other forms of authentication<\/a>, of course, that may take some of the weight off our shoulders (and brains), be it biometrics (e.g. fingerprint or iris recognition) or algorithms to measure behavioral characteristics (e.g. typing rhythm) or others. Their availability and, by extension, adoption are nowhere near widespread, however.<\/p>\n Well, yes, although it actually flies in the face of much advice dispensed by security folks. In 2014, Microsoft Research released a paper<\/a> that suggested a different tack. In thinking of various online accounts as somewhat of a continuum, the paper averred that some degree of password reuse is inevitable, but that it should be reserved for low-risk, low-value services. Put differently, the reasoning went that all accounts are not born equal and should, therefore, be divided into groups according to value. ESET Senior Research Fellow David Harley weighed in on this approach, while hinting at its potential pitfalls, in this insightful piece<\/a>.<\/p>\n On a different note, chances are that you won\u2019t cull your online accounts all the way down to whatever number you can manage easily with unique and strong passwords or passphrases. Nor will you probably be willing to engage in some serious mnemonics or aspire to eligibility for a memory competition.<\/p>\n With that in mind, the easiest thing to do is, arguably, to put all of your passwords (strong and unique, of course) into a kind of digital safe. That vault is dedicated password management software that, ideally, encrypts and stores all of your passwords locally and offline.<\/p>\n Indeed, password managers are all the rage in password security and, intuitively, it is hard to deny their merits. In addition, recent research<\/a> found that password managers benefit both password strength and uniqueness, although apparently this strategy works only if the passwords are generated by the software.<\/p>\n Either way, assuming that you trust the implementation of your password manager \u2013 and you wouldn\u2019t use it if you did not, right? \u2013 then its security is largely determined by the robustness of your master password. That\u2019s doubly relevant if you consider that you\u2019re effectively putting all your eggs, including some made of gold, into a single basket. That basket could, in fact, become a single point of failure.<\/p>\n To be sure, passwords are flawed. Except that, in our internet era, there\u2019s no other ubiquitous method of user authentication. Having their impending demise<\/a> predicted back in 2004, passwords may well have outstayed their welcome. However, it appears that it will still be some time before they go the way of the dinosaurs.<\/p>\nSomething\u2019s got to give<\/strong><\/h2>\n
Why is password reuse so risky?<\/strong><\/h2>\n
Factoring in another factor<\/strong><\/h2>\n
![\"\"](\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2018\/03\/PasswordDay_2FA-1024x762.jpg\")
<\/p>\nIs there another way, then?<\/strong><\/h2>\n
They shall not pass<\/strong><\/h2>\n