A paper from Microsoft Research and Carleton University, Ottawa, Canada has come to a surprising conclusion about passwords that completely contradicts conventional information security advice, including our own.
Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts says that Internet users, rather than using unique passwords for each online account they hold, are actually better off re-using weaker but more memorable passwords for unimportant accounts.
Acknowledging that users ‘find managing a large password portfolio burdensome’, the study concludes that users will more likely be able to remember unique passwords if they limit their use to their high-value accounts.
At first glance this seems sensible enough. If you’ve got different passwords for all of your online accounts it can be a pain to have to remember them all and to remember which passwords match which accounts. Surely it would indeed be easier just to use strong passwords for the important accounts.
But how do you decide which accounts are unimportant?
Email accounts, e-commerce accounts, online banking, Cloud storage accounts, social media accounts, file sharing sites, blog sites, job sites, news sites and forums… they’re all important. They all contain your personal data. You wouldn’t want to risk their being compromised. Would you?
So what does that leave? Well, there’s… uh… wait a minute… there’s… No. No, there’s nothing that I can think of. If you’ve created an account with any website it’ll hold some of your personal data – and any account that stores or processes any personal information is worth securing properly. Why risk it? Remember that it’s not just the account itself that’s at risk of compromise; it’s all the other accounts that could be linked to it that you’re protecting too.
At IT Governance we always recommend that you use a strong password to secure your data. A strong password is one that is made up of at least six alphanumeric characters, and contains a mix of uppercase and lowercase letters and at least one symbol.