Some sites need strong PWs; others do not... ?

Please refer me to an existing thread on this topic as it surely exists :-)

I probably have 100 PWs and the vast majority are for sites that I could care less if they are compromised. For example, the Samsung site that sends me product information on a TV.

For these sites, I just use a very simple (e.g. 1234...) PW. Only for my important sites such as banks, brokerage houses, credit cards, etc, do I take the time to work with more complex PWs.

Is this a reasonable approach?

Thanks

Comments

  • danco
    danco
    Volunteer Moderator

    I took that approach, but recently changed.

    If you are using 1PW, there's no advantage in simple passwords. Once you have let 1PW create a password and save it (a very small effort), it will entr your password just as easily for a complex one as for a simple one. The only gain is if you are not using 1PW for some reason (prhaps on a mobile device).

    I decided to make the change mostly to deal with the highly unlikely risk that someone could coordinate info obtained from the various sites.

  • PWChinook
    PWChinook
    Community Member

    At least once a day, I get an email for someone who's computer has been "hacked" by a virus; almost always by someone using a PC. I understand having more secure PWs will not prevent this, i.e., it's a totally different problem. Am I correct in this?

  • khad
    khad
    1Password Alumni

    That's correct. Using strong, unique passwords for all your sites is the secure way to go, and 1Password makes it easy — as danco described. But it does nothing to prevent spam sent from others' compromised machines.

    When you have time, I'd encourage you to read Troy Hunt's excellent post which explains password reuse as well as how and why 1Password protects against it:

    The only secure password is the one you can’t remember

    I hope that helps. Please let us know if you have any other questions or concerns. :)

  • danco
    danco
    Volunteer Moderator

    Troy's article suggests that if one used a simple password it may be guessable based on known information about you (such as partner's or child's name).

    I've often wondered about this. Obviously that would be a serious risk if someone actually targets you specifically. But suppose a bad guy steals a password file. How likely is it that they (or their computers) would then trawl the internet for all those details? Ive never seen this aspect discussed.

  • khad
    khad
    1Password Alumni
    edited March 2013

    You are correct. A targeted personal attack could use much more information in a cracking attempt. However, the real issue is that password crackers already know about pretty much all the systems that people use to come up with passwords. Humans are notoriously bad at coming up with anything truly random, and anything short of random makes it that much easier for a computer to crack.

    Dan Goodin wrote a great article explaining what Steve Gibson ended up calling "the death of clever" because it helps us see that no matter how clever we think our password creation scheme is, chances are good that the crackers are at least as clever:

    The RockYou list, and the hundred-millions-plus passwords that have collectively been exposed in its aftermath, brought to light a plethora of other techniques people employ to protect simple passcodes from traditional dictionary attacks. One is adding numbers or non-alphanumeric characters such as "!!!" to them, usually at the end, but sometimes at the beginning. Another, known as "mangling," transforms words such as "super" or "princess" into "sup34" and "prince$$." Still others append a mirror image of the chosen word, so "book" becomes "bookkoob" and "password" becomes "passworddrowssap."

    Passwords such as "mustacheehcatsum" (that's "mustache" spelled forward and then backward) may give the appearance of strong security, but they're easily cracked by isolating their patterns, then writing rules that augment the words contained in the RockYou dump and similar lists. For Redman to crack "Sup3rThinkers", he employed rules that directed his software to try not just "super" but also "Super", "sup3r", "Sup3r", "super!!!" and similar modifications. It then tried each of those words in combination with "thinkers", "Thinkers", "think3rs", and "Think3rs".

    Such cracking techniques have existed for a decade, but they work far better now that the crackers possess a more intimate understanding of the ways people choose passwords.

    In short, computers are getting better at cracking passwords much faster than we humans are getting better at creating them. The solution is to use randomly generated passwords for all your online services. As we've said elsewhere, the strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system. And there really isn't a better system at this time than a randomly generated password of the sort that 1Password's generator creates. That way there is no "shortcut" an attacker can employ when trying to crack it.

    For something like your 1Password Master Password (which is key strengthened with PBKDF2 to protect against sophisticated, targeted attacks), we recommend Diceware. It's a great option for creating strong passwords that are still memorable. But for everything else that 1Password can remember on your behalf, you were correct when you stated above that 1Password "will enter your password just as easily for a complex one as for a simple one". So why not use the longest password each site will allow? :)

    It is great that you are thinking about these things. Keep the questions coming.

This discussion has been closed.