• The thousand-dollar penalty for reusing passwords



    TOP STORY

    The thousand-dollar penalty for reusing passwords

    By Woody Leonhard

    You can find no end of advice on creating strong passwords, using clever tricks, stats, mnemonics, and such.

    But all too frequently we (and I include myself in this rebuke) tend to reuse little passwords at what we think are inconsequential sites. It’s a big mistake — here’s why.


    The full text of this column is posted at WindowsSecrets.com/top-story/the-thousand-dollar-penalty-for-reusing-passwords/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1305089

      Surely his mistake here was to use his “low-risk” password for his email account. If he had a decent password for his email account he could use 12345678 for as many low-risk web sites as he wanted without getting his bank account hacked.

      • #1305100

        Surely his mistake here was to use his “low-risk” password for his email account. If he had a decent password for his email account he could use 12345678 for as many low-risk web sites as he wanted without getting his bank account hacked.

        In this specific case, that’s true. But the same principle applies to other kinds of sites – even ones that don’t appear, at first glance, to be terribly important. Case in point: Twitter or Facebook accounts.

        It’s tough to tell, in advance, when a site is completely innocuous…

        • #1305169

          Surely his mistake here was to use his “low-risk” password for his email account. If he had a decent password for his email account he could use 12345678 for as many low-risk web sites as he wanted without getting his bank account hacked.

          I agree 100%. Joe’s mistake was using the lame password for email, or any other site he cares about. Certainly using 12345678 for a newspaper site would never be a problem.

          It’s tough to tell, in advance, when a site is completely innocuous…

          Why? Anyone with any common sense should be able to determine which sites need a real password and which sites do not. (sorry Joe)

    • #1305091

      Yeah, the thing to stress here is not the password for the other, throwaway account. It’s the email account problem. People treat email accounts way too casually, when these days they are the keys to your identity. This is even more so when web based email accounts these days encourage you to keep all your mail forever – just searching through them looking for join up messages, newsletters etc gives you a list of places to go to for password resets.

      It’s going to be much easier to convince people they should use a special, never repeated password on their email than to convince them to create different passwords for all the other places they go to, no matter how many tools there are to make it easy.

    • #1305101

      I, for one, do use AI Roboform. However, there are some sites for which you want to actually know the password, and not have to rely on Roboform, which is not installed on your relative’s PC when you’re visiting them from out of town. I do trust some people not to have keystroke loggers on their machines. But Roboform’s randomly generated passwords are not easily remembered. So you need something that’s apparently random, but also actually able to be recalled. Those may be thin on the ground. Yes, I know. Initial letters (or something else, like 1st letter, 2nd letter, 3rd letter) of successive words in a sentence. The fun part is connecting the sentence with the site. Maybe a formulaic way of doing that, too….?

      • #1305110

        Please, do I get it right – the password “Joe” used for the mail was the same as the password for the news site?
        If so, the problem is not media sites, but that one must keep the e-mail account password at the top level, for these reasons:
        1. The described recovery of a forgotten password on bank sites.
        2. Also that among your mail there are many messages about health and other private matters for friends, family and yourself. Pictures that are very private from parties etc.
        3. Mail also has things that you do not want to share, like if you applied for other work etc.
        4. Your address book may come into the hands of spam or fraud persons.
        5. They can mail with your account – and people may hold you responsible.
        6. There is more, but think if they use that mail to open Facebook or other social network profiles in your name, and publish some of your mail, even photos.

        • #1305116

          Please, do I get it right – the password “Joe” used for the mail was the same as the password for the news site?

          Yes, he used 12345678 as his email password as well. Which is why I disguised his name. :rolleyes: And you’re correct – email passwords need to be kept safe; they aren’t throw-away passwords.

      • #1305115

        I, for one, do use AI Roboform.

        Have you tried AI Roboform2Go? You can take your Roboform database with you on a USB drive. Very slick. http://www.roboform.com/platforms/usb

    • #1305119

      Thanks for the article. I too was guilty of doing just as you said, using common passwords for “light” accounts and using my PassPack program account (http://www.passpack.com) for “heavy” accounts such as banking. Thanks for the “kick in the a_s”!

      • #1305136

        I use LastPass as my password manager, but I don’t let it provide me with random passwords, and I do use the same password at a number of low-security sites (not so much my email account). Here’s why. Every once in a while, quite rarely, I find myself having to type in a password by hand. I’m not sure what the circumstances are, they’re odd and unusual, but it does happen (sometimes, I think, it may happen after a re-design of a site). What would I do then with an unrememberable password? I suppose I could first go to my LastPass “vault” and search for the password, but that vault is really not an easy thing to navigate. So I re-use passwords. Also, I’m not sure I can use LastPass on my mobile device; in fact, I don’t think I want to, because it’s so much more likely to be lost. Finally, what happens if LastPass goes out of business?

        • #1305153

          An Amazing Thing Happened While Reading the Article on the thousand-dollar password.
          I was reading the article about how Joe lost his shirt because he had a “poor” password process when I got an email from Identity Guard, an internet security firm, offering to protect my children from ????? whatever evil lurks on the web. I am not sure how they got my email, but it was very strange that I opened WS, and a few moments later got an email from a firm I had never heard of, nor have I knowingly ever opened their website. VERY STRANGE. Did they just happen to find my email address at that moment, or did my address leak into their server from some “cloud”, or did you sell my address?

          Ok, I may have made a wrong assumption. I use GMAIL, and since I got the email about the password security, I have noticed a marked increase in sidebar ads concerning internet security. And I know that GMAIL sells email addresses.
          My apologies for jumping the gun, and making unfounded accusations.
          I have been a WS for many years and value the articles. Keep up the good work.

          • #1305899

            Heh heh heh. Nope, we don’t sell any email addresses.

            One thing’s highly likely though: your name’s on somebody’s list…

        • #1305155

          KeePass on a USB flash drive works for me. I dropped a copy of the database onto my computers so that I can invoke it with comparative ease on machines I control, and for other machines the portable form is always on me.

          Everything gets its own password (which is always 128+ bits of randomized printable characters), including sites I access on a daily basis, and I deliberately avoid trying to memorize anything but the primary access password to get into KeePass. This does pose an increased risk of getting locked out of places should the USB drive die, etc. but I have enough redundancy and multi-site backups of the password database (and backup copies of KeePass) that the risk is as negligible as the laws of probability and unintended consequences permit.

          Short of using an individual’s DNA, this is about as strong as password-based security is likely to get, IMO.
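The “128+ bits of randomized printable characters” figure above is a property of how a password is generated, not of how it looks. The Python below is an added example, not code from the post or from KeePass: it computes the entropy of a password drawn uniformly at random from a character set, the length needed to reach a target such as 128 bits, and generates such a password from the OS CSPRNG via the standard `secrets` module. The function names and the 94-character printable alphabet are this example’s own choices.

```python
import math
import secrets
import string

# Printable, non-whitespace ASCII: 26 + 26 + 10 + 32 = 94 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(PRINTABLE)) -> float:
    """Entropy in bits of `length` symbols chosen uniformly at random from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int = len(PRINTABLE)) -> int:
    """Smallest length at which a uniformly random password reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(target_bits: float = 128, alphabet: str = PRINTABLE) -> str:
    """Generate a password with at least `target_bits` of entropy using the OS CSPRNG.

    secrets.choice is the right primitive here; random.choice is seeded from a
    predictable source and must not be used for credentials.
    """
    n = length_for_bits(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    # 20 printable characters already clear 128 bits; digits alone need 39.
    print("length for 128 bits, printable:", length_for_bits(128))
    print("length for 128 bits, digits only:", length_for_bits(128, 10))
    # Even if 12345678 had been chosen at random it would carry only ~26.6 bits;
    # as a fixed, well-known value it is effectively zero.
    print("entropy of 8 random digits:", round(entropy_bits(8, 10), 2))
    print("example:", generate_password())
```

The entropy bound only holds for the uniform draw; a password a human “systematically” derives per site carries the entropy of the rule, not of its character count.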

          • #1305159

            I recently downloaded and installed LastPass (because free beats paying for Roboform, which I can no longer pay for). The first gotcha was on setting a master password. When I put one in (generated off their website), the program immediately closed every browser window and cleared the Windows clipboard, preventing me from copying it to save on my system.

            The 2nd gotcha was when I tried to reset the master password from the website. This action FAILED because some plugin was not installed. Wait a minute… Did not the installation of the software run properly? (There were ZERO errors on completion of the installation.)

            The 3rd gotcha was when I tried an alternate method to change the password – again failure. As per the support instructions, I cleared the browser cache and restarted my computer. Again, the password reset failed and again, it said “plugin not installed”. I could not find this special plugin anywhere on the LastPass website. I tried reinstalling the software and still the process failed for the same reason. I sent an email to their support. A couple of minutes later I got a Delivery Status Notification – Failure. I had clicked on the email address provided by the website, but for some reason I could not contact their support. So I was alone with my issue. Out of frustration I went back to Firefox and did something that you should NOT have to do – I searched Mozilla for add-ons and specified LastPass. It found that plugin and installed it.

            The 4th gotcha is when I tried this process again – this time, although I had the plugin installed, I was informed that “this process will fail if you proceed”. And indeed, it failed again. I again reinstalled the software and created a new account. This time I manually typed a password in for the master password. A word of warning here – you MUST use 32 characters. Not more, not less (or THIS process will fail until you get the number of characters correct). I made VERY certain this time to copy the password BEFORE clicking anything.

            As per the instructions about Roboform, I downgraded from 7 to 6 and ran the export process they instructed. This saved an HTML file which I imported into LastPass. This worked fine. I then began to test various logons at random. At this point, the only issue I had was one time where it refused to autofill my entire Google account name – it only filled in half even though the edit box showed the correct and complete logon name.

            Summary – even though this software (at the moment) seems to be functioning, I cannot suggest it to other people. The process is NOT user friendly and you get ZERO support.

          • #1305186

            KeePass on a USB flash drive works for me. I dropped a copy of the database onto my computers so that I can invoke it with comparative ease on machines I control, and for other machines the portable form is always on me.

            I use KeePass also and have for 5+ years. It works great on desktop, laptop, phone and is very secure. When I update the password database I pop it in dropbox and distribute it between all my devices so they are all up-to-date. Easy breezy.

        • #1305166

          Hey David, I use LastPass also and share your concerns. I do let LastPass generate unique long complex passwords for most web sites. What I do is copy those passwords into a password protected document on my local hard drive. I also use a long complex password for LastPass itself. That takes care of the worry about LastPass going out of business. On those rare occasions where LastPass does not autofill the password for me I still have to get the password from the LastPass vault or from my password protected document.

          • #1305401

            Good article on passwords.

            I also use LastPass and find it pretty indispensable. Another tip is to not save your critical online banking and online trading passwords with password wallet software. These login credentials are just too important to have saved on my computer or out in the cloud.

            I found a site that has some useful security tips including one article on passwords.
            http://www.safegadget.com/

            • #1305569

              About throw-away email addresses:

              If you want updates on your comments, or if you subscribe to a site’s newsletter (as here at Windows Secrets), this strategy is not available. You will want to receive these updates and subscriptions.

              About Pay-Pal and other sites like it:

              Amazon.com and the iTunes Store hold your credit card information permanently by default. This makes password security all the more important at these sites. Pay-Pal is not quite so risky, but users should be extra-careful about their passwords there as well.

              -- rc primak

            • #1305575

              The alternative to having hard security for every website you log into, is having email addresses with various levels of security. I suggest using several different e-mail addresses.

                1. An address for low-level / no-level security is for websites (such as Windows Secrets) where you don’t really care if somebody hacked in as “you”. Worst case, they sign in and make idiotic comments using your user name.
                2. An address where, yes, you might be embarrassed if a troll got in and used it, but beyond that you have no assets at risk. Think Facebook & other social sites. This would be the one for personal correspondence. Worst case, somebody poses as you and your friends get hacked. Not really your problem? Again a weak password should be plenty. I wouldn’t combine categories 1 & 2 just because #2 is so much smaller than number 1.
                3. An address for one-off financial transactions, i.e., occasional credit card charges. Each merchant that you sign up with to buy something with a credit card would send to this e-mail. Each merchant should be securing your credit card information on their end. It depends on how paranoid you are / how stupid you think your vendors are, how secure you think the password(s) need to be regarding transactions with this e-mail address.
                4. Finally, have an address that you use only for financial transactions. Only financial institutions with whom you have accounts would have this e-mail address – and each financial institution would have a unique account name and unique password.

              The password discussion reminds me of the TSA approach to airline security. The ironclad random, impossible to remember passwords for every internet account that you have is akin to TSA x-raying every last passenger. Sure it works, but it is a lot harder than it needs to be. We could have pilots lock themselves into the cockpit (and arm them) and skip everything but superficial security checks on the passengers … but that would be too easy. Different email accounts based upon security level is easier than using one wide open email account for everything.

            • #1305618

              About throw-away email addresses:

              If you want updates on your comments, or if you subscribe to a site’s newsletter (as here at Windows Secrets), this strategy is not available. You will want to receive these updates and subscriptions.

              There are different types of disposable email addresses. For instance, I have used a service at http://www.spamex.com for years ($10/year), that gives me the ability to allocate up to 500 email addresses that can exist until I delete them. So they could last for minutes or for years. I’m registered here and on many other forums and email lists with a spamex email addr. Works great.

          • #1306483

            First of all an excellent analysis of what happens and what you can do!

            Second of all, the bit bucket on this subject is enormous. I see three pages of messages. This is about the 500 e+06 article on the subject of passwords, each with its 3 pages of discussion. Yet it never changes. Why? That is the question someone needs to address before even another single 1 or 0 is heaped on this subject clamoring for our attention. Ooops, I take that back — somebody already tried to address that too! :o:

            Oh well never mind!

    • #1305165

      Great column Woody. Makes one think a little. I too am guilty of using the same password on several non-essential sites. However I do not use that same password for my e-mail account. That is just plain dumb. I also use a password generator, Steganos Password Manager, for ALL essential sites such as banking etc. I also don’t use my primary e-mail address for those non-essential sites. Works wonders too. I know that if I get an e-mail that came from someone promoting something that is addressed to me from one of the essential sites on my “throw away” account, it is spam. No muss, no fuss….

    • #1305167

      The take-home lesson is that an all-purpose password is only as secure as the least secure site you’ve ever used it at.

      Email and social media accounts are not “throwaway” accounts by any means, and should be taken as seriously as financial accounts. I use strong passwords (actually an easy-to-remember multi-word phrase) that I don’t use elsewhere. Passphrases like Im@igersfan and mysonsnameis$am, for example, are secure yet easily memorized. For each site, I systematically add a digit and a few extra symbols, in a manner that’s easy to recall (but impossible to deduce, even if one password does get compromised.)

      • #1305214

        The take-home lesson is that an all-purpose password is only as secure as the least secure site you’ve ever used it at.

        Email and social media accounts are not “throwaway” accounts by any means, and should be taken as seriously as financial accounts. I use strong passwords (actually an easy-to-remember multi-word phrase) that I don’t use elsewhere. Passphrases like Im@igersfan and mysonsnameis$am, for example, are secure yet easily memorized. For each site, I systematically add a digit and a few extra symbols, in a manner that’s easy to recall (but impossible to deduce, even if one password does get compromised.)

        Agree completely. The example was one of a not so deep thinker! 🙂 Firefox does the job for me without giving Roboform my money, and yes you can argue it’s not as convenient or does not have all the features. It works for me.
        Also agree with the previous post. Weak or strong had nothing to do with it. The story and examples are not logical. Conclusion is lacking in logic but could sell some software.

    • #1305168

      You mentioned some password storage/retrieval tools for Windows. We Mac users have a few decent options as well. I personally use 1Password and couldn’t work without it. They offer a Windows version as well.

      https://agilebits.com

    • #1305184

      Woody mentions throw-away passwords, but how about a throw-away email address? I use mailinator.com; as you register for a forum or online news account, you dream up a bogus username on the spot, like joeblow@mailinator.com. No need to create it first at mailinator.com.

      • #1305189

        Was that slowdown in internet response time the result of numerous WS subscribers logging on to change their passwords?

        At some point, Joe’s Daily Planet account fell into disuse; he rarely thought about it.

        So, how do we find and delete/fix all those forgotten login IDs? Is there a best practice for dealing with online sites that require an account to do anything on them?

        THAT would be a 5-star article.

        • #1305191

          Was that slowdown in internet response time the result of numerous WS subscribers logging on to change their passwords?

          So, how do we find and delete/fix all those forgotten login IDs? Is there a best practice for dealing with online sites that require an account to do anything on them?

          THAT would be a 5-star article.

          I guess that has been said already, by suggesting the use of a password manager.

          • #1305198

            Great Article, What do you think about the built in password manager in the new Firefox?

            That saves passwords and synchs them between my work and home computers. Seems much easier than some add on.

            Do you think that is riskier than RoboForm?

        • #1305237

          how do we find and delete/fix all those forgotten login IDs?

          No need. Just make sure the important sites you use [email, finance, social media etc] have recently generated strong logins.

          IOW, if your old forgotten logins are hacked, they’re of no use to the hackers.

          Lugh.
          ~
          Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
          i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD

    • #1305187

      I use PassPack.com for passwords…every one. I have over 300 passwords, all randomly generated. PassPack is web-based, which means you can use it everywhere, even on mobile devices. Lose your device? You do use a PIN or password to unlock the screen right? Anyway read up on PassPack’s security measures at http://www.passpack.com/en/best-password-manager/. Yes, it’s more trouble to use a password manager than just remembering 2 or 3 passwords, but losing one’s bank account is even worse.

    • #1305201

      It’s taken me 4 goes to understand this rather convoluted story! :blink:

      I think this is what happened. The guy:

      1. Used an email with a particular password at a news site.
      2. Used the same password as his login password for that news site.
      3. Used the same email on a financial site.

      The news site got hacked so his email address and login password became known.

      The login password was also his email account password.

      So when the hacker went to the financial site, entered the email address and clicked the “lost password” button, the hacker could log in to the email account, read the new password and get access to the money (baht – probably :rolleyes:).

      The lesson to learn, then, is never use the password for your email address as the site’s login password.

      In this particular case, it was irrelevant how strong or weak the password was.

      PS. I use “Password Safe” from SourceForge: http://passwordsafe.sourceforge.net/ with a 26 character p/w to unlock the database. It currently holds 447 entries in 23 folders.

      There is also a USB stick variant, but I haven’t used it.

      Nil illegitimi carborundum
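The chain in steps 1–3 works because the password at a breached low-value site doubled as the password of the mailbox that receives reset links, so a vault audit that flags exactly that condition catches the problem before a breach does. The Python below is an added example, not code from the post or from Password Safe: the `Entry` record, the `is_email` flag marking a mailbox account, and the sample vault (mirroring the story with constructed domains) are this example’s own; passwords are compared by SHA-256 digest so the reuse map is never keyed on plaintext.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One vault record. is_email marks a mailbox that receives password-reset links."""
    site: str
    username: str
    password: str
    is_email: bool = False


def _digest(password: str) -> str:
    # Group by digest so the reuse map never holds plaintext as a key.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_reuse(entries):
    """Map digest -> sorted list of sites, for every password used at more than one site."""
    groups = defaultdict(list)
    for e in entries:
        groups[_digest(e.password)].append(e.site)
    return {d: sorted(sites) for d, sites in groups.items() if len(sites) > 1}


def audit(entries):
    """Return (severity, message) findings.

    Reuse of a mailbox password anywhere is CRITICAL: a breach of the other site
    hands over the reset channel for every account tied to that mailbox, however
    strong those accounts' own passwords are. Reuse confined to non-mailbox
    sites is reported as WARN.
    """
    email_digests = {_digest(e.password) for e in entries if e.is_email}
    findings = []
    for d, sites in find_reuse(entries).items():
        joined = ", ".join(sites)
        if d in email_digests:
            findings.append(("CRITICAL", f"mailbox password reused at: {joined}"))
        else:
            findings.append(("WARN", f"password shared across: {joined}"))
    return findings


# Constructed sample vault: the news-site password is also the mailbox password
# (the story's failure), the bank password is unique, and two forums share a
# throwaway password (tolerable by the thread's own reasoning, but worth a warning).
SAMPLE_VAULT = [
    Entry("dailyplanet.example", "JoeKewl", "12345678"),
    Entry("mail.example", "JoeSumthinErAnother", "12345678", is_email=True),
    Entry("bank.example", "joe", "qK7#vL2m!pX9rW4e$Tn3"),
    Entry("forum-a.example", "joe", "hunter2"),
    Entry("forum-b.example", "joe", "hunter2"),
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_VAULT):
        print(f"[{severity}] {message}")
```

Run against the sample vault this reports one CRITICAL finding (the mailbox password shared with the news site) and one WARN (the two forums). The same audit applied to a real export would typically read the entries from a CSV rather than a literal list; the grouping and severity logic are unchanged.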

      • #1305340

        The lesson to learn, then, is never use the password for your email address as the site’s login password.

        In this particular case, it was irrelevant how strong or weak the password was.

        That’s precisely correct. You can find lots of tips online about how to construct hard-to-break passwords. There are plenty of reviews of password generating and storage programs. But people tend to forget that it all goes to dreck if you re-use the same password in the wrong circumstances.

    • #1305309

      Years ago, Joe signed up for a Daily Planet account, using JoeKewl as his user name and JoeSumthinErAnother@yahoo.com for his e-mail address.
      ———-
      So I am assuming that the email addr was part of the data that the hacker dumped in that one table?

      This should also be a warning for why WEBSITES should not use the email address as the login ID. The user’s email addr should ideally be hidden from everyone.

      • #1305342

        So I am assuming that the email addr was part of the data that the hacker dumped in that one table?

        This should also be a warning for why WEBSITES should not use the email address as the login ID. The user’s email addr should ideally be hidden from everyone.

        Correct on both counts. But note that such sensitive sites as PayPal use email addresses for login IDs.

        • #1305387

          Correct on both counts. But note that such sensitive sites as PayPal use email addresses for login IDs.

          Which is why I not only use a disposable email addr but also a 26 char generated password with PayPal/eBay AND a Verisign secondary logon LCD code generator.

    • #1305338

      Woody

      Why have you not named and shamed the site involved? When the likes of Sony and Play.com made this mistake, forums, writers etc were not slow in naming them.

      Is this fictitious Daily Planet the same as mine? Because if so, I was one of the folks whose details were sent to lots of other folks.

      Here is a copy pasted from mail

      Hello

      This morning the name and email address you used to register for *** ********
      (name withheld due to your reluctance in your naming your example) was mistakenly sent to 3,521 individuals, also readers of *** ********. (my bold lettering)

      We’ve contacted them asking them to delete the email and respect your privacy.

      We are of course terribly sorry for this error and have reported
      ourselves to the ICO. Our initial statement is here:

      (I have removed the links that were in the mail that also shows their name as you seem to have an aversion to naming them – MY ITALICS)

      The actual figure of the number of folks involved can be seen when a link in the so called apology mail is clicked as quoted here

      My BOLD lettering

      Between 8:58 and 10:20 BST this morning we sent an email to 3,521 of you that contained the names and email addresses of 46,524 of our readers.

      Obviously, this was an error. The two-stage send process that is the norm for all of our mailers was over-looked because someone was in a hurry.

      We would like to offer our genuine and humble apologies for the error.
      If you would like to vent at that someone, their email address is here: (The e-mail address here purportedly enabled you to send an e-mail to the person responsible –
      I leave it to the reader to decide as to whether this went straight into the junk folder or was actually read by someone)
      We are in the process of blowing the whistle on ourselves to the ICO over the matter.

      Even if this is a different occurrence, I believe that you SHOULD name and shame. I am quite willing to name the site in my example. I have of course changed all my details with this site (password & e-mail address) as well as changing the password of the original mail registered with them. And NO, I did not use the same password for both e-mail and log-in with this, or any, site.

      Finally, when will it be safe for me to assume that I will not be getting spam/junk mail because of this? At present I only get 3 or 4 per month. What will I now start getting?

      • #1305341

        Woody

        Why have you not named and shamed the site involved?

        It’s a newspaper site in a large city. I haven’t named the site because I don’t want to put the people with stolen passwords in more danger than they’re already in. It’s a tough call, but I wouldn’t feel comfortable hassling innocent bystanders any more than is absolutely necessary.

        The incident you’re referencing is from The Register. Interesting twists on that one. See http://it.slashdot.org/story/11/10/25/0411213/the-register-email-address-blunder

        • #1305347

          It’s a newspaper site in a large city. I haven’t named the site because I don’t want to put the people with stolen passwords in more danger than they’re already in. It’s a tough call, but I wouldn’t feel comfortable hassling innocent bystanders any more than is absolutely necessary.

          The incident you’re referencing is from The Register. Interesting twists on that one. See http://it.slashdot.org/story/11/10/25/0411213/the-register-email-address-blunder

          Thanks for the reply Woody. And I now understand why you did not name and shame.

          And yes mine was from The Register. As you say interesting twists.

          A warning to others though. Some of the posts in Woody’s link have words that (IMO) should never be used in a forum. I can cuss like the best of them but there is a time and place and forums are not one of them.

          • #1305900

            Some of the posts in Woody’s link have words that (IMO) should never be used in a forum. I can cuss like the best of them but there is a time and place and forums are not one of them.

            Yeah, Slashdot commenters can get a little… well, a LOT…. obscene.
