Company researchers say it becomes very hard to manage difficult passwords

Jul 16, 2014 06:24 GMT  ·  By

Hack attacks, data breaches, and leaks of user details are common these days, and anyone with even minimal computer knowledge has heard at least one piece of advice from a security expert recommending a different password for each account.

The idea is as simple as it gets: if a hacker manages to break into one account, they might then try the same login credentials on other websites and compromise more of your data. Think of it as damage control, some said: we shouldn't let hackers reach more data than they already have.

Two Microsoft researchers have a completely different idea. Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, published a paper called “Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts” (PDF viewer required) that examines the problem of managing many distinct passwords in great detail.

In short, they believe that users should actually stick to a very easy password for websites where only a few personal details are stored, and reserve much more complex ones for banking websites and shopping services.

The researchers say that organizing websites into categories is pretty much the easiest way to do this, so managing passwords won't be too difficult. They acknowledge that if a hacker breaks into one account, attempts on other websites in the same group may follow, but argue that this shouldn't worry you, given that no sensitive details are hosted on those pages.

“The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio,” they said according to The Register. “Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum.”

“We note that while password re-use must be part of an optimal portfolio strategy, it is no panacea. Far from optimal outcomes will result if accounts are grouped arbitrarily.”
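The trade-off the researchers describe in the two passages above (group accounts by sensitivity, reuse within a group, and expect poor results from arbitrary grouping) can be made concrete with a small model. The following Python script is an added example, not code from the article or from the paper: it holds the number of distinct passwords fixed (the user's "finite effort") and compares a sensitivity-based grouping against an arbitrary one by the value exposed when a single account in a group is breached. The account names, the value figures and the per-account breach probability are constructed assumptions for illustration only.

```python
"""Toy model of a password portfolio under a fixed effort budget.

Added example (not from the article or the paper). Accounts, values and the
breach probability below are constructed assumptions, not real data.
"""

# Constructed sample portfolio: account name -> value at risk if compromised
# (arbitrary units; higher means more sensitive data behind that login).
ACCOUNTS = {
    "bank": 100,
    "shop": 60,
    "email": 80,
    "forum": 5,
    "news": 2,
    "recipes": 1,
}


def tiered_grouping(accounts, n_passwords):
    """Sensitivity-based grouping.

    The (n_passwords - 1) most valuable accounts each get a unique password;
    every remaining low-value account shares one easy password. Returns a
    dict mapping a password label to the list of accounts that use it.
    """
    ranked = sorted(accounts, key=accounts.get, reverse=True)
    unique = ranked[: n_passwords - 1]
    shared = ranked[n_passwords - 1:]
    groups = {f"unique-{name}": [name] for name in unique}
    if shared:
        groups["shared-low-value"] = shared
    return groups


def arbitrary_grouping(accounts, n_passwords):
    """Grouping that ignores sensitivity: alphabetical order, split into
    n_passwords roughly equal chunks. Same number of passwords as the
    tiered grouping, so the same recall effort for the user."""
    names = sorted(accounts)
    size = -(-len(names) // n_passwords)  # ceiling division
    chunks = [names[i * size:(i + 1) * size] for i in range(n_passwords)]
    return {f"chunk-{i}": chunk for i, chunk in enumerate(chunks) if chunk}


def exposure_per_group(accounts, groups):
    """Value exposed if any one account in the group is breached: an attacker
    who learns the password can reuse it on every account sharing it."""
    return {label: sum(accounts[a] for a in members)
            for label, members in groups.items()}


def worst_case_exposure(accounts, groups):
    """Largest loss a single password compromise can cause."""
    return max(exposure_per_group(accounts, groups).values())


def expected_exposure(accounts, groups, p_breach):
    """Expected loss when each account is independently breached with
    probability p_breach and a breach exposes the whole password group."""
    total = 0.0
    for members in groups.values():
        p_group = 1 - (1 - p_breach) ** len(members)
        total += p_group * sum(accounts[a] for a in members)
    return total


if __name__ == "__main__":
    budget = 3  # distinct passwords the user is willing to remember
    for label, grouping in (("tiered", tiered_grouping),
                            ("arbitrary", arbitrary_grouping)):
        groups = grouping(ACCOUNTS, budget)
        print(f"{label}: {groups}")
        print(f"  worst case: {worst_case_exposure(ACCOUNTS, groups)}")
        print(f"  expected (p=0.1): {expected_exposure(ACCOUNTS, groups, 0.1):.2f}")
```

With three passwords, the tiered grouping keeps the worst single compromise at the value of the bank account alone, while the alphabetical grouping puts the two most valuable accounts behind one password and nearly doubles the worst case; the expected-loss figure moves the same way. Dropping the budget to one password exposes the whole portfolio, which is the outcome the "different password everywhere" advice is trying to avoid at a recall cost the paper argues is unsustainable.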

As far as password managers are concerned, the researchers say they could indeed help, but there are two major differences that should be taken into consideration when choosing such an app.

“Password managers may improve usability and reduce some risks, but remain vulnerable to Class I attacks (e.g., client-side malware). Managers that store passwords only on the client improve resistance to Class II attacks, since they can choose better passwords and eliminate re-use. However, in storing only on the client this gives up one of the major advantages of passwords, i.e. portability,” they concluded.