Microsoft Researchers Cormac Herley and Dinei Florencio, the same guys who previously wrote "Sex, Lies and Cybercrime Surveys" to explain why cybercrime loss estimates are a bunch of bunk, are not afraid of directly challenging “accepted wisdom and conventional advice.” The duo was joined by Carleton University's Paul Van Oorschot to explore “how to manage a portfolio of passwords.” Their advice may surprise you since they claim “Password re-use can be part of a coping strategy.” Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts (pdf) will be presented at the 23rd USENIX Security Symposium in August.
Realistically, we have to keep track of too many passwords, so “password strategies that rule out password re-use or the use of weak passwords are suboptimal.” In fact, considering that “an active web-user may have a hundred or more password-protected accounts,” it’s naive to believe they have 100 strong and unique passwords for those accounts. Recent analysis revealed that even hackers use pathetic passwords. Despite all the security advice against it, people continue to use weak passwords and re-use passwords, making both “valuable tools in balancing the allocation of effort between higher and lower value accounts.”
As a password portfolio strategy, the trio of researchers suggested grouping passwords of unequal strengths such as “group together accounts with high value and low probability of compromise; and group together accounts of low value and high compromise probability.”
That doesn’t mean a password on your “disposal” email account should be reused on your banking account. “We note that while password re-use must be part of an optimal portfolio strategy, it is no panacea. Far from optimal outcomes will result if accounts are grouped arbitrarily,” they wrote.
After page upon page of math formulas, it seems that the researchers are, in essence, suggesting that several “throw-away” accounts without all your real info matter little and could be protected with the same password; then reuse another for several shopping sites and yet another for banking.
At one point in the paper, the researchers suggested:
Despite violating long-standing password guidance, writing passwords down is, if properly done, increasingly accepted as a coping mechanism. Other strategies to cope with the human impossibility of using strong passwords everywhere without re-use include single sign-on, use of email-based password reset mechanisms, and password managers. Such “password concentrators”, a form of password re-use, allow access to many accounts from one master access point, with account passwords stored either locally or in the cloud.
The main threats when re-using passwords “are client-side malware (all accounts fall), and various Class II attacks such as guessing, phishing, sniffing wireless links and server breaches (all accounts in the same sharing group fall).”
A password manager with a password-protected cloud-based store "trades one set of risks for another,” the paper states. “The use of random and unique passwords in such a system reduces both the risks related to any single manager-chosen password being stolen and those related to re-use in the face of server compromise. However, it introduces severe new risks: if the master password is guessed or used on any malware-infected client, or the cloud store is compromised, then all credentials are lost.”
If you are still inclined to use an online password manager, then know that other researchers found critical vulnerabilities in several popular web-based versions.
Insecure password managers
Researchers from the University of California, Berkeley, analyzed the security of five password managers that run in a web browser – LastPass, RoboForm, My1login, PasswordBox and NeedMyPassword – and found critical flaws in them all. In four of five, the researchers said "an attacker could steal arbitrary credentials from a user’s account."
The root causes of the vulnerabilities were diverse, they wrote, "ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS." Their analysis should serve as a “wake-up call for developers of web-based password managers.” The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers (pdf) will also be presented at USENIX.