Password reuse opens doors for cyber criminals

End-users must have a different password for every website and security domain

Combine end-users' propensity to reuse passwords with the aforementioned success of phishing attacks, and the security ramifications become clear. No one should reuse passwords across any security domain or website: when the weakest and most poorly protected location is compromised, they all are. Malicious hackers routinely replay passwords captured on unimportant sites against Web vendors that are likely to store credit cards, such as Amazon, iTunes, and so on.

Store your passwords safely
Today, I make sure I never reuse the same password on any site or between any two security domains, although I include a common root word in all of them, to make life easier. Say my root word is "frog" (it isn't). For Amazon, my password may be "Amazonfrog220." For iTunes, it may be "iT220Frog," and so on.

When I store my passwords, I write "Amazonf220" and "iT220F"; that way, none of my passwords is written down in plaintext for easy stealing if my password store (or smartphone) is compromised. Sure, the attacker could guess at my root word, except that my root word is really a complex passphrase that would be more difficult to break than most people's passwords alone. The real weakness of this scheme is a different one: if any single full password leaks in plaintext, say from a phished or breached site, the root is exposed and every other account is only a site-name guess away.
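The audit below is an added example, not code from the original column, and it shows both points above in working form: exact reuse of a (user, password) pair across sites, which an attacker replays as-is, and the weaker "site name plus root word" pattern, which it detects as a long substring shared by two different passwords of the same user. The records, sites and passwords are constructed for the example; a defender would run the same logic over an internal credential dump or a breach notification feed.

```python
from collections import defaultdict

# Constructed sample records, in the shape an attacker assembles from several
# breach dumps. None of these are real accounts, sites or passwords.
LEAKED = [
    {"site": "recipes.example", "user": "alice@example.com", "password": "frog220"},
    {"site": "shop.example",    "user": "alice@example.com", "password": "frog220"},
    {"site": "forum.example",   "user": "alice@example.com", "password": "Forumfrog220"},
    {"site": "bank.example",    "user": "Alice@example.com", "password": "Bankfrog220"},
    {"site": "mail.example",    "user": "bob@example.com",   "password": "qN7!vR2#xLp9"},
    {"site": "news.example",    "user": "bob@example.com",   "password": "Wm4$kZ8&tHq1"},
]


def exact_reuse(records):
    """Return {(user, password): [sites]} for every credential pair that
    appears on more than one site. These need no guessing at all: the
    attacker replays them unchanged (credential stuffing)."""
    sites = defaultdict(set)
    for r in records:
        sites[(r["user"].lower(), r["password"])].add(r["site"])
    return {k: sorted(v) for k, v in sites.items() if len(v) > 1}


def longest_common_substring(a, b):
    """Case-insensitive longest common substring, by dynamic programming."""
    a, b = a.lower(), b.lower()
    best, prev = "", [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > len(best):
                    best = a[i - cur[j]:i]
        prev = cur
    return best


def shared_root(records, min_len=5):
    """Flag pairs of *different* passwords for the same user that share a
    long substring. That is the weak point of the 'site name + root word'
    scheme: once one of them leaks, the root is known and every other
    account is a short site-name guess away."""
    by_user = defaultdict(lambda: defaultdict(set))
    for r in records:
        by_user[r["user"].lower()][r["password"]].add(r["site"])
    findings = []
    for user, pw_sites in by_user.items():
        pws = sorted(pw_sites)
        for i, p1 in enumerate(pws):
            for p2 in pws[i + 1:]:
                root = longest_common_substring(p1, p2)
                if len(root) >= min_len:
                    findings.append({
                        "user": user,
                        "root": root,
                        "passwords": (p1, p2),
                        "sites": sorted(pw_sites[p1] | pw_sites[p2]),
                    })
    return findings


if __name__ == "__main__":
    for (user, pw), sites in exact_reuse(LEAKED).items():
        print(f"EXACT REUSE  {user}: '{pw}' on {', '.join(sites)}")
    for f in shared_root(LEAKED):
        print(f"SHARED ROOT  {f['user']}: {f['passwords']} share '{f['root']}' "
              f"({', '.join(f['sites'])})")
```

Bob's two passwords, randomly generated and unrelated, share nothing longer than a single character and are not flagged; Alice's three variants all collapse to the root "frog220". The `min_len` threshold is a judgment call: too low and short coincidences such as "220" produce noise, too high and a four-letter root like "frog" slips through.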

One of my very smart work colleagues, Laura A. Robinson, makes my method seem Cro-Magnon. She uses Bruce Schneier's free Password Safe tool. Using very strong Twofish encryption, it not only stores passwords very securely, it also lets her double-click a stored password and paste it into a login form. It generates long, complex, and unique passwords as well. Laura said it surprises most people that she doesn't even know what most of her passwords are.
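The generator below is an added example, not Password Safe's code, of the one job a password manager does that the root-word scheme cannot: producing a different, uniformly random password for every site from the operating system's cryptographic random source. The character classes and default length are assumptions chosen for the example; the rejection loop is there because the common shortcut of picking one character from each class and shuffling makes some passwords more likely than others.

```python
import math
import secrets
import string

# Character classes assumed for this example; a real manager exposes these
# as a per-site policy because some sites reject punctuation entirely.
LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
DEFAULT_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def has_all_classes(password, classes=DEFAULT_CLASSES):
    """True when at least one character from every class is present."""
    return all(any(ch in cls for ch in password) for cls in classes)


def generate_password(length=20, classes=DEFAULT_CLASSES):
    """Draw `length` characters uniformly from the union of `classes` using the
    OS CSPRNG (the `secrets` module, never `random`), and reject any draw that
    misses a class. Rejection keeps the accepted passwords uniformly
    distributed over the set that satisfies the policy."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


def entropy_bits(length, classes=DEFAULT_CLASSES):
    """Guessing work for a uniform draw: log2(alphabet_size ** length).
    The class requirement trims this by well under one bit at these lengths."""
    return length * math.log2(sum(len(c) for c in classes))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(20):.0f} bits")
    # Sites that reject punctuation still get a random, unique password,
    # just from a smaller alphabet and with correspondingly fewer bits.
    alnum_classes = (LOWER, UPPER, DIGITS)
    print(generate_password(16, alnum_classes),
          f"~{entropy_bits(16, alnum_classes):.0f} bits")
```

A 20-character draw from the full 94-character alphabet is about 131 bits, far beyond what any online or offline guessing attack reaches, and it carries no root that a leak from one site would expose; the price is exactly the one Laura pays, which is that the password is not memorable and must live in an encrypted store.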

Sure, there are a few places where she still has to type passwords in manually, such as on the Xbox and the TiVo, but most of the password work is done very securely. Laura uses Microsoft's Live Sync to sync her Password Safe database (itself protected by a long and complex master password, which is all that stands between the synced file and everything in it) across all her computers and in the cloud.

However you accomplish it, make sure you don't share passwords across security domains or among websites. Make sure your company's password policy says the same and that end-users are educated about the dangers. Otherwise they're just passwords blowing in the wind.

This story, "Password reuse opens doors for cyber criminals," was originally published on Roger Grimes' Security Adviser blog.


Copyright © 2011 IDG Communications, Inc.
