The Rationality Of Re-Using Passwords
Internet security vendor BitDefender recently published the results of a study that found, unsurprisingly, that “75 percent of social networking username and password samples collected online were identical to those used for email accounts.” The SecurityWeek story reporting on the BitDefender study also noted that the report “advised users to be extra careful while creating passwords for social networking and email accounts and avoid using the same password just for the sake of convenience.”
The key word here is convenience. From the perspective of most consumers (and many enterprise employees), re-using the same password produces the most economic utility. This is the “Poor Man’s Single Sign-On” strategy (PM-SSO). It costs nothing to implement, requires the user to learn no new technologies or change habits, and is a relatively error-free operation. Moreover, the downside risks are low. With respect to identity theft, for example, most credit card issuers will refund your money if they determine your identity was stolen online. So speaking rationally, why wouldn’t you do this instead of fooling around with CardSpace, Norton Identity Safe, OAuth, OpenID, Facebook Connect or any number of enterprise SSO tools? Exactly.
Of course, from the security practitioner’s viewpoint, this is a rotten idea. It is insecure! It exposes you to risks! And it places you at the mercy of identity thieves, scammers and those nasty people that BitDefender (not to mention Mr. McAfee and Mr. Norton) has been talking about for years. Plus it is just not the right thing to do! …somehow.
Facetiousness aside, as a student of security I agree that re-using passwords is a bad idea. I do not follow the PM-SSO strategy myself, because I am paranoid. I use a tool called 1Password, which generates unique passwords for each website, and keeps them in vault protected by my machine password. It integrates nicely into my desktop computer’s browser. I consider it a feature that I don’t actually know any of the passwords to the 200+ sites I belong to. The downside is that 1Password requires a little bit of setup for each website, and a whole lot of discipline. It also prevents me from logging into websites on my mobile phone, because I cannot share the 1Password database with the native browser on the device. But these are minor quibbles; on the whole, it works very well and helps me sleep at night.
But not everyone is paranoid, or a dork. Most people want to do the easy thing. That is why Poor Man’s Single-Sign-On is such an appealing strategy, in spite of the plaintive warnings from practitioners and security vendors that it is unsafe, ill-advised or the very opposite of a “best practice.”
Two things need to happen for this picture to change. First, the security industry needs to invent easier-to-use, lower-friction alternatives to re-using passwords. And no, CardSpace is not it. Neither is 1Password: although I like it a lot, it isn’t for everyone. Second, the true economic costs of PM-SSO need to be pushed back onto consumers and employers to make staying with the current strategy more painful. If they feel more pain, they will be motivated to change their behavior.
Because neither of these conditions look likely to hold, I fearlessly forecast that passwords will continue to be the most popular (and most abused) authentication scheme for the foreseeable future. I have a bet riding on this: Jim Manico, Dave Aitel, Ed Bellis, Ivan Ristic and a few others have all taken positions on whether passwords will continue to be the dominant method of authentication. I think it will be. On January 21, 2020, we will check in and see how we did.