Ignore Microsoft research: don't use weak passwords

By Nicole Kobie on Jul 20, 2014 9:38AM

In the spotlight

Announcing Pipeline 2025 tickets, theme & initial speakers

Australian MSP Index launched

End of Support for Windows 10: A guide for Channel Partners

Ingram Micro Ushers in the Age of Ultra

Don't use weak passwords for less important sites, no matter what Microsoft researchers say.

That's the message from security experts following suggestions from researchers at Microsoft and Carleton University that it's okay to use weak, easy-to-remember passwords for less important sites, and save more complicated passwords for those sites requiring more security, such as online banking or retail.

If your first thought is to ignore all that and use a password manager such as LastPass or 1Password, the researchers also warned that such tools introduce a single point of failure, trading "one set of risks for another", according to a Guardian report.

The research paper added that password managers can introduce "severe" new risks: "If the master password is guessed or used on any malware-infected client, or the cloud store is compromised, then all credentials are lost".

However, don't panic and delete your LastPass account: security experts scoffed at the idea that such managers aren't a good way to protect login credentials.

"Using a password manager is like putting all your eggs in one basket," said security consultant Graham Cluley. "But, crucially, despite it being a basket of eggs... it's still much safer in my opinion than the alternatives."

He stressed such tools aren't foolproof – noting that keylogging malware could steal your master password - but said they remain a good option. "That's why I use a password manager, and that's why I tell all my friends and family to do the same," he said.

F-Secure technical consultant Bunmi Sowande agreed that password managers are a good security tool, but that users should let the app generate the password, "since they are harder to crack than ones that people come up with". He added: "Using a word or phrase and replacing the 'E's with '3's is fooling no-one."

Weak security for some sites

The experts also disagreed with the researchers' opinion that we shouldn't waste effort coming up with strong, more difficult-to-remember passwords for less important sites.

That's not wise, since "these websites tend to be the ones with poor security in place to prevent breaches," said Sowande. "And once the website is breached, your weak password, if you have reused it elsewhere, now exposes all your other accounts."

Even if users were to adopt the simple passwords for some sites, there are still too many others that require a complex password - Sowande noted Facebook, Twitter, email, banking, your work computer, shopping, and credit card – which leaves you with the issue of having too many unique passwords to easily remember, and makes a password manager ideal.

This article originally appeared at pcpro.co.uk

Got a news tip for our journalists? Share it with us anonymously here.