
Microsoft Urges Users to Use Weak Passwords

Source: Tom's Guide US | 18 comments

Security experts have spent a long time drilling password security into the average computer user's head, which is why a new report from Microsoft may leave us dazed and confused.

The researchers recommend that instead of coming up with strong, unique passwords for every single online account, you should pick weak passwords and reuse them — but only on low-impact sites.

The findings come from a Microsoft research paper in which three security experts investigated both password strength and the mental effort it takes to keep track of dozens of different passwords. By reusing the same easy-to-remember password on sites whose compromise would expose little of value, the researchers argued, users could develop and memorize stronger passwords for the accounts that really matter.


Mathematically speaking, remembering complicated passwords represents something of a challenge. The paper gave the example of a user who has 100 accounts — not an unreasonable number, given how many email addresses, streaming services, business tools and cloud-storage options the average person has access to.

Ideally, he or she would create 100 strong passwords, but strong passwords are difficult to memorize, as is remembering which alphanumeric string goes with which service. The researchers found it would be more efficient to create unique strong passwords only for accounts whose compromise would be disastrous — online banking, webmail, social networks and so on — while using the same weak, easy-to-remember password for the rest.

There's no doubt that reusing passwords is not secure, and reusing weak passwords only exacerbates matters, but not every account is created equal. A user who uses the same password for his or her email, Google Play account and office computer stands to lose much more than one who uses the same password for Spotify, the IMDB forums and Hulu.

Keeping track of passwords with a password manager, or by saving them all in a Word document, is also not necessarily the best solution, the researchers wrote. Gaining access to a user's computer is harder than breaking into his or her individual accounts, but doing so would effectively compromise every single password in his or her arsenal at once.

The paper is theoretical and rests on fairly involved probability math, so you may not want to go out and change all of your passwords just yet. Still, if you insist on using the same password for every account, you may at least have freed up some gray matter for something else.
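The trade-off the article describes can be made concrete with a small model. The following is an added example, not code from the article or from the Microsoft paper: each account is given a loss value and a yearly probability that the site itself leaks its password database, accounts that share a password fall together when any one of them leaks, and a fixed budget of memorable passwords is allocated by giving the most valuable accounts their own password and sharing the last one among the rest. The account list, the probabilities and the simple compromise model are all constructed assumptions; the paper's own model is more elaborate.

```python
"""Toy 'password portfolio' model: how much expected loss a user with a
fixed number of memorable passwords carries, depending on which accounts
share a password. All numbers below are constructed for illustration."""

# Constructed account list: (name, loss if compromised in arbitrary units,
# yearly probability that this site leaks its password database).
ACCOUNTS = [
    ("bank",        1000, 0.01),
    ("webmail",      800, 0.02),
    ("social",       300, 0.05),
    ("cloud-store",  300, 0.03),
    ("streaming",     10, 0.10),
    ("imdb-forum",     5, 0.20),
    ("recipes",        2, 0.20),
    ("newsletter",     1, 0.25),
]


def group_loss(group):
    """Expected loss of one password-sharing group.

    The shared password is exposed if at least one member leaks it:
    P(any leak) = 1 - prod(1 - p_i). Once exposed, the attacker reaches
    every account in the group, so the loss is the sum of their values.
    """
    p_none = 1.0
    for _name, _value, p_leak in group:
        p_none *= 1.0 - p_leak
    p_any = 1.0 - p_none
    return p_any * sum(value for _name, value, _p in group)


def expected_loss(groups):
    """Total expected loss over a whole portfolio of groups."""
    return sum(group_loss(g) for g in groups)


def allocate(accounts, budget):
    """Allocate `budget` distinct passwords (assumed strategy): the
    `budget - 1` most valuable accounts get their own password, and the
    last password is shared by everything that remains."""
    if budget < 1:
        raise ValueError("need at least one password")
    ranked = sorted(accounts, key=lambda a: a[1], reverse=True)
    singles = [[a] for a in ranked[: budget - 1]]
    rest = ranked[budget - 1:]
    return singles + ([rest] if rest else [])


def describe(groups):
    """Human-readable view of which accounts share a password."""
    return [" + ".join(name for name, _v, _p in g) for g in groups]


if __name__ == "__main__":
    for budget in (1, 3, 5, len(ACCOUNTS)):
        groups = allocate(ACCOUNTS, budget)
        print(f"{budget} passwords -> expected loss "
              f"{expected_loss(groups):8.3f}  groups: {describe(groups)}")
```

With these constructed numbers, one password for everything carries an expected loss of roughly 1484 units, five passwords bring it down to about 60, and a unique password for every account reaches about 53: almost all of the benefit comes from isolating the handful of high-value accounts, which is the paper's point as the article reports it. Sharing among the low-value sites costs little because the shared group's total value is small even though its leak probability is high.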

Follow Marshall Honorof @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.

  • 6 Hide
    skit75 , July 16, 2014 2:08 PM
    Most sites seem to require 8+ alphanumeric case sensitive characters with a symbol already so the choice is not really up to the end user anymore.
  • 2 Hide
    senkasaw , July 16, 2014 2:10 PM
    This is what I did for years. Now I use keepass...but I still use really easy passwords for low impact sites.
  • 3 Hide
    robochump , July 16, 2014 2:42 PM
    Only password I really need to remember is the one I set on my Excel spreadsheet with all my other passwords....heh. Sure there are Apps that do this but too lazy to transfer it all to any of them.
  • 2 Hide
    sicom , July 16, 2014 3:16 PM
    Already knew this about myself, so it's a practice I've used for years.
  • -5 Hide
    bison88 , July 16, 2014 3:34 PM
    Considering Microsoft artificially limits you to 16 characters on Hotmail/Outlook (and who knows what other of their services), this doesn't surprise me. Their reasoning behind that was even shadier if you do a Google search on the topic. For a company of their size I'd expect them to be all over security issues like this.
  • 5 Hide
    amk-aka-Phantom , July 16, 2014 4:57 PM
    Quote:
    Only password I really need to remember is the one I set on my Excel spreadsheet with all my other passwords....heh. Sure there are Apps that do this but too lazy to transfer it all to any of them.


    Fun fact: IIRC, LibreOffice has a "bug" where it disregards password protection on MS Office files and reads them anyway.
  • -2 Hide
    wiinippongamer , July 16, 2014 6:00 PM
    Man lands on moon
  • 6 Hide
    icemunk , July 17, 2014 1:38 AM
    Sites that force certain criteria are stupid. One upper case, one letter, and 8 to 16 characters; well, there's the hackers' criteria when writing a program to figure them out. Stop putting stupid criteria on passwords! The user should be able to pick whatever they wish. I would say the best password would be a phrase that is easy to remember; something like "thereisnowayanyoneisgoingtocrackthispassword" would be an example. The constant rules not only make it annoying for the user, they are also a major security flaw.
  • 1 Hide
    virtualban , July 17, 2014 4:16 AM
    Quote:
    Quote:
    Only password I really need to remember is the one I set on my Excel spreadsheet with all my other passwords....heh. Sure there are Apps that do this but too lazy to transfer it all to any of them.


    Fun fact: IIRC, LibreOffice has a "bug" where it disregards password protection on MS Office files and reads them anyway.


    That bug does not work on me. I keep a plain text file. But while the account name may look familiar, the password instead has a reference that only I know. Similar to the password hint, just way too personalized and overcomplicated over the years.
  • 1 Hide
    sylentz , July 17, 2014 4:55 AM
    batteryhorsestaplecorrect -> http://xkcd.com/936/
  • 0 Hide
    Floflo81 , July 17, 2014 5:55 AM
    Use this instead: https://addons.mozilla.org/fr/firefox/addon/password-hasher/
    Chrome equivalent: https://chrome.google.com/webstore/detail/password-hasher-plus-pass/glopbmohkffbnplcjbbbfmmimfhfnhgd
    Compatible Android app: https://play.google.com/store/apps/details?id=com.ginkel.hashit
  • 0 Hide
    Durandul , July 17, 2014 7:06 AM
    Yep, as the article and others have mentioned, password manager. If you want to store them in a Word file but also make it secure, you can use 7-Zip to compress files with a password, so it cannot be easily uncompressed without said password.
  • 0 Hide
    bourgeoisdude , July 17, 2014 7:24 AM
    Weak pass"words" are relative. The correct horse battery staple example is best for passphrase strength. I would consider it simple, but it is also hard to guess (well not THAT one specifically anymore).

    BEGIN rant
    {
    Sites that require alpha-numeric symbol punctuation space hyphen crypto stupidity passwords make it LESS likely people will create secure "passwords". So what, instead of password now they use P@ssword1! like that's much better or something. Of course the worst abomination of all is requiring security questions and only having preset ones. Yea industry, let's make a counter-intuitive method that successfully weakens security for users while simultaneously making mothers and grandparents everywhere somehow feel safer about their weak password while making tech savvy users pull their hair out. If not already, it should be on the list of the 10 dumbest things in the universe.
    } //rant

    We also need to start using the term passphrase instead of password so that people will catch on that no pass"word" is secure.
  • 0 Hide
    booyaah , July 17, 2014 7:43 AM
    I have a password protected TrueCrypt partition stored on my server with an Excel file that has all my banking passwords and such which are 24 character random alpha numeric strings.

    I have an RD Gateway that I can login to from any Windows machine or the RD App on my S5 if I really need to access banking info on the go or in a pinch.

    Basic password security is three things:
    1) Make sure your password is complex enough so that it isn't easily brute forceable or guessable.
    2) Do not use the same password on multiple high value sites.
    3) Don't do anything to get key logged (don't go to 'those' sites or click on 'that' email link).

    And yes, I do use the same password across multiple community sites like toms, etc.
  • 2 Hide
    RCguitarist , July 17, 2014 7:56 AM
    I'll tell you the most hack-proof way to keep your complex passwords safe and easily accessible....lean in because I don't want the NSA to hear this......write them down on a piece of paper.
  • 0 Hide
    iogbrideau , July 17, 2014 9:45 AM
    Ironic that my antivirus pops up with warnings about malicious ads on an article that talks about security.

    Anyway that's pretty much what I already do with my passwords.
  • 1 Hide
    thethirdrace , July 17, 2014 10:48 AM
    Password strategy 101 to remember an unlimited number of different passwords:

    1- Separate each site/service into 1 of 3 categories:
    a- Official things you can't afford to be hacked
    b- Things you'd be pissed to be hacked
    c- Things you don't care to be hacked

    2- Select a pattern with good security principles. You need numbers (N), upper (U) and lower (L) case letters and at least 1 symbol (S). A good pattern would be LNUUNLLS

    3- Select numbers for each category defined at #1. For example, #1 could be 257, #2 could be 368 and #3 could be 479.

    How it all comes together?

    Say you visit NewEgg.com and we consider this a "B" type of site (pissed, but not catastrophic). You take the first 5 letters of the site and apply the pattern in #2 to get n3EW6eg!

    Say you visit EA.COM (category -> not important), you get e4AC7om!

    That way, you don't have to remember any password, you only have to remember your pattern. With this method, you can literally log into an unlimited number of sites/services without ever forgetting your password again. The best thing is, even if the site or service is compromised, you don't have the same password anywhere else. There's no way a hacker will take the time to find your password pattern, so you can practically say you're 100% secure too.
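Two of the comments above describe deriving a different password for every site from one thing you remember: thethirdrace's fixed letter/number/symbol pattern, and the password-hasher add-ons linked in Floflo81's comment, which hash a master secret together with the site name. The following is an added example written for this page, not code from either commenter or from the linked add-ons. It implements the pattern rule exactly as the comment states it (pattern LNUUNLLS, category digits 257/368/479, first five letters of the site), which reproduces the comment's own outputs n3EW6eg! and e4AC7om!, and beside it a keyed derivation using PBKDF2-HMAC-SHA256 with the site name as salt. The difference that matters for a defender is visible in the code: the pattern output is a function of the site name and a category alone, so anyone holding one derived password and its site name has everything needed to reconstruct the rule, whereas the keyed output also depends on a secret the site never sees. The master passphrase, iteration count, output length and the `meets_typical_policy` check are assumptions of this example.

```python
"""Per-site password derivation: the comment's fixed pattern beside a keyed
(PBKDF2-HMAC) derivation. Example code for this page, not the commenters'."""
import base64
import hashlib

# Category digits exactly as given in the comment: A = 257, B = 368, C = 479.
CATEGORY_DIGITS = {"A": "257", "B": "368", "C": "479"}
PATTERN = "LNUUNLLS"   # L = lower-case letter, N = digit, U = upper-case, S = symbol
SYMBOL = "!"           # the comment's examples end in "!"


def pattern_password(site, category, pattern=PATTERN, symbol=SYMBOL):
    """Apply the comment's rule: take the first five letters of the site
    name, then fill the pattern slot by slot, consuming letters and the
    category's digits in order. Everything here is derived from public
    inputs (site name, category), which is the property to notice."""
    letters = iter([c for c in site if c.isalpha()][:5])
    digits = iter(CATEGORY_DIGITS[category])
    out = []
    for slot in pattern:
        if slot == "L":
            out.append(next(letters).lower())
        elif slot == "U":
            out.append(next(letters).upper())
        elif slot == "N":
            out.append(next(digits))
        elif slot == "S":
            out.append(symbol)
        else:
            raise ValueError(f"unknown pattern slot {slot!r}")
    return "".join(out)


def keyed_password(master, site, length=16, iterations=100_000):
    """Keyed alternative (assumed construction): PBKDF2-HMAC-SHA256 of the
    master passphrase with the lower-cased site name as salt, base64-encoded
    and truncated. Without `master`, knowing `site` gives you nothing."""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                             site.lower().encode("utf-8"), iterations)
    return base64.b64encode(dk).decode("ascii")[:length]


def meets_typical_policy(pw, min_len=8):
    """Assumed site policy of the kind discussed in the thread: at least
    min_len characters with lower, upper, digit and symbol present."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed; pick your own
    for site, cat in (("NewEgg.com", "B"), ("EA.COM", "C")):
        p = pattern_password(site, cat)
        k = keyed_password(master, site)
        print(f"{site:12} pattern={p}  policy_ok={meets_typical_policy(p)}"
              f"  keyed={k}")
```

Running it prints the comment's two example passwords for the pattern scheme and a 16-character string per site for the keyed scheme. A base64-truncated keyed output does not guarantee every character class a site policy might demand; the real password-hasher add-ons post-process their output to satisfy such rules, which this example leaves out.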
  • 0 Hide
    groundhogdaze , July 21, 2014 10:41 AM
    Quote:

    BEGIN rant
    {
    Sites that require alpha-numeric symbol punctuation space hyphen crypto stupidity passwords make it LESS likely people will create secure "passwords". So what, instead of password now they use P@ssword1! like that's much better or something. Of course the worst abomination of all is requiring security questions and only having preset ones. Yea industry let's make a counter-intuitive method that successfully weakens security for users while simultaneously making mothers and grandparents everywhere somehow feel safer about their weak password while making tech savvy users pull their hair out. It not already, it should be on the list of the 10 dumbest things in the universe.
    } //rant


    I Agree. The preset security questions are really, really irritating to me and more than half the time, I either don't want to write the answer (if a hacker compromises the site, they can potentially be able to access your personal answers and use it against you on another site) or I don't even know the answer myself because I'm conflicted on the answers like "What's your favorite hobby"? I don't have a "favorite" anything so I'm forced to put dummy answers in.