Security experts have spent a long time drilling password security into the average computer user's head, which is why a new report from Microsoft may leave us dazed and confused.
The researchers recommend that instead of coming up with strong, unique passwords for every single online account, you should pick weak passwords and reuse them — but only on low-impact sites.
The findings come from a Microsoft research paper in which three security experts investigated both password strength and the mental capacity it takes to keep track of dozens of different passwords. By using the same easy-to-remember passwords on sites that cannot compromise personal details, the researchers argued, users could develop and memorize more complex passwords for the accounts that really matter.
Mathematically speaking, remembering complicated passwords represents something of a challenge. The paper gave the example of a user who has 100 accounts — not an unreasonable number, given how many email addresses, streaming services, business tools and cloud-storage options the average person has access to.
Ideally, he or she would create 100 strong passwords, but strong passwords are difficult to memorize, as is remembering which alphanumeric string goes with which service. The researchers found it would be more efficient to create unique strong passwords only for accounts that would lead to disaster if compromised — online banking, Webmail, social networks and so on — while using the same weak, easy-to-remember password for the rest.
There's no doubt that reusing passwords is not secure, and reusing weak passwords only exacerbates matters, but not every account is created equal. A user who uses the same password for his or her email, Google Play account and office computer stands to lose much more than one who uses the same password for Spotify, the IMDB forums and Hulu.
Keeping track of passwords by using a password manager or saving them all on a Word document is also not necessarily the best solution, the researchers wrote. Accessing a user's computer is harder than accessing his or her individual accounts, but doing so would effectively compromise every single password in his or her arsenal.
The paper is theoretical and based on fairly complex probability math, so you may not want to go out and change all of your passwords just yet. Still, if you insist on using the same password for every account, you may have freed up important gray matter for something else.