Choose bad passwords and reuse them often says Microsoft

Conventional security wisdom says that you should use complicated passwords which are impossible to remember and have a different one for each and every website that you visit.

However, a new paper published this month by Microsoft Research says we should go back to having a bad, easily remembered, password and using it on lots of sites. Okay, that's a bit of a simplification, but what the researchers are saying is that in order to be able to remember the difficult passwords for your bank, etc it's better to reuse simpler passwords on low-risk sites.

The report acknowledges the difficulties of having a large number of passwords and the benefits of reuse as a coping strategy. The authors say, "Despite violating long-standing password guidance, writing passwords down is, if properly done, increasingly accepted as a coping mechanism. Other strategies to cope with the human impossibility of using strong passwords everywhere without re-use include single sign-on, use of email-based password reset mechanisms, and password managers".

However they point out that whilst password managers may reduce some risk they can be vulnerable to malware attacks either against the client device or cloud servers. Storing passwords only on the client also sacrifices portability.

The research suggests dividing your passwords into two groups, the first those with high value and low probability of compromise and secondly accounts of low value and high compromise probability. The first group would include your bank, email accounts and so on. The second would be websites and forums where you perhaps need to sign in to comment but don't carry out financial transactions.

The report’s conclusion is that, "...to be realistic, efficient password management should consider a realistic suite of attacks and minimize the sum of expected loss and user effort." It also says, "We note that while password re-use must be part of an optimal portfolio strategy, it is no panacea".

You can read the full report on the Microsoft Research website. Meantime if you’d like to comment you can be safe in the knowledge it’s fine to sign in with a weak password that you've used on other sites.

Image Credit: Africa Studio / Shutterstock