A British security researcher has analyzed password data made public by Anonymous group hacks against Gawker and rootkit.com, and found that many users with accounts at both sites used the same password for their login credentials.
In fact, compared to previous research on the issue, the data suggests more and more people are reusing passwords.
Password reuse across different Websites represents a risk because all a hacker need do is crack one site to be able to access other sites the individual uses.
The requirement by many Websites that users log in with their e-mail addresses makes password reuse an even more serious issue, because it means the same username is used across multiple sites. In most cases, e-mail addresses are not confidential.
Analyzing the data, researcher Joseph Bonneau found that 456 legitimate e-mail addresses overlapped at both Gawker and rootkit.com. All the passwords were hashed (that is, encrypted), which makes decoding virtually impossible, but Bonneau used rainbow tables to uncover 54% of the Gawker passwords and 44% of the rootkit.com passwords. Rainbow tables are massive look-up databases of hashed passwords alongside their plain text versions.
A process called salting can make it much harder for a rainbow table attack to decode passwords but the rootkit.com passwords weren't salted, and the Gawker ones only minimally.
With the new data in hand, Bonneau found that 49% of users whom he was able to match across both sites had the used the same password for their login credentials. Six percent of them differed their passwords by changing capitalization or adding a small suffix (that is, something like "password" and "password1").
Previous studies have shown password reuse rates of between 12 and 20%, so the implication is that Web users are getting lazier. However, it's extremely hard to perform studies of this nature because of limited data sources; no organization will make available their live password data for cracking, and certainly no organization where the passwords protects important data (such as banks, where the question of password reuse is all the more important).
Bonneau says that if the close-to 50% rate of resuse is true, then rainbow table lookups could become a profitable use of time and resources for cybercriminals, potentially opening up a new avenue of attack.
So, what can we do to avoid getting caught-up in such a mess? Firstly, try and use a different username at every Website you visit. If a site relies on your e-mail address as a username, then contact the organization concerned to say that this raises security issues.
Secondly, and perhaps this is obvious, use different passwords across the sites you visit. This means remembering many passwords but there are tricks to get around this, and also tricks to generate good quality passwords.
One technique is to turn your password into a passphrase consisting of several words, which will be both longer and easier to remember than nonsense passwords such as "H4@vNS!3," which Websites sometimes suggest. Avoid common quotations for passphrases, though.
Visualizing a passphrase in your head will help you remember it. For example, a passphrase of "Oranges eat bananas but only on the beach" can easily be pictured in your head, even if it might be rather disturbing. Try and tie the visual image around the name of the site; for PCWorld, you could create a passphrase like, "My PC is as big as the Earth."
Alternatively, you can turn the passphrase into a mnemonic by taking the first letter of each word, except for the last word (in order to lengthen the password). This works best if you can work in numbers and symbols, along with some proper nouns (that is, capitalized words). For example, "3 dollar Seville oranges eat 9 bananas in Tahoe" becomes "3$Soe9biTahoe."
Speaking personally, I have no qualms about writing down usernames and passwords and keeping them in my wallet. Yes, there's a security risk if the scrap of paper is lost--although I try to avoid listing Website addresses alongside the passwords, relying on my own memory to know what password is used where. But the risk is considerably less than reusing the same password across various different sites. Ultimately, there's no such thing as perfect security in a world full of fallible humans. We can only do our best.
You can find Bonneau's research in a blog posting.
Keir Thomas has been making known his opinion about computing matters since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com. His Twitter feed is @keirthomas.
This story, "Password reuse is all too common, research shows" was originally published by PCWorld.