Over the past few months there has been significant discussion about what makes a password secure (relevant xkcd comic that you’ve probably seen already). One factor that’s often overlooked is that people tend to use the same password across different sites. This is perhaps a more serious problem than the cryptographic strength of the password itself. Why?
Imagine that your passphrase is “steward fan catholic impersonator.” You feel confident that it would be hard to guess through brute force. You use it for Paypal, Facebook, … and also for somecrappysite.com. Now, one fine day somecrappysite.com gets hacked. The next time you visit, the login page carries malicious code that sends your password in plaintext to someone (or the attacker simply dumps the site’s password database; either way, the result is the same). There go your Paypal funds, your Facebook account, your online life.
It doesn’t matter how hard we try to educate people to not reuse passwords. It’s the path of least resistance for most people, so they (we) will continue doing it. How do we solve this problem?
One possibility would be to enforce it from the browser. Google could make Chrome remember salted one-way hashes of the passwords you’ve registered, never the passwords themselves. When you try to use “steward fan catholic impersonator” for the second time, Chrome would recognize the hash and tell you “sorry Dave, I can’t let you do that. You’re already using that password somewhere else.” (It would only know about passwords you set through that browser, but that covers most people.)
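As an added illustration of the browser-side idea above (this is example code, not anything Chrome actually does), here is a small reuse checker. It keeps one salt per browser profile rather than per entry, so a candidate password can be looked up with a single hash; the hash is a slow PBKDF2 so that the store itself is not a cheap cracking target if it leaks. The origins, the work factor and the class name are all assumptions for the example.

```python
import hashlib
import secrets


class PasswordReuseChecker:
    """Hypothetical browser-side check: remembers a salted, slow hash of every
    password the user has registered, keyed by that hash, so a second use can
    be refused before it ever reaches the new site. Illustration only."""

    ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

    def __init__(self, profile_salt=None):
        # One salt per browser profile, not per entry: with per-entry salts a
        # new password would have to be re-hashed against every stored entry.
        self.profile_salt = profile_salt or secrets.token_bytes(16)
        self._seen = {}  # digest -> set of origins registered with that password

    def _digest(self, password):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self.profile_salt, self.ITERATIONS
        )

    def sites_using(self, password):
        """Origins already registered with exactly this password ([] if none)."""
        return sorted(self._seen.get(self._digest(password), set()))

    def register(self, origin, password):
        """Record `password` for `origin` and return the other origins that
        already use it, so the caller can refuse ("sorry Dave") or warn."""
        digest = self._digest(password)
        others = sorted(self._seen.get(digest, set()) - {origin})
        self._seen.setdefault(digest, set()).add(origin)
        return others


if __name__ == "__main__":
    checker = PasswordReuseChecker()
    phrase = "steward fan catholic impersonator"
    checker.register("https://www.paypal.com", phrase)
    # Second use of the same passphrase: the checker names the earlier site.
    print(checker.register("https://somecrappysite.com", phrase))
```

Note that the hash store is still sensitive (it is an offline guessing oracle for the user's passwords), so in a real browser it would live inside the encrypted profile storage, and the work factor would be tuned to the machine.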
Of course, we can’t wait for Google to implement this. On your own site, you could do the following:
- When a user is signing up, generate a random string.
- Tell the user: your password must contain the following word: “hzru”
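The signup policy in the two steps above, written out as an added example (this is not code from the original post): the server issues a short random word with `secrets`, keeps it with the pending signup, and only accepts a password that contains it. The token alphabet, its length, the minimum password length and the in-memory pending store are assumptions for the example; a real site would persist the token with the signup session and hash the accepted password with a slow KDF.

```python
import secrets
import string

TOKEN_ALPHABET = string.ascii_lowercase  # assumed: four lowercase letters, like "hzru"
TOKEN_LENGTH = 4
MIN_PASSWORD_LENGTH = 12  # assumed: the token must not be most of the password

_pending = {}  # username -> token issued at signup (assumed in-memory store)


def issue_token(length=TOKEN_LENGTH):
    """Random word the user must embed in their password. Uses `secrets`, not
    `random`, so the token is unpredictable to anyone watching other signups."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


def password_meets_policy(password, token):
    """True if the password contains this site's token (case-sensitive) and is
    long enough. The token adds almost no strength on its own; its job is to
    make the password site-specific."""
    if not token or len(password) < MIN_PASSWORD_LENGTH:
        return False
    return token in password


def start_signup(username):
    """Step 1: generate the random string and remember it for this signup.
    Returns the token so the page can say 'your password must contain: hzru'."""
    token = issue_token()
    _pending[username] = token
    return token


def finish_signup(username, password):
    """Step 2: accept the password only if it embeds the token issued in step 1.
    Returns True on success and consumes the pending token."""
    token = _pending.get(username)
    if token is None or not password_meets_policy(password, token):
        return False
    del _pending[username]
    # A real site would now hash `password` with a slow KDF before storing it.
    return True


if __name__ == "__main__":
    word = start_signup("dave")
    print("your password must contain the following word:", word)
    print(finish_signup("dave", "steward fan catholic impersonator"))  # reused, rejected
    print(finish_signup("dave", f"IHateHaving_{word}_InMyPassword"))  # accepted
```

Two caveats a practitioner would want: the token is shown to the user and is only four letters, so it must not be counted as entropy, and the check has to happen server-side (a client-side check can be bypassed by anyone who wants to reuse a password anyway).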
Obviously this is not perfect: the user could start using this password (say it’s IHateHaving_hzru_InMyPassword) for other sites. But if enough sites had a similar policy, the risk of reuse would decrease.
This post was inspired by the fact that an acquaintance of mine woke up to an empty Paypal account today, and he has no idea how it happened. To be fair, I don’t know if he shared the password with other sites, but this must certainly happen every day to some people who do. Nobody should have to freak out because a password leak at a site they rarely use could cause them financial harm.
Do you have better ideas? Let’s hear them.
Edit: A few people seem to be missing the point of this post. Of course you could use a password manager. However, most people won’t unless they are forced to. How to enforce something like that for the masses is the point of this post.