By now, most readers know the advice cold. Use long, randomly generated passwords to lock down your digital assets. Never use the same password across two or more accounts. In abstract terms, the dictates are some of the best ways to protect against breaches suffered by one site—say, the one that hit Gawker in 2010 that exposed poorly cryptographically scrambled passwords for 1.3 million users—that spread like wildfire. Once hackers cracked weak passwords found in the Gawker database, they were able to compromise accounts across a variety of other websites when victims used the same passcode.
A team of researchers says the widely repeated advice isn’t feasible in practice, and they’ve provided the math they say proves it. The burden stems from the two foundations of password security that (A1) passwords should be random and strong and (A2) passwords shouldn’t be reused across multiple accounts. Those principles are sound when protecting a handful of accounts, particularly those such as bank accounts, where the value of the assets being protected is considered extremely high. Where things break down is when the dictates are applied across a large body of passwords that protect multiple accounts, some of which store extremely low-value data, such as the ability to post comments on a single website.
via Ars Technica
Image: Florencio et al.