Reusable Passwords
14 years ago
General
This journal entry is a personal commentary. It does not in any way represent the official positions of Fur Affinity or any of its staff, including the administrator authoring it. It's just personal (and probably barely coherent) ramblings.
Reusable passwords are a myth, a failing of basic security that makes every one of your accounts wide open to attack and complete takeover, and if that happens, you very likely have no way to prove that your account is yours.
What is password reuse? It's the tendency to use the same password (especially with the same username) for more than one site or account. It's like using the same key to unlock doors cities apart: if a thief manages to copy your key, you have to go to every single door to replace the lock, and you have to hope the thief doesn't beat you there. Except that you can't know it happened until long after it's too late to do anything about it.
Your passwords are used as your keys online, and I know that too many people have been conditioned into believing they can get away with never making new passwords and remembering only one for everything. This is a very bad practice, and it's responsible for account break-ins on dozens of sites that are otherwise not targeted for password dumps. A lot of Twitter and Facebook vandalism happened because users on compromised sites like Gawker; Sony's music, movie, and game sites (especially PSN); and Hackforums (you idiots!) reused their passwords elsewhere.
Now I, having an administrator account, am quite a target. The mayhem that would be unleashed by my account being compromised would be significant. The simplest of all the defenses I have against such a compromise is to create passwords difficult to guess or brute force, to use that password for only a limited length of time, and to never, ever reuse that password here or anywhere else.
But what about you, I hear you asking. What could anyone else want from your account? Well, even if you have nothing stored in your account, the bad guys want your account itself. You have relationships with other users, and you've established trust with them to one extent or another. Imagine the secrets a stranger could learn from your friends if he could pretend to be you, or the secrets you'd share with that stranger if you didn't know your friend's account was broken into. Suddenly, that worthless account of yours isn't so worthless anymore, is it?
And the simplest thing you can do to protect it is not to use the same password everywhere.
Your password doesn't have to be an actual word. It can be a phrase or acronym that only you know. If you worry that you won't remember it, then write it down and guard it as closely as you guard your real keys and cash.
You can also have your computer remember your passwords for you; personally, I think that's a tad less secure but loads more convenient. Just keep your registered email address current, and guard the password to your email accounts so that you, and not someone trying to break into your site account, can use a site's password reset feature if you ever need to get back into your account that way. Here on FA, you'll need to give your registered email address as part of the password reset procedure, so take a moment right now to make sure it's current and what you think it is.
Reusable passwords are a big reason why a lot of sites are harmed by other sites being compromised. Reusable passwords are a convenience that actually harms security. Reusable passwords are a lazy habit, a bad habit.
If you have this habit, then don't say a thing, don't draw attention to yourself, and just resolve to yourself to break that habit.
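As an added example (not part of the journal entry), here is a small Python audit over a constructed password-manager export. It flags every password that appears on more than one site, and treats the case the post singles out, same username and same password on several sites, as the most serious. Site names, usernames and passwords are all made up.

```python
"""Audit a credential export for password reuse across sites."""
from collections import defaultdict

# Constructed sample vault, as a password manager might export it.
# None of these are real accounts or real passwords.
VAULT = [
    ("artsite.example", "fox_admin", "correct horse battery staple"),
    ("forum.example",   "fox_admin", "correct horse battery staple"),
    ("shop.example",    "foxy",      "correct horse battery staple"),
    ("mail.example",    "fox_admin", "xK9#qL2!vB7$"),
    ("bank.example",    "fox_admin", "T4ble-Lamp-Rain-92"),
]


def find_reuse(vault):
    """Return {password: [(site, username), ...]} for every password
    used on more than one site. Plaintext is grouped directly because
    this runs locally over the user's own export, never on a server."""
    by_password = defaultdict(list)
    for site, user, password in vault:
        by_password[password].append((site, user))
    return {pw: uses for pw, uses in by_password.items() if len(uses) > 1}


def risk_report(vault):
    """Classify each reused password without echoing it back.
    'critical': the same username+password pair is on several sites,
                so one site's breach is a ready-made login elsewhere.
    'high':     only the password is shared."""
    report = []
    for uses in find_reuse(vault).values():
        distinct_users = {user for _, user in uses}
        # Fewer distinct usernames than uses means a pair repeats.
        pair_repeats = len(distinct_users) < len(uses)
        report.append({
            "sites": sorted(site for site, _ in uses),
            "severity": "critical" if pair_repeats else "high",
        })
    return sorted(report, key=lambda r: r["sites"])


if __name__ == "__main__":
    for entry in risk_report(VAULT):
        print(entry["severity"].upper(), "- one password shared by:",
              ", ".join(entry["sites"]))
```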
But if he uses that written-down password on more than one site, then that's the huge no-no I rambled on about above.
To brute force one of those passwords will take a professional setup with three computers working round the clock. The passwords range between 8-18 and are a mix of caps, lowers, numbers, symbols, and random spaces.
I have only been compromised once, and it happened on the morning I was to rotate passwords.
After that I made a new list, and I keep it in a place no one can get to it.
I used to pick a random word from a dictionary and add some numbers and symbols. If you use a site often enough you'll remember it, otherwise if it's some garbage account go ahead and have standard username/pass combos.
Also while similar, I would say your thief analogy is almost but not quite accurate, as traveling to different cities is a lot different from sitting in your chair using the Internet.