Silver Tail Blog

Fighting against business logic abuse.

Traditional Password Advice: Not to be totally discarded

There is a paper that argues that traditional advice on creating and maintaining secure passwords is somewhat dated.  The hypothesis of the paper is that since phishing and key logging are so rampant, it is no longer necessary to maintain super secure passwords.  A secure password is just as easily used by a bad guy as a weak password if the consumer gives away the password through phishing or it is observed through a key logger.  Instead, it’s important to have a semi-secure password so that it is not vulnerable to password guessing.

The paper also talks about the need to have more secure userIDs, postulating that bad guys are moving towards horizontal password attacks (guessing the same password against large numbers of accounts).  Strong userIDs are helpful in protecting accounts.
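To make the horizontal pattern concrete, here is an added detection example (not code from the original post) run over a constructed authentication log: it shows why classic per-account lockout misses a horizontal attack, and how grouping failures by source and counting distinct user IDs catches it. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original post): time, source, user, result.
SAMPLE_LOG = """\
2009-07-13T10:00:01 203.0.113.5 alice FAIL
2009-07-13T10:00:02 203.0.113.5 bob FAIL
2009-07-13T10:00:03 203.0.113.5 carol FAIL
2009-07-13T10:00:04 203.0.113.5 dave FAIL
2009-07-13T10:00:05 203.0.113.5 erin SUCCESS
2009-07-13T10:01:00 198.51.100.7 frank FAIL
2009-07-13T10:01:01 198.51.100.7 frank FAIL
2009-07-13T10:01:02 198.51.100.7 frank FAIL
2009-07-13T10:01:03 198.51.100.7 frank FAIL
2009-07-13T10:09:00 192.0.2.9 alice FAIL
"""

def parse(log_text):
    """Parse 'timestamp source user result' lines into tuples."""
    return [(datetime.fromisoformat(t), s, u, r)
            for t, s, u, r in (ln.split() for ln in log_text.splitlines())]

def _count_in_window(items, window, key):
    """Max of key(values) over any sliding window that starts at a failure."""
    items.sort()
    best = 0
    for i, (start, _) in enumerate(items):
        in_win = [v for t, v in items[i:] if t - start <= window]
        best = max(best, key(in_win))
    return best

def detect_vertical(events, window=timedelta(minutes=5), max_failures=4):
    """Classic per-account lockout: many failures against ONE user ID."""
    by_user = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_user[user].append((ts, src))
    return {u: n for u, items in by_user.items()
            if (n := _count_in_window(items, window, len)) >= max_failures}

def detect_horizontal(events, window=timedelta(minutes=5), min_accounts=4):
    """Horizontal guessing: one source, one failure per account, MANY accounts.
    Per-account lockout never fires because each account sees a single failure."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    return {s: n for s, items in by_src.items()
            if (n := _count_in_window(items, window, lambda v: len(set(v)))) >= min_accounts}
```

Run both detectors over `parse(SAMPLE_LOG)`: only `frank` trips the per-account rule, while the source `203.0.113.5` that touched four different accounts once each is visible only to the per-source rule.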

One other thing I want to mention is that it is still important to have different passwords for all of your online accounts.  If the bad guy phishes the password for your bank account, you don’t want them to automatically have access to your social network account, etc.  Even in the case of key logging, the logger only captures the passwords for accounts you actually log in to; if you don’t use the same password across all accounts, the bad guys won’t be able to try your standard password(s) on the accounts you haven’t logged in to in a while.

So, while some of the old password adages may not apply as much any more, some of them are still very appropriate.  Please use different passwords on all of your online accounts!

July 13, 2009 Posted by Laura Mather | Fraud, Online Fraud, Phishing, Uncategorized