Microsoft Research says there's nothing wrong with using weak passwords

Discussion in 'Chit Chat' started by Windows user, Jul 22, 2014.

  1. Windows user

    Windows user MDL Senior Member

    Sep 11, 2012
    Passwords are something we all have to deal with on a daily basis, and the advice has long been to use complex passphrases, to use unique passwords for each site and service, and to change them on a regular basis. But Microsoft Research has different ideas. A paper published by researchers Dinei Florencio and Cormac Herley and Paul C. van Oorschot from Carleton University, Ottawa, Canada suggests taking a rather different approach.
    The paper recognizes that users now have a large portfolio of passwords to remember, and goes on to say that "mandating exclusively strong passwords with no re-use gives users an impossible task". What does this mean? Essentially, the researchers are saying that by encouraging, or even forcing, users to select complex, lengthy, unique passwords, the likelihood of forgetting them is greatly increased.
    The researchers admit that their findings "directly challenge accepted wisdom and conventional advice", but continues to say that "portfolio strategy ruling out weak passwords or password re-use is sub-optimal". The use and re-use of simple passwords for low-risk websites is not only not discouraged by the paper, but actively encouraged. Strong, difficult-to-remember password should be reserved for sites and services that pose a high risk.
    The aim is to overcome the problem of poor memory. If you have super-strong, unique passwords for every site and services, sure you'll probably keep out the bad guys, but there's a high chance that you'll also lock yourself out when you ultimately forget them. You could write them down, but this defeats the purpose of a password. Password managers are another solution, but they are not perfect and can be vulnerable to attack. There is also the problem of the "finite-effort user" to take into account -- users can only be expected to be willing to do so much in the name of secure access.
    While the advice of the paper comes across as slightly counter intuitive to start with, with a little consideration it is easy to understand the thinking behind the advice -- which boils down to the question "why make life any harder than it needs to be?" It's a trade-off between the level of security you want, and the amount of effort you want to put in.

  2. Hadron-Curious

    Hadron-Curious MDL Guru

    Jul 4, 2014
    That's interesting. I think they have a point there.
  3. imgwhirl

    imgwhirl MDL Novice

    Jul 13, 2014
    i was once spooked into using strong password but after countless forgetting & discovering no https of various low risk sites i've been using, i just turn back to lame pass like 12344321 or qwerty .. LOL
  4. R29k

    R29k MDL GLaDOS

    Feb 13, 2011
    #4 R29k, Jul 23, 2014
    Last edited: Jul 23, 2014
    Bullsh*t from Microsoft, rather than recommend more security they tell you to lower it, must be the NSA guiding them!
    How to use complex passwords without forgetting!
    Associate the text part of the pass with the service in use and add numbers and symbols. Example for a Microsoft service, which I highly don't recommend using! Remove every second letter so you get Mcoot . Now have a system with the way you add the other elements eg add only even numbers to every letter so you get M2c4o6o8t10 , now just add 2 decided on symbols at the front and end of the pass eg. $#M2c4o6o8t10%^.
    Now test it here
  5. Rosa Green

    Rosa Green MDL Novice

    Aug 12, 2014
    I use RoboForm to memorize our accounts and passwords.