Password security

The way that people get your password, is by using the fact that
people cannot remember 100 different passwords. And unimaginative
security people have been telling users "don't write your
password down", because that's what someone told them when they
went on the two-day Security Essentials course.

But security people have rarely said "don't use the same password on
mutliple places", because it's only rather recently that ordinary
users have wanted logins to several dozen places.

And he has understood that he can't use "password" for his password,
or "letmein". He's taken on board that he needs to use something
hard to guess, like qidGR63*n12dskwian

So, Joe K User uses his email address as his username, because why not?
joekuser@gmail.com. And he uses the same password for Ebay, Paypal,
his bank, and every web site that he visits that asks for registration.
He can just about remember qidGR63*n12dskwian; no way could he remember
a hundred passwords like that.

And no-one told him "don't use the same password on
mutliple places".

Username joekuser@gmail.com
Password qidGR63*n12dskwian

Except me. I've been telling people for 25 years, "Use a different password
each time you need one, and remember them by writing them on a
piece of paper, that you carry in your wallet". And I give a few simple ways
to avoid getting a problem if someone steals that paper. Like, for example,
the way I remember my PIN numbers. I write them down, carry the paper
in my wallet, but what I write down is different from the real number
by a fixed amount, so all I need to remember is my fixed amount. I also
have the code for my bike lock. I'm useless at remembering things.

So, one day he logs in to "kittensarecute.com", registers his username
joekuser@gmail.com and password qidGR63*n12dskwian

And looks at all the cute kittens.

But what he doesn't know, is that kittensarecute.com is run by some
Bad People, and the Bad People are building up a list of usernames
and passwords, and they sell them to Other Bad People, who run
through the list on Ebay, or Paypal, and several banks.

And, of course, they get hits. Despite the fact that Ebay, and
Paypal, and the bank, are all using hashing, and salting, and
peppering. And, by the way Joe User's Ebay account is linked to his Paypal
account, so you can see how that goes.

So here's the thing.

Length of password doesn't matter, if you're cracking them this way.
Complexity doesn't matter. Writing them down doesn't matter. The only
thing that matters is to use a different password on each web site.

But.

Ebay can't force you to use a different password from your bank. Because
Ebay doesn't know your bank password, and quite right too.
Paypal can't force you to use a different password from kittensarecute.com

So the answer is user education. And we all know how well that works.
Is there another answer? Sort of.

Web sites could force the user to choose a password that is very likely
to be different from the password that he uses elsewhere. For example,
force the user to have four digits included in his password. Or
force the user to have four letters chosen from [wxyz]. So that when
he chooses the password qidGR63*n12dskwian on kittensarecute.com,
he isn't able to use that password on your web site. Or insist
that the first four characters of the password are capitalised.

Does this solve all password problems? No, it doesn't. But it goes a
long way towards fixing the biggest one.