Comments on: Please stop using the same passwords!!!

By: Coach Morse

Coach Morse — Tue, 02 Mar 2010 15:00:54 +0000

Thanks for writing about this issue…
Now I have some passwords to go change. :-/

By: Dave Richards

Dave Richards — Tue, 02 Mar 2010 01:01:06 +0000

This article was very informative, because I do place myself in the category using the same or similar password for each of the websites I have to log into. I think it’s easier for me to keep track of a password that is similar since I have some many log in information to remember. I do see the harm in doing that as well so I will keep this in mind the next time I create a new password.

By: Dallas

Dallas — Thu, 25 Feb 2010 14:51:37 +0000

After reading your article I have decided that even though I do not use the same passwords for all of my internet stuff I do use it enough to be dangerous. The good news is I never used the same passwords for anything to do with finances or personal information. But all of my log ins for blogs, etc, were all the same password. I did this for expediency purposes and because it was not serious information that could be breached. For those important ones I have my password keeper program generate a longer alphanumeric pw.

By: Michael

Michael — Mon, 22 Feb 2010 17:34:06 +0000

There’s no magic bullet, Tim. Authentication is just a hard problem.

We’ve known for decades that there’s three ways (“factors”) of authenticating a user: something you know, something you have, and something you are.

So long as we stick to “something you know”, we’re subject to the limits of human memory. That means that we’ll get short, repetitive patterns, because that’s what our brains can do. It also means that we’ll continue to have social attacks (phishing, etc.) because people believe that the way to prove they know something is to disclose it.

“Something you have” will be a more secure option for the foreseeable future (key chains, etc.) because a hardware key can’t be stolen remotely. The interesting thing is how few people thing of their desktop or laptop computer as “something you have” and are unwilling to just use long random passwords stored on their local computer (with a remote sync solution for roaming access).

“Something you are” is the gold standard, used mainly for military systems and controlled-access facilities… iris scanners, fingerprints, and so forth. The surprising thing, for those in the know, is how many false positives these systems have. In practice, they always need to be combined with one of the other two.

By: Carl

Carl — Mon, 22 Feb 2010 09:27:06 +0000

This should be known to everyone allready, as for managign passwords you can use things like fingertip recognition or siganture to sign into your accounts.

By: 92% Of People Use The Same Password Across All Websites « SafePasswd Blog

92% Of People Use The Same Password Across All Websites « SafePasswd Blog — Sat, 20 Feb 2010 22:21:21 +0000

[...] is an interesting analysis on passwords: A scary 92% of people use the same password across all websites including their [...]

By: Password Protection round x • Tim Nash “stuff” Blog

Password Protection round x • Tim Nash “stuff” Blog — Wed, 03 Feb 2010 08:13:05 +0000

[...] research that we presented last year, you may remember the post it was imaginatively entitled please stop using the same passwords. Um it would appear people [...]

By: Niall Harbison

Niall Harbison — Thu, 22 Oct 2009 22:03:52 +0000

I have always wondered about this and the fact that once you crack one password you have access to pretty much everything people do online. The bggest problem is that I have 100s of online accounts and no way of keeping track of them all. I know pen ID is a good start but why isn’t there a better system for logging in?

By: Twitter Phishing Scams – Arseholes with Hooks | Cloud Mixer - Mixing New Media Ideas

Thu, 15 Oct 2009 15:45:27 +0000

[...] scammers), use different passwords for your accounts (Tim Nash made some startling discoveries on User Password Habits – Very scary!) and say informed about these scams, like the post Craig Edmonds wrote right [...]

By: Bill Marshall

Bill Marshall — Fri, 09 Oct 2009 13:34:50 +0000

This highlights an increasing problem in modern society, not just on the web. We have passwords and PINs for just about everything.

How many bank cards do you have? Hmm, 2 credit cards, a debit for each of about 5 current and investment accounts, a business account. And I suspect others will have more than that with store cards and suchlike. How do you store the PINs? What do you mean you’re not supposed to store them anywhere – can you remember 8 different numbers reliably?

Websites; far too many to think about. Do I get the browser to save them all and risk someone stealing them from malware hacking my machine? If not do I note them all down somewhere and risk that being found? Maybe the only way is to use a standard password for all the non-critical sites and only use unique ones for the most important ones like bank accounts. But even then it’s a nightmare trying to keep track of them all – the human memory just isn’t up to the job, particularly with accounts that you maybe only access once or twice a year.

We are nowhere near a satisfactory solution to this and until we are users will continue to use soft and/or universal passwords. I hate to say it but only something like iris recognition can improve matters unless someone comes up with a master password system that is truely uncrackable – and I’m not at all sure that’s possible. But I don’t like the implications of what iris tracking might let loose.