Even Password Manager Subscribers Reuse Passwords, Study Finds (pcmag.com)
- Reference: 0175186337
- News link: https://it.slashdot.org/story/24/10/03/1922259/even-password-manager-subscribers-reuse-passwords-study-finds
- Source link: https://www.pcmag.com/news/not-great-even-password-manager-subscribers-reuse-passwords
> It's not exactly breaking news that people reuse passwords, but you might expect password manager subscribers to avoid the practice. You'd be wrong, according to a new study. Dashlane's downer of a report draws on saved logins analyzed on-device by Dashlane's software across "millions" of individual and business accounts. It finds dismally high percentages of password reuse worldwide. The US and Canada rank the worst of every region Dashlane tracked, with [1]48% of passwords in individual password vaults being reused. Another 15% rate as compromised, meaning those passwords have shown up in data breaches.
>
> Combined with other security data points, the US and Canada land at a security score of 72.6 out of 100 in Dashlane's report, the lowest of all 14 regions covered in the study. The report, along with the Password Health score that Dashlane's software computes for individual users, emphasizes the longstanding problem of password reuse because that practice leaves its practitioners so vulnerable to getting hacked.
[1] https://www.pcmag.com/news/not-great-even-password-manager-subscribers-reuse-passwords
those are old passwords (Score:1)
Reused passwords are from the times before you start using the password manager.
Changing those passwords is a hassle. They stay unchanged and reused.
Re: (Score:3)
This. But also, even after using a password manager, there are some sites where I just don't care if it is compromised; I'd rather not have an account at all if it were an option. Plus, I've found a number of mobile sites and apps which don't play nice with password managers and disallow pasting on login screens. So yeah, I still have a few duplicate passwords, and I'm happy with my life choices.
Passwords in general are a bad solution to the problem of security. Make 2FA easier to use and to update. Ca
Re: (Score:2)
> Passwords in general are a bad solution to the problem of security
I agree but I've read articles about people trying to solve the password problem for decades now, pretty sure people were getting annoyed with online passwords by the late 90's as I recall.
There just isn't a great solution out there with how fragmented the internet has become; none of the actors that feasibly could provide a web-wide SSO at this point are ones anyone wants with that responsibility (USG, Microsoft, Google, Meta).
So password managers I think are "not great but preferable to the alternative".
Re: (Score:2)
I'll get around to it eventually.
Re: (Score:2)
False. Plenty of people use password managers to handle out of sync passwords, or passwords that don't meet their complexity requirements.
What's your default password: ey7kay? Great. Now you need a password manager to remember which sites you used ey7kayKK to enforce the 8 digit + capital recommendation, or the Ey7kay&k to enforce those which require a special character. God forbid you have a password requirement that is a minimum of 15 characters to fuck you up even more.
I know lots of people who use p
Not all passwords are equally important (Score:2)
I use a password manager (RoboForm), with upwards of 400 credentials saved. Do I ever reuse passwords? Yes, sometimes. For applications that I consider important from a security standpoint, I use complex and unique passwords. For things I care less about, I may use simpler passwords which might be repeated. This is especially true for applications where I may need to enter the password manually, or on my phone keyboard. I'm aware of the risks of password reuse, and I accept those risks where I see fit.
Re: (Score:2)
Exactly this, probably most of the "guilty" users here are reusing passwords on low risk and/or throwaway accounts.
Re: (Score:2)
> I use a password manager (RoboForm), with upwards of 400 credentials saved. Do I ever reuse passwords? Yes, sometimes. For applications that I consider important from a security standpoint, I use complex and unique passwords. For things I care less about, I may use simpler passwords which might be repeated. This is especially true for applications where I may need to enter the password manually, or on my phone keyboard. I'm aware of the risks of password reuse, and I accept those risks where I see fit.
Yeah, I reuse passwords in places I don't really care if someone hacks my account. For places that are important to me, I use a password seed based on the site that I'll remember to create a semi-random password. Haven't needed a password manager so far.
Shouldn't be possible. (Score:1)
Password managers should 100% refuse to remember the same password for multiple domains. The fact that they don't do this already is pathetic.
Re: (Score:2)
No, the software should do what its users want.
Re: (Score:3)
> Password managers should 100% refuse to remember the same password for multiple domains. The fact that they don't do this already is pathetic.
It's not that simple.
There are a variety of organizations that use the same authentication system for multiple domains. Disney is one of the well-known companies to do this.
Some password managers have a notion of equivalent domains which let you deal with simple cases of this; however, the configuration of these is usually more complex than just adding a new password. It's not something that most readers of this site would find difficult to do, but it's more than you could expect some non-technical users
Re: (Score:2)
A password manager is a database. It's not a login for a system. The passwords exist on other systems. A password manager that refuses to remember your login simply because it is used elsewhere is a useless password manager, that login and password are already in place at that domain, the password manager has no say in it.
Also not everything needs a unique password. Slashdot? Reddit? Yeah I have the same password for both and I don't give a flying fuck about either account. They aren't important to me. Many
Only deserving sites get unique passwords (Score:2)
When literally every site requires a login & password, there are some not worthy of a unique password. I don't care if you login to a job portal and start applying for jobs in my name
Underestimating Risks... (Score:2)
It's easy to think "Oh, I don't need a special password for a stupid Domino's account, it's only pizza..."
But your account leaks personal info about you (namely your address and where you've sent pizzas before), and if you have a stored credit card with them, you might find a charge where you've sent a large number of pizzas to some party you were never going to be invited to...
Password reuse often happens when the perception of risk is low, but I think that is a reflection that those that reuse passwords u
Re: (Score:2)
Here the problem is not really about re-using passwords, but about storing credit cards online.
Re: (Score:2)
I've had this happen. My password was secure, but there was an authentication bypass flaw on the web site and my credit card was used for a fraudulent purchase.
It's not hard, just takes some self-training (Score:2)
As a matter of course, I have gotten to the point that opening up Bitwarden's password generator is just second nature whenever I need a password. I only adjust it if I'm forced to do so for some reason.
And, to that last point - I think some website admins are at least partially at fault here. Even now, it is unfortunately not uncommon to find websites which still follow 2005-era password practices, combined with some absurdly-short maximum password length. It takes a special kind of idiot to doggedly limit
False alerts possible? (Score:3)
I wonder how many false alerts there might be. When I was in university, I had a single password that the manager complained was shared across around a dozen sites - it didn't recognize that they were all university sites that shared the same logon and password, centrally controlled; I couldn't have differ3nt passwords for them if I wanted to.
My bank, credit cards, loan, utilities, and such all get different secure passwords. Slashdot and such I care less about.
Does it matter? (Score:2)
How many accounts are sensitive enough to protect with a custom high security password? I use ProtonPass, and I'm rather pedantic about password security, but even I reuse a few passwords on low sensitivity systems. If it stores my credit card information or sensitive information about me, I'll protect it, but outside of that you'll probably get an old favourite (not one of my passwords).
Passwords don't have to be unique, and demanding every password is unique, causes more of an issue because peo
A question of timing? (Score:2)
I wonder if this is a question of timing. I know people who adopt password managers after they already have reused passwords. They dutifully enter all those reused passwords into the app. Then, they use random generation for future passwords, but the old ones stick around due to inertia.
Thank you Dashlane! (Score:3)
Nice to know that a company specializing in credential management is taking the time to compile, analyze and report on the data they have been entrusted with from millions of individual and business accounts. Gives me the warm fuzzies.
Explanation (Score:2)
That's because for a ton of websites people would have preferred to use them anonymously but cannot, as they are forced to sign up; thus they (re)use simple stupid passwords.
I'm dubious (Score:2)
If they're relying on those health reports for this, as it seems they are, then I don't trust this. I have a fair number of sites that are on separate domains yet use single logons. E.g., a health insurance provider and its captive pharmacy. My password manager complains about these, but it's as designed. It also happens following mergers, while the old site is still supported.
I reuse passwords, a lot (Score:2)
Many of my oft-reused passwords have also appeared in data breaches.
So what?
There are sites that manage a lot of valuable or sensitive information for me, sites that manage none, and sites at varying levels in between. And for the sites that just don't matter at all, I use one of my "low-security" passwords, because I really just don't care. My slashdot password is one of these, actually. If someone hijacks my /. account and locks me out, fine. Might get me to stop wasting time here.
These days, the
What does it mean? (Score:2)
48% tells us nothing because there is nothing to compare it against. Presuming a goal of measuring if a password manager improves behavior would be to compare the rate for passwords created within the past year vs passwords that the users imported when they first began using a password manager.
They also need to correct for websites that share a password database such as Disney/Hulu and most corporate AD environments. They also ought to remove the local Starbucks WiFi password from their "compromised" list
Some dups are essential (Score:2)
Not all duplicate passwords are really duplicates. I have at least two cases where a single site has two distinct domain names and they are totally interchangeable. One is just two letters and the other is much longer. So, every time I run the checker in my vault, it lists these as dups.
When I was working, this was especially true for many internal and external systems that were like this. Many were anycast systems which had the anycast name (used in most cases) and a system specific name used when someone
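Added illustration of the two audit points raised in this thread (collapsing equivalent domains so shared-login sites are not counted as reuse, and comparing imported entries against manager-generated ones, as the "What does it mean?" comment suggests). This is not code from any commenter or from Dashlane; the vault, the domain groups and the passwords are constructed sample data.

```python
from collections import defaultdict

# Constructed: domains that share one authentication backend form one login
# realm, so the same password saved for each of them is not really "reused".
EQUIVALENT_DOMAINS = [
    {"disneyplus.com", "hulu.com"},              # the Disney/Hulu case from the thread
    {"campus.example.edu", "mail.example.edu"},  # hypothetical university SSO
]

# Constructed vault entries: (domain, password, imported_from_old_habits).
VAULT = [
    ("disneyplus.com", "correct-horse-7", True),
    ("hulu.com", "correct-horse-7", True),
    ("campus.example.edu", "Tr0ub4dor&3", True),
    ("mail.example.edu", "Tr0ub4dor&3", True),
    ("slashdot.example", "Tr0ub4dor&3", True),
    ("bank.example", "X9v!qL2#pRw8sT", False),
    ("shop.example", "mK4$zB7nQe1!uY", False),
    ("forum.example", "X9v!qL2#pRw8sT", False),
]

def realm(domain):
    """Collapse equivalent domains to one representative name."""
    for group in EQUIVALENT_DOMAINS:
        if domain in group:
            return min(group)  # deterministic representative of the group
    return domain

def reuse_report(vault, collapse_equivalents=True):
    """Return {password: sorted realms} for every password seen in more than
    one realm. With collapse_equivalents=False this is the naive per-domain
    check that produces the false alerts the commenters describe."""
    seen = defaultdict(set)
    for domain, password, _imported in vault:
        seen[password].add(realm(domain) if collapse_equivalents else domain)
    return {pw: sorted(r) for pw, r in seen.items() if len(r) > 1}

def reuse_rate(vault, imported):
    """Fraction of entries with the given import flag whose password is reused
    (after collapsing equivalents): legacy entries vs manager-generated ones."""
    subset = [e for e in vault if e[2] == imported]
    reused = reuse_report(vault)
    hits = sum(1 for e in subset if e[1] in reused)
    return hits / len(subset) if subset else 0.0

if __name__ == "__main__":
    print("naive:", reuse_report(VAULT, collapse_equivalents=False))
    print("collapsed:", reuse_report(VAULT))
    print("reuse rate imported/generated:", reuse_rate(VAULT, True), reuse_rate(VAULT, False))
```

On this sample the naive check flags the Disney/Hulu pair, the collapsed check does not, and the imported entries show a far higher reuse rate than the generated ones.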
No Good Solutions (Score:4)
If you don't have a password manager (or some master password document), then nobody who exists in the modern digital age can avoid password reuse absent savant-level memory. The number of different websites and other sundry accounts people encounter often numbers in the hundreds.
Password managers are a proposed solution, but most folks don't really want to be dependent on a password manager every time they want to login to Slashdot. The fact of the matter is, most online logins are relatively low risk if they are hacked. If a botnet wants to post as me on Slashdot, that's annoying but it's not going to ruin my life. So folks with a password manager may use it for their online banking but stick to a few standbys for things like internet forums. It's not the end of the world.
Re: (Score:2)
I suppose the real threat there is the temptation to cross the streams, and use your non-secure password for something that turns out to need a secure, unique password, or on something that allows teh Hax0rs to gain access to your secure, unique password.
Re: (Score:2)
I meant to say A secure, unique password, not THE secure, unique password. Of course. As if I only had one! Ridiculous. Heh. Heh heh.
Re: (Score:2)
Simple solution: I have two dogs.
Re: (Score:2)
Which dog is the secure dog?
Re: (Score:2)
> Which dog is the secure dog?
The mean one. Wait until you get bit and then enter that as your bank password.
Re: (Score:2)
So perhaps the real danger is that, with so many sources of information and so many potentially risky logins, it's fatally easy to overlook something and get hacked. We don't feel we can afford to spend a third of our time on security.
Re: (Score:3)
Unless you have a shared password you salt with some thing about each realm
Re: (Score:3)
Is this any more secure than reusing a password? If a breach determines that my Slashdot password is hunter2slashdot, then guess what my Reddit password is?
Re: (Score:2, Funny)
My guess is *******reddit.
Re: (Score:2)
I prefer the password manager. It fills in the password for me, and the username. Saves me typing it, and means it's strong. I can change it as often as I like without worrying about forgetting it.
If I ever wanted to log in somewhere that doesn't have my password manager on the machine, I have it on my phone.
Re: (Score:3)
Many people these days access sites/apps with passwords from half a dozen different devices. Also, despite password managers insisting there is no way the stored passwords can be compromised, from time to time you hear about people compromising them because you are dependent on the password manager (a third party out of your control) to follow best practices.