Why a strong password doesn’t help as much as a unique one

“You may snigger when you hear that a few months after the euphemistically named AdultFriendFinder was hacked, now Ashley Madison has had its turn,” Glenn Fleishman writes for Macworld. “The site, which enthusiastically advertises its ability to connect people to have affairs, had its accounts compromised, according to security reporter Brian Krebs and confirmed by the company.”

“This site breach is the latest in a seemingly endless series of attacks against sites that have millions or tens of millions of user accounts, and in which that account information gets distributed widely,” Fleishman writes. “Crackers and white-hat hackers immediately start looking at the data, both to attack accounts and to warn users.”

Fleishman writes, “The conclusion that I draw from these breaches, and especially the recent LastPass account information compromise, is that we may be focusing too much on a strong password and not enough on unique passwords.”

Read more in the full article – recommendedhere.

MacDailyNews Take: Too many people use one password for multiple services and weak passwords at that. Once hackers guess it, they then have access to all sorts of things: cloud storage, bank accounts, Facebook, Twitter, email, etc.

You want to use unique, strong passwords. Use two-step verification for Apple ID to keep your personal information as secure as possible.More info here.

As we’ve written before: Use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, this system works like a dream.

SEE ALSO:
Major zero-day security flaws in both iOS and OS X allow theft of Keychain, app passwords – June 17, 2015
Many passwords are so bad they don’t even need to be hacked – January 20, 2015
The secret life of passwords – November 22, 2014
Apple’s iCloud is secure; weak passwords and gullible users are not – September 2, 2014

12 Comments

  1. I have a unique password for every site/service
    Of course it’s not perfect, becuase I like to hold my passwords in memory. If a hacker gets hold of unmasked passwords from two or more sites, they’ll work out how I construct them, and bust me wide open.

    1. A plain text file of random character PWs would be better & safer than a pattern.

      A plain text file somewhere “in view” amongst many other files is not inherently something a hacker would be looking for. Of course it could be encrypted, which is truly trivial today.

      Pattern matching & deciphering was the art of WWII’s Bletchley Park.

      A Hacker would be looking for something like 1Password or a file named Passwords or Access or something.

    1. The point they were making is if you use a strong password, but use that same password on many sites, then if it is compromised, so could be all your other accounts.

      Clearly, strong AND unique is best.

      I still have some fairly low-security passwords on some of my less-critical accounts, but on all my more critical accounts, I’m using unique and very strong, and a password manager to manage them (which I’d be screwed without).

  2. 1-Password works great…generate a very strong, unique master password and let it generate (and store) unique strong passwords for each site. You can access securely on iPhone and iPad. You can also securely share a password or library to a family member etc. Works with touch ID too. Highly recommended.

  3. One glaring weakness of iOS is that the keychain does not extend to individual apps making it over 50% useless. It’s weird how I can log into a website via Safari and keychain works flawlessly and yet using an app it doesn’t.

    Password managers are great except who’s to say that they’re not actually NSA (or some other agency’s) spyware too. Perhaps unbeknownst to you you’re just serving up all of your passwords. They’ve done far more elaborate and dastardly things in the past.

    Apple has a chance to mandate all apps to conform with keychain standards and so far hasn’t.

  4. I’ve been using 1Password successfully for years. Every single password I use is different from every other. I use (not a big admission) entirely random noise characters (not pseudo-random) for passwords. I have an encrypted text file I use for double-entering every password in case 1Password blows up or screws up. That text file’s password is in my head and nowhere else. Same goes for my 1Password password.

    ANOTHER PROBLEM:
    Bad websites that demand short passwords

    Exm: I was over at Staples.com today. Apart from their general incompetence with databases and account maintenance, the place requires passwords that are 6 – 12 characters long. That’s sooooo 20th century. In this day and age it is IRRESPONSIBLE. The starting password length should be 12 characters with a limit of 256 characters. Allowing 6,7 or 8 characters is ridiculous in the current hack-centric Internet environment.

    IOW: These companies are welcoming being hacked. Any hacker noticing that Staples allows 6 character passwords is elated. Dictionary attack HO!

  5. I use both unique passwords and unique user names for the important stuff. I may be fooling myself but having both part be unique non-words with lots of numbers and symbols makes me feel safer.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.