Researchers say the simplest passwords are useful within a strategy that saves the hardest-to-remember credentials for the most critical sites and services.

New research shows that “123456” is a good password after all. In fact, such credentials, useless from a security standpoint, have an important role in an overall password management strategy, researchers at Microsoft and Carleton University, Ottawa, Canada, have found.

Rather than hurt security, proper use of easy-to-remember, weak credentials encourages people to use much stronger passwords on the few critical sites and online services they visit regularly. “Many sites ask for passwords, but they require no security at all,” Paul C. Van Oorschot, a Carleton professor and a co-author of the research, said. “They basically want to get the email address to contact you, but there’s nothing to protect.”

Strong passwords would be more likely adopted if people learned to use them only on critical accounts, such as employer websites, online banking and e-commerce sites that store the user’s credit card number. To be effective, this group should be small. Websites that hold no sensitive information and would not present a threat if hacked should get the throwaway credentials. However, people need to carefully select the sites that get those passwords. “Far from optimal outcomes will result if accounts are grouped arbitrarily,” the research says.

Following the standard advice of choosing, and never reusing, passwords of eight characters or more that include uppercase and lowercase letters, numbers and special characters is “an impossible task as portfolio size grows,” the research said. Studies have shown that despite warnings, people continue to use the same weak password across websites. In 2013, the most commonly used password on the Internet was “123456,” followed by “password.”

Therefore, rather than continue pushing a failed password strategy, the industry should adopt something that actually works, the researchers argue. “Our model yields detailed results; it indicates that any strategy that rules out weak passwords or re-use will be sub-optimal,” the paper says.

The researchers also argued that a password grouping strategy is more secure than a password manager, which stores passwords and their corresponding site URLs in the cloud and lets people access the information using a single master password. “If the master password is guessed or used on any malware-infected client, or the cloud store is compromised, then all credentials are lost,” the paper said. Indeed, researchers at the University of California, Berkeley, studied five password managers and found vulnerabilities that could be exploited to gain access to master passwords. The vendors studied included LastPass, RoboForm, My1login, PasswordBox and NeedMyPassword.

Although the latest research focuses on individuals, it has implications for business. Companies are making a website or corporate network less secure if they require employees to use complex passwords that are difficult to remember and have to be changed every three months, Avivah Litan, analyst for Gartner, said. In those cases, users will counter the security measure by writing down the password or storing it in a digital address book that could get hacked.

“You need to strike a balance between customer convenience and security and that balance is struck by having other measures besides passwords,” Litan said. Businesses should also have technology in place that monitors login behavior and user activity to watch for anomalies that would indicate malware or hackers.
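As an added illustration of the grouping argument above (example code written for this page, not from the Microsoft/Carleton paper), here is a toy expected-loss model in which every account sharing a password is lost together when that password is compromised. The account values, the memory budget and the per-password compromise probabilities are assumed; it compares value-based grouping with arbitrary grouping and with reusing one weak password everywhere.

```python
"""Expected-loss model of a password portfolio (constructed illustration).
Every account in a group shares one password, so when that password is
compromised every account in the group is lost. Account values and
compromise probabilities below are assumptions for the example.
"""

# Constructed portfolio: account -> value at risk if it is compromised.
ACCOUNTS = {
    "bank": 100, "employer": 80, "shop-with-card": 60,
    "newsletter": 1, "forum": 2, "recipe-site": 1, "game": 3, "news-comments": 1,
}
# Assumed per-password compromise probabilities over some period.
P_STRONG = 0.01  # unique, strong password, used on one site only
P_WEAK = 0.30    # throwaway password such as "123456", reused across the group


def expected_loss(groups):
    """groups: list of (compromise_probability, [accounts sharing that password])."""
    return sum(p * sum(ACCOUNTS[a] for a in members) for p, members in groups)


def value_based_portfolio(n_strong):
    """The strategy the article describes: the n_strong most valuable accounts
    each get a unique strong password; the rest share one throwaway password."""
    ranked = sorted(ACCOUNTS, key=ACCOUNTS.get, reverse=True)
    return _split(ranked, n_strong)


def arbitrary_portfolio(n_strong):
    """Same memory budget, but accounts assigned without regard to value
    (alphabetical here), so a critical account can land in the weak pool."""
    return _split(sorted(ACCOUNTS), n_strong)


def all_weak_portfolio():
    """One reused weak password everywhere: the behaviour the 2013 data shows."""
    return [(P_WEAK, list(ACCOUNTS))]


def _split(order, n_strong):
    strong = [(P_STRONG, [a]) for a in order[:n_strong]]
    weak_pool = order[n_strong:]
    return strong + ([(P_WEAK, weak_pool)] if weak_pool else [])


if __name__ == "__main__":
    budget = 3  # strong passwords the user can actually remember
    for name, groups in [("value-based", value_based_portfolio(budget)),
                         ("arbitrary", arbitrary_portfolio(budget)),
                         ("all weak", all_weak_portfolio())]:
        print(f"{name:12s} expected loss = {expected_loss(groups):6.2f}")
```

The same budget of three strong passwords gives a far lower expected loss when the strong ones go to the highest-value accounts than when accounts are grouped arbitrarily, which is the point of the paper's warning about arbitrary grouping.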