The "security is not secure" argument seems to be getting quite popular these days, and it makes security sound awfully easy. Chad Perrin warns that when something sounds too good to be true, it usually isn't.
These days it seems like every time we turn around someone has written another article that gives "security" advice directly contradicting actual secure practice:
- Don't use strong passwords! Just use whatever you'll remember!
- It's okay to use one password for everything as long as it's a strong one!
- You don't have to use a strong password as long as it's uncommon!
Those of us with even a modicum of logic coverage in our educations should be familiar with the idea of a false dichotomy. The false dichotomy, or false dilemma, is what is known as a formal fallacy of propositional logic. When someone makes an argument based on the idea that there are only two options, thus making a case for choosing one of those options over the other, despite the fact that there are other ignored options that may be preferable, that person is indulging in a classic fallacy of the false dichotomy.
My favorite solution to all of these convenience issues with using strong, unique passwords is to use a password manager. Unfortunately, doing so is still not as easy as using
password123 everywhere, and as a result, a lot of people are willing to swallow any ridiculous swill being peddled about how bad security practice is actually "more secure."
The arguments for strong passwords are common and well documented. The most cursory searches should turn up something that will give you the gist of the idea. Unfortunately, the problem of convincing people that every password should be unique might be a little more difficult to solve. Explaining it is not too difficult; just slightly less easy than explaining the importance of a strong password, and its importance is slightly less obvious to the casual observer, so it is done less often.
The best example that comes to mind for what can happen if you do not use unique passwords goes something like this:
John and Jane each have accounts at forty different Websites. John uses the same password at all of them because it is too difficult to maintain multiple passwords in his head, while Jane uses a password manager to ensure she can use a different password for each site without having to remember any of them.
Both of them have memberships at example.com, and by some twist of fate they both end up using the same password,
OJ01GzVWR5. In fact, they both use the exact same forty Websites. Along comes Pat, a malicious security cracker. Pat manages to bypass the incredibly deficient security at example.com and download the unencrypted database of usernames and passwords.
With this database in Pat's grasp, the malicious security cracker makes a list of a hundred high-value Websites, mostly including financial institutions. Pat starts running the username and password pairs in the unauthorized copy of the authentication database.
Because Pat's strategy involves entering each username and password combination only once, a direct attempt to access each of the hundred sites once per account name is all that is needed. This neatly avoids problems like the potential of being locked out of a highly secured site. In fact, it turns most sites — however well-designed — into a trivial exercise to access under someone else's credentials, as long as some people use the same username and password everywhere.
The end result is that Jane's bank account remains secure, while John's gets cleaned out the next day, and it is all because he took the advice of some security "expert" whose credentials largely consist of a piece of sheepskin and a job at a big-name security vendor that does not actually produce anything innovative. Sometimes, though, when advice sounds too good to be true, that is because it is not true. The perfect example is when someone tells you that you do not need unique passwords to be secure.