[ LONG POST ] -- I've always wondered: Even though it's usually considered a bad idea, is it okay to re-use passwords across multiple programs IF THE PROGRAMS ARE UNIMPORTANT? In other words, you have different "tiers" of passwords that you use for programs of different levels of importance?

Hello everyone,

I've wondered something for years now, and am hoping to have a discussion about it.

In a perfect world, we would have two or three-factor authentication on ALL programs, be they something as important as your bank account, or something as trivial as your Neopets account, and the passwords used for each account would be unique, and difficult passwords, like 2%!#gasG45$&*asd12.

In the real world, however, I have been unable to find a good system to achieve this. Sure, I can get a password manager or something like my Google Account to create a bunch of unique and difficult passwords for every account, and then hide all of that behind a single two-factor authentication system for the password manager as a whole, but this has issues. Namely, there are times when I don't have access to my main password manager account, but still need access to one of the accounts it manages.

For example, say that my password manager is on my PC at home, but I'm at a friend's house, and want to log in to my Instagram account to show them a meme I saved -- there's no way to get in, unless I actually remember the password. This means I can't use unique and difficult passwords.

In other words, if I go with a password manager, I can ONLY ever log into things with my home PC, unless the password manager's own password is easy enough that I can remember it (which then presents its own risks, as all of the passwords under the password manager are now easily hacked).

So, I've always wondered if there's a problem with re-using passwords across accounts for programs that don't really matter if someone hacks them. I know that re-using passwords is typically looked down on, but if we're talking about something like your Runescape account, what harm is there really to your life if it gets hacked?

For obvious reasons, the example passwords I'm sharing below have no relation to my real-life passwords, except in regards to the general feel of their difficulty to memorize.

So, as an example:

-- Tier One --

Programs: Youtube, ArmorGames, Reddit, Minecraft, Pinterest, etc. Accounts with no payment info on file, and which don't really matter if they get hacked.

Password: An easy password like Password123456 for all of them.

-- Tier Two --

Programs: Facebook, Instagram, Snapchat, etc. Accounts with no payment info on file, but which would have annoying temporary social consequences if hacked. Also programs like Steam, Amazon, Ebay, etc., with payment info on file, but with strong anti-fraud protections.

Password: A mix of medium-difficult passwords like 67SierraApple15!, 49HorseTango15!, and 29Bottle49Staples, spread between them (so two or three programs might share the same password, but no more than that.)

-- Tier Three --

Programs: My Bank, My Google Account, My IRS Account, etc. Accounts with mass-money implications, and/or identity-theft concerns.

Password: Medium-difficult-style passwords like 59%%FoxtrotDepressed19 that are unique to each program, with 2-factor authentication if available.

Is this an acceptable password strategy, or am I setting myself up for disaster here? I just don't see how something like a password manager is better, when it puts all of your passwords into a single basket, creating a single point of failure for every account you have. Maybe I just don't understand them, but password managers seem like a huge step backwards in cybersecurity.

Any insight or thoughts are appreciated. Thank you for your time!

submitted by /u/--Ty--

from hacking: security in practice https://ift.tt/kyu6BsI
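As an added illustration that is not part of the original post: a small Python model of the three tiers described above. It uses the post's own example passwords, with constructed placeholder strings for the unique tier-three passwords the post does not spell out, and an assumed `unique_scheme` helper standing in for what a password manager would generate. It computes how many other accounts a single site's password breach exposes under the tiered scheme versus a unique-per-account scheme, and it also groups the passwords by character-class template, which shows that two of the "different" tier-two passwords follow the same pattern.

```python
from collections import defaultdict

# Constructed account -> password mapping that mirrors the three tiers in the post.
# Tier-one and tier-two passwords are the post's own examples; tier-three entries
# other than the post's one example are PLACEHOLDER strings, not real secrets.
ACCOUNTS = {
    # Tier one: one easy password shared by everything
    "YouTube": "Password123456",
    "ArmorGames": "Password123456",
    "Reddit": "Password123456",
    "Minecraft": "Password123456",
    "Pinterest": "Password123456",
    # Tier two: medium passwords, each shared by two or three sites
    "Facebook": "67SierraApple15!",
    "Instagram": "67SierraApple15!",
    "Snapchat": "49HorseTango15!",
    "Steam": "49HorseTango15!",
    "Amazon": "29Bottle49Staples",
    "Ebay": "29Bottle49Staples",
    # Tier three: unique per account (placeholders except the post's example)
    "Bank": "59%%FoxtrotDepressed19",
    "Google": "PLACEHOLDER-google-unique",
    "IRS": "PLACEHOLDER_IRS_2",
}


def reuse_groups(accounts):
    """Map each password to the set of accounts that share it."""
    groups = defaultdict(set)
    for account, password in accounts.items():
        groups[password].add(account)
    return dict(groups)


def blast_radius(accounts, breached):
    """Accounts (other than `breached`) that fall if the breached site leaks its
    password in plaintext or its hash is cracked: exactly those sharing the password."""
    password = accounts[breached]
    return {a for a, p in accounts.items() if p == password and a != breached}


def breach_report(accounts):
    """Per-account blast radius, largest first, ties broken by name."""
    rows = ((a, len(blast_radius(accounts, a))) for a in accounts)
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def worst_case(accounts):
    """Largest number of other accounts exposed by any single breach."""
    return max(len(blast_radius(accounts, a)) for a in accounts)


def unique_scheme(accounts):
    """Assumed stand-in for a password manager: one distinct secret per account.
    The placeholder strings represent randomly generated passwords."""
    return {a: f"PLACEHOLDER-unique-{a.lower()}" for a in accounts}


def pattern_signature(password):
    """Collapse a password into its character-class template
    (D=digit, U=upper, L=lower, S=symbol), merging runs of the same class."""
    classes = []
    for ch in password:
        c = "D" if ch.isdigit() else "U" if ch.isupper() else "L" if ch.islower() else "S"
        if not classes or classes[-1] != c:
            classes.append(c)
    return "".join(classes)


def shared_patterns(accounts):
    """Distinct passwords that nevertheless share one character-class template."""
    by_sig = defaultdict(set)
    for password in set(accounts.values()):
        by_sig[pattern_signature(password)].add(password)
    return {sig: pws for sig, pws in by_sig.items() if len(pws) > 1}


if __name__ == "__main__":
    for account, n in breach_report(ACCOUNTS):
        print(f"{account:12s} breach exposes {n} other account(s)")
    print("worst case, tiered scheme:", worst_case(ACCOUNTS))
    print("worst case, unique per account:", worst_case(unique_scheme(ACCOUNTS)))
    print("passwords sharing a template:", shared_patterns(ACCOUNTS))
```

The blast-radius numbers make the trade-off in the post concrete: any tier-one site that stores passwords badly takes the other four tier-one accounts with it, while a unique-per-account scheme keeps every breach at zero collateral. The template grouping is the check a practitioner would add when auditing a tiered scheme: `67SierraApple15!` and `49HorseTango15!` are different strings but the same shape, so one of them leaking reveals the recipe for the other.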
