On 11/30/10, imelda <mueni0@gmail.com> wrote:
> John and Jane each have accounts at forty different Websites. John uses the
> same password at all of them because it is too difficult to maintain
> multiple passwords in his head, while Jane uses a password manager to ensure
> she can use a different password for each site without having to remember
> any of them.
>
> Both of them have memberships at example.com, and by some twist of fate they
> both end up using the same password, OJ01GzVWR5. In fact, they both use the
> exact same forty Websites. Along comes Pat, a malicious security cracker.
> Pat manages to bypass the incredibly deficient security at example.com and
> download the unencrypted database of usernames and passwords.
>
> With this database in Pat’s grasp, the malicious security cracker makes a
> list of a hundred high-value Websites, mostly including financial
> institutions. Pat starts running the username and password pairs in the
> unauthorized copy of the authentication database.
>
> Because Pat’s strategy involves entering each username and password
> combination only once, a direct attempt to access each of the hundred sites
> once per account name is all that is needed. This neatly avoids problems
> like the potential of being locked out of a highly secured site. In fact, it
> turns most sites — however well-designed — into a trivial exercise to access
> under someone else’s credentials, as long as some people use the same
> username and password everywhere.
>
> The end result is that Jane’s bank account remains secure, while John’s gets
> cleaned out the next day, and it is all because he took the advice of some
> security “expert” whose credentials largely consist of a piece of sheepskin
> and a job at a big-name security vendor that does not actually produce
> anything innovative.
>
> Sometimes, though, when advice sounds too good to be true, that is because
> it is not true. The perfect example is when someone tells you that you do
> not need unique passwords to be secure.
>
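An added defender-side illustration of the point in the quoted post, not code from the original email: a per-account lockout never fires on the "one attempt per username" pattern Pat uses, while a per-source view that counts distinct accounts touched does flag it. The log format, usernames and IP addresses below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample auth log (not from the original post): timestamp, source, user, result.
# 203.0.113.7 tries each account exactly once (the post's strategy); 198.51.100.9 is one
# user mistyping a password twice before getting in.
SAMPLE_LOG = """\
2010-11-30T09:00:01 203.0.113.7 jane FAIL
2010-11-30T09:00:02 203.0.113.7 alice FAIL
2010-11-30T09:00:03 203.0.113.7 bob FAIL
2010-11-30T09:00:04 203.0.113.7 carol FAIL
2010-11-30T09:00:05 203.0.113.7 john SUCCESS
2010-11-30T09:01:10 198.51.100.9 dave FAIL
2010-11-30T09:01:15 198.51.100.9 dave FAIL
2010-11-30T09:01:20 198.51.100.9 dave SUCCESS
"""


def parse_log(text):
    """Return (source, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, source, user, result = parts
        events.append((source, user, result))
    return events


def per_account_lockouts(events, threshold=3):
    """Accounts a classic per-account lockout would lock: >= threshold failures each."""
    failures = defaultdict(int)
    for _source, user, result in events:
        if result == "FAIL":
            failures[user] += 1
    return {user for user, n in failures.items() if n >= threshold}


def flag_credential_stuffing(events, min_accounts=5, max_tries_per_account=1):
    """Sources touching many accounts with at most a few tries each: wide and shallow."""
    tries = defaultdict(lambda: defaultdict(int))  # source -> user -> attempt count
    successes = defaultdict(int)
    for source, user, result in events:
        tries[source][user] += 1
        if result == "SUCCESS":
            successes[source] += 1
    flagged = {}
    for source, per_user in tries.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_tries_per_account:
            flagged[source] = {"accounts": len(per_user), "successes": successes[source]}
    return flagged
```

On the sample log the lockout check returns an empty set, while the per-source check flags 203.0.113.7 as having touched five accounts with one successful login (the reused password).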