Is The End Near For Re-Used Passwords

What do you think about a plan that would actually make it impossible for you to use the same password on two or more sites?  Basically, when you set up a new web account, you would be forced to use a password that was truly different from other passwords you use elsewhere?

I am certain that if you are reading this blog, you have already put all your passwords in a password manager program such as LastPass.  So this issue would not really affect you.  And of course you have replaced all your short, weak, reused passwords with 20-character random passwords.  No?

Honestly, while I do use a password manager, some of my passwords are still shared by more than one site.  Not many, though.  Random 20-character passwords are a work in progress.  So I understand why you may not have quite got your password game up to par.

I recently read an article in the Naked Security blog about a new password framework that would allow websites to know if the password you are trying to use has already been used by you on a different site.  This is called the “private-set-membership-test” protocol, and is made possible using something called homomorphic encryption that was developed by IBM ten years ago.

Basically, websites that participated in this plan would query other participating sites to compare the encrypted hash of your new proposed password with the encrypted hashes of your passwords on the other sites.  If there is a match, you would not be allowed to create that password; you would need to change it to something unique.
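To make the idea concrete, here is an added toy example (not code from the Naked Security article or from IBM's homomorphic-encryption scheme) of a two-site private membership test in Python. It uses commutative blinding with per-site secret exponents (a Diffie-Hellman-style construction) rather than homomorphic encryption, so that the querying site learns only a yes/no answer and the other site never sees the candidate password; the password lists and the choice of the Mersenne prime 2^521 - 1 as the group are constructed for the example.

```python
import hashlib
import math
import secrets

# Toy group: Z_p^* for the Mersenne prime 2^521 - 1 (a real prime, but chosen only
# for this example; a production system would use a vetted prime-order group).
P = (1 << 521) - 1


def hash_to_group(password: str) -> int:
    """Map a password deterministically to a non-trivial element of Z_p^*."""
    digest = hashlib.sha512(password.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2


class Site:
    """A participating site holding one user's (constructed) password hashes."""

    def __init__(self, passwords):
        # Per-site secret exponent, coprime to p-1 so blinding is a bijection.
        while True:
            self.key = secrets.randbelow(P - 2) + 1
            if math.gcd(self.key, P - 1) == 1:
                break
        self.hashed = [hash_to_group(pw) for pw in passwords]

    def blind(self, element: int) -> int:
        """Raise an element to this site's secret key; undoable only with the key."""
        return pow(element, self.key, P)

    def blinded_set(self) -> set:
        """The site's stored hashes, blinded so the receiver cannot read them."""
        return {self.blind(h) for h in self.hashed}


def already_used(candidate: str, new_site: Site, other_site: Site) -> bool:
    """Return True iff `candidate` is already registered at `other_site`.

    The other site only ever sees the blinded query, never the candidate hash;
    the new site only sees the other site's blinded set, never its raw hashes.
    """
    # Step 1: the new site blinds the candidate's hash and sends only that.
    query = new_site.blind(hash_to_group(candidate))
    # Step 2: the other site re-blinds the query and returns its own blinded set.
    double_blinded_query = other_site.blind(query)
    other_blinded = other_site.blinded_set()
    # Step 3: exponentiation commutes, so (h^b)^a == (e^a)^b exactly when h == e.
    both_blinded = {new_site.blind(x) for x in other_blinded}
    return double_blinded_query in both_blinded
```

Because each query still tests one guess against the other site's list, a real deployment would also have to rate-limit queries so the protocol cannot be turned into an online guessing oracle.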

I can only assume that people will be less than pleased initially.  This will undoubtedly lead to an increase in the sale of small spiral notebooks suitable for writing down hundreds of passwords (search “password minder” on YouTube).  Or just maybe more people will be moving toward using a password manager, which would be a good outcome.

There are people who still refuse to wear seat belts when they are in an automobile.  I remember the initial anger of many people who didn’t like being “forced” to wear seat belts.  Even though I had already been wearing a seat belt myself, the change from voluntary wear to legally mandated wear was anathema to me.  I just don’t like to be told!

This protocol, if it comes to pass, will be similar.  Something that is good for you, that someone else is forcing you to do.  Something new we can all complain about.  Do you have an opinion on this subject?  I’d love to hear from you, so leave a comment.



About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
