Is The End Near For Re-Used Passwords

What do you think about a plan that would actually make it impossible for you to use the same password on two or more sites?  Basically, when you set up a new web account, you would be forced to use a password that was truly different from other passwords you use elsewhere?

I am certain that if you are reading this blog, that you have already put all your passwords on a password manager program such as LastPass.  So this issue would not really affect you.  And of course you have replaced all your short, weak, reused passwords with 20 character random passwords.  No?

Honestly, while I do use a password manager, some of my passwords are still shared by more than one site. Not many though.  Random 20 character passwords are a work in progress.  So I understand why you may not have quite got your password game up to par.

I recently read an article in the Naked Security blog about a new password framework that would allow websites to know if the password you are trying to use has already been used by you on a different site.  This is called the “private-set-membership-test” protocol, and is made possible using something called homomorphic encryption that was developed by IBM ten years ago.

Basically, website that participated in this plan would query other participating site to compare the encrypted has of you new proposed password with the encrypted hash of your passwords on the other sites.  If there is a match, you would not be allow to create that password, you would need to change it to something unique.

I can only assume that people will be less than pleased initially.  This will undoubtedly lead to an increase in the sale of small spiral notebooks suitable for writing down hundreds of passwords.  (search “password minder” on YouTube) Or just maybe more people will be moving toward using a password manager, which would be a good outcome.

There are people who still refuse to wear seat belts when they are in an automobile.  I remember the initial anger of many people who didn’t like being “forced” to wear seat belts.  Even though I had already been wearing a seat belt myself, the change from voluntary wear to legally mandated wear was anathema to me.  I just don’t like to be told!

This protocol, if it comes to pass, will be similar.  Something that is good for you, that someone else is forcing you to do.  Something new we can all complain about.  Do you have an opinion on this subject?  I’d love to hear from you, so leave a comment.



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.