Wired.com thinks password complexity is bogus

We wrote an article yesterday about password security.  I just read an article on wired.com about how password complexity may not be all that much safer than a simple password.  The article is here.

The main point of the article is that it doesn’t matter how secure your password is if the website storing it isn’t following secure practices, for example if it stores your password in plaintext.  Most websites will instead store your password as a hash, which looks like this: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8.  This is a string mathematically derived from the word “password”.  Any different word typed in would result in an entirely different hash.  For example, changing just one letter to get “Password” results in e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a.
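To make the point concrete, here is a short added example (my code, not from the Wired article or this post) that reproduces the two hashes above with SHA-256 and then shows the storage difference the article is talking about: a bare, unsalted hash gives the same stored value on every site where the password is reused, while a salted, iterated hash (PBKDF2-HMAC-SHA256 here; the scheme, the record format and the iteration count are my choices) gives unrelated values per site and still lets the site verify a login.  The sample passwords are the ones quoted in the post.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Sample inputs: the two words the post uses to illustrate hashing.
PASSWORD = "password"
TWEAKED = "Password"


def sha256_hex(text: str) -> str:
    """Plain, unsalted SHA-256 of a string, hex-encoded (the digest shape quoted in the post)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def unsalted_store(password: str) -> str:
    """How a careless site stores a password: one bare hash, no salt.
    Every site that does this stores the identical value for the same password."""
    return sha256_hex(password)


def salted_store(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. Each record gets its own random salt, so the
    same password produces unrelated stored values on different sites (and for different
    users on the same site). Record format is a constructed convention for this example;
    raise the iteration count for real deployments."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def salted_verify(password: str, stored: str) -> bool:
    """Recompute the digest from the parameters kept in the record and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def reuse_visible_across_sites(password: str, storer: Callable[[str], str]) -> bool:
    """Simulate two unrelated sites each storing the same reused password.
    Returns True when someone holding both leaked databases can see the reuse
    just by comparing the stored values, without cracking anything."""
    site_a_record = storer(password)
    site_b_record = storer(password)
    return site_a_record == site_b_record


if __name__ == "__main__":
    print(sha256_hex(PASSWORD))  # compare with the first digest quoted in the post
    print(sha256_hex(TWEAKED))   # one capital letter, a completely different digest
    print("reuse visible with unsalted hashes:", reuse_visible_across_sites(PASSWORD, unsalted_store))
    print("reuse visible with salted PBKDF2:  ", reuse_visible_across_sites(PASSWORD, salted_store))
    record = salted_store(PASSWORD)
    print("verify correct password:", salted_verify(PASSWORD, record))
    print("verify tweaked password:", salted_verify(TWEAKED, record))
```

The salted scheme does not make a weak password strong, which is the article’s point; it only stops a single leaked table from being matched against precomputed hashes or against another site’s leak.  Password reuse is what turns one breach into many, and that is what the stored value on the careless site gives away directly.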

In some situations, a complex password can help you. But in others—like when the company holding your password stores it in plain text, without encrypting it—that complexity is meaningless.

I agree with them in the sense that it doesn’t matter how secure your password is if the website is storing it in an insecure way; however, I think the true risk is when the password is reused on multiple sites.  That is why I still stand behind using a password manager: your credentials are saved securely, and if one website gets hacked, you can change that password as often as you like while your other logins stay safe and secure.

What I don’t agree with is the message that Wired.com conveys.  I think that it discourages the use of complex passwords and doesn’t really give the reader a way to fix it.  It touches briefly on multi-factor authentication, but ultimately says that the complexity doesn’t matter if the website is insecure to begin with.

They even go as far as to say that putting all your faith in a complex password is a “fool’s wager”.  They also mention that it’s OK to use a low-complexity password for a website that doesn’t really matter, such as one you only register on to read a news article.

The way Herley and van Oorschot see things, some accounts are perfectly fine to have completely low security. Using the word “password” as your throw-away password when you’re forced to register to read an online news article may not be such a big deal. On the other hand, if you’re using Gmail as your primary email account, you’re going to make things more difficult. You want a password that’s really hard to guess, and you want Google to text you a second password when you try to log in from a different device.

No, the real risk here is password reuse.  It doesn’t matter how complex or simple your password is if you reuse it on multiple sites, and if you use that simple “throwaway” password more than once, you’re only hurting yourself in the long run.

Take your passwords with you: use a password manager.  Then you can stop worrying about whether your passwords are good enough.  You can lock all of your passwords down with one single, complex password, and if a website gets hacked, at least the hacker doesn’t get access to everything else you’ve used that password for.