Realistic Trust — On Reused Passwords

A bit of a ruckus has arisen over the purported breach of security at the groupthink site Reddit.

It seems that the Reddit folks were storing the users' passwords in plaintext, so a recent data loss or integrity compromise of some sort has them warning users to change their password just in case their backup tape — if that story is right — gets into the hands of the desperate-for-high-karma-Reddit-accounts drug cartels.

Many are calling this a blatant mistake on the part of the Reddit crew, declaring that passwords should never be stored in plaintext. The Reddit crew and its defenders have stated that the plaintext passwords are used to allow them to email the password to the user, which is a tenuous argument, but I suppose they went for the KISS model (which is pretty much the modus operandi of Reddit; they recently rolled out a CAPTCHA implementation that is laughably vulnerable out of the gate, but it is the simplest implementation possible).

What is most disturbing to me, however, are the declarations that this is much more of a problem than Reddit alone. People are crying foul because they believe that their bank accounts, email accounts, and other online accounts are vulnerable now that the Reddit user database might be in the wild.

NEVER USE THE SAME PASSWORD ON MULTIPLE SITES.

At worst, share passwords among throw-away type sites like Reddit. Never share passwords between sites that actually matter.

Let’s say that Reddit actually did hash the password – debatable whether it’s even necessary for that site, and I have advocated advanced techniques for doing this before — why in the world would you trust the folks at Reddit with this secret? (All the hashing in the world does nothing if the people who are doing the hashing have nefarious motives.) Why would you trust the people who man their data centers, or the people who share machines with them, or handle their backup tapes, or provide their internet services?

There is no credible reason why a shared password in the hands of Reddit alone — even if they cross-their-heart promised to hash it — should give comfort to someone who reuses the same password on sites of value. That is absolute insanity, and it is a very dangerous practice.

It’s far more disturbing to me that people worry about more than their Reddit account in this situation.

If you must “reuse” passwords, use one of the many utilities available to hash your name or email address with the target site domain on the client side (for that particular one — note that it’s just one of hundreds available — you can use their website, or their Firefox or IE 6 or 7 extensions), actually generating a unique password for each site while only having to remember one password on your end. There are many clever implementations, but the one linked here, for instance, allows you to preface passwords with @@ and it automatically does client-side, site-specific hashing, meaning that your shared secret isn’t dangerously shared with the people at random internet sites.