ReadWriteWeb

Bad Form: 61% Use Same Password for Everything

Written by Josh Catone / January 17, 2008 9:35 AM / 13 Comments

A study by the digital communications agency @www reveals that, whenever possible, 61% of web users use the same password for all their online accounts, reports the Guardian. The survey also found that more than 1 in 10 users have over 50 online accounts to log into, leading many to experience password fatigue, which is why they fall back on one password for everything.

One solution to password fatigue is OpenID, which got a huge bump this morning from Yahoo!. OpenID works by letting users log into any supported service using a single username and password combination. But if using the same password across multiple accounts is dangerous, isn't OpenID essentially the same thing?

In theory, there are a ton of benefits for the user with OpenID. As someone who tests online products and services for a living, and has thus amassed a huge number of accounts with different usernames and passwords, OpenID is an exciting idea. Marshall Kirkpatrick presented a concise list of user benefits in a post on ReadWriteWeb this past November:

  • You can remember one username/password and log in to many different accounts.
  • In some cases you don't have to do anything but provide an OpenID in order to start a new account. That means you can start personalizing a new service really fast.
  • You don't have to trust random new sites with your info, your OpenID authenticator will hold and confirm everything for you.
  • In theory, you should be able to choose how much of your full profile to expose to different sites you log into.

But there are also a number of potential problems. Chief among them, in my mind, is that unifying your online identities means that having your password compromised becomes a whole lot like losing your wallet. Now instead of some unscrupulous individual gaining access to one online account, the person who has your OpenID credentials can log in everywhere you do. Recovering from that means a long, slow process (for the record, I haven't heard anyone talk about using OpenID for logging into ultra-sensitive web sites like those for banking or managing credit cards).

The good news for OpenID is that with more than 1 in 10 people suffering from password overload, the prospect of a single, linked identity is likely an inviting one. And if 61% of people are already essentially doing what OpenID does on their own -- using the same login credentials across all their accounts -- they may not mind the potential security flaws with the system.

However, there are other options for keeping track of your passwords. As the Guardian writes, "it's not necessarily bad to write passwords down - a piece of paper is going to be much harder to hack for an internet baddie than something stored on your computer or online, as long as it is adequately protected. Hide it, disguise it, put spaces in it, blend it in with other things. And don't write 'My banking passwords' at the top of the page."


1 TrackBack

Listed below are links to blogs that reference this entry: Bad Form: 61% Use Same Password for Everything.

TrackBack URL for this entry: http://www.readwriteweb.com/cgi-bin/mt/mt-tb.cgi/3136

In a funny (scary?) case of coincidence, the password problem got highlighted in TechMeme just weeks after I came under an attack that caused me to rethink my password strategy. My login credentials got compromised at a Gmail account that ...

Comments


  • There is one other important difference: try to change your password every month or so when you have that to do for every account. You just don't.

    With OpenID, it is just a matter of changing one password.

    Posted by: eelco | January 17, 2008 10:35 AM


  • I think eelco's right: that is a crucial difference for OpenID. I'd love to see OpenID providers offer the option to force a password change every 30 days. I would definitely enable something like that if I could access a large number of my web sites with OpenID credentials.

    Posted by: Randy | January 17, 2008 11:51 AM


  • that is definitely a benefit but I doubt users will do it unless they are forced to..

    what would be great would be if the OpenID system had layers of access. So a username and password was just level 1. Further info, whether it's DOB, fingerprinting or the Chip and Pin system here in the UK, could then give further levels of access.

    Posted by: Riaz | January 17, 2008 1:18 PM


  • oh and wouldn't it be great if RWW had OpenID..

    Posted by: Riaz | January 17, 2008 1:19 PM


  • "And if 61% of people are already essentially doing what OpenID does on their own -- using the same login credentials across all their accounts -- they may not mind the potential security flaws with the system."

    Let me rewrite that for you:

    And if 61% of people are already essentially doing what OpenID does on their own -- using the same login credentials across all their accounts -- *they may not need OpenID in the first place*

    The one benefit of OpenID for those of us who use 1 or 2 passwords for everything is that if we want to change it, it's one change. But between using a single password for everything and the fact that both Firefox and IE can remember passwords for you there's no real use benefit to OpenID.

    I have 2 passwords - one for sites that need a lot of security that is a long string of random digits and one for other sites that's less secure. For sites that allow it, I let them drop a cookie on my machine so that I automatically login.

    I just don't see any benefit to centralizing my login credentials and I see a risk in having those credentials stored in one place. Given the repeated lapses in security from various companies ("oh no, Joe lost his laptop that had 5 million users' data on it") why should I put my trust in any single provider?

    Posted by: rick gregory | January 17, 2008 2:28 PM


  • The 'changing one password' benefit that eelco refers to also has security benefits. Suppose someone does lose a laptop with your password on it? You only have to change it once and you're protected anew.

    That being said, I'd still follow Rick Gregory's system: use OpenID and the one password for the sites where security isn't that much of a concern, and keep the cryptic codestrings for online banking.

    Posted by: Kaila Colbin | January 17, 2008 4:51 PM


  • the other 39% put their password on a post-it note stuck to the monitor.

    Posted by: Spuds | January 17, 2008 11:38 PM


  • And why not reuse id & pw?
    Do I really care if someone else can read the online newspaper from my account? Post on that forum I visited twice last year?
    Of course for the very few online accounts I really care about (mail, blog) OpenID makes sense.

    Posted by: Ivana | January 18, 2008 2:15 AM


  • I find that you can't use the same passwords for many sites. So many of them all have slightly different rules, minimum number of characters, maximum number of characters, must include 2 digits, etc etc. The only option I have to keep track of them all is to have them written down. God help me if I ever lose that notebook.

    For non important sites, I just want to be able to remember one login and password, not have to look it up each time.

    Posted by: Robert | January 18, 2008 8:01 AM


  • Another alternative is to use on-the-fly site-specific password hashing. You get the benefit of only remembering one master password for all sites, but each site gets a unique and strong password (that you don't have to remember). Furthermore, signing in is automated and no password is stored anywhere, not on the computer or on paper.

    See this article for more details about password hashing.

    Posted by: Tummblr | January 18, 2008 8:36 AM


  • Sorry, URL was stripped from previous post. Here it is:

    http://www.tummblr.com/software/passwordmaker-safe-secure-simple-site-specific-smart-password-management/

    Posted by: Tummblr | January 18, 2008 8:40 AM
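The scheme Tummblr describes above, a single memorised master password turned into a different strong password for every site with nothing stored, can be shown in a few dozen lines. The block below is an added illustration written for this page; it is not Tummblr's code, nor PasswordMaker's, and it assumes choices the comment does not specify: PBKDF2-HMAC-SHA256 as the key-derivation function, the site's host name (scheme, path, capitalisation and a leading "www." stripped) as the per-site label, and a fixed output alphabet. It also goes one step beyond the comment to address Robert's complaint about sites with conflicting password rules: the alphabet and length are parameters, so a site that forbids symbols can be given a letters-and-digits password without changing the master secret.

```python
"""Site-specific password derivation (added example; hypothetical design,
not the code of any product named on the page)."""
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Assumptions: a 72-character default alphabet and a PBKDF2 iteration count
# high enough that a password leaked by one site cannot cheaply be worked
# back to the master secret.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
ALNUM_ALPHABET = string.ascii_letters + string.digits  # for sites that forbid symbols
ITERATIONS = 200_000


def site_label(url: str) -> str:
    """Normalise a URL or bare host to one label, so that
    'https://www.Example.com/login' and 'example.com' derive the same password."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_password(master: str, url: str, length: int = 20,
                    alphabet: str = DEFAULT_ALPHABET) -> str:
    """Regenerate the per-site password from the master secret and the site
    label. Nothing is stored: identical inputs always give identical output,
    and a different site or a changed master gives an unrelated password."""
    label = site_label(url)
    # Stretch master+site into a 32-byte key; the label acts as the salt.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              ("site:" + label).encode("utf-8"),
                              ITERATIONS, dklen=32)
    # Render key material into the alphabet. Bytes >= limit are discarded
    # (rejection sampling) so every character is equally likely.
    limit = 256 - (256 % len(alphabet))
    out: list[str] = []
    counter = 0
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        out.extend(alphabet[b % len(alphabet)] for b in block if b < limit)
        counter += 1
    return "".join(out[:length])


def all_distinct(master: str, urls: list[str]) -> bool:
    """True if every site in the list receives a different password, i.e. a
    breach at one site exposes nothing reusable elsewhere."""
    passwords = {derive_password(master, u) for u in urls}
    return len(passwords) == len(urls)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    master = "correct horse battery staple"
    for site in ["https://www.Example.com/login", "example.com", "example.org"]:
        print(f"{site:35} -> {derive_password(master, site)}")
    print("no-symbols variant:", derive_password(master, "example.org", 12, ALNUM_ALPHABET))
```

Two properties are worth checking by hand: the first two sites print the same password (the label normalisation treats them as one site), and rotating the master secret changes every derived password at once, which is the "change it once" benefit eelco and Kaila Colbin discuss, obtained without any provider holding the credential.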


  • Interesting Article. In my Blog you'll find some additional tips:

    http://alex.blog.v-band.de/2008/01/password-lost-no.html

    Posted by: Alex | January 24, 2008 1:54 AM


  • OpenID requires deep collaboration of a site operator to adopt it. And big guys have all reasons not to do so since they control many users' profiles and why should they give them out.

    Every major player wants to be the OpenID provider but not recognizing others' OpenID.

    A more pragmatic way is a portable, secure and purely web-based service like Mashed Life or Mozilla Weave. Both are using the web way to deliver the service. That's exactly what I want.

    Posted by: Hairy Pony | February 1, 2008 5:27 PM

