Maybe You Don’t Have to Use Strong Passwords for Every Account After All

Maybe it’s not so bad that your password is 12345678.

If you need strong passwords for every one of your accounts, from your local public library to your grocery store rewards card, then you just have to use a password manager. There’s no other way to keep your letters, numbers, and symbols straight. But maybe the premise that you need strong passwords for everything is wrong. A new Microsoft study wants to give everyone a break.

Microsoft researchers Dinei Florêncio and Cormac Herley, along with Paul C van Oorschot from Carleton University in Canada, note that password managers generate great random login information, but can cause problems if users forget their master password.* As the Guardian reports, password managers also store passwords locally or in the cloud, and both approaches can be susceptible to hacks. The researchers wrote, “It introduces severe new risks: if the master password is guessed or used on any malware-infected client, or the cloud store is compromised, then all credentials are lost.”

Instead, the group argues that people should use weak, memorable passwords or the same password for low-importance accounts. That way they can focus on memorizing a few strong, diverse passwords for their most sensitive accounts, like email and banking. This seems especially appealing since password managers are difficult to use properly in the first place. (For instance, they make it harder to use a friend’s computer to log into your Gmail account.)

If you’re currently using a password manager successfully this study might not be grounds to give it up, but if you’ve done absolutely nothing about password security when you know you should, this might be a good strategy to start with. Just make sure those important passwords really are super secure.

Correction, July 16, 2014: This post originally misspelled Carleton University.