Passwords are terrible, aren’t they? It’s a cliché you must be used to hearing, not least from CBR, and if you ask anyone in security they will no doubt say it’s so.
Experts have long despaired at the poor habits of users when it comes to their login details. Not only do many of us not even bother to change them from the default; when we do pick passwords they are easy to guess and we reuse them across multiple sites, meaning a hack against one is a hack against all.
But Microsoft is not so sure. In partnership with Carleton University in Canada, the computer giant is dissenting from common wisdom, claiming that password strategies "that rule out password reuse or the use of weak passwords are suboptimal".
"Suboptimal" might not sound damning, but in an industry where defence of the password is quickly becoming blasphemous this might be one of the year’s most striking admissions.
So why has Microsoft said this? The company does not dispute that weak passwords are security risks, nor that reuse can cause a domino effect, as was feared after the Heartbleed bug. What it does question is whether the effort spent creating a strong, unique password for every account could be better spent elsewhere.
"Optimal password grouping tends to group together accounts with high value and low probability of compromise and group together accounts of low value and high compromise probability," it said.
How the ordinary user is meant to determine which companies are on the verge of being hacked, when even the companies themselves cannot tell, was not explained. The practical upshot is that you should have one password for PayPal and another for Reddit. It’ll do while we wait for retinal scanning, at least.
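To make the grouping principle quoted above concrete, here is an added example (not Microsoft's or Carleton's code) that scores a password-sharing arrangement by expected loss, assuming each account has a value and an independent compromise probability, and that a compromise of any account in a group exposes the password shared by the whole group; the account values and probabilities are constructed sample data.

```python
from math import prod

# Constructed sample accounts: (name, loss if compromised, probability of compromise).
ACCOUNTS = [
    ("bank", 1000.0, 0.01),
    ("paypal", 800.0, 0.02),
    ("reddit", 10.0, 0.30),
    ("forum", 5.0, 0.40),
]


def group_loss(group, accounts=ACCOUNTS):
    """Expected loss for a set of accounts that share one password.

    Assumed model: compromises are independent events, and once any member of
    the group is compromised the shared password exposes every other member.
    """
    p_any = 1.0 - prod(1.0 - accounts[i][2] for i in group)
    return p_any * sum(accounts[i][1] for i in group)


def expected_loss(grouping, accounts=ACCOUNTS):
    """Total expected loss of a grouping (a list of lists of account indices)."""
    return sum(group_loss(g, accounts) for g in grouping)


def partitions(items, max_groups):
    """Yield every split of `items` into at most `max_groups` non-empty groups."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for part in partitions(rest, max_groups):
        for i in range(len(part)):            # add `first` to an existing group
            yield part[:i] + [[first] + part[i]] + part[i + 1:]
        if len(part) < max_groups:             # or give it a password of its own
            yield [[first]] + part


def best_grouping(max_passwords, accounts=ACCOUNTS):
    """Brute-force the grouping with the lowest expected loss for a password budget."""
    idx = list(range(len(accounts)))
    return min(partitions(idx, max_passwords),
               key=lambda g: expected_loss(g, accounts))


if __name__ == "__main__":
    for g in ([[0, 1], [2, 3]], [[0, 2], [1, 3]], [[0], [1], [2], [3]]):
        print([[ACCOUNTS[i][0] for i in grp] for grp in g], round(expected_loss(g), 2))
    print("best with 2 passwords:", best_grouping(2))
```

With a budget of two passwords, pairing the two high-value, low-risk accounts and separately pairing the two low-value, high-risk ones (expected loss 62.34) beats mixing them (641.73), which is exactly the grouping the quoted passage describes.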