Now Microsoft says weak passwords can be good

By: John McGarvey

Date: 7 August 2014

If there's one piece of IT security advice that's generally not up for debate, it's that you need to use strong passwords.

Some of the most common passwords are things like 'password' and '123456'. Hackers can guess these in minutes, so it's a really bad idea to use them.

The usual advice is to use passwords that:

  • Aren't dictionary words
  • Contain a mix of upper and lower case letters
  • Contain numbers and symbols
  • Are as long as possible

For instance, a password like 'YY6^nUCFT/g}k3Cb' is going to be hard for hackers to guess. You can get advice about choosing strong passwords here.

Don't use strong passwords?

But now Microsoft researchers have recommended (PDF link) we use and reuse weak passwords on low-risk websites that don't hold valuable information.

The theory goes something like this: by not having to struggle to remember complicated passwords for every single website, we can focus more of our efforts on creating and memorising strong passwords on the websites that really matter.

Why this is bad advice

On the face of it this sort of makes sense, but it starts falling apart when you try to actually put it into practice. Here's why:

  • It's hard to know which website accounts are most important. Even some innocuous websites hold sensitive data like your date of birth. It's not uncommon for hackers to piece together the information they need for identity theft from several different website accounts.
  • Memorising strong passwords is too hard anyway. Regardless of what Microsoft says, your average website user has neither the time nor the inclination to memorise passwords like 'YY6^nUCFT/g}k3Cb' — even if they only need to do so for a few websites. It's simply asking too much.
  • It makes the world of passwords more confusing. The message that strong passwords are important is easy to understand. Being told it's sometimes ok to use weak passwords dilutes that message — particularly when there's no solid definition of what constitutes a 'low risk' website.

Although Microsoft's intentions are good, research like this risks causing more problems than it solves.

As other security experts have argued, you're probably better off using a password manager to create strong passwords and keep track of them all.

Blog by John McGarvey, IT Donut editor
