We all know it's important to take our online security seriously, but hold on just a second before you stuff that next password full of just the right combination of symbols, numbers, upper and lowercase letters. Shitty passwords have their place.
If you've signed up for any kind of online account recently, the case for a shitty password practically makes itself. You hammer in your trusty email address in one text box while the one beneath it offers you a challenge and a temptation. You should really use a strong, unique password that's hard to remember, it loudly implies. But it'd be so much easier to just use your dog's name, like you do for everything else.
Fortunately there is a solution to this problem, one that you're probably already using: a password manager. For the mild inconvenience of installing an app across your devices and logging into it now and then, the passwords to even your most inane accounts can be 37-character alphanumeric gibberish, and you barely have to remember a single letter.
We've all been told this is the way to go, and most of us probably believe it. But maybe it's not. Maybe sometimes a shitty password is the best password.
Giving up and giving in
Before you dismiss this wholesale, just think about it for one second. What if you just used shitty passwords? Not all the time of course, but most of the time. When it's easy! New research from Microsoft suggests that's exactly what you should do.
The argument goes something like this:
Strong passwords are good, but your brain only has room for so many of them. Sharing passwords between accounts hurts your security, but memorizing a bunch of strong unique passwords is basically impossible. Using a password manager gives you the best of both worlds, but at a huge risk; you're bundling your Google, or Paypal, or Facebook, or Amazon password (all very high value) with your Imgur and ReadItLater and stupid-old-highschool-Hotmail-account-you-check-every-two-years-for-kicks password (much lower value) behind one master pass. All of your eggs are in one basket.
That wouldn't be a problem if strong passwords were impenetrable, but we all know from experience (if not our from own, then from that of others) that passwords aren't perfect. Even the strongest password possible is worthless if someone finds a way around it.
If your master password gets sucked up by a client-side keylogger, or gets guessed, or forgotten, or if you stay logged in to an insecure computer, your entire kingdom is lost. And while LastPass and OnePassword have never been hacked, you can bet people are trying; a cache of master passwords is the ultimate get. It may seem unlikely, but the stakes are too high to risk it.
So what's a security conscious person to do? Just use shitty passwords. Not all the time, of course, but on the sites you truly don't care about. Microsoft argues that by just reusing the same, stupid "Sparky31589" at all your low-value sites — like ones where you don't store any important financial info — you're freeing up your mental RAM for memorizing four or five unique and secure passwords for your high-value accounts.
And this isn't just the conclusion of a bunch of logic and reasoning. These researchers used actual maths, and models, and probability (that I can't even hope to understand or explain).
The only real catch is that so many damn sites that force complexity on you. We are an Important Site, so your password must have 30 characters, upper case and lower case letters, three symbols, two numbers, an underscore and an anagram for a US state. And in order for this to work those sites have to knock it off and give us all the freedom to go weak when we want to, because sometimes it just makes sense.
And if that's the case, why not go even further? Maybe passwords should be entirely optional for some site! It sounds nuts (and maybe it is), but bear with me.
There are low-value accounts, but there are also no-value accounts. Just think for a minute and I bet you can think of at least one online account of yours that doesn't even need a password. My Imgur account I use mainly to store screenshots of my phone, for instance, could well be password-free. Ditto the dozens and dozens of accounts I've made for services I tried for just a few days, or intended to only use once. When I use my go-to shitty password on these ultra-low value accounts, I'm actually making that password weaker, to no real gain. It's like making extra copies of a key to secure lockers that have nothing inside.
Password-free accounts do exist, if not very widely. Maybe you've heard of Mailinator, the password-free email service. It's great for all your one-use, low-value email needs. Hell, the backup email address for my Xbox Live account was on Mailinator for years; the obscure address was password and username all in one. I might not actively recommend going that far, but there are plenty of cases where it'd make sense. You wouldn't believe how many Mailinator accounts I use, and if you can find out their wildly obscure addresses, you are more than welcome to what's inside.
No password is perfect
The whole argument of using shitty passwords (or no passwords at all) strikes at the heart of a deeper truth: passwords kind of suck. They suck to remember and they kind of suck at their jobs. Even the guy who invented them thinks they're pretty dumb.
Strong password-mania helps perpetuate the idea that if your password is strong enough, it's basically bulletproof, but that's just not true. Your password is more like a bike lock than a bank vault; it keeps honest people honest, but anyone with an angle grinder can probably saw through. And that's not to mention the exploits and dumb mistakes that expose your passwords all the time.
Using strong passwords is only half the security battle; the other half is minimising the damage when one or two inevitable leak out. Until someone can come up with a way to kill the password once and for all — whether it's through biometrics or some other future-tech — we're stuck balancing both sides of that equation. The good news is that being lazy about sharing your passwords between accounts isn't part of the problem; it's a potential solution.
Photo via Computer History Museum