Passwords: uniqueness, not complexity

Hacktivists recently broke into the StratFor website and dumped details of 800,000 accounts, including e-mail addresses and password-hashes. Since the password-hashes were simple MD5, it meant that almost all the passwords were easily cracked. People have looked at the passwords, and found that most people chose simple ones, such as "password123". This has led to articles like this one (Breach shows that even experts chose bad passwords) that claims "Security experts recommend building long, complex, case-sensitive passwords with multiple characters".

Nope. That's wrong advice. Your password for a free or cheap StratFor account doesn't need to be complex, because there is little to lose if hackers guess it.

Instead, what's important is that the password be unique. Most sites are like StratFor and have poor cybersecurity. (StratFor wasn't even close to good cybersecurity, they were horrible on almost any measure). Any information you give them, such as your password, will eventually get stolen by hackers. If you use the same password for all websites, then eventually hackers will break into one of those sites, then gain access to all your other accounts.

There are essentially three tiers of websites. At the first tier is your e-mail account. Since a hack of your e-mail account means hackers can reset passwords on all your other accounts, it would be terrible if that password were lost. This should both be very complex, as well as wholly unrelated to any other accounts.

At the second tier are important e-commerce sites, like Amazon.com, NewEgg,com, Apple.com, and so on. The major sites are unlikely to be hacked. You could probably share the same password for all these accounts.

At the third tier are the unimportant accounts, like StratFor, where it wouldn't be catastrophic if your password were lost. Again, you could choose a third, simple password, like "passwd1234" for all these accounts. It'll probably get stolen within a year, but who really cares?

Thus, you really only need three passwords for each tier, so it's not too much trouble. However, even then, you might consider adding uniqueness. For example, on the last tier, you might use the domain name as your password, like "passwdStratfor1". When a hacker breaks in and runs an automated script to see if your password is unique, the script will fail to find a match on any other site. Sure, a hacker looking at the password individually will figure out your scheme, but in a huge hack like the 800,000 StratFor accounts, hackers are unlikely to manually check every password.

In conclusion, your first password policy shouldn't be complexity, but uniqueness. When hackers break into a site like StratFor and discover your password is "password1", you shouldn't be embarrassed. You should instead say you don't care about your free StratFor account, or that hackers break into it, and that knowing this password doesn't help break into any account you do care about.