Slashdot Mirror


Crappy Passwords Very Common

KeatonMill writes "CNN released this story about passwords. Apparently, a group of UK psychologists did a study about password selection, and found that many passwords can be guessed if access to the subject's desk is allowed (the article gives an example of sports memorabilia representing sports-related passwords). According to the study, 50 percent of people use names of family members or pets as passwords."

11 of 422 comments

  1. Has to be crappy. by Account 10 · · Score: 5, Insightful

    The password policy where I work is 10 characters, mix of upper and lowercase, at least 1 non-alphabetic, expires every 6 weeks. So of course I write it down (indirectly) or put it in "logon.bat".
    Because of Windows' stupid caching, I already have to phone the helpdesk every 6 weeks to get my account unlocked when Windows somewhere decides to try my old password 5 times in succession.

    1. Re:Has to be crappy. by beer_maker · · Score: 3, Insightful
      Try this on your boss every day, make them hate IT as much as you. (-;

      /RANT ON

      Make them hate IT as much as [they hate] you? You can't even remember your password and now you want to get the poor IT staff in trouble? Thanks a lot.

      I LOVE folks like you. You're the one with the 30 GB of mp3s on the server, the collection of screensavers on your desktop machine, and the Zip disk you swore would be used "only for work files, really."

      You, Sir or Madam, put the "L" in user!

      /RANT OFF

      Whew, that felt good. Who needs Karma, anyway ...

      --
      Hmmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.
  2. Passwords.. by bje2 · · Score: 5, Insightful

    You know what my problem is??? I have dozens and dozens of passwords to remember... I have my work computer, my work e-mail, my home computer, my 2 home e-mail accounts, eBay, Slashdot, IM, etc... it's just too many passwords to remember...

    Because of that, I've fallen into a bad rut for my passwords: I only have like three that I use on a regular basis, and I just reuse them whenever I register for a new account... don't get me wrong, I know that's a terrible thing to do... but I just can't bother myself to remember more and more passwords... God forbid someone found one out...

    Does anyone have any tips for things they do, or products they use, to keep track of their dozens and dozens of passwords...?

    ...that said, I think I'll go change my Slashdot password...
    --
    "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
    1. Re:Passwords.. by Remus · · Score: 3, Insightful

      I was in the same situation and decided that neither using only a few passwords nor trying to memorize >= 10 passwords is a really good idea. So I started using Keyring for PalmOS on my Palm. It even generates random passwords for me (useful for all those web accounts) and I only have to remember one master password.

      Passwords that I use regularly stick after a while anyway.

      Remus

    2. Re:Passwords.. by dunkelfalke · · Score: 2, Insightful

      Well, it won't help you in case of brute force, but it will help you in case of dictionary searching:

      Use a password in a different language than your main one. The target language should be much different. For example, if your mother tongue is English, use a password in Russian, Japanese or Turkish. It should be a long sentence you can memorize easily, like fuckyoudamnscriptkiddie; translate it into the target language, memorize it.

      It works surprisingly well.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
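    The study's finding (pet and family names), Remus's password manager with generated passwords, and dunkelfalke's point that a foreign-language sentence beats a wordlist but not brute force can be put side by side in code. The following is an added example, not code from the thread or any commenter: a toy credential store with constructed usernames and passwords, a dictionary attack built from "desk" words with common mangling, the exhaustive-search cost (which depends only on length and alphabet, not on language), and a `secrets`-based generator of the kind a password manager uses. The wordlist, passwords and fixed salt are all constructed, and the single salted SHA-256 is used only so the loop finishes instantly; a real store should use a slow KDF such as scrypt or Argon2.

```python
import hashlib
import math
import secrets
import string

# --- a toy credential store (constructed, not real data) ----------------------
# Real systems should use a slow, salted KDF (scrypt/argon2); one salted SHA-256
# is used here only so the attack loop below runs in milliseconds.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

SALT = b"\x00" * 8  # fixed so the store is reproducible; use os.urandom(16) in practice

# Passwords of the kind the study describes, plus a manager-generated one and a
# long transliterated sentence that is in no wordlist (all values constructed).
SAMPLE_PASSWORDS = {
    "alice": "fluffy1",               # pet name + digit
    "bob":   "Arsenal99",             # the team on the scarf over the monitor
    "carol": "ywVqwLUo2bdT1Mn5",      # generated by a password manager (constructed)
    "dave":  "idinapochtubystrodrug", # transliterated sentence, not in any wordlist (constructed)
}
STORE = {user: hash_password(pw, SALT) for user, pw in SAMPLE_PASSWORDS.items()}

# --- a dictionary attack driven by what is visible on the desk ---------------
DESK_WORDS = ["fluffy", "rover", "jessica", "arsenal", "yankees", "password"]

def mangle(word: str):
    """Common user mangling: capitalisation, a trailing '!', trailing digits."""
    for w in (word, word.capitalize(), word.upper()):
        yield w
        yield w + "!"
        for n in range(100):
            yield f"{w}{n}"

def dictionary_attack(store: dict, wordlist, salt: bytes = SALT) -> dict:
    """Return {user: password} for every account whose password is a mangled
    wordlist entry. Accounts with random or non-dictionary passwords survive."""
    candidates = [c for w in wordlist for c in mangle(w)]
    cracked = {}
    for user, digest in store.items():
        for cand in candidates:
            if hash_password(cand, salt) == digest:
                cracked[user] = cand
                break
    return cracked

# --- what the attacker faces once the dictionary runs dry --------------------
def search_space_bits(length: int, alphabet_size: int) -> float:
    """Work for exhaustive search, in bits. It depends on the length and on the
    alphabet the attacker has to assume, not on which language the words are in."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

# --- the password-manager approach: random, per-site, behind one master secret
ALPHABET = string.ascii_letters + string.digits

def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """CSPRNG-backed generation; secrets.choice is uniform over the alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print("cracked by desk dictionary:", dictionary_attack(STORE, DESK_WORDS))
    for user, pw in SAMPLE_PASSWORDS.items():
        bits = search_space_bits(len(pw), len(ALPHABET))
        print(f"{user}: {len(pw)} chars -> {bits:.0f} bits, "
              f"{years_to_exhaust(bits, 1e9):.2g} years at 1e9 guesses/s")
    print("fresh manager-generated password:", generate_password())
```

    Running it cracks alice and bob from six desk words and their mangled forms, while carol's generated password and dave's transliterated sentence are untouched; the search-space figures then show that dave's resistance to brute force comes from 21 characters, not from the language, which is exactly the split dunkelfalke draws. The alphabet passed to `search_space_bits` is what the attacker must assume; if they know a passphrase is all lowercase, pass 26 and the bits drop accordingly.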
  3. The fallacy of their argument by Walter Bell · · Score: 5, Insightful
    ...is that, although biometrics will generate a nice password like "sdf987*(&^JJHASBDjkasdjkh231*()&as" that nobody could ever guess, the problem of a replay attack is undeniable. That is, once somebody can obtain your biometric hash through the use of a rogue thumbprint scanner, there's no way (by definition) that you'll ever be able to change it to something different and make it secure again. And that is why putting biometric scanners on personal PCs with insecure Micro$oft operating systems opens the door quite wide to identity theft.

    The best authentication schemes involve something you know (a PIN or password) and something you have (a smartcard, RSA key fob, or some other device that implements a challenge/response system to authentication queries).

    ~wally

  4. Re:so what? by MoneyT · · Score: 2, Insightful

    What?! Are you moronic? Having a user account is the first step in getting administrator accounts. Much information about people can be gleaned from a user account. Couple with some social engineering and a little bit of luck and you have access to an admin account.

    Of course, if someone has access to your desk, you've got bigger problems than just access to your computer account.

    --
    T Money
    World Domination with a plastic spoon since 1984
  5. Epasswd by jhunsake · · Score: 4, Insightful

    Enforce password conventions the way NASA does... Epasswd

  6. Re:Biometrics... by BeBoxer · · Score: 5, Insightful

    The problem with biometrics as passwords is that they can still be obtained via other methods such as password sniffing and they can't be changed. So by themselves, they are even worse than regular passwords.

    Let's look at the "obvious" method of using say fingerprints as passwords. A print scanner on your keyboard scans your print into some sort of unique id. When you want to log in to some service, the keyboard sends your username along with your print id in lieu of a regular password. The service checks your username and print in its database and decides whether or not to grant access. The problem with this type of setup is that every service you use has the ability to impersonate you to every other service you use. Not a good idea at all. This is the same fundamental flaw credit cards have. Every vendor you do business with has the ability to impersonate you to every other vendor who accepts your type of credit card. Hence all the fraud. But at least with credit cards you can get a new number if someone starts abusing it.

    Really, the only way to do authentication that doesn't suffer from this flaw is to use a public-key based method. It's absolute insanity to start sending your fingerprint everywhere and using it as an ID. Absolutely the dumbest way of doing authentication online I can think of. Which is not to say that biometrics don't have their place at all. It can be used in very limited means inside of closed systems and provide a reasonable increase in security. I think where this will end up is that we will each have a small portable hardware device which can do secure public-key based authentication for us. A fingerprint can be used to authenticate us to our hardware token. Since the fingerprint never has to leave the token, it isn't nearly as vulnerable to being stolen. Imagine an ATM card which has a small number pad on it. You type the amount you want to withdraw into your ATM card, which scans your prints as you type the amount in. Then, you insert the card into the ATM machine and the card securely authorizes a withdrawal in the amount you entered. This authorization protocol can be public and standardized without any loss of security. Your fingerprint never leaves the card so isn't vulnerable to theft.

    Note that there are companies now selling the keyboard-style scanners. In my opinion, these are nothing but snake oil. From looking through the descriptions of the available products, all of the ones I've found appear to be transmitting a fingerprint 'hash' to an authentication database. It's not hard to imagine software hacks which can record the fingerprint info as it comes in off the USB or parallel port and later replay that information to spoof users. While some hackers might still be guessing passwords, a lot are now using software to grab passwords either off the network or off the keyboard. Fingerprint scanners do nothing to prevent this type of hack except make it impossible to change the password after it's been stolen. So not only are you still vulnerable, your options for correcting the problem after the hack are drastically reduced.

    Inside of a corporate environment where all hardware and software installations are tightly controlled, there might be some value. But it's not a general purpose authentication technique. Every terminal you use will gain the ability to impersonate you, and every server you log into will gain the ability to impersonate you. Which is the case now, but I don't use the same password for Slashdot that I use for my shell accounts. And I don't log into my shell accounts from computers I have no reason to trust (such as at a cyber cafe). If everyone is using biometrics, then the services you trust least (like Slashdot, say) have the information they need to impersonate you to the places you trust most (your bank, your shell accounts at work, etc.). When I say 'trust', I'm probably using the wrong word. What I mean is I don't really care very much if someone steals my Slashdot password. It's not a big deal. I do care if someone steals my work passwords, or online banking passwords. I would never use the same password both places, which is exactly what biometrics force me to do.
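    Walter Bell's replay concern and challenge/response answer (comment 3) and BeBoxer's point that a static fingerprint hash lets every service impersonate you to every other are the same two failure modes, so one added example covers both. This is editor-added code, not from either commenter: scheme 1 is a constructed stand-in for a "fingerprint hash as password" service, where whatever one service stores at enrolment logs you in everywhere; scheme 2 models a hardware token that keeps a master secret, derives a separate key per service, and answers single-use random challenges with HMAC only after a local unlock. Assumptions: HMAC-SHA256 over per-service derived keys is used in place of the public-key scheme BeBoxer describes, because it needs only the standard library; the fingerprint check is modelled as a boolean; the service names, username and template bytes are constructed.

```python
import hashlib
import hmac
import secrets

# --- scheme 1: the "fingerprint hash sent as a password" design --------------
# One static credential goes to every service. The bytes below are a constructed
# stand-in for a template hash; no real biometric processing is modelled.
FINGERPRINT_HASH = hashlib.sha256(b"constructed fingerprint template").hexdigest()

class StaticCredentialService:
    def __init__(self, name: str):
        self.name = name
        self.enrolled = {}                     # username -> credential as received
    def enroll(self, user: str, credential: str):
        self.enrolled[user] = credential
    def login(self, user: str, credential: str) -> bool:
        return hmac.compare_digest(self.enrolled.get(user, ""), credential)

# --- scheme 2: token + per-service key + single-use challenge ----------------
class Token:
    """Stands in for the smartcard/fob. The master secret never leaves it; the
    fingerprint only unlocks it locally (modelled here as a boolean)."""
    def __init__(self):
        self._master = secrets.token_bytes(32)
        self._unlocked = False
    def unlock(self, fingerprint_ok: bool):
        self._unlocked = fingerprint_ok
    def service_key(self, service: str) -> bytes:
        # Per-service derivation: one service's key reveals nothing about another's.
        return hmac.new(self._master, b"svc:" + service.encode(), hashlib.sha256).digest()
    def respond(self, service: str, challenge: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("token locked: no valid fingerprint")
        return hmac.new(self.service_key(service), challenge, hashlib.sha256).digest()

class ChallengeResponseService:
    def __init__(self, name: str):
        self.name = name
        self.keys = {}                         # username -> key shared at enrolment
        self.pending = {}                      # username -> outstanding challenge
    def enroll(self, user: str, key: bytes):
        self.keys[user] = key
    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce
    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)   # consumed on first use, match or not
        if nonce is None or user not in self.keys:
            return False
        expected = hmac.new(self.keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    results = {}
    # Scheme 1: the low-trust site's copy of the credential logs in at the bank.
    forum, bank = StaticCredentialService("forum"), StaticCredentialService("bank")
    forum.enroll("wally", FINGERPRINT_HASH)
    bank.enroll("wally", FINGERPRINT_HASH)
    stolen_from_forum = forum.enrolled["wally"]
    results["static_cross_service_impersonation"] = bank.login("wally", stolen_from_forum)

    # Scheme 2: each service is enrolled with its own derived key.
    token = Token()
    forum2, bank2 = ChallengeResponseService("forum"), ChallengeResponseService("bank")
    forum2.enroll("wally", token.service_key("forum"))
    bank2.enroll("wally", token.service_key("bank"))
    token.unlock(fingerprint_ok=True)

    nonce = bank2.challenge("wally")
    response = token.respond("bank", nonce)
    results["legit_login"] = bank2.verify("wally", response)
    results["replay"] = bank2.verify("wally", response)          # same response again
    # The forum operator, holding only the forum key, tries to answer the bank.
    nonce2 = bank2.challenge("wally")
    forged = hmac.new(forum2.keys["wally"], nonce2, hashlib.sha256).digest()
    results["cross_service_impersonation"] = bank2.verify("wally", forged)
    # Without a fingerprint the token refuses to answer at all.
    token.unlock(fingerprint_ok=False)
    try:
        token.respond("bank", bank2.challenge("wally"))
        results["locked"] = False
    except PermissionError:
        results["locked"] = True
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The single-use nonce is what defeats replay: a recorded response never matches a fresh challenge, and a consumed challenge cannot be verified a second time. Per-service keys are what stop the forum from impersonating you to the bank. With symmetric keys a service can still forge a response to itself; the public-key design BeBoxer describes closes that gap too, since the service then holds only the public half.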

  7. Re:Best password ever by ruvreve · · Score: 2, Insightful
    If you are one of these people who has a stupid password, you deserve what you get.

    The problem is that most of the people that have 'easy' passwords are not the ones that are affected. In a corporate environment, if somebody hacks into the system using an easy password, it's the IT department's fault and problem. HOW COULD THEY LET THIS HAPPEN! I don't care if the person wrote the password on the screen in white-out, you should have stopped this hacker. You are FIRED! Meanwhile the bonehead who did it continues to do it. That is why the circle was invented, to graphically illustrate this very example :)

  8. Re:That leads to DoS by RainbowSix · · Score: 3, Insightful

    Perhaps a good way to implement a lockout is that once lockout occurs it will still accept passwords but it must be typed in 3 times in a row at 15 seconds apart. It would only take 45 seconds to log in (as opposed to getting locked out for x minutes) but the delay and requirement would be a buffer against a cracking program.

    --
    --------
    It's OK to be social, just don't tell anyone about it.
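    RainbowSix's lockout variant is specific enough to implement, so here it is as an added example (not the commenter's code): an account that, after five failures, keeps accepting input but demands three correct entries at least 15 seconds apart before it lets anyone in. The clock is injected so the behaviour can be exercised without sleeping. The thresholds, the toy SHA-256 password storage, the wordlist and the timings are all constructed.

```python
import hashlib
import hmac

MAX_FAILURES = 5      # wrong guesses before the confirmation requirement kicks in
CONFIRMATIONS = 3     # correct entries needed once throttled
SPACING = 15.0        # minimum seconds between those entries

class ThrottledAccount:
    def __init__(self, password: str):
        # toy storage so the example is self-contained; use a salted slow KDF in practice
        self._digest = hashlib.sha256(password.encode("utf-8")).digest()
        self.failures = 0
        self.throttled = False
        self.confirmations = 0
        self.last_confirm = None

    def _matches(self, attempt: str) -> bool:
        probe = hashlib.sha256(attempt.encode("utf-8")).digest()
        return hmac.compare_digest(self._digest, probe)

    def login(self, attempt: str, now: float) -> bool:
        """`now` is an injected clock in seconds so callers need not sleep."""
        if not self.throttled:
            if self._matches(attempt):
                self.failures = 0
                return True
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.throttled = True
            return False

        # Throttled: still accept input, but demand CONFIRMATIONS correct entries
        # spaced SPACING seconds apart. A wrong guess restarts the chain, so a
        # wordlist run that moves on after one correct guess never completes it.
        if not self._matches(attempt):
            self.confirmations = 0
            self.last_confirm = None
            return False
        if self.last_confirm is not None and now - self.last_confirm < SPACING:
            return False          # too soon: not counted, not penalised
        self.confirmations += 1
        self.last_confirm = now
        if self.confirmations < CONFIRMATIONS:
            return False          # deliberately indistinguishable from a wrong guess
        # chain complete: back to normal service
        self.throttled = False
        self.failures = 0
        self.confirmations = 0
        self.last_confirm = None
        return True

def naive_wordlist_run(password: str, wordlist, rate_per_second: float = 100.0) -> bool:
    """A cracking tool that tries each candidate once, as fast as it can."""
    acct = ThrottledAccount(password)
    for i, guess in enumerate(wordlist):
        if acct.login(guess, now=i / rate_per_second):
            return True
    return False

def patient_user(password: str) -> list:
    """The legitimate owner after a colleague's five bad guesses: correct entries
    at t=10, 12 (too soon, ignored), 25 and 40 seconds. Returns each outcome."""
    acct = ThrottledAccount(password)
    for i in range(MAX_FAILURES):
        acct.login("wrong guess", now=float(i))
    return [acct.login(password, now=t) for t in (10.0, 12.0, 25.0, 40.0)]

if __name__ == "__main__":
    wordlist = ["password", "123456", "letmein", "rover", "jessica",
                "fluffy", "fluffy1", "fluffy2", "Fluffy1"]
    print("naive wordlist run got in:", naive_wordlist_run("fluffy1", wordlist))
    print("patient user outcomes:", patient_user("fluffy1"))
```

    A tool that tries each candidate once never completes the chain, because every wrong guess restarts it, and a correct-but-unconfirmed entry returns the same False as a wrong one, so the throttle does not leak which guess was right. A tool adapted to the scheme is still held to one candidate per 45 seconds. The cost lands on the legitimate user, who after someone else's failures needs three careful entries and 45 seconds to get back in, which is the trade-off the comment is proposing.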