Slashdot Mirror


Crappy Passwords Very Common

KeatonMill writes "CNN released this story about passwords. Apparently, a group of UK psychologists did a study about password selection, and found that many passwords can be guessed if access to the subject's desk is allowed (the article gives an example of sports memorabilia representing sports-related passwords). According to the study, 50 percent of people use names of family members or pets as passwords."

3 of 422 comments

  1. Guessing seldom needed by TandyMasterControl · · Score: 4, Interesting
    If you have access to a person's desk like the study stipulates, you have probably a 1 in 3 chance of finding the password written down somewhere.

    --
    Johnny Quest has two Daddies.
  2. Re:Best password ever by ergo98 · · Score: 5, Interesting

    He took the name of a family pet, just like an idiot would. But then he encrypted it with 4096 RSA PGP and the passphrase was his favorite saying. The 15th through 23rd characters were his password.

    That sounds like an interesting way of making a password a failsafe (i.e. you would be able to recover it if you forgot the special sequence of characters, and the password becomes not only the code sequence but also the process. i.e. a prehashing of hashing. An interesting scenario would be to say "my password is always WEAKPASSWORD but for each service I'll hash it through SHA1 with the service name, and I'll use characters 10-15 in hex form as my password"). I use strong passwords (bogus words, numbers and punctuation), yet one way in which my passwords are weak is that I don't subscribe to best practices for changing passwords regularly. Why? Because I've forgotten so many passwords that I'm cynical about the reality of password changing best practices... Recently I was thankful that my FreeBSD box has the single user local mode (without physical security there is no security) that lets you supersede the security systems, because it'd gone unmanaged for so long that I'd forgotten among the hundreds of passwords out there. I truly believe that if users are forced to regularly change passwords then they a) write it down, b) use weak passwords so they don't forget for the short period that they have to use it, c) use the same password on many different services. I believe that c is very common, and if you analyzed people's ICQ, Hotmail, Slashdot, computer, domain, etc. passwords you would find some pretty common correlations.

    And after he told me this, he changed it. Because he changes his PGP keys every week.

    He changes PGP keys every week? How do people that have to keep importing his public key feel about this? (Personally I'd have long refused to bother importing a new key each week).
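
The per-service derivation sketched in the comment above, written out as an added example that is not part of the original thread or any commenter's code. It assumes the master password and service name are simply concatenated and that "characters 10-15" is 1-indexed and inclusive; `stretched_scheme` is a substituted variant (PBKDF2-HMAC-SHA256, longer output) shown for comparison, and all function names are hypothetical.

```python
import base64
import hashlib
import math


def comment_scheme(master: str, service: str) -> str:
    """SHA-1 of master+service, keeping hex characters 10-15.

    Assumption: plain concatenation, slice is 1-indexed and inclusive.
    """
    digest = hashlib.sha1((master + service).encode("utf-8")).hexdigest()
    return digest[9:15]  # 6 hex characters


def stretched_scheme(master: str, service: str, length: int = 16,
                     iterations: int = 200_000) -> str:
    """Same idea with a deliberately slow KDF and a wider output alphabet.

    The service name acts as the salt, so every service still gets a
    different value, but each recomputation from a candidate master
    password costs `iterations` HMAC rounds instead of one SHA-1.
    """
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              service.encode("utf-8"), iterations, dklen=32)
    # 32 bytes -> 44 base64 characters; keep the first `length` of them.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def output_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of the derived string itself."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    master = "WEAKPASSWORD"               # placeholder taken from the comment
    for service in ("slashdot", "hotmail"):  # constructed sample names
        print(service, comment_scheme(master, service),
              stretched_scheme(master, service))
    # The derived string can never be stronger than its own length allows,
    # and never stronger than the master password it is computed from.
    print("6 hex chars:    ", output_bits(16, 6), "bits at most")
    print("16 base64 chars:", output_bits(64, 16), "bits at most")
```

Either way the scheme is recoverable as long as the master password and the procedure are remembered, which is the failsafe property the comment points out.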

  3. My two rules for passwords by rcw-home · · Score: 4, Interesting
    1. It has to take someone longer than 30 seconds to memorize it if they were to see it written down somewhere
    2. It has to take me less than 2 seconds to type it in

    Any password that fits these criteria will take a long time to crack and even longer to figure out by looking over someone's shoulder.

    ObTrivia: at a place I used to work, 246 out of 780 user accounts had a password of "", "pass", or "password". Before I convinced the IT director to let me implement strong passwords, anyway.