Crappy Passwords Very Common
KeatonMill writes "CNN released this story about passwords. Apparently, a group of UK psychologists did a study about password selection, and found that many passwords can be guessed if access to the subject's desk is allowed (the article gives an example of sports memorabilia representing sports-related passwords). According to the study, 50 percent of people use names of family members or pets as passwords."
He took the name of a family pet, just like an idiot would. But then he encrypted it with 4096-bit RSA PGP and the passphrase was his favorite saying. The 15th through 23rd characters were his password.
That sounds like an interesting way of making a password a failsafe (i.e. you would be able to recover it if you forgot the special sequence of characters, and the password becomes not only the code sequence but also the process, i.e. a prehashing of hashing. An interesting scenario would be to say "my password is always WEAKPASSWORD but for each service I'll hash it through SHA1 with the service name, and I'll use characters 10-15 in hex form as my password"). I use strong passwords (bogus words, numbers and punctuation), yet one way in which my passwords are weak is that I don't subscribe to best practices for changing passwords regularly. Why? Because I've forgotten so many passwords that I'm cynical about the reality of password changing best practices... recently I was thankful that my FreeBSD box has the single user local mode (without physical security there is no security) that lets you supersede the security systems, because it had gone unmanaged for so long that I'd forgotten its password among the hundreds of passwords out there. I truly believe that if users are forced to regularly change passwords then they a) write it down, b) use weak passwords so they don't forget for the short period that they have to use it, c) use the same password on many different services. I believe that c is very common, and if you analyzed people's ICQ, Hotmail, Slashdot, computer, domain, etc. passwords you would find some pretty common correlations.
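The "WEAKPASSWORD hashed with the service name, take hex characters 10-15" scheme from the comment above, worked through as an added example (this is not the commenter's code; the master string, the service names and the wordlist are constructed for illustration, and the assumption that "characters 10-15" means a 0-based, inclusive slice of six hex characters is mine). The point a practitioner should take from it is the last two functions: a six-character hex slice of an unsalted, fast hash is at most 24 bits, and once one derived password leaks, recovering the master is a plain offline wordlist attack. A slow, salted KDF variant is shown beside it for contrast.

```python
import hashlib

# Constructed example values (not from the post): a master secret in the
# style the commenter describes, and a few service names to derive for.
MASTER = "WEAKPASSWORD"
SERVICES = ["icq", "hotmail", "slashdot"]


def derive_service_password(master, service, start=10, end=15):
    """The scheme as the post sketches it: SHA-1 over the master string plus
    the service name, then a slice of the hex digest. The post says
    'characters 10-15'; this treats that as 0-based and inclusive, i.e.
    six hex characters (an assumption, the post does not say)."""
    digest = hashlib.sha1((master + service).encode("utf-8")).hexdigest()
    return digest[start:end + 1]


def entropy_bits(derived):
    """Upper bound on the strength of the derived password: each hex
    character carries 4 bits, so a six-character slice is at most 24 bits,
    however strong the master was."""
    return 4 * len(derived)


def recover_master(candidates, service, leaked):
    """What an attacker does once one derived password leaks (a breached
    site's database, a phished login) and the scheme is known: try master
    candidates offline until one reproduces the leaked slice. SHA-1 is fast
    and the 'salt' (the service name) is public, so this is just a wordlist
    attack on the master, and every other service's password falls with it."""
    for guess in candidates:
        if derive_service_password(guess, service) == leaked:
            return guess
    return None


def derive_with_kdf(master, service, length=16):
    """The same per-service idea with a deliberately slow, salted derivation:
    PBKDF2-HMAC-SHA256 with the service name as salt, a large iteration
    count, and a longer output (16 hex characters = 64 bits). Still a shared
    master, so a weak master is still the problem, but inverting a leaked
    derived password costs 200,000 hash calls per guess instead of one."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              service.encode("utf-8"), 200_000,
                              dklen=length // 2)
    return key.hex()


if __name__ == "__main__":
    for svc in SERVICES:
        p = derive_service_password(MASTER, svc)
        print(f"{svc:9s} {p}  (at most {entropy_bits(p)} bits)")
    # Simulate a leak of the slashdot password and a small attacker wordlist.
    leaked = derive_service_password(MASTER, "slashdot")
    wordlist = ["hunter2", "password", "WEAKPASSWORD", "letmein"]
    print("master recovered from one leak:",
          recover_master(wordlist, "slashdot", leaked))
    print("kdf variant for slashdot:", derive_with_kdf(MASTER, "slashdot"))
```

The derivation itself is deterministic and easy to redo from memory, which is the commenter's point; the weakness is that it gives every service a 24-bit password and makes the master recoverable from any one of them, so the scheme only holds up if the master is genuinely strong and the hash is replaced by something slow and salted.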
And after he told me this, he changed it. Because he changes his PGP keys every week.
He changes PGP keys every week? How do the people who have to keep importing his public key feel about this? (Personally I'd have long since refused to bother importing a new key each week.)