Slashdot Mirror


Crappy Passwords Very Common

KeatonMill writes "CNN released this story about passwords. Apparently, a group of UK psychologists did a study about password selection, and found that many passwords can be guessed if access to the subject's desk is allowed (the article gives an example of sports memorabilia representing sports-related passwords). According to the study, 50 percent of people use names of family members or pets as passwords."

18 of 422 comments

  1. In other news... by bwulf · · Score: 5, Funny

    ... water found to be wet[1], sky found to be blue, Earth found to be round[2] and CNN found to be obvious.

    [1] at certain temperatures
    [2] well, almost

  2. Guessing seldom needed by TandyMasterControl · · Score: 4, Interesting

    If you have access to a person's desk like the study stipulates, you have probably a 1 in 3 chance of finding the password written down somewhere.

    --
    Johnny Quest has two Daddies.

  3. Has to be crappy. by Account+10 · · Score: 5, Insightful

    The password policy where I work is 10 characters, mix of upper and lowercase, at least 1 non-alphabetic, expires every 6 weeks. So of course I write it down (indirectly) or put it in "logon.bat".
    Because of Windows' stupid caching, I already have to phone the helpdesk every 6 weeks to get my account unlocked when windows somewhere decides to try my old password 5 times in succession.

  4. People don't get password security by defile · · Score: 5, Funny

    I went to my bank the other day to assign a PIN to my ATM card. For this you need to sit down with a bank person at their desk. Just to be a pain in the ass, I asked her how many numbers I could enter (it's 7). She said 4. I entered 7 and it took.

    Then she went "How do you remember 7 numbers?" and I said "The same way I'd remember 4 numbers. It's not like remembering yet another set of numbers is going to be hard--I've memorized the passwords of at least 20 other services".

    To which the lady at the bank said "See, the best way is to just use the same password for EVERYTHING. This way you only need to remember one!"

    1. Re:People don't get password security by oo7tushar · · Score: 4, Funny

      The reason you want to enter 4 is because a lot of old systems only supported 4. They were trying to make you backwards compatible.
      But you raise an interesting point: passwords used to be the domain of the l33t (5, 10 years ago), but now everybody uses computers and they aren't as proficient. They can type, they can message, but they don't understand computer security; for them the net is still their computer and the most secure box on the planet. Why? Because it's in their home.

  5. Passwords.. by bje2 · · Score: 5, Insightful

    you know what my problem is??? i have dozens and dozens of passwords to remember...i have my work computer, my work e-mail, my home computer, my 2 home e-mail accounts, eBay, Slashdot, IM, etc...it's just too many passwords to remember...

    because of that, i've fallen into a bad rut for my passwords, i only have like three that i use on a regular basis, and i just reuse them whenever i register for a new account...don't get me wrong, i know that's a terrible thing to do...but i just can't bother myself to remember more and more passwords...god forbid someone found one out...

    does anyone have any tips for things they do, or products they use to keep track of their dozens and dozens of passwords...?

    ...that said, i think i'll go change my slashdot password...
    --

    "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson

  6. No s**t, Sherlock by seldolivaw · · Score: 4, Funny

    I realised this the moment the team leader of our software development project -- a woman who is about to graduate with a *degree* in *computer science* -- revealed that her password for nearly everything was her name, spelt backwards. *D'oh!*

  7. How to pick a good password by EricKrout.com · · Score: 4, Informative

    The best way to think of a password is to conjure up a phrase that's random, but easy to memorize. Then, just use the first letter of each word as your password.

    For example, if you're told to pick a password with at least six characters, you could randomly come up with: Dubya Doesn't Know A Goddamn Thing

    Then, you'll have a good, random password (ddkagt) and you'll remember it, too.

    If there are other restrictions (you need numbers, mix of upper/lower cases), just adjust your random phrase to coincide.

    m o n o l i n u x :: Imagine There's No Windows(tm). It's Easy If You Try.

    1. Re:How to pick a good password by Tony+Hoyle · · Score: 5, Funny

      MY boss does this using nursery rhymes. Sometimes when he's on holiday we have to get into his machine... you end up with half a dozen geeks reciting nursery rhymes to each other until the correct permutation is reached.
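
The first-letter-of-each-word trick above is easy to check mechanically against the kind of policy quoted in comment 3 (10 characters, mixed case, at least one non-alphabetic character) and against the trivial values reported in comment 16 ("", "pass", "password"). The following Go program is an added example, not code from the original thread or from any poster; the Policy type, the rule values and the second phrase are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy holds the kind of rules quoted in the thread (minimum length,
// mixed case, at least one non-alphabetic character). Hypothetical type.
type Policy struct {
	MinLen          int
	RequireUpper    bool
	RequireLower    bool
	RequireNonAlpha bool
}

// Acrostic builds a candidate password from the first character of every
// whitespace-separated word in phrase, keeping capitalisation as typed.
func Acrostic(phrase string) string {
	var b strings.Builder
	for _, w := range strings.Fields(phrase) {
		b.WriteRune([]rune(w)[0])
	}
	return b.String()
}

// trivial holds the three values comment 16 reports as most common at one
// site; a candidate equal to any of them (ignoring case) is rejected outright.
var trivial = map[string]bool{"": true, "pass": true, "password": true}

// CheckPolicy returns every rule the candidate violates; an empty result
// means the candidate is acceptable under p.
func CheckPolicy(p Policy, candidate string) []string {
	var violations []string
	if trivial[strings.ToLower(candidate)] {
		violations = append(violations, "is a well-known trivial password")
	}
	runes := []rune(candidate)
	if len(runes) < p.MinLen {
		violations = append(violations, fmt.Sprintf("shorter than %d characters", p.MinLen))
	}
	var upper, lower, nonAlpha bool
	for _, r := range runes {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case !unicode.IsLetter(r):
			nonAlpha = true
		}
	}
	if p.RequireUpper && !upper {
		violations = append(violations, "no upper-case letter")
	}
	if p.RequireLower && !lower {
		violations = append(violations, "no lower-case letter")
	}
	if p.RequireNonAlpha && !nonAlpha {
		violations = append(violations, "no non-alphabetic character")
	}
	return violations
}

func main() {
	// The 10-character policy from comment 3, as constructed values.
	corp := Policy{MinLen: 10, RequireUpper: true, RequireLower: true, RequireNonAlpha: true}
	for _, phrase := range []string{
		"Dubya Doesn't Know A Goddamn Thing",          // the phrase from comment 7
		"My 2 cats, Felix & Tom, sleep all day long!", // constructed 10-word phrase
	} {
		pw := Acrostic(phrase)
		fmt.Printf("%q -> %q violations=%v\n", phrase, pw, CheckPolicy(corp, pw))
	}
}
```

The six-word phrase from the comment yields "DDKAGT", which the corporate policy rejects on three counts (too short, no lower-case letter, nothing non-alphabetic); a longer phrase that includes a digit and punctuation passes, which is the "adjust your random phrase to coincide" step of the comment made explicit.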

  8. The fallacy of their argument by Walter+Bell · · Score: 5, Insightful

    ...is that, although biometrics will generate a nice password like "sdf987*(&^JJHASBDjkasdjkh231*()&as" that nobody could ever guess, the problem of a replay attack is undeniable. That is, once somebody can obtain your biometric hash through the use of a rogue thumbprint scanner, there's no way (by definition) that you'll ever be able to change it to something different and make it secure again. And that is why putting biometric scanners on personal PCs with insecure Micro$oft operating systems opens the door quite wide to identity theft.

    The best authentication schemes involve something you know (a PIN or password) and something you have (a smartcard, RSA key fob, or some other device that implements a challenge/response system to authentication queries).

    ~wally

  9. Re:Best password ever by ergo98 · · Score: 5, Interesting

    He took the name of a family pet, just like an idiot would. But then he encrypted it with 4096 RSA PGP and the passphrase was his favorite saying. The 15th through 23rd characters were his password

    That sounds like an interesting way of making a password a failsafe (i.e. you would be able to recover it if you forgot the special sequence of characters, and the password becomes not only the code sequence but also the process. i.e. A prehashing of hashing. An interesting scenario would be to say "my password is always WEAKPASSWORD but for each service I'll hash it through SHA1 with the service name, and I'll use characters 10-15 in hex form as my password"). I use strong passwords (bogus words, numbers and punctuations), yet one way in which my passwords are weak is that I don't subscribe to best practices for changing passwords regularly. Why? Because I've forgotten so many passwords that I'm cynical about the reality of password changing best practices...recently I was thankful that my FreeBSD box has the single user local mode (without physical security there is no security) that lets you supersede the security systems because it'd gone unmanaged for so long that I'd forgotten among the hundreds of passwords out there. I truly believe that if users are forced to regularly change passwords then they a) write it down, b) use weak passwords so they don't forget for the short period that they have to use it, c) they use the same password on many different services. I believe that c is very common, and if you analyzed people's ICQ, Hotmail, Slashdot, computer, domain, etc passwords you would find some pretty common correlations.

    And after he told me this, he changed it. Because he changes his PGP keys every week.

    He changes PGP keys every week? How do people that have to keep importing his public key feel about this? (Personally I'd have long refused to bother importing a new key each week).

  10. Epasswd by jhunsake · · Score: 4, Insightful

    Enforce password conventions the way NASA does... Epasswd

  11. What about the inverse? by dsb3 · · Score: 5, Funny

    I once named a pet (it was a fish, in fact) after one of my passwords. Shame it wasn't one of the more pronounceable ones.

    --

    Slashdot? Oh, I just read it for the articles.

  12. Welcome to the Slashdot Server by Wordsmith · · Score: 4, Funny

    Welcome to the Slashdot Server

    Login: CmdrTaco
    Password: Kathleen

    "Whoohoo! I'm in!"

  13. Re:Biometrics... by BeBoxer · · Score: 5, Insightful

    The problem with biometrics as passwords is that they can still be obtained via other methods such as password sniffing and they can't be changed. So by themselves, they are even worse than regular passwords.

    Let's look at the "obvious" method of using say fingerprints as passwords. A print scanner on your keyboard scans your print into some sort of unique id. When you want to log in to some service, the keyboard sends your username along with your print id in lieu of a regular password. The service checks your username and print in its database and decides whether or not to grant access. The problem with this type of setup is that every service you use has the ability to impersonate you to every other service you use. Not a good idea at all. This is the same fundamental flaw credit cards have. Every vendor you do business with has the ability to impersonate you to every other vendor who accepts your type of credit card. Hence all the fraud. But at least with credit cards you can get a new number if someone starts abusing it.

    Really, the only way to do authentication that doesn't suffer from this flaw is to use a public-key based method. It's absolute insanity to start sending your fingerprint everywhere and using it as an ID. Absolutely the dumbest way of doing authentication online I can think of. Which is not to say that biometrics don't have their place at all. It can be used in very limited means inside of closed systems and provide a reasonable increase in security. I think where this will end up is that we will each have a small portable hardware device which can do secure public-key based authentication for us. A fingerprint can be used to authenticate us to our hardware token. Since the fingerprint never has to leave the token, it isn't nearly as vulnerable to being stolen. Imagine an ATM card which has a small number pad on it. You type the amount you want to withdraw into your ATM card which scans your prints as you type the amount in. Then, you insert the card into the ATM machine and the card securely authorizes a withdrawal in the amount you entered. This authorization protocol can be public and standardized without any loss of security. Your fingerprint never leaves the card so isn't vulnerable to theft.

    Note that there are companies now selling the keyboard-style scanners. In my opinion, these are nothing but snake oil. From looking thru the descriptions of the available products, all of the ones I've found appear to be transmitting a fingerprint 'hash' to an authentication database. It's not hard to imagine software hacks which can record the fingerprint info as it comes in off the USB or parallel port and later replay that information to spoof users. While some hackers might still be guessing passwords, a lot are now using software to grab passwords either off the network or off the keyboard. Fingerprint scanners do nothing to prevent this type of hack except make it impossible to change the password after it's been stolen. So not only are you still vulnerable, your options for correcting the problem after the hack are drastically reduced.

    Inside of a corporate environment where all hardware and software installations are tightly controlled, there might be some value. But it's not a general purpose authentication technique. Every terminal you use will gain the ability to impersonate you, and every server you log into will gain the ability to impersonate you. Which is the case now, but I don't use the same password for Slashdot that I use for my shell accounts. And I don't log into my shell accounts from computers I have no reason to trust (such as at a cyber cafe.) If everyone is using biometrics, then the services you trust least (like Slashdot say) have the information they need to impersonate you to the places you trust most (your bank, your shell accounts at work, etc.) When I say 'trust', I'm probably using the wrong word. What I mean is I don't really care very much if someone steals my Slashdot password. It's not a big deal. I do care if someone steals my work passwords, or online banking passwords. I would never use the same password both places which is exactly what biometrics force me to do.
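
The two designs BeBoxer contrasts above (a static "print hash" sent to every service, versus a token that keeps the print and a private key on-device and only answers challenges) can be compared directly in code. The following Go program is an added example, not code from the original thread or from any poster; the Token and Service types, the "bank"/"forum" names, the fingerprint template bytes and the use of Ed25519 for the signatures are constructed assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Token models the portable device described in the comment. The private key
// is generated on the token and no method ever returns it; the fingerprint
// template likewise stays on the token and is only compared locally.
type Token struct {
	priv     ed25519.PrivateKey
	pub      ed25519.PublicKey
	template []byte // constructed stand-in for an enrolled fingerprint
	unlocked bool
}

// NewToken enrols a fingerprint template and generates the key pair on-device.
func NewToken(template []byte) (*Token, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, pub: pub, template: append([]byte(nil), template...)}, nil
}

// PublicKey is the only thing a service ever learns about the token.
func (t *Token) PublicKey() ed25519.PublicKey { return t.pub }

// Unlock stands in for the on-card print check; the scan never leaves the card.
func (t *Token) Unlock(scan []byte) bool {
	t.unlocked = subtle.ConstantTimeCompare(scan, t.template) == 1
	return t.unlocked
}

// challengeMessage binds a challenge to the service that issued it.
func challengeMessage(service string, challenge []byte) []byte {
	return append([]byte(service+"|"), challenge...)
}

// Respond signs a service-issued challenge; a response obtained by one
// service therefore cannot be presented to another.
func (t *Token) Respond(service string, challenge []byte) ([]byte, error) {
	if !t.unlocked {
		return nil, errors.New("token locked: fingerprint not verified")
	}
	return ed25519.Sign(t.priv, challengeMessage(service, challenge)), nil
}

// Service stores public keys only, so even a compromised service cannot
// impersonate its users elsewhere. Challenges are random and single-use.
type Service struct {
	Name    string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewService(name string) *Service {
	return &Service{Name: name, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Service) Enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte nonce for the user to sign.
func (s *Service) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the response against the outstanding challenge and consumes it.
func (s *Service) Verify(user string, response []byte) bool {
	nonce, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(s.users[user], challengeMessage(s.Name, nonce), response)
}

// StaticLogin is the keyboard-scanner model the comment criticises: a fixed
// print hash sent every time, so anything that records it can replay it.
func StaticLogin(stored, presented []byte) bool { return bytes.Equal(stored, presented) }

// DemoResult records which of the comment's scenarios succeed.
type DemoResult struct {
	StaticReplay  bool // recorded static print hash replayed: true (the flaw)
	LockedRefuses bool // locked token refuses to sign: true
	Legit         bool // unlocked token answers the bank's challenge: true
	TokenReplay   bool // recorded response replayed against a new challenge: false
	CrossService  bool // response recorded by the forum presented to the bank: false
}

// Demo runs the scenarios with one token enrolled at two services.
func Demo() (DemoResult, error) {
	var r DemoResult
	printHash := []byte("constructed-print-hash-0001")
	r.StaticReplay = StaticLogin(printHash, append([]byte(nil), printHash...))

	tok, err := NewToken([]byte("constructed-template"))
	if err != nil {
		return r, err
	}
	bank, forum := NewService("bank"), NewService("forum")
	bank.Enroll("alice", tok.PublicKey())
	forum.Enroll("alice", tok.PublicKey())

	ch, err := bank.Challenge("alice")
	if err != nil {
		return r, err
	}
	if _, err := tok.Respond(bank.Name, ch); err != nil {
		r.LockedRefuses = true
	}
	tok.Unlock([]byte("constructed-template"))
	resp, err := tok.Respond(bank.Name, ch)
	if err != nil {
		return r, err
	}
	r.Legit = bank.Verify("alice", resp)

	// Replay: the recorded response against a freshly issued challenge.
	if _, err := bank.Challenge("alice"); err != nil {
		return r, err
	}
	r.TokenReplay = bank.Verify("alice", resp)

	// Cross-service: the forum records Alice's answer to its own challenge
	// and tries to use it at the bank.
	fch, err := forum.Challenge("alice")
	if err != nil {
		return r, err
	}
	fresp, err := tok.Respond(forum.Name, fch)
	if err != nil {
		return r, err
	}
	if _, err := bank.Challenge("alice"); err != nil {
		return r, err
	}
	r.CrossService = bank.Verify("alice", fresp)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The static model accepts the recorded value every time, which is the "impossible to change the password after it's been stolen" problem in code. With the token, the forum holds only a public key and a signature over its own challenge, neither of which the bank will accept, and a recorded response is rejected because each challenge is random and consumed on first use.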

  14. Re:Best password ever by zzyzx · · Score: 4, Funny

    My PIN is pi... The last 4 digits.

  15. Re:So? Only allow 'trusted' devices... by Detritus · · Score: 4, Funny

    You can't exactly ask your admin to change your fingerprints.

    I can change them for you. Where did I put that cheese grater...

    --
    Mea navis aericumbens anguillis abundat

  16. My two rules for passwords by rcw-home · · Score: 4, Interesting

    1. It has to take someone longer than 30 seconds to memorize it if they were to see it written down somewhere
    2. It has to take me less than 2 seconds to type it in

    Any password that fits these criteria will take a long time to crack and even longer to figure out by looking over someone's shoulder.

    ObTrivia: at a place I used to work, 246 out of 780 user accounts had a password of "", "pass", or "password". Before I convinced the IT director to let me implement strong passwords, anyway.