Slashdot Mirror


Users feel Password Rage

Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."

6 of 388 comments

  1. Re:Old Problem by LostCluster · · Score: 3, Insightful

    Overly tight security rules lead to Type II security errors... the kind where the people who are supposed to get into the system can't. As a result, people start circumventing the rules, which ends up weakening that overly tight security... oops.

    People who make the rules need to think a little more sometimes.

  2. What's so hard about remembering passwords? by iapetus · · Score: 3, Insightful

    Build a system for generating passwords from other information that's easier to remember. Books and their authors. Songs. Quotes from your favourite movies. American Football players. It's easy enough to build a quick and easy set of rules for which letters should be capitalised, where numbers should appear and so on. And it's a hell of a lot easier for me to remember that my root password is American Pie than it is to remember that it's dm7aO2Eg, or that my password for the database server at work is One Week rather than bl31eOWs. There's a huge range of subject matter to pick from, and although the passwords aren't random and do have patterns that make them slightly weaker than genuinely random, they're a damn sight better than the ones most people use, they won't succumb to a dictionary attack, they're easy to remember, and they meet the requirements set down by any password security checker.

    --
    ++ Say to Elrond "Hello.".
    Elrond says "No.". Elrond gives you some lunch.

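The scheme in the comment above, as an added example that is not part of the original post: a fixed, memorable rule set turns a phrase into a password, and the result is then run through the two checks the commenter mentions, a complexity checker and a dictionary check. The substitution table, the complexity thresholds and the word list are all constructed for illustration and are not from the page.

```python
import re
import string

# Constructed rule set (an assumption, not the commenter's rules): capitalise
# each word, swap a few letters for digits/symbols, append the word count.
SUBSTITUTIONS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
REVERSE = {v: k for k, v in SUBSTITUTIONS.items()}

# Constructed toy word list standing in for a cracking dictionary.
WORDLIST = {"password", "p4ssw0rd", "letmein", "american", "pie", "week"}


def phrase_to_password(phrase: str) -> str:
    """Apply the rule set to a memorable phrase, e.g. a song title."""
    words = phrase.split()
    out = []
    for w in words:
        w = w[0].upper() + w[1:].lower()
        out.append("".join(SUBSTITUTIONS.get(c, c) for c in w))
    return "".join(out) + str(len(words))


def meets_complexity(pw: str, min_len: int = 9, min_classes: int = 3) -> bool:
    """The kind of test a typical password checker applies: length plus
    at least `min_classes` of upper/lower/digit/symbol."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= min_classes


def in_dictionary(pw: str) -> bool:
    """Would a dictionary attack that also tries common leet substitutions
    hit this password as a single word? Undo the substitutions, drop
    non-letters and look the stem up."""
    lowered = pw.lower()
    plain = "".join(REVERSE.get(c, c) for c in lowered)
    plain = re.sub(r"[^a-z]", "", plain)
    return lowered in WORDLIST or plain in WORDLIST


if __name__ == "__main__":
    for phrase in ("American Pie", "One Week"):
        pw = phrase_to_password(phrase)
        print(phrase, "->", pw, "complexity:", meets_complexity(pw),
              "dictionary hit:", in_dictionary(pw))
```

Note that passing both checks says nothing about how guessable a two-word song title is to someone who knows the rule set; the checks only confirm the commenter's narrower claims (passes the checker, is not a single dictionary word).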
  3. Password change policies by Alioth · · Score: 4, Insightful

    The worst is the password policy that not only requires you to have a password that resembles line noise and is a minimum of 9 characters long, but also requires a change every 28 days.

    The unintended consequence of this policy is instead of users bothering to choose a good quality password and making the effort to remember it, they either write it down and stick it on a post-it to their monitor (!) or they use something as a password that's on a book by their desk (such as a book name + part of its ISBN). The result is that the password is orders of magnitude easier to crack than if they weren't forced to change it as often or faced with a bizarrely complex password policy. And of course, when they change it, all they do is increment or decrement the trailing digit or character anyway.

    Then there's password synchronization. On one network at $ORK, the password has to be synced in (a) a Novell NetWare tree (b) M Sexchange server, (c) web proxy (d) Windows domain. There are frequent failures with this synchronization (usually (a), (c) and (d) synchronize fine, but the M Sexchange server doesn't). The only solution is to reset the password which will resync it on all. It would be much nicer to have a passphrased public/private key pair, and use those to authenticate with everything.
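The "increment the trailing digit" rotation described above is something a password-change handler can catch, because at change time the user supplies both the old and the new password. The following is an added example, not code from the post or from any of the systems it names; the rejection rules (same stem after stripping trailing digits, last character only changed, edit distance of two or less) are assumptions chosen for illustration.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def stem(pw: str) -> str:
    """Password with any run of trailing digits removed: Summer7 -> Summer."""
    return pw.rstrip("0123456789")


def is_trivial_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is the old one with a cosmetic tweak.
    Thresholds are illustrative assumptions."""
    if old == new:
        return True
    # Summer7 -> Summer8, Pa$$word1 -> Pa$$word12
    if stem(old) and stem(old) == stem(new):
        return True
    # Wint3r! -> Wint3r@ (only the final character differs)
    if len(old) == len(new) and old[:-1] == new[:-1]:
        return True
    # catch-all for one or two character changes anywhere
    return edit_distance(old, new) <= max_edits


def change_password(old: str, new: str) -> str:
    """What a change handler would return to the user (the real handler
    would also verify `old` against the stored hash first)."""
    if is_trivial_rotation(old, new):
        return "rejected: new password is too similar to the old one"
    return "accepted"


if __name__ == "__main__":
    for old, new in (("Summer7", "Summer8"), ("Wint3r!", "Wint3r@"),
                     ("Summer7", "correct horse battery")):
        print(old, "->", new, ":", change_password(old, new))
```

The comparison has to happen in the change flow, where the old password is momentarily available in cleartext; the stored hash alone cannot support it, which is also why a history check against hashes only catches exact reuse.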

  4. Biometrics are hated by real security geeks. by perry · · Score: 4, Insightful

    I don't understand this "security experts say biometrics will fix the password problem", since I'm a professional security geek and I don't think that and I know of no fellow security geeks who think that. Indeed, most of us make fun of biometrics when they are mentioned as a solution to such problems.

    Biometrics are essentially useless for over-the-net identity verification because you have no way of knowing whether the equipment on the other end has been tampered with. There might be no retinal scanner there at all -- just software that pretends there is one and feeds you faked up scans. There is also no way to change your retinal scan if it is compromised, so if someone finds a way to get information on your retina, they can thereafter fake your scan over the net with impunity. It isn't like your retina can engage in a public key authentication protocol with the equipment -- the equipment just makes a measurement, which once stolen can be replicated and by definition cannot be easily changed. Ditto for fingerprint scanners or any other biometric measuring instrument.

    Also, the quality of biometric authentication, even when the scanners are known good and untampered with, is very questionable. The false positive and negative rates are unacceptably high -- measured in percent, not in hundredths or thousandths of a percent. That might be fine for unlocking the weather report, but is completely unacceptable for authorizing a purchase. Worse still, those false identification rates are unlikely to change.

    In short, biometrics are not of any use for over the net authentication. They are only useful in very limited applications, like verifying identity at a door with a guard who makes sure you don't tamper with the equipment, and even then only if the system is verifying your identity based on another mechanism of conveying identity (like an ID badge) rather than attempting to determine who you are based on the scan.

    Determining who you are based on the scan has an amazing error rate -- put a fingerprint scanner up on a door to identify rather than to verify an ID card and one in ten people will just walk in by putting their thumb up to it after being falsely identified as a user of the system. If you actually need security, such rates are unacceptable.

    Anyway, as I said, serious security people rarely mention biometrics in any context, and never for over the net transactions.

    Why, then, do biometrics keep getting press? I'm guessing because if you don't know anything about security, biometrics seem like a sexy idea, and because there are so many startups that have millions of dollars gambled on biometrics and would like people to think that they are going to be of some use in the security world.
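The distinction the comment draws between verifying an identity the badge already asserts (one comparison) and identifying a person from the scan alone (one comparison per enrolled user) can be put in numbers. This is an added worked example, not from the post: it assumes each comparison is independent with a fixed per-comparison false match rate, and the rates used are constructed for illustration rather than taken from any real scanner.

```python
import math


def false_accept_identification(fmr: float, enrolled: int) -> float:
    """Probability that a non-enrolled person matches at least one of
    `enrolled` stored templates when each comparison falsely matches with
    probability `fmr` (independence assumed). Verification mode against a
    badge-named template is the `enrolled == 1` case."""
    if not 0.0 <= fmr <= 1.0 or enrolled < 0:
        raise ValueError("fmr must be in [0, 1] and enrolled non-negative")
    return 1.0 - (1.0 - fmr) ** enrolled


def max_enrolled_for_target(fmr: float, target: float) -> int:
    """Largest enrolled population for which identification-mode false
    acceptance stays at or below `target`, from (1 - fmr)^n >= 1 - target."""
    if not 0.0 < fmr < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("fmr and target must be strictly between 0 and 1")
    return math.floor(math.log(1.0 - target) / math.log(1.0 - fmr))


if __name__ == "__main__":
    fmr = 0.01  # constructed: 1 in 100 per comparison, "measured in percent"
    for n in (1, 10, 100):
        print(f"enrolled={n:4d}  false accept={false_accept_identification(fmr, n):.3f}")
    print("largest population keeping false accept <= 10%:",
          max_enrolled_for_target(fmr, 0.10))
```

With a one percent per-comparison rate, a door that identifies against ten enrolled users lets in roughly one stranger in ten, which is the figure the comment gives; against a hundred users it is closer to two in three. The same scanner in verification mode stays at one percent regardless of population, which is the whole argument for pairing it with an ID badge.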

  5. Re:USB keys by Carmody · · Score: 4, Insightful

    Most of the users in my environment simply write all their passwords on a piece of paper and stick them to their computer.

    Problem solved!

    You laugh, but in certain contexts, that is the easiest way to go, and not that bad, security-wise.

    For example, I post on slashdot. I need a password, so pranky kids don't post under my name, saying rude things. Fine. Now let's say I wrote the password on a piece of paper, taped to my monitor.

    Who sees my monitor? The custodian. I know Bernadette - she is a nice lady and isn't going to hack my slashdot account. My colleagues? They haven't the slightest interest in doing such a thing, nor do they have the time.

    There are also low-stakes passwords. If my net-flix password got out, you all could ADD AND DELETE MOVIES FROM MY QUEUE! Oh the horror! If someone wanted my net-flix password, they could break into my office and find it in a .txt file on my computer desktop. But once I noticed my queue had been changed, I would alter the password.

    Obviously, I am careful with my bank password, etc. But otherwise, I don't see why it's so bad to have low-security when high-security is unwarranted.

    --
    God is real unless declared integer

  6. Passwords and e-commerce sites. by stickb0y · · Score: 3, Insightful
    (Part of a rant I originally posted to Ars Technica's forums.)

    I admit that I know nothing about business, but it seems clear to me one of the primary goals should be to make it as easy as possible to separate willing customers from their money. If people want to give you money, don't make them jump through hoops.

    For example, an alarming number of sites I've visited require me to create an account to buy something. This is a turn-off.

    • For a first-time shopper who may never visit your site again, it's an extra, unnecessary step.

    • An account implies that my name, address, telephone number, email address, and credit card number are stored on file. No thanks.

    • Creating an account means I have to supply a password. This means that I either make up a new password (which I will need to remember but won't should I ever return), or I re-use a password I've used elsewhere. In other words, that's either one more password I need to remember or one more place where someone can steal it.

      I have no evidence of this, but I suspect at least 90% of people re-use passwords. As a consequence, I must ask myself: do I trust your site with my password? (It suddenly strikes me as odd that I would trust a site with my credit card number but not my password, but I do.) Even if the answer is yes, that's one more decision the customer who has already decided to buy something from you has to make; that's one more point where the customer can change his/her mind.

    Please, don't require accounts. Provide them as a convenience to repeat customers, but don't make them a barrier to first-timers. Make the first-timers happy, build up trust, and they'll be more likely to come back.

    (If you do use accounts, it would be reassuring to know if your site hashes or encrypts passwords before storing them.)
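What "hashes passwords before storing them" should mean in practice, as an added example that is not from the post or any site it describes: a per-user random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), a constant-time comparison on verification, and a way to notice stored records whose work factor has fallen behind policy. The storage string format and the iteration counts are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed policy value; raise it as hardware improves


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$derived_key.
    A fresh 16-byte salt means identical passwords produce different records,
    so a leaked table cannot be attacked with one precomputed lookup."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time; malformed records simply fail."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_upgrade(stored: str, policy_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than current policy;
    a site would re-hash at the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < policy_iterations


if __name__ == "__main__":
    record = hash_password("hunter2")          # constructed sample password
    print("stored:", record)
    print("correct password verifies:", verify_password("hunter2", record))
    print("wrong password verifies:", verify_password("hunter3", record))
    print("needs upgrade:", needs_upgrade(record))
```

Encrypting passwords instead, which the comment mentions as the alternative, leaves the site holding a key that decrypts every password at once; a salted, slow hash gives the site nothing to leak but the cost of guessing.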