Slashdot Mirror

← Back to Stories (view on slashdot.org)

Users feel Password Rage

Posted by CmdrTaco on from the hulk-no-can-log-in-hulk-smash-puny-pc dept.

Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."

11 of 388 comments (clear)

  1. USB keys by chrysalis · · Score: 4, Interesting

    USB keys are really neat to store keys (PGP, SSH, etc) .

    This is definitely the handiest way to replace multiple passwords.

    --
    {{.sig}}
    1. Re:USB keys by TCM · · Score: 5, Interesting

      How does this protect malware to read it off your USB stick _and_ use it? Right, you protect your private PGP key with.. a password!

      The only thing that comes to mind that's even remotely sophisticated is an "intelligent" USB stick, so to speak. It contains your private key and never gives that out to anything. Instead, it gets fed a challenge, encrypts it using the key and sends it back to the computer where the corresponding public key is stored.

      Is anyone using something like this on a regular basis (for his home server/desktop)?

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
  2. Wallet by spoonist · · Score: 4, Interesting

    Store then in your wallet like Bruce Schneier does.

    Note: I don't store mine in my wallet, so keep your hands to yourself!

    1. Re:Wallet by amcguinn · · Score: 4, Interesting

      And check his reasons for doing it: A wallet is a secure container for things you don't want to lose or have stolen. If I lost my wallet, the handful of medium-high importance passwords I would compromise would be among the least of my worries.

      Using the same passwords for multiple different services is much more dangerous, and no-one could possibly memorise unrelated secure passwords for everything needed. I need about 20 just to do my work, and I'm usually required to change one or two of them every week.

      The worst was my office voicemail. I rarely used it, and the required password change frequency was set so high that it demanded a new password every single time I tried to pick up a message. The end result was I turned the fscking thing off as it wasn't worth the effort to use.

  3. Password rage? Try password-phobia. by JessLeah · · Score: 4, Interesting

    I had an ex-boss-- the CEO of a dot-com-- who simply hated passwords. Her solution? Set up all of our workstations without a password at all, or with the same password, which never changed. (The password was the name of the company.) This was in an office in New York City, which we shared with other companies.

    Apparently, this hatred of passwords had even spread so far as the techs-- when I joined the company, I almost immediately found that one of our three servers (running Windows (NT 4.0 Server), no less, had NO Administrator password whatsoever.

    Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over). I run a Web host myself, and I constantly have to explain to users why good passwords are important. And this problem has gotten much worse with time (at present my company is 5 years old).

    People generally have the attitude of "Oh, who would try breaking into my account, I just have some photos of my cat there." Maybe so, but if your account has a one-word password, and you have shell or FTP access to the system, Bad Things could happen if your account was compromised...

    And then, of course, the techs (us!) would get blamed.

    --
    Honey, I shrunk the Cygwin
  4. Old Problem by R2.0 · · Score: 4, Interesting

    Former job: had access to 3 different database systems and the Lan. Passwords had to be changed every month, and no repeats were allowed for 6 months.

    Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]

    I was in blatant violation of the password policies, but they were unworkable. Policy was: different passwords for each system, composed of a random string of letters, numbers, and sysmbols. Add in changing it every month, and you get the picture.

    And BTW - everyone on site, even the IT dept., did it the way I did.

    --
    "As God is my witness, I thought turkeys could fly." A. Carlson
  5. use a token by neglige · · Score: 4, Interesting

    For those really secure passwords, I look around in my office, pick a token, and use something from it as a password. Could be the ISBN number from my favourite book. Could be a book title. Could be the favourite track on a CD (or the MD5 sum of your favourite MP3). The model of your monitor. Anything. It's unlikely you will forget which token you used and what from that token you took as a password. If you really forgot, just take a look around, and you'll remember.

    This assumes, of course, that there are passwords that you only need at work, and not at home (and vice versa). It's a start, though, and reduces the number of password you really need to memorize.

    --
    My cats ate my karma. They also wrote this comment.
  6. A few thoughts by arvindn · · Score: 4, Interesting
    OnceUponATime, I used to have a password dictionary for download, here's the thoughts on passwords I'd written on that page:
    Humans are horrible at selecting and using passwords. We have to live with passwords, however, since no other authencation mechanism is good enough to find use outside niches. (Let's face it: when humans interact with computers, we still have to go more than halfway to meet them.) We keep forgetting passwords, because we aren't really good at remembering lexical/numerical data. There are three things people to about this: write passwords down, choose weak passwords and choose the same password for several unrelated accounts. All of these are bad. Very bad.

    Choosing the same password for different accounts is particularly bad. I imagine script kiddies have well-maintained databases of username:password pairs going around. (If they don't, at least the NSA has one.) I remember reading somewhere about how someone could easily acquire a sizeable list of username:password pairs. Set up a website offering free porn. No popups or other annoyances, but require users to create an account before being able to access much. Get word out about your site. Bingo. There you go.

    A lot of websites store their users' passwords as plaintext. If crackers were consceintious enough to update a centralized list every time a website got cracked, I suppose anyone who uses the same password everywhere can be more or less certain that the black hats have got it.

    I'm guilty of reusing passwords myself. I use one of only about 3 or 4 for accounts on random websites, but at least I use different ones for the machines on which I have any data that matters. The alternative of remembering all your account:password pairs is simply too much work. Browsers that fill in your password for you alleviate the problem somewhat, but if you browse from a lot of different accounts its still a pain.

    As a sysadmin there is nothing much you can do about users writing down passwords or reusing them (except perhaps lecturing), but you can ensure that they don't choose weak passwords.

  7. Biometrics on it's own is weak authentication by Herrieman · · Score: 5, Interesting

    Biometrics on it's own is still one-factor, and thus weak, authentication. To make it strong authentication, you still have to add:

    - something you have (such as a token) or
    - something you know (such as a password or pin :))

    --
    http://blog.astyran.sg
  8. Silly... by mraymer · · Score: 4, Interesting
    Memorization is one of the easiest skills that the human brain is capable of. I think a lot of the frustration with passwords (and computers in general) is simply due to users lacking confidence.

    Ever notice that the people who always forget passwords are the same ones that, when presented with one, will say "I'll never remember that!"

    Granted, some people have better memories than others, but a little more confidence couldn't hurt. When a person says "I'll never remember that" they're basically choosing not to.

    --

    "To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking

    1. Re:Silly... by Zachary+Kessin · · Score: 4, Interesting

      Problem is we are good at memorizing paterns. And patterns are easy to guess. When Richard Feynman tried to crack the safes at Las Almos he found that a very large number of them were set to 31 41 59 or 27 18 28 (pi and e). We are good at memorizing things because we expect to find paterns, which is makes it easy to attach the password.

      Now if you are cleaver you can change things just enough, or say put in letters of two langages. But most people just pick something stupid and go with it.

      I will admit to having a throw away password, that I use when I need a password for something I don't care about.

      --
      Erlang Developer and podcaster