Slashdot Mirror

← Back to Stories (view on slashdot.org)

Users feel Password Rage

Posted by CmdrTaco on from the hulk-no-can-log-in-hulk-smash-puny-pc dept.

Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."

27 of 388 comments (clear)

  1. USB keys by chrysalis · · Score: 4, Interesting

    USB keys are really neat to store keys (PGP, SSH, etc) .

    This is definitely the handiest way to replace multiple passwords.

    --
    {{.sig}}
    1. Re:USB keys by TCM · · Score: 5, Interesting

      How does this protect malware to read it off your USB stick _and_ use it? Right, you protect your private PGP key with.. a password!

      The only thing that comes to mind that's even remotely sophisticated is an "intelligent" USB stick, so to speak. It contains your private key and never gives that out to anything. Instead, it gets fed a challenge, encrypts it using the key and sends it back to the computer where the corresponding public key is stored.

      Is anyone using something like this on a regular basis (for his home server/desktop)?

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    2. Re:USB keys by curious.corn · · Score: 4, Informative

      those are smartcards you are talking about. They contain a small general purpouse microprocessor and special storage for OS and data. Once locked, data cannot be read out of the device but only used within the programs stored within. It appals me that those things aren't ubiquitous and/or used for POS C/C systems. Some cryptalalysts managed to weasel some data out of them only by physically interfering with the operating device to cause program execution failures (heating or EM interference). Still much safer than a crummy magnetic strip and a numeric code.

      --
      Mi domando chi à il mandante di tutte le cazzate che faccio - Altan
    3. Re:USB keys by Carmody · · Score: 4, Insightful

      Most of the users in my environment simply write all their passwords on a piece of paper and stick them to their computer.

      Problem solved!

      You laugh, but in certain contexts, that is the easiest way to go, and not that bad, security-wise.

      For example, I post on slashdot. I need a password, so pranky kids don't post under my name, saying rude things. Fine. Now let's say I wrote the password on a piece of paper, taped to my monitor.

      Who sees my monitor? The custodian. I know Bernadette - she is a nice lady and isn't going to hack my slashdot account. My colleagues? They haven't the slightest interest in doing such a thing, nor do they have the time.

      There are also low-stakes passwords. If my net-flix password got out, you all could ADD AND DELETE MOVIES FROM MY QUEUE! Oh the horror! If someone wanted my net-flix password, they could break into my office and find it in a .txt file on my computer desktop. But once I noticed my queue had been changed, I would alter the password.

      Obviously, I am careful with my bank password, etc. But otherwise, I don't see why it's so bad to have low-security when high-security is unwarrented.

      --
      God is real unless declared integer
  2. Wallet by spoonist · · Score: 4, Interesting

    Store then in your wallet like Bruce Schneier does.

    Note: I don't store mine in my wallet, so keep your hands to yourself!

    1. Re:Wallet by amcguinn · · Score: 4, Interesting

      And check his reasons for doing it: A wallet is a secure container for things you don't want to lose or have stolen. If I lost my wallet, the handful of medium-high importance passwords I would compromise would be among the least of my worries.

      Using the same passwords for multiple different services is much more dangerous, and no-one could possibly memorise unrelated secure passwords for everything needed. I need about 20 just to do my work, and I'm usually required to change one or two of them every week.

      The worst was my office voicemail. I rarely used it, and the required password change frequency was set so high that it demanded a new password every single time I tried to pick up a message. The end result was I turned the fscking thing off as it wasn't worth the effort to use.

  3. Password rage? Try password-phobia. by JessLeah · · Score: 4, Interesting

    I had an ex-boss-- the CEO of a dot-com-- who simply hated passwords. Her solution? Set up all of our workstations without a password at all, or with the same password, which never changed. (The password was the name of the company.) This was in an office in New York City, which we shared with other companies.

    Apparently, this hatred of passwords had even spread so far as the techs-- when I joined the company, I almost immediately found that one of our three servers (running Windows (NT 4.0 Server), no less, had NO Administrator password whatsoever.

    Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over). I run a Web host myself, and I constantly have to explain to users why good passwords are important. And this problem has gotten much worse with time (at present my company is 5 years old).

    People generally have the attitude of "Oh, who would try breaking into my account, I just have some photos of my cat there." Maybe so, but if your account has a one-word password, and you have shell or FTP access to the system, Bad Things could happen if your account was compromised...

    And then, of course, the techs (us!) would get blamed.

    --
    Honey, I shrunk the Cygwin
    1. Re:Password rage? Try password-phobia. by CommieOverlord · · Score: 4, Informative

      Because no password is uncrackable. One issue about cryptography is that things don't have to be uncrackable, so long as by the time they are cracked it is irrelevant.

      If it's possible to crack your password in 7 months but you change it every 6, then the cracked password is useless. If you never change your password it can always be cracked.

  4. There's help for this... sorta by LostCluster · · Score: 4, Funny

    Why not use a simple password manager program such as the popular Gator... uhm, er, uhm, maybe that's not such a wise idea!

  5. No problem for me. by NetDanzr · · Score: 4, Funny

    I keep my passwords on small post-its, stuck to the edges of the monitor. Even though I must admit that recently I had to upgrade to a larger monitor because I ran out of space...

  6. Old Problem by R2.0 · · Score: 4, Interesting

    Former job: had access to 3 different database systems and the Lan. Passwords had to be changed every month, and no repeats were allowed for 6 months.

    Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]

    I was in blatant violation of the password policies, but they were unworkable. Policy was: different passwords for each system, composed of a random string of letters, numbers, and sysmbols. Add in changing it every month, and you get the picture.

    And BTW - everyone on site, even the IT dept., did it the way I did.

    --
    "As God is my witness, I thought turkeys could fly." A. Carlson
  7. use a token by neglige · · Score: 4, Interesting

    For those really secure passwords, I look around in my office, pick a token, and use something from it as a password. Could be the ISBN number from my favourite book. Could be a book title. Could be the favourite track on a CD (or the MD5 sum of your favourite MP3). The model of your monitor. Anything. It's unlikely you will forget which token you used and what from that token you took as a password. If you really forgot, just take a look around, and you'll remember.

    This assumes, of course, that there are passwords that you only need at work, and not at home (and vice versa). It's a start, though, and reduces the number of password you really need to memorize.

    --
    My cats ate my karma. They also wrote this comment.
  8. Make Password Open Source! by Lieutenant_Dan · · Score: 4, Funny

    I think the enraged users would benefit from the years of experience contained within the Open Source developer community. Their impartial review of all password would facilitate the password creation password. By providing a publicly-available password list and the application of such password, users would be able to leverage off the peer-review methodology with is quite popular in Ukraine.

    The Open Source developers would also be granted much quicker access and approval to systems that they deemed important to their project work. This would improve fund generation and IP (Intellectual Property) sharing which are some of the stumbling blocks in current academic circles.

    Only when we improve the texture-layer vortex shading in the Matrox drivers can be unleash the full potential of quad-monitor Parphelia configuration.

    Which is nice.

    --
    Wearing pants should always be optional.
  9. A few thoughts by arvindn · · Score: 4, Interesting
    OnceUponATime, I used to have a password dictionary for download, here's the thoughts on passwords I'd written on that page:
    Humans are horrible at selecting and using passwords. We have to live with passwords, however, since no other authencation mechanism is good enough to find use outside niches. (Let's face it: when humans interact with computers, we still have to go more than halfway to meet them.) We keep forgetting passwords, because we aren't really good at remembering lexical/numerical data. There are three things people to about this: write passwords down, choose weak passwords and choose the same password for several unrelated accounts. All of these are bad. Very bad.

    Choosing the same password for different accounts is particularly bad. I imagine script kiddies have well-maintained databases of username:password pairs going around. (If they don't, at least the NSA has one.) I remember reading somewhere about how someone could easily acquire a sizeable list of username:password pairs. Set up a website offering free porn. No popups or other annoyances, but require users to create an account before being able to access much. Get word out about your site. Bingo. There you go.

    A lot of websites store their users' passwords as plaintext. If crackers were consceintious enough to update a centralized list every time a website got cracked, I suppose anyone who uses the same password everywhere can be more or less certain that the black hats have got it.

    I'm guilty of reusing passwords myself. I use one of only about 3 or 4 for accounts on random websites, but at least I use different ones for the machines on which I have any data that matters. The alternative of remembering all your account:password pairs is simply too much work. Browsers that fill in your password for you alleviate the problem somewhat, but if you browse from a lot of different accounts its still a pain.

    As a sysadmin there is nothing much you can do about users writing down passwords or reusing them (except perhaps lecturing), but you can ensure that they don't choose weak passwords.

  10. Biometrics on it's own is weak authentication by Herrieman · · Score: 5, Interesting

    Biometrics on it's own is still one-factor, and thus weak, authentication. To make it strong authentication, you still have to add:

    - something you have (such as a token) or
    - something you know (such as a password or pin :))

    --
    http://blog.astyran.sg
  11. Silly... by mraymer · · Score: 4, Interesting
    Memorization is one of the easiest skills that the human brain is capable of. I think a lot of the frustration with passwords (and computers in general) is simply due to users lacking confidence.

    Ever notice that the people who always forget passwords are the same ones that, when presented with one, will say "I'll never remember that!"

    Granted, some people have better memories than others, but a little more confidence couldn't hurt. When a person says "I'll never remember that" they're basically choosing not to.

    --

    "To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking

    1. Re:Silly... by Zachary+Kessin · · Score: 4, Interesting

      Problem is we are good at memorizing paterns. And patterns are easy to guess. When Richard Feynman tried to crack the safes at Las Almos he found that a very large number of them were set to 31 41 59 or 27 18 28 (pi and e). We are good at memorizing things because we expect to find paterns, which is makes it easy to attach the password.

      Now if you are cleaver you can change things just enough, or say put in letters of two langages. But most people just pick something stupid and go with it.

      I will admit to having a throw away password, that I use when I need a password for something I don't care about.

      --
      Erlang Developer and podcaster
  12. Spreadsheet by sms · · Score: 4, Funny

    I keep all my passwords in a spreadsheet. The spreadsheet is passworded. That password is the concatenation of all my passwords so it's hard to break into and if I forget a password, all I have to do is.....hmmmm, wait.....

  13. But where do you draw the line? by reachinmark · · Score: 5, Informative
    Banks in Sweden are currently running a new BankID system. You can use this to access several government facilities, including submiting claims for sick leave and possibly in (the future) voting, over the internet. The password protection? Your certificate must be unlocked with a password that is at least 12 but at most 16 characters, of which at least 3 must be digits, and 4 alphabetical characters. Oh, and you can't simply repeat a word two or three times - they check for that. The end result? A password so annoying difficult to remember that of course everyone has it written on a post-it note by their keyboard.

    Now THAT gives me password-rage.

    1. Re:But where do you draw the line? by Anne_Nonymous · · Score: 4, Funny

      Hey! Sophia_Pears_1952 is *MY* password! What are you some sort of hacker?

  14. Remembering passwords... by yeti-graf · · Score: 5, Funny

    One guy I worked with set his password to "Viewsonic" so that whenever he forgot it he could just look at his monitor.

  15. Password change policies by Alioth · · Score: 4, Insightful

    The worst is the password policy that not only requires you to have a password that resembles line noise and is a minimum of 9 characters long, but also requires a change every 28 days.

    The unintended consequence of this policy is instead of users bothering to choose a good quality password and making the effort to remember it, they either write it down and stick it on a post-it to their monitor (!) or they use something as a password that's on a book by their desk (such as a book name + part of its ISBN). The result is that the password is orders of magnitude easier to crack than if they weren't forced to change it as often or faced with a bizarrely complex password policy. And of course, when they change it, all they do is increment or decrement the trailing digit or character anyway.

    Then there's password synchronization. On one network at $ORK, the password has to be synced in (a) a Novell netware tree (b) M Sexchange server, (c) web proxy (d) Windows domain. There are frequent failures with this synchronization (usually (a) (c) and (d) synchronize fine, but the M Sexchange server doesn't. The only solution is to reset the password which will resync it on all. It would be much nicer to have a passphrased public/private key pair, and use those to authenticate with everything.

    --
    Oolite: Elite-like game. For Mac, Linux and Windows
  16. Re:Don't forget the admins.... by BabyDave · · Score: 5, Funny
    ... now I'm stuck resetting passwords all day. I blame the users for this, but it *will* be nice for IT staff when biometrics replace passwords.

    User: I can't log in!
    Tech: Your biometric data's become corrupted, we'll have to resample it
    Tech pulls out meat cleaver
    Tech: Now, are you left- or right-handed?

  17. It doesn't matter what password you use... by d0n+quix0te · · Score: 4, Funny

    ...those crackers/hackers from the movies will usually guess it on the third try... while mouthing inanities like " "It's a UNIX system, I know this..."

    ---
    A woman is helping her computer-illiterate husband set up his computer, and tells him that he will now need to choose and enter a password that he wants to use when logging on. The husband, thinking he'll be oh-so-manly, types in the following letters when prompted for his desired password by the computer... m - y - p - e - n - i - s His wife rolls her eyes. Then she nearly falls off her chair howling with laughter when the computer replies: PASSWORD REJECTED. NOT LONG ENOUGH

  18. Biometrics are hated by real security geeks. by perry · · Score: 4, Insightful

    I don't understand this "security experts say biometrics will fix the password problem", since I'm a professional security geek and I don't think that and I know of no fellow security geeks who think that. Indeed, most of us make fun of biometrics when they are mentioned as a solution to such problems.

    Biometrics are essentially useless for over-the-net identity verification because you have no way of knowing whether the equipment on the other end has been tampered with. There might be no retinal scanner there at all -- just software that pretends there is one and feeds you faked up scans. There is also no way to change your retinal scan if it is compromised, so if someone finds a way to get information on your retina, they can thereafter fake your scan over the net with impunity. It isn't like your retina can engage in a public key authentication protocol with the equipment -- the equipment just makes a measurement, which once stolen can be replicated and by definition cannot be easily changed. Ditto for fingerprint scanners or any other biometric measuring instrument.

    Also, the quality of biometric authentication, even when the scanners are known good and untampered with, is very questionable. The false positive and negative rates are unacceptably high -- measured in percent, not in hundredths or thousandths of a percent. That might be fine for unlocking the weather report, but is completely unacceptable for authorizing a purchase. Worse still, those false identification rates are unlikely to change.

    In short, biometrics are not of any use for over the net authentication. They are only useful in very limited applications, like verifying identity at a door with a guard who makes sure you don't tamper with the equipment, and even then only if the system is verifying your identity based on another mechanism of conveying identity (like an ID badge) rather than attempting to determine who you are based on the scan.

    Determining who you are based on the scan has an amazing error rate -- put a fingerprint scanner up on a door to identify rather than to verify an ID card and one in ten people will just walk in by putting their thumb up to it after being falsely identified as a user of the system. If you actually need security, such rates are unacceptable.

    Anyway, as I said, serious security people rarely mention biometrics in any context, and never for over the net transactions.

    Why, then, do biometrics keep getting press? I'm guessing because if you don't know anything about security, biometrics seem like a sexy idea, and because there are so many startups that have millions of dollars gambled on biometrics and would like people to think that they are going to be of some use in the security world.

  19. Keyring for PalmOS by arth33 · · Score: 5, Informative

    Just protects the passwords so you don't have to lock down your whole PDA all the time (I don't really care if someone nabs my schedule/phone list). It works really well, and seems to be written with security in mind (as opposed to ease of use). According to the website, it uses "secure triple-DES encryption using a 112-bit key derived from the password". And the best part: it's open source. Pick it up here: http://gnukeyring.sourceforge.net/

  20. Apple's Keychain by EelBait · · Score: 4, Informative

    Apple has a nice solution to the password problem in their Keychain. The Keychain was originally part of the Mac OS back in 1993 with System 7 Pro, part of the AOCE toolkit. Most of AOCE has been abandoned, but a few pieces survive.

    The keychain is basically a small, encrypted database with an accompanying API that software developers can use to store passwords. The keychain itself is locked with one's login password. Basically, when one logs in, the keychain is unlocked, and various applications can retrieve the credentials that were previous written into the keychain.

    Apple uses this for storing various passwords for email, file servers, as well as passwords for web sites accessed from Safari. The Camino web browser also uses it. The SSH Agent program stores my passphrase for unlocking my ssh private key.

    Using the Keychain application, users can use it to store secured notes. I use this feature for storing credit card PINs and other things that do not use the Keychain API.

    One thing that would be really nice would be if software developers would use the keychain to store their serial numbers. Since I make backups of my keychain, having all my software serial numbers stored in one place would make a system rebuild a lot easier since I would not need to track down and re-enter all my software serial numbers.