Giving Up Passwords For Chocolate
RonnyJ writes "The BBC is reporting that, according to a recent survey, more than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate. Over a third of the people surveyed even gave out their password without having to be bribed, and most indicated that they were fed up with having to use passwords."
Yes, I am that desperate.
I use one password for anything I don't really care about (/. login, LWN login, etc.) and different ones for systems I do care about (webservers, mx machines, client machines etc). I couldn't have told them my care-about passwords anyway though - I don't remember them, I just remember how to type them in. If I have to tell someone, I have to go through the process of mentally "typing" the word - complete with shift keys etc...
:-)
:-)
It takes less than 5 minutes to remember a new sequence, just by typing it lots of times, and I find that if I *do* forget one from (say) 6 months ago, if I put my fingers through the first 1 or 2 chars, I get the whole sequence back... Holographic memory at its best
I've found this works much better for me than what I used to do (take 2 words, reverse them, catenate them, and take the central 8 chars) - the recovery of "forgotten" passwords is much easier when I let my fingers "remember" what to do... It also allows me to give clients obviously hard-to-forge passwords and easily use them
Simon
Physicists get Hadrons!
And apparently over 30% of those asked would just reveal their passwords without any bribery!
Troc
Troc's dubious podcast and blog: http://www.trocnet.net
My users do that all the time, if I am to believe that all those candies sitting in urns on desks serve a purpose! And to think my wife works at Nestle! JB
They didn't actually test these passwords; they just said "I'll give you a bar of chocolate if you give me your password."
So people can just make it up.
Yes Mr "Researcher" if offered chocolate 79% of people can think of a random word.
Big deal,
John.
Without the ability to check that the passwords given are correct, surely the survey results will be totally inaccurate?
If someone came up to me in the street and asked me for my password in exchange for a gift, I'd just tell them any old word to get the free stuff...
One bag of pork rinds, and I'll give complete superuser access to anybody!
Punk: Okay, you say you can't get the NVidia card to work in Red Hat. Let's go to the NVidia site and download--
Dude: My root password is money45!
Punk: [dope smack] NEVER DO THAT AGAIN!
Even back in the days I did call support for an ISP, sometimes I'd just ask their login name and they'd just blurt out, "My login is sueray22 and my password is newyork!"
IT rules with an iron fist:
:(
You will use passwords and you will like it.
But certainly users giving away passwords for chocolate is double-plus-ungood. They would have to offer me some money, but of course none of my passwords protect anything of any real value.
It's YERAWANKER. Now where's my chocolate?
Oh, wait. You wanted my REAL password? Well, that'll cost you another chocolate bar. Of course I'll give you my real password this time. Would I lie to you?
"An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
What kind of passwords do they talk about? For example, a password to a home Windows computer would not be too large a security risk, and something worth giving away for chocolate. But when it comes to more important matters, such as addresses to webmail systems and remote-accessible Linux boxes, the deal is significantly different. I would never give my root pass away on my server, but my grandma would of course give away hers. She doesn't need to keep it secret at all.
Quantum hacker.
...at many of the places I've worked at is that the users have as many as a dozen passwords to remember for different systems, and each one expires at a different time and has different rules for how long and complex it has to be.
Most of them keep their passwords written down on a sheet of paper right on their desk.
for most internet users there is no real value attached to their computer accounts. it is not the same as the pin for your ATM card where, if shared, it would mean an empty account. hence it is understandable that they are willing to share this information.
this, i think, is a big problem and the only way to solve it is to re-educate people for them to understand that such a password is important and should not be shared. clearly an alternate solution would be to install fingerprint scanners on all computers (a viable option in the future), but that would not help overcome the erroneous attitude towards computer security. in fact, such scanners would work well as again people are used to the fact that their fingerprint makes them unique and should not be "shared".
finally, this will be an important concern in the future: already we are able to shop online and the future where all transactions go via the internet is near. one account (a la .NET) will be enough to deal with fueling up a car or buying a bunch of roses. probably then the attitude will change, when some smart scammers burn some people's fingers...
I would give out login details for sweets
But they wouldn't be real.
Who says the researchers were given real details by everyone?
Anyone interested in giving up their passwords for a $100,000 bar?
Most likely, the people willing to give up their passwords have very little to protect. For many, it wouldn't be life altering if their email was read, their MP3 collection viewed and downloaded and their favorite version of solitaire copied as well. I would argue that the people with valuable data wouldn't give out such information (like many of us in this forum). Also, many people have the luxury that even if the system was maliciously accessed with their user/pass that there would be zero repercussions. They would shrug their shoulders and remember the delicious piece of chocolate they had the day before.
Most system administrators would wish that they had a company policy which allowed them to break the fingers of users who share their passwords.
But if users don't like using passwords, why force them? I think they would discover very quickly why it's needed. Nothing like a "You suck" email sent from a user's account to the boss to make them realise that maybe it's not such a bad idea.
A better solution would of course be widespread use of Kerberos; then at least they only need to enter their password once.
in the growing body of evidence to support my thesis that most people
really dont give a crap about anything past their next meal.
Without a username, passwords don't mean much. If they asked for your email address and password, it would be different.
G
I don't understand why people have a problem with passwords. Are geeks' brains really wired so differently to "non-geeks"?
I have a different password for everything; but it is derived from a core password modified in some way that is relevant to the whatever it is the password for; usually the name, such as "Slashdot" or "Fark".
My algo also means that you cannot tell which component of the password is core and which is derived.
damn you slashdot, this has been my #1 sploit for like 6 years. now i gotta go find out where to get and how to use all these "pre-written scripts" that you all keep talking about. unless............i've got it! ice cream!
Not a troll, but this is really one of the stupidest ./ articles I've seen in a while. I mean, is it really news to anyone that Joe lUser doesn't understand the need to keep his computing environment secure?
"The problem with internet quotations is that many are not genuine" -Abraham Lincoln
And I thought it was because we dont go outside. ;-)
.... for a big bar of chocolate. oh wait! his password is so easy, people might guess it without me telling them...
If I write on a sticky note evEry0ne that's quite easy for a malicious passer by to remember or for me to give someone when bribed. If however I have to click on a series of eight icons - say smiley face, then a fish then a dog etc etc that's easier than a complex passwords with upper/lower case numerals and to remember and quite difficult to write down or explain over the phone.
This simply shows how non-technical people really don't think about security or responsibility for what goes on under their accounts. It needs to be impressed on these people that their password is NOT TO BE GIVEN AWAY FOR CANDY.
:-/
Do these people not realize that Mr. Researcher could then use their accounts and put scat pr0n all over their home directories and/or send vicious emails to their bosses and/or colleagues?
But hey, I guess this is good news for crackers, eh? No need to write complex toolkits... only a Hershey's bar is really necessary.
Jeez, some people's children...
Assign people passwords rather than let them choose their own. Make them easy to remember phrases like:
"Fuck off you mother fucking fuck fucker"
Then see if they'll spurt them out to people on the street.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
.. how many people would give away their chocolate for a password?!
-el
PC.......$600
DSL......$20/month
nmap.....free.
Being pipped to the post by a reporter with a snickers bar.....Priceless.
There are some things even money can't buy, for everything else there's Masterfoods, Plc.
Here cowboy neal...........chocolate.......yummy. You know you want to give up all the passwords to the slashdot.org sites.
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
--
You insensitive clod!
I'd only give up my password for dark chocolate.
Creator of the popular web game Proximity
If everyone had an Ident-i-Eeze.
The Braying and Neighing of Barnyard Animals Follows.
One of the nice things about sunrays is that you generally don't need passwords. Sure passwords exist, but Sunrays use a swipe card to get you into an account. When you leave your computer, just take your card. Your session is saved and your terminal may now be used by anyone else.
This study brought to you by Klondike. What would you do for a Klondike bar?
I really hate signatures, but go to my website.
Kinda useless, if you ask me. I prefer to have 3-5 different passwords and use post-its attached to my monitor.
When I've been in admin positions and responsible for password policy I prefer forcing the user to create a strong password in the first place (by using a modified passwd to check for easily guessed ones, and enforcing things such as not all lower or upper case, etc.), but then I don't expire them! I've found most users are fairly happy with the process since they don't have to constantly try to remember a new, random, password and after a while they don't even write it down anymore, greatly increasing security.
Face it, most people just want things to be easy, and having to type in a password's a pain to them. They have no concept of how insecure it is to give out their password, or leave it written on a sticky note on their monitor. As admins we have to find a way to make the process palatable for them and relatively secure.
Personally though I've never had a problem remembering passwords. I still remember passwords I'll never need again, and we're talking some of the 30+ character pseudo-random string ones. I have no clue why I can remember passwords so easily, but it definitely comes in handy. I tend to have a different root password on every server I deal with and all of them would take an eternity to try to guess through brute-force.
Is there a correlation between percentage cocoa solids and the coercive power of chocolate?
Everybody loves chocolate!
:P
;)
Go ahead, tell me I'm wrong.
Google Bakaretsu Hunters if you're lost.
Karma: Chameleon (mostly due to the fact that you come and go).
you realise that such a deal will ensure your getting rooted twice?
The second one might not be so pleasant.
Still, it's probably better than being an OpenBSD hacker and having never been rooted at all.
(and please don't mod up the karma whore who follows this going "don't stereotype geeks waa waa waa" it's a joke...laugh)
Kerberos. Works with Windows and Unix.
See the "Liberty Alliance Project" for internet web sites.
There's of course other ways of doing it. LDAP, ssh etc.
Government of the people, by corporate executives, for corporate profits.
"We are amazed at the level of ignorance from consumers on the need to protect their online identity," said Tim Pickard, spokesman for RSA Security.
Is that arrogance?
Just the reduction (and the 'idea of man' / {Menschenbild} hiding from behind) of 'identity' to the concept of an "online identity" makes my stomach hurt (will not bother my brain with anger).
CC.
TaijiQuan (Huang, 5 loosenings)
Occasionally you may HAVE to tell someone your password. Keep that in mind selecting one. Consider this exchange I had with one of my users a while back:
Bryan: "What's your password on this system?"
Tammy: "Uh..." *blush* "Do I have to?"
Bryan: "No, you can always call the help desk like you're supposed to, but I can't reset your password on this system."
Tammy: "Um... it's ... TPBP6969. It's my initials followed by my husband's initials. Please don't tell anyone!"
Bryan: "Considering your husband and I have the same initials I think I'll keep that one to myself. But in the future you might want to select a less... personal password."
"An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
for a girl who would give up her password for a bar of chocolate
Why do you find this surprising? I know most of you don't know what a woman is, but do you know how badly they crave chocolate? If you learn this simple fact, the world will become your oyster, so to speak. Now get ye gone and lose that virginity!
The other 30% were too dumb to think up a random word in exchange for the chocolate.
Now, I just need to figure out how to do strong biometric identification over ssh or SSL-imap... preferably authenticating against some part they won't let people play with for mere chocolate...
-30-
would you... would you kill a man?
-family guy.
Count Moriarty: Will you give me your password for this chocolate bar?
Grytpype-Thynne: What, how dare you, sir. I'll have you know that I'm a patriotic English gentleman!
Count Moriarty: Which means?
Grytpype-Thynne: I'll only do it for money
You don't need a lab to make mud.
Take the chocolate and then lie about my password. Did they test the passwords to see that they worked? After all, it only takes a second to make up a word in return for sweet sweet candy.
Saying Apple is better than MS is like saying Botulism is better than rabies.
"Workers are prepared to give away their passwords for a cheap pen, according to a somewhat unscientific - but still illuminating - survey published today."
Office workers give away passwords for a cheap pen
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
I don't get it? What do you guys have against chocolate? I thought it was an exceptional deal. Still trying to figure out where all the money in my bank account went, incidentally. Anyone have any ideas?
Any help will be gratefully received and results will be shared with all. Oh boy will they be shared........
And if you thought that was boring you obviously haven't read my Journal ;-)
Hopefully the optional use of biometrics will solve the password memorization issues in the future... as long as actual fingerprints etc are not stored (could be privacy issues, hacking etc.), only a fingerprint signature is stored...
Or in the meantime, just use tokens like SecurID. Our users were happier when we started using SecurID since it required them to remember fewer passwords. You just need to remember a simple PIN and have your token.
Actually, I strongly suspect that most people will actually just come up with their password unless they had time to 'prepare' an answer. (particularly the people that will give up a password for a chocolate bar)
---
We spoke for about a half an hour. I don't recall a thing we said. - Colorblind James Experience
man.... sueray22 and punk are gunna get owned now
I gave my slashdot login/passwd away ages ago, and my karma's only gone up.
I have 5 common passwords I use for email accounts, websites, etc. I try not to use the same one for a website that I use for the email acct I give that website, but sometimes I fail :P Luckily I generally give out forwarding addresses now instead of actual account addresses so that means fewer site admins casually reading my email for me..
My 2 main passwords each have a random core that is then altered by something machine specific. In some cases it is a portion of the network name and ip address, sometimes it is a service and name, etc.
Both of them are a result of the "slap your hands down on the keyboard and see what comes out" method, so I have a random mix of letters and numbers as the base, no words with letters replaced with numbers or any of that silliness.
But my super, high security, enter this machine and the world will self-destruct password is super-duper hard to guess...ooh, candy bar, ok I give, it's God, no, really, why don't you believe me? See, here is a yellow Post-It (tm) with the word on it...no no, you're looking at it backwards, and ignore the "doof" next to it and the "klim, sgge" under it...
Whee signature.
The concept of a unified authentication scheme based on biometrics is interesting, but may be fatally flawed.
Apart from technological issues, a significant problem may arise when any of your identifiers are compromised. With passwords, you can just select new ones and continue, but you can't change your fingerprint, for example. This may lead to a scenario where a whole trust system is blown away.
To do anything really useful in the long-term, we need to proceed with caution and be extremely mindful of concerns about personal freedoms, etc. At the moment, I'm happy remembering secrets and would not feel comfortable using biometric-based systems where I cannot trust every part of the authentication network.
"Amazed at the level of ignorance"?? I'm perfectly *aware* of the need for secure passwords. My passwords at work were initially hard-memorized, completely random strings of letters & numbers. However, after the 3rd time I had to change all my 12 passwords (on different schedules, of course), I just said "Screw it". There is no way I can practically memorize 12 secure passwords a month. The constant changing of passwords is one of the most counter-productive practices - while perhaps great in theory, and with some sound reasoning behind it, everybody I know agrees their passwords get less secure every iteration.
- To err is human; but to really screw up, you need a computer
My grandmother would give the PIN number for her ATM card to a complete stranger every time she needed to raise cash from the machine. She is a prototype of the techno-illiterate. We were quite shocked when we found out and I spent an hour explaining to her what the PIN number is and how to use the ATM.
the problem is again simple: you give people now a little card which spits out numbers. i bet you they do not know what this card does. therefore, if you offer a chocolate for the card, they will show it to you... it's the same problem. although i have to admit it makes things better to use tokens and it is way more secure...
Has anyone else experienced voice mail systems are really well secured? At most of the jobs I've had as a contractor, I've noticed that the voice mail security systems were usually locked down pretty tightly.
These voice mail systems usually have minimum password lengths of 6 digits, and of course the password is all numeric, making it hard to remember if you try to use a relatively obscure one (rather than 1-2-3-4-5-6). Furthermore, they usually prevent you from using all the same digits, or the above sequence, and some of them even prevent you from using the same password more than once!
Ummm... it's VOICEMAIL. WTF? How secure does it need to be? Meanwhile, there are no such password restrictions on the network accounts.
Do any of you have super-important voice mail messages that must be protected at all costs? Makes me wonder if voice mail administrators have god-like delusions of grandeur, just like Windows SA's (and I use the term lightly).
c:\windows\system32>for %u in (*) do net user /add /y %u %u
c:\windows\system32>dir > users+passwords.txt
Now, someone just tell me where to mail the file so I can collect my 1804 chocolate bars.
This has been a problem for a long time in the military world. Instead of 'password' read 'safe combination'. People who had to manage multiple safes wrote the excess combinations on a sheet that was labelled with the highest classification of any of the safes and was stored in the highest classification safe available. Likewise, I use a password cache on my most secure machine.
By the way, it _is_ possible to come up with strong memorable passwords. Think of a phrase involving numbers and punctuation. Then translate it into a password by using the initials of the words (alternating capitalization), the numbers, and the punctuation. As an example, consider: "Don't forget 9/11/01!" That becomes dF91101! Research indicates the passwords generated by that algorithm are as strong as the randomly generated passwords some systems force unto users.
I also use a network password here at school that Windows can't handle. Basically, the network login script parsing on the machines used by students can't handle imbedded punctuation, but my research machine is OK with it, so my network password is only usable from specific machines in secure areas. It's not perfect, but it reduces the exposure.
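The initials-of-a-phrase rule from the post above, as an added example (not the commenter's code). It assumes, since the post's own example "Don't forget 9/11/01!" gives dF91101!, that inner punctuation (apostrophes, slashes) is dropped and only the punctuation that ends a token is kept:

```python
# Added example, not from the original post. Turns a memorable phrase into a
# password using the rule described above: first letter of each word with
# alternating capitalization, digits kept, sentence punctuation kept.
#
# Assumption (the post does not spell this out): punctuation inside a token
# ("Don't", "9/11/01") is dropped, and only punctuation that ends a token
# ("!", "?", ".", ...) survives. That reproduces the post's example exactly.

KEPT_PUNCT = "!?.,;:"


def phrase_to_password(phrase: str) -> str:
    out = []
    upper = False  # first initial is lower-case, matching "dF91101!"
    for token in phrase.split():
        digits = "".join(ch for ch in token if ch.isdigit())
        stripped = token.rstrip(KEPT_PUNCT)
        trailing = token[len(stripped):]  # e.g. "!" from "9/11/01!"
        if token[0].isalpha():
            out.append(token[0].upper() if upper else token[0].lower())
            upper = not upper  # alternate only on word initials
        out.append(digits)
        out.append(trailing)
    return "".join(out)


def character_classes(password: str) -> set:
    """Which classes the result draws from; a quick sanity check that the
    phrase gave more than a run of lower-case initials."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("punct")
    return classes


if __name__ == "__main__":
    for phrase in ("Don't forget 9/11/01!",
                   "Four score and 7 years ago, we rode 2 horses."):
        pw = phrase_to_password(phrase)
        print(f"{phrase!r} -> {pw} {sorted(character_classes(pw))}")
```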
I have so many site passwords that sometimes I wish "passport" was global. How long before computers come standard with a retinal scanner or some other physical security so that I won't have to remember all these passwords?
Did they ask the people who have had their identity stolen and their credit ruined?
Bet they enjoyed that chocolate bar!
-A
Remember when you were young and people told you to never trust someone you don't know with candies?
:)
Now they're grownups, and they do what they want.
:)
Many adopt very unsafe tactics to remember these login names. Some of those questioned simply use the same password for every system they must log on to
And that would mean if I had 10 accounts on different machines, I would have to make 10 very distinct passwords with no link to my life whatsoever? If I like my pet's name I should be able to use it.
The real issue is, do those people have any sensitive data? That would threaten the world or reveal the Kennedy assassination?
Cause in my office, I wouldn't care less, if they knew my password. Hell they could even sit at my computer and work on my comp doing my job
Ordinary people are no security freaks, and the majority are no computer geeks either. They wouldn't do anything beside changing the background of my desktop if they had my login.
Now if only the black sheep didn't spoil it for us all... I would have plenty of candy!
It's funny how I make sense to others and not myself...
I deal with this kind of junk all the time, and despite the fact that I see it every day, I hope that users will get a clue sometime.
Of course, that explains why there are so many computers that are weak to the "weak share passwords" exploits in viruses.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
For pizza, I'll give up my OL banking ID, password, SSN, and mother's maiden name.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
... the password requirements are probably reasonable. The problem (as the poster points out) is that you have a dozen or more systems to log on to. The other one I hate are the systems you hardly ever use but force you to change the password regularly. We have an HR system that does that. It's fine for the HR drones that use it every day but everyone else goes on a few times a year (pay rise day, bonus day) and by then they've forgotten their password. Cue 1500 people trying to get their password reset on the same day!
---
We spoke for about a half an hour. I don't recall a thing we said. - Colorblind James Experience
The problem with biometrics is that if someone compromises your "password" (never mind how), you cannot get a new one, unless you get new irises or thumbs implanted.
Passwords are used in part because of history, but mostly because they work and can be changed.
"Sir, your bio-passport is invalid due it being compromised. No, I'm sorry, sir, you cannot get a new one. No, not ever."
If it is an SCO server you are talking about where do I send the pig skin?
From excellent karma to terrible karma with a single +5 funny post...
If that is the case Willy Wonka is the most 31337 hacker on the planet
just because you're a schizophrenic doesn't mean people aren't really out to get you
Just as Homer would have said: "Mmmmmmmmmmmh chocolate".
I'll be adding a selection of Hershey to my rootkit.
- This isn't the sig you're looking for. Move along, move along..
While password policies and the security that they provide are pretty much the recommended approach these days, they rely heavily on one resource that many people have a lot of trouble with: long term memory. Sorry, but it's 2004... where is voice print ID or fingerprint ID, or even dna sampling? MacOS was on the right track, but the technology was a little too early. Ahem!!! Time for the OSS/Free community to show the rest of the world where authentication is going. Voice Print ID should be a part of Gnome.
Un-news
There are lots of things you can't do with humans because of human nature. Communism is one, speed limits are another, and expecting people to remember the sheer number of passwords they have to today is another. I have to keep them all in my Palm. Most of the people at work keep them on a Post-It. The password-mania of IT at work has become a joke among the employees. Get a grip!
What to do? You're the IT people, you tell me! Fingerprint readers? Retinal scanners? How about you just read the little badge that I wear around my neck all day anyway? The building security guys figured out that passwords don't work for building security, when will you guys learn the same lesson?
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
This survey just shows that a new security model is needed - people hate passwords. A place I used to work at used RSA SecurID tokens to authenticate users. It uses a pseudo-random number generated on a (physical) keyring that must match the one in the computer. I think the system is brilliant, and I wish I could find a free/open source version to use at home. The token could be replaced by a handheld computer or a program on a mobile phone for those that don't want to buy a keyring.
A latent existence
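The "number on a keyring that must match the one in the computer" scheme from the post above, as an added example (not the poster's or RSA's code): the open HOTP/TOTP algorithms (RFC 4226 / RFC 6238) in standard-library Python, with a verifier that tolerates one step of clock drift and rejects a replayed code. The shared secret and time values are the RFC test vectors, not anything from this page:

```python
# Added example, not from the original post. Event-based (HOTP) and
# time-based (TOTP) one-time passwords, as used by open-source token apps.
# Only the standard library is needed.
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = unix time // step (default 30 s).
    This is what the token (or phone app) displays."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_used: int = -1):
    """Server side. Returns the time-step counter the code matched, or None.

    - `window` steps on either side are accepted so a slightly skewed token
      or a code typed just before the boundary still works.
    - `last_used` is the counter of the last code this account successfully
      used; anything at or before it is refused so a code cannot be replayed.
      The caller must store the returned counter as the new `last_used`.
    - hmac.compare_digest keeps the comparison constant-time.
    """
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# RFC 4226 / RFC 6238 test secret ("12345678901234567890"); a real
# deployment would generate a random per-token secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0 ->", hotp(RFC_SECRET, 0))      # 755224
    print("TOTP at t=59   ->", totp(RFC_SECRET, 59, digits=8))  # 94287082
    print("TOTP now       ->", totp(RFC_SECRET))
```

The verifier's `last_used` bookkeeping is the part hobby implementations most often leave out; without it a code shoulder-surfed within the 30-second window is reusable.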
Those who would give up security for chocolate deserve neither.
Unknown host pong.
this is why i am a total IT security nazi. if you let people get away with things they will continue to push their limits. My policy is no less than a 6 digit random alphanumeric password that expires every 3 months. no if's or fucking buts. too many sys admins give in to demands of pure laziness. you're the admin, admin and make them fall into line.
If you mod me down, I will become more powerful than you can imagine....
combine one-time password with an iris scan. then show me how to get someone else's iris... ouch...
I think the people were asked would they give up their password for a pen or something like that.
Then we had the same comments: how do you know if they gave you the real password, or you asked them would they, but you never actually asked for it. ETC.
Remember the Saying SOSDD, how about Same Old Post Different Day.
SOPDD
SOPDD
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
Think of them like seatbelts in a car. They're a minor pain, and you hope/wish you'll never need their protection. But if someone ever steals your password, then your identity, you may wish you had been more careful...
To a politician, one email equals one voter.
It never worked, but it was a good plan in theory.
I do remember helping one girl who wore a workout suit into the computer lab, no bra, and the jacket partially unzipped. It is amazing how much help she needed (well, received) from me that day. It is also coincidental that the optimum location to stand when helping someone who is sitting down working on a computer is behind them and off to the side a little.
My beliefs do not require that you agree with them.
My favorites were always the ones where they make you change your password all the time. Where I used to work, everyone had three passwords. At first, the company never made people change their passwords. Two of the passwords could be the same, and the third could be related (different number of characters required). People remembered their passwords, and I don't remember ever coming across someone else's.
Then, to increase security (without having had any problems, just, you know, to be more secure), they made it so that everyone had to change all three passwords every month, and the computer actually checked to make sure that no two were very similar to each other, or to the past month's password.
Suddenly, about half the computers in the office had a post-it-note on the monitor with a list of all three passwords. Since there were three, they always had the logins written conveniently beside them, so they could remember which account each password went with. This quickly got so bad that systems actually had to issue a rule you couldn't do this. But if you sat down at someone's desk and took a quick look around in the top desk drawer, under their calendar, etc, you could usually find their password sheet. (Yes, I sometimes looked, to just gauge the extent of the problem). Just walking around the office, you could see where people kept theirs because you'd see them checking the list just before they logged in.
At the same time, calls to Systems to reset passwords went through the roof. It got so bad they set up a separate phone number set up for password resetting. This number would often be busy so much that when someone forgot their password, instead of calling systems, they'd just ask someone else for theirs, or wander around to find a desk with them posted, and then use someone else's.
Perhaps they'll eventually notice how insecure this is. If they do, they'll probably make it so everyone has 10 different 30-character passwords they have to change every day. Just think how secure that would be!
Can anyone tell me how to set my sig on Slashdot?
Most users at my company keep their passwords on a sticky note in their top drawer. If it's not there, then it's on a rolodex card in the back of their rolodex.
My cup is empty , I am bereft, my coffee, my sanity, I have none left.
A friend of mine is particularly anal when it comes to security. He's a network security geek for a major college in the Boston area, and security is his life. Unfortunately, he'll interact with you when he's just entered Level 1 REM sleep.
About 7 years ago, he was crashed out on the floor of my apartment after a late night session. Since I was still coherent, I started saying random command prompts and command lines to him. He had just fallen asleep, and was finishing the prompts!
Me: rm -rf
Him: star
Me: apachectl
Him: restart
Me: shutdown
Him: -h now
And then I upped the stakes.
Me: username
Him: blurted out his username
Me: password
Him: blurted out his password
I left him an e-mail from himself that evening, and then went to bed. The next morning, he said "cute trick, but anyone can forge the From: header". I told him to go and double-check the received line, and he'd see that it was sent from localhost on a server that I didn't have an account on.
He was rather annoyed and amused at the same time...
Priceless.
PepperHacks - Hacking the Pepper Pad
If you go to online tech support, they ask for your password to verify who you are. No, not that you have to type in your password to get to tech support, I mean once you get a real live person on chat, you have to give them your password.
/. ? Won't take the password I created. More than once. I think my computer hates me.
I've also had to give it to them over the phone to verify who I was.
I wasn't happy with them, and this is one of the reasons I left. No other ISP I worked with asked for a password like that. They would ask for a DOB or an address or phone number -- but never a password.
And as for
"what would you do for a klondike bar"
*shakes head in shame*
e.
Build Your Own PVR/HTPC news, reviews, &
A lot of them just don't see the point of passwords. After explaining that this is to secure company data against corporate theft, hackers, etc.. they rightfully counter with:
"Well, since we're always having viruses, trojans, spam, popups, crashes, and other unwanted crap on our networks ... do the passwords really make that much difference?" Why worry about the door keys when the windows are open?
Maybe when the admin's (& the business') house is in order, we've got some right to bitch about users and passwords.
Get off my lawn.
That explains why Adrian Lamo carries cartons and cartons of chocolates in his backpack :)
Dont make a better sig, you insensitive clod!
Anyway, it's not like you can actually verify these are real passwords. It's more like a psychology study: would you lie about your password in exchange for some pens / chocolate / head?
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Mine is 1-2-3-4-5, same as on my luggage. Now hand over the chocolate, my ship is about to crash into an as-yet undiscovered planet inhabited by ape-like creatures.
Will wank off Linus Torvalds for fame.
RSA-Security, who make those little keyfob things where the password is a number that changes once a minute.....
Of course there's no agenda here..;-)
Good IS policy should explain why passwords are important, and suggest ways users can choose strong passwords (and what constitutes a strong password), and counter the problem of having to remember too many. Two suggestions :
1) Encourage users to use Schneier's Password safe program.
They only then need to remember one well-chosen password, which unlocks the password database.
2) Encourage users to make passwords from acronyms of easy to remember phrases, e.g. "My cat is called Bob, he is 6" => McicBhi6.
Just in case you didn't know...
Passwords should not include names of persons, cities, mountains, or any words that can be found in a dictionary. Also inversions or doubling of words, or appending a number or special character before or after might not be secure enough.
A good trick to create a secure password which you can still easily remember is to take the first letters of words from a sentence (or song etc.) and mix it with some special characters, for example:
Id'lPlt4 (I don't like Password longer than 4 characters)
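Both the acronym suggestion ("My cat is called Bob, he is 6" => McicBhi6) and the guidance above about dictionary words and inversions are easy to turn into a small helper. The following is an added example, not code from the thread or from Password Safe: `acronym()` builds the password from the first character of each word, and `check_guidance()` reports which points of the guidance a candidate fails, including dictionary words embedded forwards or reversed. The word list is a constructed stand-in for a real dictionary.

```python
import re

# Constructed mini word list standing in for a real dictionary (assumption:
# a real deployment loads a full wordlist; this one only serves the demo).
DICTIONARY = {"password", "monday", "letmein", "welcome", "bob", "cat", "called"}


def acronym(phrase: str) -> str:
    """Build a password from the first character of each word of a phrase.

    Case and digits are kept as they appear, which is what turns
    "My cat is called Bob, he is 6" into "McicBhi6".
    """
    return "".join(word[0] for word in phrase.split())


def found_in_dictionary(password: str, words=DICTIONARY, min_len: int = 3) -> bool:
    """True if a dictionary word (forwards or reversed) is embedded in the password."""
    lowered = password.lower()
    for word in words:
        if len(word) < min_len:
            continue
        if word in lowered or word[::-1] in lowered:
            return True
    return False


def check_guidance(password: str, words=DICTIONARY) -> list:
    """Return the guidance points the password fails; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if found_in_dictionary(password, words):
        problems.append("contains a dictionary word (forwards or reversed)")
    return problems


if __name__ == "__main__":
    for candidate in (acronym("My cat is called Bob, he is 6"), "Password1", "1drowssaP"):
        print(candidate, check_guidance(candidate) or "ok")
```

The reversed-word check is what catches "1drowssaP", the kind of inversion the guidance warns about; a naive complexity check alone would pass it.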
Now Tammy wouldn't have given out her password for a chocolate bar. I say, give everyone an embarrassing password and they won't tell anybody. Not necessarily sexual, but insulting like "IhaveBO" or "FatAssAmI", something like that.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Chocolate stocks worldwide surged due to heavy buying from someone known only as "3l33t hax0r"
You have 5 Moderator Points!
Which Helpless Linux zealot/MS basher do you want to mod down today?
Wouldn't a fingerprint be an extremely bad choice for this? If there's anything you're constantly leaving behind, everywhere, every day, it's your fingerprints.
Plus, as others have mentioned, it is impossible to replace when it is compromised.
One of the lessons of history is that nothing is often a good thing to do and always a clever thing to say. - Will Duran
and I get passwords all the time. I just ask, and people tell me. But what's really funny is when people say "Well I don't have a password! Why would I need a password for my account?"
Modern scanners send a slight current through your skin when scanning. With this they can figure out that you are not just a glove or the finger of a dead guy, because, as far as I know, the resistance is measured and that tells you if it is a real finger or a living human or not. Clearly it is not foolproof, but nothing else is either, right?
I have accounts on 2 banking sites, 1 stock trading site, at least 70 message boards - 2 ISP's - my work LAN account, home router (hardware router), ICQ, MSN etc.
I store ALL of these passwords now in an excel file using one single password to access all the other passwords - unfortunately it's the best way I can do it - some of the more dangerous ones (banking / trading) I don't store the pass, I store something to remind me of it or the pass backwards with an extra random character that's not needed in it.
It's a real burden, oh and I have my Xbox Live password too (sue me, assholes, it's quite fun actually!..)
Really need some other way of identifying myself - can't wait till my PC is taking blood and urine samples............
Yeah, but have you ever tasted British chocolate? Hell, I would give up my password for a Turkish bar, Yorkie bar, or even a Sherbet Fountain. No wonder the Brits' teeth are messed up!
Open Source. It's the difference between trust and antitrust.
Ummm... how is a computer password any different than a PIN number for most users? How many regular users do you know who use IE (or even Mozilla/FireFox) to save all of their passwords? Including their on-line banking usernames and passwords... all of their credit card usernames and passwords... and all of the sites that they trusted with their credit card information...
And dealing with the fingerprint issue... The Reg just had a write up about it...
Nephilium
This survey didn't prove people treat passwords as unimportant. It proved chocolate is more important than passwords! Get your priorities straight.
the person responsible for the breach has been sacked.
The person who hired the person responsible has been sacked.
The researcher who gave the candy bar in exchange for the password who was hired by the person who hired the person responsible for the security breach has also been sacked.
Thank you,
-ted
clearly a york peppermint patty might make me think twice...
any takers?
Robo-Blogs of the world: UNITE!
I never knew that 70% of computer users were women.
Just a couple of months ago I saw guys give away their fingerprints ("to help in a research project" as they'd been told.. yeah, right.. hehe) for a piece of chocolate from Kinder. Well.. they did get a little toy as well :)
The "I hate passwords" attitude is not merely (or even primarily, IMHO) a function of users doing something wrong. It is a function of poorly designed security, or of security designed for a different environment being reused for current systems.
Passwords came into popularity a long time ago. Things that have changed since the introduction of the password:
* Many people have accounts on many, many systems (thanks to websites with accounts).
* Users on such systems may not be primarily benevolent -- on a UNIX box used by a small bunch of researchers in the early 80s, a password may be an acceptable barrier to anyone poking around. A password on eBay, on the other hand, may be of interest to a number of less savory characters.
* The ability to attack systems has significantly increased. Internet accessibility means that remote, hard-to-trace attacks are more common. A brute force attack on a computing system physically isolated in a building may be simply infeasible, and choosing "cheese" as a password may be perfectly acceptable -- such a thing is no longer reasonable.
* Computing power is much greater now. Attacks on password hashes (including those sent over the network) are much more feasible. The relative strength of passwords to CPUs has decreased logarithmically.
* Many systems require passwords frequently. If you are a defense contracting employee, you might have only needed your password once when walking in the door in the morning and once after lunch. Now, corporate intranets have passwords, Yahoo has passwords, Slashdot has passwords, eBay has passwords, etc. Many of these require passwords multiple times a day (or, if they have an option to cache a password, do not have sufficient data about the client side to know how long it is safe to continue to cache the data).
* The demographic of password users has changed. Almost everyone has many passwords now -- not just a couple of engineers or scientists, or the occasional person with an ATM PIN.
What I Suspect Needs To Be Changed
A couple of things that probably need to change:
* It needs to be standard (and have a common interface for doing so) for users to be able to delegate a subset of their authority. Few systems currently have authorization systems smart enough to allow users to delegate chunks of their power to other users for a short term (and audit any moves). This needs to be simple, *easy*, and secure. If Sharon wants to let Bob purchase something online and charge it to her credit card account, she needs a quick and easy way to say "I authorize Bob to spend up to $500 in the next week and charge it to my credit card." That could be via her cell phone or on a computer. Most systems should have at least several forms of authorized actions that can be delegated to other users that require no more than entering a limit on the degree of the actions taken. A list of actions that other users have taken with that authorization should also be easily visible.
* Where feasible, passwords should be replaced by smartcard/PIN combinations. It's easier to remember a four-digit PIN than a long, secure password, and for anyone that doesn't have physical access to a user's smartcard, the strength of the token on the card is much greater than that of a password. Currently, this is particularly disastrous in the form of credit card information. Currently, many vendors store full credit card information used in purchases in databases. If any such database is compromised, authentication data providing full access to money accounts is granted the compromiser -- this is, frankly, insane. Credit card providers have one effective line of defense against a compromised card -- they do statistical analysis against purchases, which isn't the most reliable method of dealing with such attacks, and requires intense monitoring of anything users do -- producing a strong disincentive to provide users with privacy. (I realize that there are a few attempts at improving t
May we never see th
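The delegation idea in the post above ("I authorize Bob to spend up to $500 in the next week and charge it to my credit card", with a visible list of what Bob then did) can be sketched as a signed capability plus a ledger that enforces the limit and records every attempt. This is an added example, not code from the poster or from any card network: the owner and the issuer share an HMAC key (a signature scheme would replace that in a real system), the token carries the grantee, a limit in cents and an expiry, and `DelegationLedger.charge()` checks the MAC, the expiry, the grantee and the running total before accepting. All names, keys and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so the MAC covers exactly what the ledger later reads.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_delegation(owner_key: bytes, grantee: str, limit_cents: int,
                     ttl_seconds: int, now: float) -> dict:
    """Owner's side: a capability saying 'grantee may spend up to limit_cents until expiry'."""
    body = {
        "id": secrets.token_hex(8),          # lets the ledger track spend per delegation
        "grantee": grantee,
        "limit_cents": limit_cents,
        "expires": now + ttl_seconds,
    }
    mac = hmac.new(owner_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class DelegationLedger:
    """Issuer's side: verifies the capability, enforces the limit, keeps an audit trail."""

    def __init__(self, owner_key: bytes):
        self._key = owner_key
        self._spent = {}      # delegation id -> cents already accepted
        self.audit = []       # every attempt, accepted or not

    def charge(self, token: dict, grantee: str, amount_cents: int, now: float) -> bool:
        body = token["body"]
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["mac"]):
            outcome = "rejected: bad signature"        # tampered limit, grantee or expiry
        elif now > body["expires"]:
            outcome = "rejected: expired"
        elif grantee != body["grantee"]:
            outcome = "rejected: wrong grantee"
        elif amount_cents <= 0:
            outcome = "rejected: bad amount"
        elif self._spent.get(body["id"], 0) + amount_cents > body["limit_cents"]:
            outcome = "rejected: over limit"
        else:
            self._spent[body["id"]] = self._spent.get(body["id"], 0) + amount_cents
            outcome = "accepted"
        self.audit.append({"token": body["id"], "who": grantee,
                           "cents": amount_cents, "outcome": outcome})
        return outcome == "accepted"

    def statement(self, token_id: str) -> list:
        """What the owner sees: every attempted use of one delegation."""
        return [e for e in self.audit if e["token"] == token_id]


if __name__ == "__main__":
    key = b"constructed-owner-key"
    tok = issue_delegation(key, "bob", 50000, 7 * 86400, now=1000.0)
    ledger = DelegationLedger(key)
    ledger.charge(tok, "bob", 20000, 1100.0)
    ledger.charge(tok, "bob", 40000, 1200.0)       # pushes total past $500
    for entry in ledger.statement(tok["body"]["id"]):
        print(entry)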
Oh what would you do for a Klondike Bar.
If it was just documents of my work? who cares? My co-workers NEED to see those documents anyway!
What does my password protect? Private files? Am I supposed to have private files at work? I guess not. Secrit files then? Ok. possibly.
To track possible abuse? They're allowed to use my phone too, do I have to password-protect that too?
But hey, if it's about my admin password..
That's a different story.
Then I'd like to have some chocolate too!
Privacy is terrorism.
I use one password for anything I don't really care about (/. login)
/. login isn't through SSL. So I wouldn't use the same password for /. as for Citibank, etc.
Correct me if I'm wrong, but
I think everyone would agree that no one really likes dealing with one or multiple passwords. Even someone accustomed to using multiple passwords would cringe at the thought of replacing the collection of keys in his or her pocket with a series of alphanumeric characters.
So what kind of alternatives exist? There's got to be some company out there implementing something on a software level, if not making effective use of such things as smart cards, USB devices, thumbprint readers, etc.
If you can recognise your computer, then it's only logical your computer should be able to recognise you. I mean, it's staring right back at you, right?
Like "Password Manager" :-)
:-)
WARNING WARNING DANGER WILL ROBINSON!!! BLATANT PRODUCT PLUG AHEAD!!!
I use Password Manager myself, because it's written in Java, and I can put the program along with it's datafile on a USB drive, then use it at work (WinXP), at home on my Linux workstation, or with my Powerbook. Check it out.
http://www.geocities.com/ramix_info/passwordman
---- The price of freedom is eternal vigilance. -Thomas Jefferson
When I was in school, one of the secrets was that the fraternities actually had a nicely put together book of tests for various classes. Foreign language, histories, etc. Pretty much all of the core classes' tests were in that book. One of my friends borrowed it for a laugh from a fraternity friend of his.
It's still interesting to see that in two years of cybercrime and media frenzies that nothing has really changed...
Do you or your partner snore? - Visit www.snoring.com.au
Now the candyman is the ultimate hacker. Able to get 70% of all passwords with ease!
Argh! We're not talking about having to recite the Magna Carta here. A username and a password for each whatever. I can see if it's something you only use like once a year or something, but come on.
Free Mac Mini Yeah, it's
For the Palm, use the free YAPS 2.5, YAPS, Yet Another Password Safe.
Just have a fake password ready. Some day, maybe even today, someone may offer you that bar of chocolate, or a night of hot wet sex, in exchange for your password. By making up one now, and memorizing it every day, you can answer instantly when asked, and that will make it sound so real. Hint: include upper and lower case letters, digits, and maybe even some punctuation. That way it will sound secure and more valuable.
Just be sure you don't get fake chocolate, fake sex, or whatever.
now we need to go OSS in diesel cars
The password usability problem was covered in a topic not so long ago.
The bottom line was that you can always manage a reasonably large (10 - 30) set of passwords if only you help your memory with it. A few helpful hints were included so please don't get mad if I repeat them.
For example, take a list of persons or items from a part of your life or hobby (i.e. classmates' names, friends' birthdays, a set of toys etc.), and use it as a base. Use associations that are very likely to be familiar only to you. Write one set down as a reminder (what association to what usage) and alter the second set in a specific way, like substituting all 'f's with an asterisk, inserting a comma after a vowel or converting letters to digits (bu7 n07 7h3 08v10u5 l4m3 c0m81n4710n5!)
Most importantly, practice typing your password to memorize the keystrokes.
I admit it takes some time and consumes some brainpower, especially when new items or sets have to be generated, but training your mind is only beneficial! You can always keep it simple: most secret and specific things for most important stuff, same lame or obvious sequence for different non-related utilities.
Example: use the first three letters of birthplace or residence, followed by a number of engine horsepower for a set of your classmates (their altered names will serve as passwords) and write that down next to an index of the passworded services you use (you may somewhat encrypt those, too; you surely have stimulating associations on your mind that will prevent your peeking work colleagues from directly deciphering what pr0n sites you prefer). Unless you tell what your little system is about, you're reasonably safe for personal use and the index of coded hints (preferably stored somewhere personal and handy at the same time) means nothing to anyone who might try to peek into it.
The whole point of security is that it can't be foolproof, but that it's made too hard, too time consuming (expensive) and too unlikely to be compromised.
Finally, technology will advance to something more user-friendly and safe at the same time, but those willing to train their brain an extra curl will always have an advantage.
It doesn't have to be my current password, does it?
I guess it could also be something from BugMeNot.
Is it dark chocolate?
Is it good quality?
I'm not cheap, you know.
I don't know the meaning of the word 'don't' - J
Currently doing support for mostly athletic coaches and staff I see this all the time. Most users don't even understand why they need a password. Better yet, trying to get them to use a variety of characters and not word based passwords.
The best I was ever able to describe it to the worst of the users was that a password is very similar to a key to your home. Your computer contains almost as much information about you as your house does; do you leave your door open and unlocked for anyone to walk in? And trust me, that only helped explain it a little.
Bosco! Bosco!!!!! It was said that my mother once took a lover... perhaps his name was Bosco.
At the company I work for (hint: it's mentioned in the Slashdot blurb), people will give you their password just by ringing them up; the helpdesk will reset their password most of the time with just your name and a frantic "I'm going on air in 20 minutes!". Occasionally they want your extension number too.
About half the users have a password of (all lower case) "monday", or another day, or the current month (this is what the helpdesk sets when they do forget their password; they just don't change it).
Trouble is the more complex a password you force them to have, the more chance of them writing it on a post it on their monitor.
Posting anonymously of course.
I don't need to get someone else's iris. I only need to get the number that the iris scanner generates when it scans that person's iris. Then I can feed that number to any system "protected" by the biometric and I'll be let in. Now show me how that person will get a new iris in order to be able to set up a new, uncompromised account.
This is one of the many multitude of reasons why biometrics are a stupid idea for stupid people.
My understanding is that Samba 3.0 is supposed to solve that issue. Haven't tried it tho.
----
Open mind, insert foot.
What's that work out at? About 1 in 7 passwords are password. I dare say a lot are username/username as well.
It would be interesting to see how these people reacted if we went round and removed the keys to their desks/offices and told them we saw no reason why they should need to lock them.
Bah. I want more. My password is up for auction on ebay...
I'm in the Air Force and have to remember so many different passwords. I have come up with my own password algorithm for choosing my passwords and changing them every 30 or 90 days. Some passwords require only numbers, and others don't mind just letters. Some you have to have letters, numbers, a symbol and at least one letter has to be capitalized, and of course can't contain a real word within it. All of these are very easy to remember if you have standard procedures for choosing them, i.e., take a word from what's on your desk, say... "pavilionf170". Get rid of the vowels: "pvlnf170". Now capitalize one letter all the time: "pVlnf170". When you need to change passwords, just come up with an algorithm like rotating the letters, or incrementing a letter every time.
Mark
Please send all your usernames and passwords to me and I'll look after them for you.
Nominal fee of US$5 per month.
I'll issue you with one master password which you can use to identify yourself to me to gain access to your passwords.
"goatse? What's that? Anyone have a link?" - AC
We're so screwed when people have become so stupid that they are unable to maintain a password. I still wonder why we don't have a little keychain swipe card thingy to login to our computers.
And now you posted it on Slashdot. You're going to hell for that... ;)
Are the people who will not give their password, no matter what. As "the IT-guy" I require access to just about all computers here. And yes, that includes the end-user desktops/laptops. And there are some people here who simply refuse to give me the passwords to their system! Noooo, they have to type the password themselves. And that means I have to drag them from their meetings and such just so they can log in to their machine so I could work on it!
Hell, I have received maybe 200 passwords while working here, and I don't remember any of them. I don't keep them stored anywhere, and I don't have eidetic memory, so there's no risk. And still I hear the "I use the same password in several places, and I don't want to change all those passwords if I gave you my password!". If you are so careful when it comes to security, you shouldn't use the same password everywhere! And yes, you CAN give your password to the IT-department if they walk up to you and ask you for it. If you don't... well, we can always reset your password!
Sheesh, some people....
Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
Watch Minority Report .
John Anderton: I'd like to keep the old ones.
Dr. Solomon: Why?
John Anderton: Because my mother gave them to me.
JA
http://www.johnalex.org/
I mean, who would guess "Cadbury"?
Norman Cook's Ode to Sl
Us Brits will also willingly cough them up for a cheap pen. Every man has his price, you know.
When I am king, you will be first against the wall.
In other news, Hershey acquired by the NSA.
Ed Skoudis (of http://www.CounterHack.net and other fame) had recently proposed at a SANS conference I went to that everyone should go with passphrases, rather than passwords. I have to agree. Why not remember "MyGoldenRetrieverIsUberCool" rather than "AB12CD!@%asd3asd"?
Either one requires you to know how to type, and a passphrase will more likely be able to be typed without being a contortionist.
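The passphrase-versus-password comparison above is worth putting numbers on, because a long passphrase looks far stronger to a character-class strength meter than it is. This is an added example, not code from Ed Skoudis, SANS or the poster: `entropy_bits()` gives the entropy of the generating process (uniform picks from an alphabet or a word list), `charset_estimate_bits()` gives the figure a naive meter would report, and the two generators build secrets with `secrets` so the entropy claim actually holds. The 32-word list is constructed for the demo; a Diceware list has 7776 words, which is the figure used in the comparison.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed 32-word list for the demo (assumption: a real deployment would
# use a full Diceware-style list of 7776 words).
WORDLIST = [
    "golden", "retriever", "uber", "cool", "maple", "harbor", "velvet", "candle",
    "orbit", "salmon", "pixel", "meadow", "anchor", "copper", "lantern", "quartz",
    "ripple", "saddle", "thimble", "walnut", "yonder", "zephyr", "basil", "crater",
    "dusk", "ember", "fjord", "gravel", "hollow", "ivory", "juniper", "kettle",
]


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret built from `symbols` independent uniform picks."""
    return symbols * math.log2(choices_per_symbol)


def charset_estimate_bits(password: str) -> float:
    """What a naive strength meter reports: length times log2 of the classes seen.

    This overstates any passphrase made of real words, since it assumes every
    character was chosen independently rather than five words from a list.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)          # 32
    return len(password) * math.log2(size) if size else 0.0


def random_password(length: int) -> str:
    """Uniform random characters: entropy_bits(94, length) bits."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_passphrase(n_words: int, wordlist=WORDLIST) -> list:
    """Uniform random words: entropy_bits(len(wordlist), n_words) bits."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


if __name__ == "__main__":
    print("16 random printable chars:", round(entropy_bits(94, 16), 1), "bits")
    print("5 Diceware words:         ", round(entropy_bits(7776, 5), 1), "bits")
    print("meter's view of the phrase:",
          round(charset_estimate_bits("MyGoldenRetrieverIsUberCool"), 1), "bits")
```

Five words drawn from a 7776-word list carry about 64.6 bits, roughly what a 10-character random printable password carries, yet a character-class meter rates "MyGoldenRetrieverIsUberCool" at about 154 bits. The passphrase is still the better choice for the reason given in the post (it can be typed and remembered), but its strength comes from how it was generated, not from its length on screen.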
How was this experiment controlled, or verified? Did they test the passwords they were given to make sure the people weren't faking to get chocolate and gifts?
That password isn't worth a lump of sweet brown anything.
You work for some cruddy company which treats you poorly and requires that you key in your arcana ten times daily just to access the word processor?
Who the heck cares about that one?
Question is, why would somebody want your password? Don't they have their own? When it comes down to the crunch(y bar), when Betty from down the hall, (who everybody knows is a manipulative sociopath), offers you a Snickers Bar for your password, you'd have to be just about 70% stupid to accept.
This question is so academic, it could only be a Slashdot article.
-FL
Finally, this will be an important concern in the future: already we are able to shop online, and the future where all transactions go via the internet is near. One account (a la .NET) will be enough to deal with fueling up a car or buying a bunch of roses. Probably then the attitude will change, when some smart scammers burn some people's fingers...
This is exactly the same problems that Bruce Schneier has been trying to warn us about. In the end, we are all responsible for our own security. The illusion of security is extremely dangerous. A significant number of people will choose to believe in the illusion, reducing real security.
I do agree that it is hard to remember gobs of passwords, but at the university that I work at most people can't remember their passwords when I switch out their old computer for a new one. It makes my life a real joy because they don't know how the heck to get into their email/other application. Thank goodness for whatever little utility I've got that looks behind the asterisks...makes my life just a little easier. I could get the help desk to reset it, but that means that I have to have the client do it because they require a social security number.
This is proof that people just don't care about computer security, which should make all of you tinfoil hat types sit up and recognize that when you're screaming "WINDOWS ISN'T SECURE!!!", nobody really listens and nobody really cares. THAT is why Windows is so popular. Linux & such may be more secure, but when it comes down to it, most people just don't give a shit.
Suppose I have a computer at work. The boss says I have to have a password. But I don't really care about it. It's not my computer; it's not my data.
It's like a key to the building; if thieves come in (after work) and steal all the computers, I might experience some inconvenience. I might even lose my job. But then, if the boss loots the company and flees the country, I might lose my job; and the boss already has a key.
I think in 20 years, we're going to look back at this time period, shake our heads, and be baffled that we ever let end users handle their own security. They obviously cannot be trusted.
When you work for a big company (as I do), you are trained about using passwords and computers securely (although the training is pretty obvious). Joe Sixpack who signed up for Netzero and thinks online banking is really cool never got this training.
These are the same people who undoubtedly would love to see good folks like Mitnick rot in jail for getting their passwords from them with a bar of chocolate.
Did the researchers actually check that the passwords worked, or were they tricked out of chocolate by some very wise, if lying, respondents?
Andrew Oakley - www.aoakley.com
My password is password My IP is 127.0.0.1 Now where's my chocolate ???
The survey is focused on their computer passwords. The responses from the people are typical considering the average person does not know how much is tied to that password. "I don't have anything special in my email that someone can read..." or "What can someone do with my password...?"
The survey should have also asked the following questions:
1) Please specify your major credit card number and expiration date.
2) Please specify your address, bank account number, and SSN (if it applied to citizens of the United States - otherwise insert THEIR form of special identification).
Would the numbers have coincided as to who revealed that particular bit of information? Absolutely not. The average person would see the risk in giving those pieces of information to a complete stranger.
If a direct association could be made between their Internet password and their money, those people would have guarded their password under lock and key. Why? Because the loss of money is readily understood, versus having to call an ISP and say "Someone hijacked my account."
Although people may be tired of using passwords (or PIN numbers), they are still a somewhat effective means of preventing improper access to their assets, be it Internet access, money, or personal information. The quality of the password is directly related to the importance of the stuff being protected.
The article cites that birthdates, pet names, etc. are common passwords. However, if someone applied the same level of protection on say...
Instead of asking that 16-digit number (an abstract version of a password), one were to ask "What is your credit card phrase?" Answer: "Buddy."
Instead of asking that expiration date, one were to ask "What is your age?" Answer: 30. These easy "passwords" would make it easier to make fraudulent charges on someone's account.
Public awareness of the importance of securing their own personal information is a key issue that needs to be resolved. Using an easy to understand analogy would be a good first step for those who are being surveyed.
Ayup
is **********.
Now, where's my chocolate?
This is not my sig.
It irks me, because even if I wanted to use a completely different password for every login, there is no pattern or strategy I can follow to appease all of them.
"Love heals scars love left." -- Henry Rollins
At an ATM you may be right, but we were talking about a fingerprint scanner hooked up to your home PC, right? All it takes is for someone to hack his scanner to disable this security feature, or build his own, and he can just send any fingerprint image he wants.
I think it's simple: fingerprints are not secret, and therefore not a secure way to log in.
One of the lessons of history is that nothing is often a good thing to do and always a clever thing to say. - Will Duran
The iris scan is turned into electrical impulses signifying bits at one point or another. If you can get a hold of that series of bits, for all intents and purposes, you have their iris.
But why is the rum gone?
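The replay objection raised in the biometrics comments (the scanner's output is the credential, so whoever captures it can present it again) is exactly what a smartcard/PIN design from the earlier post avoids, because the card proves it holds a key by answering a fresh challenge instead of sending a fixed value. The following is an added example, not code from any poster or product: `StaticTemplateVerifier` models the replayable scheme, `SmartCard` holds an HMAC key that is only used after the correct PIN (and locks after three wrong PINs), and `ChallengeResponseVerifier` issues a one-time nonce per login. Keys, PIN and the template bytes are constructed for the demo.

```python
import hashlib
import hmac
import secrets


class StaticTemplateVerifier:
    """The scheme the posters object to: the scanner's output is itself the credential."""

    def __init__(self, enrolled_template: bytes):
        self._template = enrolled_template

    def login(self, presented_template: bytes) -> bool:
        # Whatever value matched once will match forever; there is nothing fresh to check.
        return hmac.compare_digest(self._template, presented_template)


class SmartCard:
    """Holds a secret key that is used only after the right PIN; locks after 3 bad PINs."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin = pin
        self.tries_left = 3

    def respond(self, pin: str, nonce: bytes):
        if self.tries_left == 0:
            return None                                   # card is locked
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            return None
        self.tries_left = 3
        # The key never leaves the card; only a MAC over this one nonce does.
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class ChallengeResponseVerifier:
    """Server side: a fresh nonce per login, so a captured response is useless later."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response) -> bool:
        if self._pending is None or response is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None                              # one attempt per nonce
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    template = b"constructed-iris-template-bits"
    static = StaticTemplateVerifier(template)
    print("replayed template accepted:", static.login(template))

    key = secrets.token_bytes(32)
    card, server = SmartCard(key, "1234"), ChallengeResponseVerifier(key)
    first = card.respond("1234", server.challenge())
    print("fresh response accepted:", server.verify(first))
    server.challenge()
    print("replayed response accepted:", server.verify(first))
```

The server here is given the card key directly, which is the simplest model; the same exchange works with a per-card asymmetric key where the server holds only the public half. Either way, the point the posters make stands: the iris bits are a fixed value and cannot be revoked, while a card key can be replaced and a response is bound to one nonce.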
At my school, we just implemented a new password system whereby the password must be between 8 and 12 characters long, contain at least 1 number and cannot be the same as the previous 3 passwords used. The password must be changed every 60 days. I can't even count how many people piss and moan about it. "Why can't I just use the same password?", "Why does it have to be so long?", "Why do I have to keep changing it?", "I don't care if someone hacks my account because there's nothing important on there," et cetera.
These people need to realize that it's not just about protecting their data. It's about protecting the network. If a student's password gets cracked, the cracker now has access to all the university resources that the student does, including site-licensed software, VPN access, and therefore send mail server access, since we require all mail being sent through the SMTP server to non-internal addresses to come from the local network to prevent spammers from using our server. In the case of a private business, confidential documents are at risk. Employees store sensitive documents on their computers, so those computers had better damn well be well-protected. If the employee is careless with that data, he should simply be fired. That'd be like someone in the 1950's leaving the office unlocked every night. It's inexcusable.
This isn't some technocrat rant about how everyone should be proficient in computers. This is simply a reality; the necessity for security is there for almost every aspect of one's life, and that people are so careless with their computer's security is extremely disturbing. Honestly, who do you know that bitches and moans about having to use a separate key for both their car and house/apartment? But users constantly whine about having to remember too many passwords. You have a fucking memory; use it and quit bitching.
Interesting? I take it you haven't seen the film Hackers?
Overrated? I take it you haven't seen the film Hackers?
And "I'm tired of passwords, so I'm going to give it to a stranger" doesn't really parse.
--- Ban humanity.
...would actually give out their passwords. My guess is that the responders that said they would were users who had no idea of the implications, but whose passwords could (hopefully) do very little damage. As opposed to sys admins who probably wouldn't give out their passwords to the systems that they hold dear and would have to ultimately fix anyway.
SSH keys are a dream and make remote admin very easy. As long as your home system ain't too compromised it is also safe. Bunch of keys on the keyring/agent and off you go.
But this is only for unix users and then on an admin level. Why do the ordinary computers users and windows freaks not have something physical? A key you stick in a holder that takes care of the login?
Well they exist of course. Keycards and similar are nothing new but so far no one seems to have made one that can be cheaply fitted by Dell to each PC.
Then again MS tried to do something about all that login trouble. Something called passport? Wonder what happened to it. Oh wait. People didn't want to use it.
Trouble with PC's is that people expect them to do magic without them even waving their magic wand.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
It's often the rules around password generation that make this happen. Let's look at a typical company. You probably have 3 plus passwords to remember, some of them likely expire (ours expire monthly) without letting you use repeats. Now, some people I'm sure will come up with some great random words and methods to memorize them easily. However, once you get past about 5 people who understand security, the rest of the company is going to come up with a scheme to just figure out their own passwords because they just want to do their work everyday and don't want to deal with this problem. At our company, the scheme is invariably one of two options: 1) Write it down on a post it note and stick it on the front of the computer. 2) Come up with one word, and increment a couple letters in it each month. Neither method is too secure, and neither one would be used if it weren't for the total number of passwords required and frequent changes combined with a large number of users. Once you get past about 5-10 people in a place then you know a ton of users will find an easy way out. At that point added complexity to your password rules probably makes you less secure. What's more secure, allowing people to use english words and change once every 6 months, or having non english words with 1 month changes and having 2 dozen people in your place of business post their passwords on a post it on their computer?
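The school policy described earlier in the thread (8 to 12 characters, at least one digit, not one of the previous 3, changed every 60 days) and the "one word, increment a couple letters each month" workaround from the post above, like the Air Force poster's rotate-a-letter scheme, are two halves of one problem: a history check on hashes cannot see that "Spring2005b" is "Spring2005a" plus one keystroke. The following is an added example, not code from any poster or institution: the history is kept as salted PBKDF2 hashes, and because the user must supply the current password to change it, the new one can also be compared to the current one by edit distance, which is the check that catches the increment trick. User names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets

HISTORY_DEPTH = 3           # "cannot be the same as the previous 3"
MIN_LEN, MAX_LEN = 8, 12    # "between 8 and 12 characters long"
PBKDF2_ROUNDS = 50_000      # demo value; tune upward in real use


def _pwhash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot 'same word, bump one letter' changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class PasswordPolicy:
    def __init__(self):
        self._history = {}   # user -> [(salt, hash), ...], newest first

    def problems(self, user: str, current, new: str) -> list:
        """Every rule the proposed password breaks; empty means acceptable."""
        out = []
        if not MIN_LEN <= len(new) <= MAX_LEN:
            out.append("length must be 8-12")
        if not any(c.isdigit() for c in new):
            out.append("needs a digit")
        for salt, h in self._history.get(user, [])[:HISTORY_DEPTH]:
            if hmac.compare_digest(_pwhash(new, salt), h):
                out.append("matches one of the last 3 passwords")
                break
        # Only possible because the change request carries the current password
        # in the clear; the stored hashes alone could never show similarity.
        if current is not None and edit_distance(current.lower(), new.lower()) <= 2:
            out.append("too similar to the current password")
        return out

    def change(self, user: str, current, new: str) -> list:
        """Apply a change; returns the list of problems (empty on success)."""
        hist = self._history.get(user, [])
        if hist:
            salt, h = hist[0]
            if current is None or not hmac.compare_digest(_pwhash(current, salt), h):
                return ["current password incorrect"]
        out = self.problems(user, current, new)
        if out:
            return out
        salt = secrets.token_bytes(16)
        self._history[user] = [(salt, _pwhash(new, salt))] + hist
        return []


if __name__ == "__main__":
    policy = PasswordPolicy()
    policy.change("alice", None, "Spring2005a")
    print(policy.problems("alice", "Spring2005a", "Spring2005b"))
```

The similarity threshold of 2 is a demo choice; the check only sees the current password, not older ones, so a user who alternates between two distant words still passes until the history window catches the repeat.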
It works the other way around: poor Microsoft security has ruined all computer security. Most "security" on Microsoft systems is nothing more than an inconvenience to the honest user. In a corporate environment all of the inconveniences add up to a huge ass pain and the user gets blamed when the system gets rooted again anyway. People using such systems know they don't work and are resentful. Worse, they are deeply suspicious of anyone who would tell them that there are good security practices that are not difficult to use.
I know, I've worked at a fortune 500 Microsoft Partner. It was big windows stupid and it sucked eggs. Reasonable security on an institutional scale was figured out decades ago and is implemented well at places like MIT. You can't just bandaid that kind of system into a single user OS that automatically opens and runs email attachments.
Big dumb companies are especially hard pressed to deal with each other. They are so paranoid about losing their precious "IP" that they can't share anything without having you memorize a new random sequence of characters and signing a 10 page agreement to never tell anyone else what you know. It's a tin foil hat at the executive level that drives these half ass security measures. The same executive moron lets his favorite vendors remove his tin foil hat in the next instant and that's why you have all these stupid windows networks paining everyone to begin with. It's stupid from the top down.
Friends don't help friends install M$ junk.
How many of you went to the slashdot login page and tried to login as CmdrTaco using the password "hershey"?
I've finally had it: until slashdot gets article moderation, I am not coming back.
...intelligence is a minority. Studies have now proven that the earth is populated by morons.
I wish I could use SecurID (or something like it) for everything. It would dramatically simplify my life.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
Biometrics used in combination with a traditional password scheme would be more secure than just the password itself. Consider this:
A system that monitors the timing of how you type in your password. This can and has been done in software. For a hardware solution, we could use a keyboard/keypad that monitors the velocity of each keypress. These people have done something similar for handwriting recognition.
Heck, we could even add fingerprint identification to our hardware solution and determine not only who is entering the password but which fingers were used to press which keys. It would cost quite a bit more for a reader in every key but that's paranoia for you. How much are you willing to do to protect your data?
For most internet users there is no real value attached to their computer accounts.
Then...
This, I think, is a big problem and the only way to solve it is to re-educate people for them to understand that such a password is important.
I hope I'm not quoting you out of context here. But you appear to have directly contradicted yourself. First you say there is no real value attached to an account. If so, how is the password important? You just said it has no value.
I don't mind admitting that my user account on my home machine has no password. That's ok. There's no password to my (physical) filing cabinet either. Access to both rests on access to my house, and my house is locked. I think that is how most people see it.
You may want to protest that access to a computer doesn't need physical access, but I disagree. In my case (and in most domestic cases) it does. If you were to try to access my computer right now, I guarantee you would fail, even if I told you the IP address. That's because it's switched off. Even if it were switched on, you'd have to find a whopping great remote-access exploit - because it is behind a firewall with no open ports.
we have our vending machine authenticate via LDAP.
How do they know this doesn't just show people are dirty lying bastards? I'd give up a random string of characters I made up on the spot for a bar of chocolate!
If you liked this thought maybe you would find my blog nice too:
About 5 years ago, I set up an NT machine for this one lady at the office. Since then, I've forgotten the Administrator password. I've tried and tried to remember it, but so far, nothing.
I really don't want to bother reinstalling NT on the machine.
The woman retired last year and we have a new hire to take her place. The new woman knows absolutely nothing about computers at all. I'm tempted to install Linux on the machine and train her on that.
I just moved all my financial stuff to one bank, for exactly two reasons. Firstly, the interest rates sucked where I was before. Mostly, I required four 4-digit PIN numbers, six 10+ digit ID numbers, three "memorable" words, and two more 6-digit code numbers, just to manage my darned money! (For anyone who's wondering, that's a budget and a current account at the bank, and the two credit cards I use occasionally -- just four "accounts".) Go ahead and tell me that's not silly. My new stuff will require one PIN, one numerical ID and one password in total, BTW.
I love people who think this sort of nonsense is actually good for security, as well, particularly those who force me to use something really cryptic for a password. Take UNIX, for example. Just the other week at work, I was trying to change my password on our office systems, of which there are many. Unfortunately, for the various inter-system logins to work without irritating me every few seconds, I need the same account name and password on all of the systems. That's wonderful when, after spending a silly amount of time updating these on several independent systems, I then find that one of the UNIX platforms thinks my new password is too like a dictionary word! I KNOW IT'S LIKE A DICTIONARY WORD, F***WIT, I CHOSE IT!
User interface rules 101: by all means offer unobtrusive advice, but the user is always right, and there should always be a "No, just do what I told you and shut up" option. No, you don't know better. And no, I don't care if you're the sysadmin.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Ironically, you're probably right. A combination of two real words, possibly with a random digit stuck in between them or replacing a letter or two, is one of the best choices for a password: it's far more memorable to most people than a random character string, but defeats your average dictionary attack.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
In case I forget it!!
Biometrics used in combination with a traditional password scheme would be more secure than just the password itself.
I don't even advocate that.
As I said earlier, fingerprints and the like fail for any sort of security use because they are not secret.
And as for things like monitoring HOW you type your password, I think it's a bad idea. Personally, I probably have about 5 different typing styles depending on what else I'm doing and how much attention I'm paying. Then there's also the problem of "What if I break my finger?"
Personally, I'd rather have better locks on my car than a lock that monitors how fast I turn the key. While it can be argued that adding basically ANY step to a security system makes it more secure, the real thinker should consider that energy is better expended elsewhere.
One cool password authentication scheme I've seen was where your password was a series of tasks to be performed on a set of objects. The concept was that you could watch me enter my password once, but you wouldn't be able to access the system because the objects to perform the tasks on would change.
Even a keylogger wouldn't help with that situation.
The only way to get my password would be for me to tell you the set of tasks or for you to watch me enter my password many times.
Unfortunately, the guy's implementation was too difficult to use.
Life is too short to proofread.
i bet you they do not know what this card does. therefore, if you offer a chocolate for the card, they will show it to you
A securID displays a 'random' number. It's keyed to a PIN. The 'random' number must match the value generated (by a h/ware device at the other end of the network) for that PIN for that time period.
i.e. my card is currently reading 144800. That does you no good right now, unless I tell you the PIN. Even if you got hold of the PIN, the value 144800 will be no good to you by the time I finish typing, because a new key-pair will be generated.
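The time-bound code the poster describes, as an added example that is not part of the original comment and not RSA's actual (proprietary) algorithm: a stand-in built on the public HOTP/TOTP construction, with a constructed seed and PIN, showing that a code is refused once its window has passed or once it has already been used.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a hypothetical token seed shared between the
# hardware token and the verification server, and the user's PIN.
TOKEN_SEED = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed
PIN = "4821"          # constructed example PIN
STEP_SECONDS = 60     # how long one displayed code is valid


def token_code(seed: bytes, now: float, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Code the token would display for the time window containing `now`.

    HMAC-SHA1 over the window counter with dynamic truncation, the public
    HOTP/TOTP construction (RFC 4226/6238), used here as a stand-in.
    """
    counter = int(now // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class OtpServer:
    """Verifies PIN + displayed code and refuses reuse of a code in its window."""

    def __init__(self, seeds: dict, pins: dict, step: int = STEP_SECONDS):
        self.seeds = seeds
        self.pins = pins
        self.step = step
        self.last_counter = {}  # user -> last window counter that was accepted

    def verify(self, user: str, pin: str, code: str, now: float) -> bool:
        seed = self.seeds.get(user)
        if seed is None or not hmac.compare_digest(pin, self.pins.get(user, "")):
            return False
        counter = int(now // self.step)
        # Replay protection: a code already accepted in this window is refused,
        # so someone who saw the code typed cannot reuse it right away.
        if self.last_counter.get(user) == counter:
            return False
        expected = token_code(seed, now, self.step)
        if not hmac.compare_digest(expected, code):
            return False
        self.last_counter[user] = counter
        return True


def demo() -> dict:
    """Walk through the poster's scenario; returns the outcomes for inspection."""
    server = OtpServer({"alice": TOKEN_SEED}, {"alice": PIN})
    t0 = 16666666 * STEP_SECONDS  # start of a window (constructed timestamp)
    shown = token_code(TOKEN_SEED, t0)
    return {
        "first_use": server.verify("alice", PIN, shown, t0 + 5),      # True
        "replay_same_window": server.verify("alice", PIN, shown, t0 + 20),  # False
        "wrong_pin": server.verify("alice", "0000", shown, t0 + 25),  # False
        "after_window": server.verify("alice", PIN, shown, t0 + STEP_SECONDS + 1),  # False
        "next_window_fresh": server.verify(
            "alice", PIN, token_code(TOKEN_SEED, t0 + STEP_SECONDS + 1), t0 + STEP_SECONDS + 1
        ),  # True
    }
```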
In many cases, I think the employees are actually right, too! Just last week, I completed the migration of a network from an old Windows 2000 server to a brand new one with Active Directory put in place, etc.
During the migration, I discovered that the vast majority of the file shares were configured so "everyone" had full control. The only "security measure" they really had in place for them was hiding them (putting $ on the end of the share name so it didn't show up in browse lists).
They'd been happily using this environment for years, with no real incidents, too.
The average I.T. worker loves to analyze this type of environment, and go ballistic about the lack of security -- but in reality, you're talking about a fairly small business where if something really needs to be "kept away from prying eyes", it's not going on the file server in the first place. Passwords really are a non-issue for people like this, because everyone pretty much has equal access anyway.
"not foolproof"? You can defeat it with a Gummi Bear:
http://news.com.com/2100-1001-915580.html?tag=f
And, even if the sensor detects, say, body heat, you just keep the gelatin next to your skin until you use it. But I doubt an outdoor ATM will have sensors for body heat - too many variables. (You run out on a winter's morning to get cash, and neglect your gloves - the ATM rejects your thumbprint because your thumb is too cold? Ha - banks would change that in a flash!)
Sadly, I've seen public computers with IE set to save passwords without prompting so people logging into wherever on those machines have their passwords stored on the machine indefinitely without ever knowing because one person checked the option to "never show this dialog again."
To: All Employees
Subject: New Chocolate Security Policy
It has come to our attention that chocolate has been found to be a new type of computer security threat. In the interest of assuring proper computer security and protection of company assets chocolate will be banned from corporate facilities and corporate-sponsored events. Employees are expected to report immediately to corporate security any incidents of suspicious offers, bribes or exchanges involving chocolate by other employees, competitors or members of the public. This policy is in effect immediately.
We appreciated your help in making Initech a safer place to work.
Provisional Security Manager
William 'Bill' Lumbergh
No, really, what's wrong with that?
I use passwords to protect my online traffic.
I use a deadbold to protect my apartment.
If a thief did break in- do you have any idea how much paper I have strewn about? Do you know how long it would take to find my password?
My handwriting alone has to be equivalent to at least 1024 bit PGP encryption.
Write passwords on paper, and memorize them. It's simple. If you forget, you can try every password on your paper list.
I use the Gator! eWallet (tm)! it remembers all my passwords for me!!!!!!!111111
But the numbers of "whatever" grow to insane amounts. I'm a student and I work 2 part time jobs. So I have ~5 various user/pass combos given to me by the university. One of my jobs requires me to remember ~15 user/pass combos (all on slightly different rotating schedules and all with different length/format requirements). I also have a second job where I take care of a few smaller networks. So here I need to remember various administration passwords (which I obviously have as different between each network, and I rotate those about every 2 months). That probably relates to another ~30 user/pass. Then there is my personal life (e-mail, web accounts, banking sites, personal computers, etc). All told that's about 50 user/pass combos that I need to remember just for work/school. Remembering that most of these work on a rotating basis too.
Now the only way I can actually remember all of these is often by using a password wallet program. There is no damn way I could remember that many passwords.
What also needs to change is the password reset abilities in a lot of places. One of my jobs is @ a helpdesk for a local ISP and as a result I work evenings/weekends a lot (it works with my school schedule). Now if any of my passwords need to be reset I need to submit a ticket to IS security who will then reset it the next business day! So if I'm in working on a Friday night and I forget my password, I need to wait till Monday morning to get a password reset. So basically I could come in and be unable to do my job because I forgot a password and can't get it reset for 3 days. I recognize the need for me remembering my password, but you'd think in a company with ~10,000 people they could at least have 1 person working IS security over the evening/weekend to do workstation resets.
but what makes you think it would be my real password
I'll do it for free right here. It's 12345.
Vote for new mod!!! Score:-2,Imbecile
The main problem I have with biometrics is that it usually isn't even your attributes, it is just a syndrome of those attributes. For example, your fingerprint is converted into a bit pattern that can be captured and replayed. At least with a password, it can be changed.
See my journal, I write things there
I use only 6-digit alphanumeric passwords, for instance 'zbw35f', because they're easy to remember (two groups of three characters). I use four of these for almost all of my passwords, but in order to get more mileage out of the sequence, sometimes I'll use the same one twice in a row, e.g. 'zbw35fzbw35f', or I'll put two different ones together, e.g. 'zbw35fwe8fe4'. This gives me a very large number of potential passwords which would be difficult to crack, and I only need to remember four sequences in all.
... I just keep a sheet with the name of each site, and next to it the FIRST CHARACTER of the password. For instance, if I used the above password, I would abbreviate it to 'z'. The doubled one would be abbreviated to 'z z'. The compound one above would be 'z w'.
As for the 'writing down' problem
The actual passwords are written on a piece of paper that I keep in my safety deposit box, in the bank, right next to my passport, birth certificate, etc., so that if I die an untimely death, my wife will eventually find the sheet and she'll be able to access my email, etc.
I have seen it done on three occasions, each time someone who has just fallen asleep ( cat/power napped ) at their desk.
and not chocolates when I enter my root password to login on websites such as Slashdot?
-- "I can't tell the future, I just work there." -- The Doctor
go go
go dw go go go
dw b. goode
andriy_sb hotsexnospam yahoo.com
... why I gave up sysadminning to go back to programming. Next time they ask, I'll just point them to story id 104740 on /.
MacOS X makes it trivial to build a small, encrypted disk image. Make up a strong password for that image, store passwords in -rw------- text files on that image and you're set. As long as you unmount the disk image after each use, it's pretty easy and modestly safe. Using a technique like this, I make up a semi-random password for *every* computer, website, maillist, etc that I access. The three or four most sensitive passwords (GPG passphrase, etc) don't go in there, though. Those stay only in my head.
A nice alternative is Secret! for PalmOS which, similarly, encrypts a simple text file.
I'm on a different computer :-)
most users hate passwords -- it's just one more useless piece of information they resent having to remember in order to get things done.
for example, i was trying to migrate my dad from mac OS9 to OSX, and he refused to use OSX because it required a login whereas OS9 didn't - in his home situation, it was just an extra impediment standing between him and using the machine to get things done. of course, i set the auto-login feature for him, but the passwords fundamentally annoy him.
he complained that as far as he was concerned that he already had a password for his email, and adding a second password on top of that for a login (what!? a password to turn the machine on -- i don't want it!) was just going from bad to worse. so i reminded him that if he gets email, he already uses a password, and with the keychain, he would still need to remember only one password for the login, and the email would pick-up off the keychain -- meaning that his password load would not double as he feared.
he still refuses to switch to OSX from OS9, 'because of all those #$%#$% permission passwords -- why can't i just get at my own hard disk in my own house!?' -- to a geek on the internet, the necessity of passwords is clear. but for the average home user they're just a pain that gets in the way.
john penner
(toronto).
So you could create a password that consists of:
up right right f7 f2 other random chars F2 down left
Thanks for the cheat.
Would that give you unlimited caffeine, and excellent karma?
I've got a cheat that turns off periodic crashing in Windows 98:
up right down down left left left up up up enter
The timing is important. Let me know if it works.
My voice is my passport!
Passwords will be abolished. Each site will prompt you with randomly generated text, which you will encrypt with your private key, and return to the server.
Then they know it's you, and you never have to remember any silly passwords.
The passwords don't cycle back to the top - they drop off the bottom when they've been used as the 'chocolate password.'
This is a bit off-topic, but a friend of mine had an account at a bank that would only allow you to access your information if you could answer a particular question. You could set the question and answer to whatever you wanted. His question was:
"What are you wearing?"
His response?
"I don't think that's an appropriate question."
--Stephen
Did you ever notice that *nix doesn't even cover Linux?
...to open. Why can't my support|itstaff|it people send me this e-mail notification without a god***mned password!
"According to a recent survey, more than 69.6% of people don't answer polls. Over a third of the people surveyed love answering polls, and most indicated that they were fed up with having to take polls at all. Over 10% of those surveyed were not available for comment at the time of the poll."
my karma will be here long after I'm gone
lol computer users revolting against the computers ;)
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
would also lie a little white lie you couldn't check if you offered them anything for it.
..and in other news people would like to be able to leave their houses unlocked and the car keys in the car.
the rest would just think that the candy bar sucks.
world was created 5 seconds before this post as it is.
The country that gave the world Tellytubbies is far too busy to be bothered with such trivialities! God Save the Queen's account... or better yet, get access yourself with a Hershey's Bar!
Try Gator! :)
You can't fight in here, it's a war room!
If they didn't test the passwords, maybe the public is smarter than the pollster? ;-)
Forget social hacking. Now we have candy hacking!
I'd gladly give up my password to many sites for a bar of chocolate. I'd be getting a great deal. Heck, I'll tell you all now: it's "password"... or sometimes if the sites use a dictionary check, I'll go for "password1".
A whole lot of the places I visit protect absolutely nothing of significance to me with their password. As in, maybe I can select a color scheme for a site, or similar. And for a lot of those, I know perfectly well I'll never go back to a site; I just have to do a one-time transaction. Exactly how concerned am I supposed to be that "hackers" might change my color scheme on a news website? Actually, a lot are even worse than that--like commercial newspapers (NYT and friends): I can't even change a color scheme, they just insist on me giving them demographic info. But it's a one way thing, you can't see or change it after "registration." Even if crackers -could- change how old the NYT thinks I am, why do I care about that exactly?
Opinions of security are probably harmed by the overuse of security measures where there is self-evidently no reason to have them. Casual users get in the habit of thinking passwords are just a nuisance... even when they -do- something significant.
Buy Text Processing in Python
At one of my jobs, we had a sysadmin who was an absolute nazi and treated everyone with extreme disdain, even though he was a clueless retard.
When I had to turn over my old pc to him, he asked me to make sure I clearly labelled my password as I was going on vacation. I attached a PostIt which said -
"Password: there is no password"
Of course, as you should've guessed, that phrase *was* the password. The poor schmuck struggled with it for a week before someone put him out of his misery!
hpnon9d8
Voice Print ID is just plain stupid. I enjoy typing passwords
I am a computer professional so maybe I play the game more than the non-technical. But if someone came to me and offered me a pen (last year) or chocolate for my password, I'd just make one up on the spot and give it to them. It wouldn't do them any good since it would work on anything, and I'd have the chocolate.
Thought I'd share this:
http://mr.unpopular.com/pwgen/
It's a password generator written in Javascript, which can give you passwords from severely-jumbled to memorable-but-not-from-the-dictionary.
My password is "password." Please send me a bar of chocolate. You can find my address when you login to my account.
[M]ore than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate
So, what would YOU do for a Klondike bar?
-Hentai [in vita non pacem est]
how many people were simply bullshitting? the UK seems notorious for bullshitting surveys.
and how many people would do that, but lie about their password? or promptly change it?
funny shit that
where do you work then?
learn from yesterday, plan for tomorrow, party tonight
or one out of three ain't bad
I used to have public/private passwords, but that never really felt like a good solution to me.
I have eventually started using Password Safe (though there are a dozen tools like it).
http://passwordsafe.sourceforge.net/
I remember a couple of account passwords and one long pass phrase. For anything else, I have to open the Password app and copy/paste. The good news is that I have a LOT of distinct passwords that are all randomly generated. The bad news is that I have to have my laptop to do much of anything. And, of course, backups are critical.
plus-good, double-plus-good
I can tell you the password I use, but it is unlikely that you will ever type it out right (ah, the advantage of phonetic data hiding). Unlike silly stuff like >
"Kaan Yoo Heere Mi Mnowe?"
feloneous
IANAL, but I've seen actors play them on TV
Announcer:"Sir, what would you do for a klondike bar?"
Man:"Um, I don't know...."
Announcer:"Would you stand on one foot?"
Man:"I guess..." (stands on one foot)
Announcer:"Would you act like a monkey?"
Man:"Yeah..." (makes monkey like sounds)
Announcer:"Would... would you kill a man?"
That's right. All your base.
I suppose he could have gotten away with locking the root account.
1 potatoe,
2 potatoe,
3 potatoe,
4,
5 potatoe,
6 potatoe,
7 potatoe,
more........now if I can only remember when to use which.
And then there are those who will just give up their passwords or other personal information if someone just plainly asks (without reward). Look at all of the SPAM e-mails and web sites that purport to be a legitimate company asking for a user's account id and password under the disguise of some sort of account update or maintenance. They may or may not look authentic to the average Joe computer user, but from what I have read, even though these sites and e-mails are usually only up for a short time, they are fairly successful at obtaining information.
Homer no function beer well without.
"most indicated that they were fed up with having to use passwords"
I would be interested if these same people leave their cars running while they step inside a convenience store.
while( !passwords_difficult_to_remember ){
    if( !exhaustive_to_type ){
        printf( "Hey admin, pwned\n" );
    }else{
        printf( "The money in your bank account stays yours.\n" );
    }
}
I am Bennett Haselton! I am Bennett Haselton!
In a very small business (for my purposes, single server, everyone on it, computer support is a part-time job [could be part of a full-time person's responsibility or it could be 'service contract' or it could be an actual part-time position]) - it's quite unlikely that decent security will be in place, even though it is needed just as much as any other business. With larger companies, there will be lapses as well, but that reality doesn't mean that these issues aren't important. To trot out a tired old horse: Just because everyone else does something stupid doesn't per se make it smart to do the same yourself.
"with no real incidents" - let me rephrase this: you probably mean "no known incidents". The error here is the assumption that only known incidents matter. What users consider to be "a real incident" and what actually can cause loss are two very different things. In my book it is an IT responsibility to deal with/anticipate/cover the gap between those two while minimizing the burden placed on users.
"everyone pretty much has equal access anyway" - Two problems here: First of all, please note the size of the gap between "everyone" and "all current employees of the company". Secondly - it would surprise me to see a company bigger than one person where every employee was truly a peer with a genuine need for equal access (both read and write) to every piece of information in the company.
"if something really needs to be 'kept away from prying eyes', it's not going on the file server in the first place" - If some data/file meets this requirement then it usually also satisfies two other conditions: 1.) complete loss of the data is relatively expensive, and 2.) when the person that usually uses that data is on extended vacation/illness then someone else will need to fill that role. All three of those are very strong reasons why the data should be on a server in the first place (backup, network access, better than workstation-level security).
Overall, I hear a lot of arguments similar to this: "We haven't had a problem before, why should we go to the effort to accommodate some security?" and the related "We don't have anything that we really need to secure anyway". There are a few very specialized environments where state really doesn't matter - where you could have the entire staff running off CD only machines. For just about every other office, it matters.
Just a handful of things (tasks/files/processes/data/whatever-you-want-to-call-them) to think about - especially in the context of 'every current employee' vs. 'every human on the planet': payroll, employee reviews, customer payment info, taxes. Nearly every company needs to track (some or all of) these things. Nearly every company must keep these things from being public (readable by everyone on the planet) information. Nearly every company with more than one employee has at least one employee that should not be able to change every single one of those things.
Given all of that, do you really want to suggest that the lowest common security stance among all employees is really the responsible approach in many cases?
And all because the Lady loves Milk Tray...
"Flyin' in just a sweet place,
Never been known to fail..."
At my wife's place of work (she's a research scientist for a major university) IT will delete the old passwords, then send out an email informing the employees that their passwords are no longer good and that they need to be changed.
Of course, to read your email, much less change your password, you need to log in. And you can no longer log in because your password has been deleted. Therefore, no one ever receives the email that their passwords need to be changed, nor could they do anything about it even if informed. Eventually enough people call up IT to ask them what the hell is going on, prompting them to restore the old passwords long enough for everyone to get on, read their mail, and change their password.
The IT department at her university has pulled this idiocy more than once. In fact, one time they restored the old passwords, everyone dutifully changed them, and then IT deleted the new passwords!
If ever there was an IT department where it was a requirement to have the word "LOSER" stenciled on one's forehead, this one takes the cake.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
considering that I could just change my password from my mobile faster than some pollster on the street could exploit it, I might, depending on how hungry I was.
For that matter, how do they know what I gave them was my password? And to what?
"A friend of mine is particularly anal when it comes to security."
Perhaps I'm being too literal, but does anyone else get the shudders thinking about where your friend keeps his car-keys?
But now seriously, how safe is it to have a base passwd and change a sequence number every time the sysadm (no offence, i have been one too) thinks you need to change your passwd again?
At work I use 7 different systems that I have to login to every day a few times. Some have the passwd system somehow linked (ldap) but most systems are independent. I am getting SOOOO tired of typing passwds and remembering passwds and having to change the passwd every 6 weeks or so.
I'd like to know a good secure system of generating passwds for myself that I can use on all 7 systems. Oh yes, they have to be exactly 8 chars/digits/special_char long...
thanks
Please give us links!
I always see stuff like this and wonder, why are people more worried about a highly unlikely Man in the Middle attack than they are about their ID and password sitting in the database on the site? Sure slashcode tells me they run it through MD5, but there is no way for me to know that for sure. And there may even be some kind of logging turned on in the web server completely outside of slashcode that catches and logs all requests including POST info somewhere that isn't encrypted.
I think the more appropriate thing to say is "Correct me if I'm wrong, but people you don't trust run
fair amount of passwords just by asking, (ahem),
Would you, kind post reader, please reply with your various passwords and any other related identification needed to access whatever said passwords guard?
I'd also like a pony, and a million dollars, and to rub britney the right way.
PS There's milk and cookies in it for you if you're so inclined and travel by reindeer
"Yea.. so you can make my computer faster? It takes like 15 minutes to boot.."
"Sure... No problem, just give me a 3 minutes." (I so have forgotten how slow 56K modems are, so it took a bit longer)
*Cleaning out the system, leave the comp while it downloads*
*Screen saver pops up, get prompted by login-screen*
"Um, what's your password? I can't get in otherwise to finish up"
"It's *******, oh no.. that's my hotmail.. um *****, no that's the other account. Oh there.. It's just my name on that login thing."
"mhmh.. that seems to work."
I think we can keep recursing like this until someone returns 1
Ok, thanks for the chocolate. Now here it is:
dontbestupidimnotgivingyoutherealpassword
-- All your bass are below two Hz
No, really, I don't. I only know the first part of all my passwords (the same for all), and the second part is random characters, which I have on my website and in a saved email.
Whenever I need a password, I have to look it up.
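The kind of per-system generator the earlier question asks for (seven systems, exactly 8 characters, forced rotation every few weeks), written as an added example rather than anything either poster uses: one master secret, an HMAC-derived password per system, and a per-system generation counter that is bumped when that system forces a change. Unlike the fixed-prefix scheme above, no part of one system's password is shared with any other; the master secret itself still has to be stored safely, and the system names and character policy are constructed assumptions.

```python
import hmac
import hashlib
import string

# Constructed policy mirroring the comment's constraint: exactly 8 characters,
# drawn from letters, digits and specials, with at least one of each class.
LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIALS = "!@#$%^&*-_=+"
ALPHABET = LETTERS + DIGITS + SPECIALS   # 52 + 10 + 12 = 74 symbols
LENGTH = 8


def meets_policy(pw: str) -> bool:
    """True if pw is exactly LENGTH chars and has a letter, a digit and a special."""
    return (len(pw) == LENGTH
            and any(c in LETTERS for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in SPECIALS for c in pw))


def _byte_stream(master_secret: bytes, label: bytes):
    """Endless keyed byte stream: HMAC-SHA256(master, label || counter)."""
    counter = 0
    while True:
        yield from hmac.new(master_secret, label + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        counter += 1


def derive_password(master_secret: bytes, system: str, generation: int = 0) -> str:
    """Deterministically derive the password for one system.

    Bump `generation` when that system forces a rotation; the other systems'
    passwords are unaffected. Rejection sampling keeps each symbol uniform
    over ALPHABET (a plain `byte % 74` would favour the first 34 symbols).
    """
    stream = _byte_stream(master_secret, f"{system}:{generation}".encode())
    limit = 256 - (256 % len(ALPHABET))     # 222: accept only bytes below this
    while True:
        chars = []
        while len(chars) < LENGTH:
            b = next(stream)
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
        pw = "".join(chars)
        if meets_policy(pw):                 # otherwise keep drawing
            return pw


def derive_all(master_secret: bytes, systems, generations=None) -> dict:
    """Map each system name to its derived password (generation defaults to 0)."""
    generations = generations or {}
    return {s: derive_password(master_secret, s, generations.get(s, 0)) for s in systems}
```

Because derivation is deterministic, nothing but the master secret and the per-system generation counters needs to be written down; losing the master secret means re-deriving nothing and resetting every account.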
The issue is people stupidly trusting random individuals of whom they don't have any way to really determine the trustworthiness.
IIRC nowadays fingerprint readers are set up to allow access with any one of at least two fingers, in case you cut your finger or something, and one "panic" finger which sets off an alarm in case you are forced against your will to open/access the system.
Is "elevatoroperator". Give me candy.
Unfortunately my boss refused this idea saying that it would be too expensive to build such infrastructure in our 500+ computers network...
How did they pass up a chance for an article name like that?
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
If he hasn't gotten what he wanted in the first 30 days, then why can't he look over your shoulder again?
Or better yet, lift up your mousepad and get the new password without the risk of shoulder surfing.
I worked in the computing department of a reasonably big company a few summers ago. I was new, and only there for three weeks, and 18 years old, so they never got around to getting me an ID card or indeed a magnetic access card. However, I was hanging around the computer room mostly so people knew who I was at least.
For some reason we were then asked to go around every computer in the company - which is spread over a (physically) very large site - and update certain settings in Outlook. (Don't look at me, I don't run this company.) Now this happened on dress-down Friday so I wasn't wearing a shirt and tie, just jeans and a t-shirt. When we got to Marketing - where I'd never been before - the guy who was helping me said "you take that end of the corridor, I'll take this end", and we split up.
So there was me - a complete stranger, a random kid wearing everyday clothes, no identification, no access pass, no supervisor, asking four or five marketing ladies to let me spend five minutes adjusting some settings on their computers. And they happily let me.
I'm told things have tightened up more recently.
qntm.org
> and most indicated that they were fed up with having to use passwords
Most are fed up with passwords? Passwords don't protect me from spam overdoses. Passwords don't protect me from having to update Windows XP for security holes (home user) every few months. Passwords don't protect me from having to run AdAware and SpyBot and other things every few days.
I can't imagine why people are fed up with passwords.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
You know the scene, where Bob and Doug bribe the receptionist with a Jelly Donut.
"Go on, go on.."
"It's my last one."
"Go on! eh."
"Here you go, it's a Jelly..."
Always a laugh-riot when security consultants want employees (specifically me) to abide by unusual rules for "company security". Sorry, security is YOUR job, not mine! You may have convinced the CEO to distribute a memo entitled, "security is everyone's job", but hell if I change my work habits to abide by your ideals. If I feel my work is more productive by keeping my computer running with no passwords, then you'd better lock down your servers more tightly. My favorite is the "workers should never hold the door open for people to enter the building" policy. Um, screw you! You're not deciding that I'm going to be a rude asshole especially when I'm not even into work yet. You want door security? Make physical barriers and hire a security guard. You want computer security? Lock down the terminals and hire network security to maintain them. Don't count on me, Joe, because it ain't my job!
Passwords -- plural -- is the real problem here.
I bet users could be bothered to remember and not tell anyone a particular single password.
I bet that end users are better at this than most geeks (who would trade it for sex).
One possible solution that I wrote up is here. The paper is very arrogantly and somewhat foolishly written, but I wouldn't change anything about the implementation ideas -- except that I would actually implement it, because it doesn't look like much work, and is mostly patches to other projects.
Don't thank God, thank a doctor!
What need is there for iris scan, when I have to have OTP?
Implement good password ageing policies so his password changes regularly, and use complex passwords. Then insist he keeps the backup password tattooed on his arm up to date. You could probably buy a robotic tattooing machine for the IT department.
My aardvark fondles attic stairs.
However, I am debasing inexpensive furniture.
Giving Anita naughty nighties is terribly optimistic."
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
Actually, yes, I am in I.T. and have been working in the field for 14+ years now.
I never said that I neglected to put security measures in place, as part of the server migration. My point was, everything ran just fine without it for years and years - so the alarmist attitude some I.T. folks might take upon seeing this seems a little "over the top".
Furthermore, I think that sometimes, I.T. admins feel like the security permissions and account restrictions they apply serve as the only safeguard preventing employees from committing corporate crimes (leaking proprietary information, for example, or editing documents they're not supposed to have authority to change). In reality, I suspect that these only provide mild stumbling blocks to those bent on breaking company rules and/or the law.
Unless you've gone to the extremes of such things as fingerprint identification for logins, it's just not that difficult to obtain someone else's password in a small business. Social engineering gets people right past most account restriction/security rights issues.
Lastly, even though a Win2K or NT server may have permissions set for "everyone" to have full control, that doesn't automatically imply that "anyone on the planet" could really go in and access those files. If the firm was using wireless networking, I'd say "Yes, that's a big potential issue." If they didn't have a firewall in place, again, I'd agree that it's a real issue. In this case, they did have a firewall properly set up and they had no wi-fi devices in use, which helped minimize their risk.
Most users' understanding isn't much more than click the pretty [w] and that launches my "operating system". Quite obviously these people don't understand why they would need a password...they can't comprehend that someone might know more than them.
As for my experiences, I come into contact with plenty of computers that are currently sitting unattended while logged on to a very functional user account.
Some people give away their passwords without even realizing it. For example, if they sign up for access to an adult site, there are lots of people willing to try hacking those sites. Once a hacker has figured out your username/password, they publish it to a website somewhere.
As most people wouldn't use their work email to sign up for adult sites, and because people also don't bother to use different usernames and passwords for their email logins, you can often log into their yahoo or hotmail account (and soon maybe even gmail accounts). Then they have email receipts with their credit card numbers and addresses and such--the potential for a malicious threat suddenly becomes very real and very costly.
Moral of the story: Use different passwords for different levels of security.
Darn, I locked myself out of the office again, oh well, I'm going home.
Donations to the human fund