Slashdot Mirror


Giving Up Passwords For Chocolate

RonnyJ writes "The BBC is reporting that, according to a recent survey, more than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate. Over a third of the people surveyed even gave out their password without having to be bribed, and most indicated that they were fed up with having to use passwords."

6 of 710 comments (clear)

  1. Re:Wait a minute by the_mad_poster · · Score: 5, Insightful

    Depends what type of password they're asking for. I can imagine my boss giving up some of his real passwords for a bribe because he thinks "big deal... that one's not protecting anything sensitive anyway". Except, that comes down to him not understanding that whole "weakest link in the defenses" problem. Yea, maybe THAT password isn't, but what does that give a malicious user access to that could be abused elsewhere? What apps level attacks are we now vulnerable to? What databases could be stolen? Could the attacker now impersonate you to get more information from other people?

    Management and business types, and of course home users, don't think security is a big complex model. They think "oh, we have a firewall... we're safe" and that's the end of it.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  2. Re:Passwords and memory by Anonymous Coward · · Score: 5, Insightful

    Remembering passwords is easy. I have lots of them.

    The key is to make them memorable, pronouncable non-words. You can do this using passwdgen on linux. Just set it to the number of characters, add the "pronouncable" switch and - optionally - the "non alphaneumeric characters" switch and you'll have something that is very secure yet easy for YOU to recall.

    Further, what a bunch of whiney fucks. "Boo hoo, I have to use passwords. Boo hoo, I have to use a key to open my car door, house, bank deposit box, home safety, glove compartment, trunk. Boo hoo, I have to turn the knobs on doors and open them before walking into a building or home or car."

    Come on people.

  3. Re:A big problem... by Evil+Schmoo · · Score: 5, Insightful

    Absolutely. We're a government facility, including a few areas that are nominally very secure, and as such, we have an extremely good IT department, all of whom work tirelessly to prevent nasty people and things from seeing our noodlings.

    The problem is, the vast majority of people who work here are either academic researchers, who are used to open collaborative discussion and find passwords inherently distasteful, or administrative workers, who, while they may be very dedicated civil servants, find the different password systems for email, LAN logon, timesheets, billing, contracts, grants, etc., to be tedious at best and bewildering at worst. Since they are not allowed to have the same universal password, for obvious security reasons, nor is that password allowed to be a recognizable English phrase, they have a great deal of difficulty memorizing each one.

    Add in the fact that each password must be changed every six months at a minumum (monthly for some systems) and that passwords cannot be repeated for five cycles, and that's as many as fifty or so passwords over the course of a year for some administrative officers. That's a lot to ask, even for someone with a technically-oriented mindset.

    Recognizing that writing them in a booklet next to the desk- or lap-top is a problem, many offices have taken to writing them down inside a lockbox.

    Biometrics may help, but if our physical plant is any evidence, we'll be ten or so years behind the curve getting such systems installed.

  4. Because people have been doing security wrong by 0x0d0a · · Score: 5, Insightful

    The "I hate passwords" attitude is not merely (or even primarily, IMHO) a function of users doing something wrong. It is a function of poorly designed security, or of security designed for a different environment being reused for current systems.

    Passwords came into popularity a long time ago. Things that have changed since the introduction of the password:

    * Many people have accounts on many, many systems (thanks to websites with accounts).

    * Users on such systems may not be primarily benevolent -- on a UNIX box used by a small bunch of researchers in the early 80s, a password may be an acceptable barrier to anyone poking around. A password on eBay, on the other hand, may be of interest to a number of less savory characters.

    * The ability to attack systems has significantly increased. Internet accessability means that remote, hard-to-trace attacks are more common. A brute force attack on a computing system physically isolated in a building may be simply infeasible, and choosing "cheese" as a password may be perfectly acceptable -- such a thing is no longer reasonable.

    * Computing power is much greater now. Attacks on password hashes (including those sent over the network) are much more feasible. The relative strength of passwords to CPUs has decreased logarithmically.

    * Many systems require passwords frequently. If you are a defense contracting employee, you might have only needed your password once when walking in the door in the morning and once after lunch. Now, corporate intranets have passwords, Yahoo has passwords, Slashdot has passwords, eBay has passwords, etc. Many of these require passwords multiple times a day (or, if they have an option to cache a password, do not have sufficient data about the client side to know how long it is safe to continue to cache the data).

    * The demographic of password users has changed. Almost everyone has many passwords now -- not just a couple of engineers or scientists, or the occasional person with an ATM PIN.

    What I Suspect Needs To Be Changed

    A couple of things that probably need to change:

    * It needs to be standard (and have a common interface for doing so) for users to be able to delegate a subset of their authority. Few systems currently have authorization systems smart enough to allow users to delegate chunks of their power to other users for a short term (and audit any moves). This needs to be simple, *easy*, and secure. If Sharon wants to let Bob purchase something online and charge it to her credit card account, she needs a quick and easy way to say "I authorize Bob to spend up to $500 in the next week and charge it to my credit card." That could be via her cell phone or on a computer. Most systems should have at least several forms of authorized actions that can be delegated to other users that require no more than entering a limit on the degree of the actions taken. A list of actions that other users have taken with that authorization should also be easily visible.

    * Where feasible, passwords should be replaced by smartcard/PIN combinations. It's easier to remember a four-digit PIN than a long, secure password, and for anyone that doesn't have physical access to a user's smartcard, the strength of the token on the card is much greater than that of a password. Currently, this is particularly disasterous in the form of credit card information. Currently, many vendors store full credit card information used in purchases in databases. If any such database is compromised, authentication data providing full access to money accounts is granted the compromiser -- this is, frankly, insane. Credit card providers have one effective line of defense against a compromised card -- they do statistical analysis against purchases, which isn't the most reliable method of dealing with such attacks, and requires intense monitoring of anything users do -- producing a strong disincentive to provide users with privacy. (I realize that there are a few attempts at improving t

  5. Re:I weep for the future. by theLOUDroom · · Score: 5, Insightful
    Now, I just need to figure out how to do strong biometric identification over ssh or SSL-imap...

    I know you mean this as a joke, but I want to take a second to remind people why biometric authenticaion is stupid:
    • Your biometrics are not secret
    • Your biometrics are not changeable


    When you're using somrt sort of key/password, you want it to meet the following criteria:
    • Secret
    • Changeable
    • Hard to duplicate
    • Hard to guess

    Many of the best security systems rely on "something you know and something you have". This means that there is a physical object, and some sort of password.
    Biometrics are stupid because they rely on the secrecy of something like your fingerprints, which you leave on everything you touch. They're just not secret. And they're not changeable once the secret is out and the bad guys have your fingerprints.

    It makes me cringe every time I hear about biometrics being used as a substitute for passwords, credit card numbers etc. What happens when I get a copy of your fingerprint (using a only piece of tape and some talc)? I can go around making purchases as you, and it's not exactly like you can cancel your fingerprints and get new ones.

    The only place biometrics really shine are the times when the person doesn't WANT to be identified. You kinda have to carry your fingerprints around with you. For everything else, they suck.

    I would much rather fork over my credit cards at gunpoint than be kidnapped or have my fingers chopped off.
    --
    Life is too short to proofread.
  6. Password Rules by Baby+Duck · · Score: 5, Insightful
    My biggest gripe about website password is the lack of consistency in password rules.
    • Some let you use special characters.
    • Some don't.
    • The set of allowed special characters differs for those who do
    • Some are case sensitive
    • Some are smashcase
    • Some allow just numbers
    • Character length range is wildly variable
    • Some make you change your password and won't let you use your last X passwords
    • Some force you to do weird stuff like "at least one uppercase, at least one lowercase, at least one number"

    It irks me, because even if I wanted to use a completly different password for every login, there is no pattern or strategy I can follow to appease all of them.

    --

    "Love heals scars love left." -- Henry Rollins