Giving Up Passwords For Chocolate
RonnyJ writes "The BBC is reporting that, according to a recent survey, more than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate. Over a third of the people surveyed even gave out their password without having to be bribed, and most indicated that they were fed up with having to use passwords."
I use one password for anything I don't really care about (/. login, LWN login, etc.) and different ones for systems I do care about (webservers, mx machines, client machines etc). I couldn't have told them my care-about passwords anyway though - I don't remember them, I just remember how to type them in. If I have to tell someone, I have to go through the process of mentally "typing" the word - complete with shift keys etc...
:-)
:-)
It takes less than 5 minutes to remember a new sequence, just by typing it lots of times, and I find that if I *do* forget one from (say) 6 months ago, if I put my fingers through the first 1 or 2 chars, I get the whole sequence back... Holographic memory at its best
I've found this works much better for me than what I used to do (take 2 words, reverse them, concatenate them, and take the central 8 chars) - the recovery of "forgotten" passwords is much easier when I let my fingers "remember" what to do... It also allows me to give clients obviously hard-to-forge passwords and easily use them
Simon
Physicists get Hadrons!
And apparently over 30% of those asked would just reveal their passwords without any bribery!
Troc
Troc's dubious podcast and blog: http://www.trocnet.net
Even back in the days when I did call support for an ISP, sometimes I'd just ask for their login name and they'd just blurt out...
My ISP always asks me what my password is. I've explained to them many times that it gets people into a bad habit and that I have to repeatedly tell my end users to NEVER give out passwords to anyone, even me. After several times, they finally said, "I'll make a note in your account to not ask for your password."
Idiots.
But why is the rum gone?
That's assuming you don't use Sneakemail and have thousands of disposable addresses to hand out. Or, assuming you meant the password to the e-mail account itself, you would need the addresses of the mail servers (POP3 or whatever); and of course, the sender's private key (who doesn't sign their mail nowadays?).
Quality, performance, value; you get only two, and you don't always get to pick.
"Workers are prepared to give away their passwords for a cheap pen, according to a somewhat unscientific - but still illuminating - survey published today."
Office workers give away passwords for a cheap pen
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
I had a job that required me to handle on occasion things like people's SSN or credit card numbers, what have you. If the transaction was complicated enough and if it was on a day where I found myself doing more than a couple, I found I would remember people's info. Whole credit card numbers, their signature, SSN, address, the works. People would find it disconcerting, to say the least, that I would just fill redundant paperwork out from memory after having returned their ID and plastic. On one occasion I had to remind them they were letting me write it all down.
This has been a problem for a long time in the military world. Instead of 'password' read 'safe combination'. People who had to manage multiple safes wrote the excess combinations on a sheet that was labelled with the highest classification of any of the safes and was stored in the highest classification safe available. Likewise, I use a password cache on my most secure machine.
By the way, it _is_ possible to come up with strong memorable passwords. Think of a phrase involving numbers and punctuation. Then translate it into a password by using the initials of the words (alternating capitalization), the numbers, and the punctuation. As an example, consider: "Don't forget 9/11/01!" That becomes dF91101! Research indicates the passwords generated by that algorithm are as strong as the randomly generated passwords some systems force on users.
I also use a network password here at school that Windows can't handle. Basically, the network login script parsing on the machines used by students can't handle embedded punctuation, but my research machine is OK with it, so my network password is only usable from specific machines in secure areas. It's not perfect, but it reduces the exposure.
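The phrase-to-password rule in the comment above, written out as an added example (this is not the commenter's code). One detail the comment leaves implicit is which punctuation survives: its own example drops the apostrophe in "Don't" and the slashes in "9/11/01" but keeps the closing "!", so the code below assumes only a closing mark at the end of a token is kept. The second function is a naive charset-based strength estimate, included to make the usual caveat concrete: that number is an upper bound, since an attacker who guesses the underlying phrase only has to try its case variants.

```python
import math

# Added example (not from the post): the phrase-to-password rule described
# above.  Assumption about punctuation: the post's own example drops the
# apostrophe in "Don't" and the slashes in "9/11/01" but keeps the final "!",
# so only a closing mark at the end of a token is kept here.
CLOSING_PUNCT = set("!?.,;:")


def phrase_to_password(phrase):
    """Initials of words with alternating case, digits kept, closing punctuation kept."""
    out = []
    upper = False  # the first initial is lowercase, giving the post's "dF91101!"
    for token in phrase.split():
        if token[0].isalpha():
            out.append(token[0].upper() if upper else token[0].lower())
            upper = not upper
        else:
            # numeric token such as 9/11/01!: keep its digits, drop separators
            out.extend(ch for ch in token if ch.isdigit())
        if token[-1] in CLOSING_PUNCT:
            out.append(token[-1])
    return "".join(out)


def charset_bits(password):
    """Naive strength estimate: log2(pool ** length) for the character classes present.

    This is an upper bound.  An attacker who guesses the phrase behind the
    password only has to try the alternating-case variants of it, so the real
    guessing effort is bounded by how predictable the phrase is.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 32
    return round(len(password) * math.log2(pool), 1)


if __name__ == "__main__":
    for phrase in ("Don't forget 9/11/01!", "Four score and 7 years ago."):
        pw = phrase_to_password(phrase)
        print(f"{phrase!r} -> {pw}  (~{charset_bits(pw)} bits if it were random)")
```

Running it reproduces the comment's dF91101! and gives a second phrase the same treatment; the bit count it prints is what a password-strength meter would say, not what a phrase-aware cracker would have to do.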
My users do not have any access from outside of the company, so I do not fear hacks from outside. They do not have shell accounts either (only samba and pop3), so hacks from inside are limited, too.
They can use one another's samba accounts from inside of the company, though, and in fact they do quite a lot. Many accidents (like 'I lost all my mail' or 'where are my internet bookmarks') are clearly a result of that practice and every time I have to solve such an accident I suggest they change their password and keep it secret.
It never works though... people are lazy and/or dumb.
There are lots of things you can't do with humans because of human nature. Communism is one, speed limits are another, and expecting people to remember the sheer number of passwords they have to today is another. I have to keep them all in my Palm. Most of the people at work keep them on a Post-It. The password-mania of IT at work has become a joke among the employees. Get a grip!
What to do? You're the IT people, you tell me! Fingerprint readers? Retinal scanners? How about you just read the little badge that I wear around my neck all day anyway? The building security guys figured out that passwords don't work for building security, when will you guys learn the same lesson?
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
Frats have retarded secrets like hand shakes and secret mottos. Some Ivy League frats have a secret president. Everyone tells their girlfriend all the stuff because nobody really cares.
-B
Same goes for people who open virus e-mails. For some reason, after I help people, they tend to stop doing stupid crap like that on my network. I guess they finally realized the error in their ways (And making them re-do 5 months worth of work seems to be a good enough incentive)
Like "Password Manager" :-)
:-)
WARNING WARNING DANGER WILL ROBINSON!!! BLATANT PRODUCT PLUG AHEAD!!!
I use Password Manager myself, because it's written in Java, and I can put the program along with its datafile on a USB drive, then use it at work (WinXP), at home on my Linux workstation, or with my Powerbook. Check it out.
http://www.geocities.com/ramix_info/passwordman
---- The price of freedom is eternal vigilance. -Thomas Jefferson
When I was in school, one of the secrets was that the fraternities actually had a nicely put together book of tests for various classes. Foreign language, histories, etc. Pretty much all of the core classes' tests were in that book. One of my friends borrowed it for a laugh from a fraternity friend of his.
There's a difference between having a sysadmin that's insane and having one that understands reasonable protections based on the content being protected and the overall position of the system in question. If a single compromise could result in a $200 million loss of sensitive information, maybe forcing people who access that info to use a 12 character password that's not vulnerable to a dictionary attack isn't such a bad idea, hmm?
Yet, I see it all the time: some stupid suit thinks they know better and wants to be exempt from the policy. Dysfunction exists at every level, but when it runs rampant in people with authority, you have a real problem. What amazes me is that the excuse from these boneheads is always the same when something goes wrong: "well, I'm a MANAGER, I handle BUSINESS DECISIONS. You don't expect me to understand your technical mumbo jumbo, do you!?"
Uh, no dumbass.... I expect you to sit back, STFU, and let me do my job. You HIRED me to do this so you didn't HAVE to understand the technical mumbo jumbo... remember?
I'm sure not all management is like this, but from my vantage point, most of it is. It's so much easier for them to point fingers after the shit hits the fan than it is to sit down and work with the technical people from the start, I suppose. This whole story is probably a good example of that. I tried to get these bozos to pay for some of our front line people to take classes on preventing social engineering attacks. Something like 90 people would have been enrolled to the tune of $25K. They refused. So, to make my point, I told my buddy to get into the veeps office. Sure as all hell, he did it without raising any eyebrows... they thought it was a "cute trick" and still didn't sign anyone onto the class because they don't think anyone would ever try it with us. I then tried to point out that while WE might not have anything particularly valuable, we do act as interface to a much larger International that DOES have a lot of valuable assets that competitors and crooks would love.. no dice. Idiots, says I. Idiots. They hire people to do things they don't understand, then tell them how to do it anyway. That's like hiring a builder to build your house, then hanging over them all the time and telling them they're doing it wrong.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Wow, what government do you work for? I'm also working a government job (the reason for anonymity) and not only does our security suck, but our IT department is worse. Their average response time to any problem is measured in weeks. (No, I am not kidding. It took me over a month to get a login after I started working here.)
And passwords, they have to be changed every month, however I know at least 4 other people's logins (by necessity, because I didn't have an account) and since you can't reuse any of your previous 24 passwords, they recommend that you just use your old password and add a counter to the end of it (i.e., password1, password2, password3, etc.).
the different password systems for email, LAN logon, timesheets, billing, contracts, grants, etc., to be tedious at best and bewildering at worst. Since they are not allowed to have the same universal password, for obvious security reasons, nor is that password allowed to be a recognizable English phrase, they have a great deal of difficulty memorizing each one.
which is why I think a standalone program that stores all these different passwords would be helpful. A program that uses tough encryption that does exactly what mozilla|firefox does in that there is a Master Password to unlock all your usernames and passphrases for web forms. The only points of failure I can think of are 1) your box, 2) poor encryption protocol, 3) D'oh! you forgot your master password.
To-do List: Receive telemarketing call during a tornado warning. Check.
Ed Skoudis (of http://www.CounterHack.net and other fame) had recently proposed at a SANS conference I went to that everyone should go with passphrases, rather than passwords. I have to agree. Why not remember "MyGoldenRetrieverIsUberCool" rather than "AB12CD!@%asd3asd"?
Either one requires you to know how to type, and a passphrase will more likely be able to be typed without being a contortionist.
I'm living proof of this. I was waiting for a train at Liverpool St Station in London, and took part in the survey once I realised there was a freebie involved. Every single question they asked I made up a false reply to, partly to get the free chocolate but mostly because I hate intrusive market researchers and people trying to profile me.
Sadly, I doubt they will ever realise how worthless their surveys are, after all the NYT still hasn't got the message after about a billion fake login names.
A pizza of radius z and thickness a has a volume of pi z z a
I do agree that it is hard to remember gobs of passwords, but at the university that I work at most people can't remember their passwords when I switch out their old computer for a new one. It makes my life a real joy because they don't know how the heck to get into their email/other application. Thank goodness for whatever little utility I've got that looks behind the asterisks...makes my life just a little easier. I could get the help desk to reset it, but that means that I have to have the client do it because they require a social security number.
And "I'm tired of passwords, so I'm going to give it to a stranger" doesn't really parse.
--- Ban humanity.
When I worked at a Fortune 70, we found that no employee over Sr Manager level could remember a password, even if written down where they could see it.
That's what they have secretaries for. Seriously, you don't really think that senior management will let IT dictate hoops for them to jump through. With a very few exceptions, senior management does not need high security. I suspect in (almost) all cases, physical security is much more important than computer system security.
What I've heard is the general advice to people who get keys to secure government areas when they ask how they should secure the key is this - secure it like you do your own house/car/etc (i.e., keep it on your keyring). You obviously have quite a vested interest in not getting your keys stolen, and it doesn't happen very often at all, so that's generally a good solution. Especially if it's unlabeled and combined with say, site access control.
So I see the password thing as similar. Keep them in your wallet. I for one always have my wallet on my person, or right next to my bed. Because I really, really badly don't want it stolen. So it should be safe for passwords.
Personally I use mnemonic aids to remember apparently random passwords, though. If you can touch type you can always just shift your fingers one space to the left/right/up/down and type a recognizable phrase, combined with use of the shift key, and have a secure password.
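The "shift your fingers one key over" trick from the comment above, as an added example that is not the commenter's code, together with the check a practitioner would want: the same transformation run in reverse, which is exactly what a password-cracking rule does. Assumptions: a US QWERTY layout, wrap-around at the ends of a key row, letter case preserved, and a toy word list standing in for a cracking dictionary.

```python
# Added example (not from the post): the "shift your fingers one key over"
# trick, and why a password cracker undoes it cheaply.  Assumptions: a US
# QWERTY layout, wrap-around at the row ends, case preserved for letters,
# and a toy word list standing in for a cracking dictionary.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

WORDLIST = {"open", "sesame", "my", "golden", "retriever", "is", "cool"}


def _shift_char(ch, offset):
    low = ch.lower()
    for row in ROWS:
        if low in row:
            new = row[(row.index(low) + offset) % len(row)]
            return new.upper() if ch.isupper() else new
    return ch  # space and keys not on these rows pass through unchanged


def keyboard_shift(text, offset=1):
    """Type `text` with every finger moved `offset` keys to the right (negative = left)."""
    return "".join(_shift_char(c, offset) for c in text)


def segmentable(s, wordlist):
    """True if s can be split entirely into words from wordlist (simple DP)."""
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in wordlist for j in range(i))
    return ok[len(s)]


def recover_phrase(password, wordlist=WORDLIST, offsets=(1, -1, 2, -2)):
    """What a cracking rule does: undo each plausible shift and look for dictionary words.

    Returns (offset, plaintext) for the first shift that yields dictionary words, else None.
    """
    for off in offsets:
        plain = keyboard_shift(password, -off)
        if segmentable(plain.replace(" ", "").lower(), wordlist):
            return off, plain
    return None


if __name__ == "__main__":
    pw = keyboard_shift("OpenSesame")
    print("typed one key to the right:", pw)
    print("cracker's view:", recover_phrase(pw))
```

The shifted string looks random to a human, but because the mapping is fixed and the candidate offsets number a handful, the cracker's cost is the dictionary size times four, not the 94^n that the character mix suggests.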
I know you mean this as a joke, but I want to take a second to remind people why biometric authentication is stupid:
* Your biometrics are not secret
* Your biometrics are not changeable
It sounds like biometrics could work well as a replacement for your username rather than your password.
The only problem I see is that they're a bit more private than a username. This will tend to lull users into considering the secrecy of their passwords less important. "Who cares if they know my password, they can't use it without my fingerprint." And that's true, but then your fingerprints are everywhere.
Try this: Pick a *good* password. For example: Take "Oh Captain! My Captain! Our fearful trip is done;" (A line from Whitman's "Oh Captain! My Captain!")
Now, your password is
(you switch the second "O" and the second "C" to avoid repeating characters) Now, say you have four systems: Unix, Mail, Login, Finance. Add one more character at the front/back/middle/somewhere. So you have one password with one extra character somewhere. For instance:
OC!Mc!u0ftid;
OC!Mc!m0ftid;
OC!Mc!l0ftid;
OC!Mc!f0ftid;
Next time you switch passwords, pick a different line or a different poem, and maybe move where you put your extra character. Now I can't walk in to one system if I compromise another one (the point of SEPARATE passwords...) minimizing the impact of an intruder.
Linux: The world's best text-adventure game.
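The per-system variant scheme in the comment above, as an added example that is not the commenter's code, plus the caveat that matters: the four variants differ in exactly one character, so a leak of any one of them puts the others inside a search space of roughly 1200 guesses, which is not the separation the comment is hoping for. BASE is the comment's rule applied to the Whitman line (initials and punctuation give "OC!MC!Oftid;", then the second "O" becomes "0" and the second "C" becomes "c"); the tag position (index 6) is an assumption chosen to reproduce the comment's four examples.

```python
import string

# Added example (not from the post): the per-system variant scheme above, and
# the cost of it if one variant leaks.  BASE is the post's rule applied to
# "Oh Captain! My Captain! Our fearful trip is done;": the initials and
# punctuation give "OC!MC!Oftid;", then the second "O" becomes "0" and the
# second "C" becomes "c".  The tag position (index 6) is an assumption chosen
# to reproduce the post's four examples.
BASE = "OC!Mc!0ftid;"
SYSTEM_TAGS = {"unix": "u", "mail": "m", "login": "l", "finance": "f"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def derive(base, tag, pos=6):
    """Insert the one-character system tag at position `pos`."""
    return base[:pos] + tag + base[pos:]


def per_system_passwords(base=BASE, tags=SYSTEM_TAGS, pos=6):
    return {system: derive(base, tag, pos) for system, tag in tags.items()}


def one_substitution_away(leaked, alphabet=ALPHABET):
    """Every string obtained from `leaked` by replacing exactly one character.

    This is the whole search space an attacker needs once any one variant is
    known: len(leaked) * (len(alphabet) - 1) guesses, about 1200 here.
    """
    out = set()
    for i, orig in enumerate(leaked):
        for ch in alphabet:
            if ch != orig:
                out.add(leaked[:i] + ch + leaked[i + 1:])
    return out


def exposed_by(leaked, passwords):
    """Which other systems' passwords fall inside that search space."""
    neighbours = one_substitution_away(leaked)
    return {system for system, pw in passwords.items()
            if pw != leaked and pw in neighbours}


if __name__ == "__main__":
    pws = per_system_passwords()
    for system, pw in pws.items():
        print(f"{system:8s} {pw}")
    leaked = pws["mail"]
    print(f"{len(one_substitution_away(leaked))} guesses from a leak of {leaked!r} "
          f"also open: {sorted(exposed_by(leaked, pws))}")
```

The scheme does stop a lazy attacker who only replays the leaked string verbatim; against anyone who notices the pattern, or who runs a standard single-substitution rule over the leaked password, the "separate" passwords fall together.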