Giving Up Passwords For Chocolate
RonnyJ writes "The BBC is reporting that, according to a recent survey, more than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate. Over a third of the people surveyed even gave out their password without having to be bribed, and most indicated that they were fed up with having to use passwords."
Yes, I am that desperate.
I use one password for anything I don't really care about (/. login, LWN login, etc.) and different ones for systems I do care about (webservers, mx machines, client machines etc). I couldn't have told them my care-about passwords anyway though - I don't remember them, I just remember how to type them in. If I have to tell someone, I have to go through the process of mentally "typing" the word - complete with shift keys etc...
:-)
:-)
It takes less than 5 minutes to remember a new sequence, just by typing it lots of times, and I find that if I *do* forget one from (say) 6 months ago, if I put my fingers through the first 1 or 2 chars, I get the whole sequence back... Holographic memory at its best
I've found this works much better for me than what I used to do (take 2 words, reverse them, catenate them, and take the central 8 chars) - the recovery of "forgotten" passwords is much easier when I let my fingers "remember" what to do... It also allows me to give clients obviously hard-to-forge passwords and easily use them
Simon
Physicists get Hadrons!
And apparently over 30% of those asked would just reveal their passwords without any bribery!
Troc
Troc's dubious podcast and blog: http://www.trocnet.net
My users do that all the time, if I am to believe that all those candies sitting in urns on desks serve a purpose! And to think my wife works at Nestle! JB
They didn't actually test these passwords; they just said "I'll give you a bar of chocolate if you give me your password".
So people can just make it up.
Yes, Mr "Researcher", if offered chocolate 79% of people can think of a random word.
Big deal,
John.
Without the ability to check that the passwords given are correct, surely the survey results will be totally inaccurate?
If someone came up to me in the street and asked me for my password in exchange for a gift, I'd just tell them any old word to get the free stuff...
One bag of pork rinds, and I'll give complete superuser access to anybody!
Punk: Okay, you say you can't get the NVidia card to work in Red Hat. Let's go to the NVidia site and download--
Dude: My root password is money45!
Punk: [dope smack] NEVER DO THAT AGAIN!
Even back in the days I did call support for an ISP, sometimes I'd just ask their login name and they'd just blurt out, "My login is sueray22 and my password is newyork!"
It's YERAWANKER. Now where's my chocolate?
Oh, wait. You wanted my REAL password? Well, that'll cost you another chocolate bar. Of course I'll give you my real password this time. Would I lie to you?
"An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
...at many of the places I've worked at is that the users have as many as a dozen passwords to remember for different systems, and each one expires at a different time and has different rules for how long and complex it has to be.
Most of them keep their passwords written down on a sheet of paper right on their desk.
for most internet users there is no real value attached to their computer accounts. it is not the same as the pin for your ATM card where, if shared, it would mean an empty account. hence it is understandable that they are willing to share this information.
this, i think, is a big problem and the only way to solve it is to re-educate people for them to understand that such a password is important and should not be shared. clearly an alternate solution would be to install fingerprint scanners on all computers (a viable option in the future), but that would not help overcome the erroneous attitude towards computer security. in fact, such scanners would work well as again people are used to the fact that their fingerprint makes them unique and should not be "shared".
finally, this will be an important concern in the future: already we are able to shop online and the future where all transactions go via the internet is near. one account (a la .NET) will be enough to deal with fueling up a car or buying a bunch of roses. probably then the attitude will change, when some smart scammers burn some people's fingers...
Most likely, the people willing to give up their passwords have very little to protect. For many, it wouldn't be life altering if their email was read, their MP3 collection viewed and downloaded and their favorite version of solitaire copied as well. I would argue that the people with valuable data wouldn't give out such information (like many of us in this forum). Also, many people have the luxury that even if the system was maliciously accessed with their user/pass that there would be zero repercussions. They would shrug their shoulders and remember the delicious piece of chocolate they had the day before.
Most system administrator would wish that they had a company policy which allowed them to break the fingers of users who share their passwords.
But if users don't like using passwords, why force them? I think they would discover very quickly why it's needed. Nothing like a "You suck" email sent from a user's account to the boss to make them realise that maybe it's not such a bad idea.
A better solution would of course be widespread use of Kerberos; then at least they only need to enter their password once.
in the growing body of evidence to support my thesis that most people really don't give a crap about anything past their next meal.
keep in mind that many people have to remember many passwords. this has the effect that the home password might be mami23, whereas the work password might be mami32...
back when i was a sysadmin i once ran a test: we had asked all users to use DIFFERENT passwords for the 2 NT machines we had and all the other linux workstations. i started cracking passwords on the linux box and found some after 48h (~5% of user passwords). then i used L0phtcrack (awesome tool!) on the NT machine and had about 45% of the passwords after 24h. guess what: from those 45% about half worked also on the linux boxes...
And I thought it was because we don't go outside. ;-)
.. how many people would give away their chocolate for a password?!
-el
PC.......$600
DSL......$20/month
nmap.....free.
Being pipped to the post by a reporter with a snickers bar.....Priceless.
There are some things even money can't buy, for everything else there's Masterfoods, Plc.
I'd only give up my password for dark chocolate.
Creator of the popular web game Proximity
Me! Me! My root password is "changeme".
Please mail the cheque to
1A Merz St
Liverpool
This study brought to you by Klondike. What would you do for a Klondike bar?
I really hate signatures, but go to my website.
Kinda useless, if you ask me. I prefer to have 3-5 different passwords and use post-its attached to my monitor.
you realise that such a deal will ensure you're getting rooted twice?
The second one might not be so pleasant.
Still, it's probably better than being an OpenBSD hacker and having never been rooted at all.
(and please don't mod up the karma whore who follows this going "don't stereotype geeks waa waa waa" it's a joke...laugh)
Occasionally you may HAVE to tell someone your password. Keep that in mind when selecting one. Consider this exchange I had with one of my users a while back:
Bryan: "What's your password on this system?"
Tammy: "Uh..." *blush* "Do I have to?"
Bryan: "No, you can always call the help desk like you're supposed to, but I can't reset your password on this system."
Tammy: "Um... it's ... TPBP6969. It's my initials followed by my husband's initials. Please don't tell anyone!"
Bryan: "Considering your husband and I have the same initials I think I'll keep that one to myself. But in the future you might want to select a less... personal password."
"An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
That's assuming you don't use Sneakemail and have thousands of disposable addresses to hand out. Or, assuming you meant the password to the e-mail account itself, you would need the addresses of the mail servers (POP3 or whatever); and of course, the sender's private key (who doesn't sign their mail nowadays?).
Quality, performance, value; you get only two, and you don't always get to pick.
"Workers are prepared to give away their passwords for a cheap pen, according to a somewhat unscientific - but still illuminating - survey published today."
Office workers give away passwords for a cheap pen
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
Any help will be gratefully received and results will be shared with all. Oh boy will they be shared........
And if you thought that was boring you obviously haven't read my Journal ;-)
Actually, I strongly suspect that most people will actually just come up with their password unless they had time to 'prepare' an answer. (particularly the people that will give up a password for a chocolate bar)
---
We spoke for about a half an hour. I don't recall a thing we said. - Colorblind James Experience
I gave my slashdot login/passwd away ages ago, and my karma's only gone up.
It sounds funny to the geek, who prides himself on the security of his passwords and winces every time his wireless provider asks him to say his password over the phone. h-d-asterisk--
"Asterisk?"
Yeah, hit shift-8. h-d-asterisk-capital-l-capital-v-lowercase-b-clos
I really hate signatures, but go to my website.
This has been a problem for a long time in the military world. Instead of 'password' read 'safe combination'. People who had to manage multiple safes wrote the excess combinations on a sheet that was labelled with the highest classification of any of the safes and was stored in the highest classification safe available. Likewise, I use a password cache on my most secure machine.
By the way, it _is_ possible to come up with strong memorable passwords. Think of a phrase involving numbers and punctuation. Then translate it into a password by using the initials of the words (alternating capitalization), the numbers, and the punctuation. As an example, consider: "Don't forget 9/11/01!" That becomes dF91101! Research indicates the passwords generated by that algorithm are as strong as the randomly generated passwords some systems force upon users.
I also use a network password here at school that Windows can't handle. Basically, the network login script parsing on the machines used by students can't handle embedded punctuation, but my research machine is OK with it, so my network password is only usable from specific machines in secure areas. It's not perfect, but it reduces the exposure.
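The phrase-to-password rule described in the comment above, worked through in Python as an added example (not the commenter's code). The post does not say what happens to punctuation inside a word, such as the apostrophe in "Don't" or the slashes in the date; the assumption here is that only punctuation ending a word is kept, which reproduces the post's dF91101!.

```python
import re

# Sentence punctuation the scheme keeps when it closes a word.
TRAILING_PUNCT = ".!?;:,"


def derive(phrase: str) -> str:
    """Turn a memorable phrase into a password following the post's rule:
    initials of the words with alternating case (first initial lowercase,
    matching the post's "dF91101!"), digits kept, punctuation kept.

    Assumption (not stated in the post): punctuation inside a word, such
    as the apostrophe in "Don't" or the slashes in "9/11/01", is dropped;
    only punctuation that ends a word survives.
    """
    parts = []
    upper = False
    for token in phrase.split():
        digits = re.sub(r"\D", "", token)
        if digits:
            # A numeric token contributes its digits, not an initial.
            parts.append(digits)
        else:
            match = re.search(r"[A-Za-z]", token)
            if match:
                letter = match.group(0)
                parts.append(letter.upper() if upper else letter.lower())
                upper = not upper
        if token[-1] in TRAILING_PUNCT:
            parts.append(token[-1])
    return "".join(parts)


def character_classes(password: str) -> set:
    """Report which character classes a password draws on. The scheme is
    meant to cover all four (lower, upper, digit, punctuation), which is
    what most complexity policies check for."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("punct")
    return classes


if __name__ == "__main__":
    # Constructed sample phrases: the post's own example and a second one
    # with several initials, a comma and a year.
    for phrase in ("Don't forget 9/11/01!",
                   "Four score and seven years ago, 1863."):
        pw = derive(phrase)
        print(f"{phrase!r} -> {pw!r} {sorted(character_classes(pw))}")
```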
The problem with biometrics is that if someone compromises your "password" (never mind how), you cannot get a new one, unless you get new irises or thumbs implanted.
Passwords are used in part because of history, but mostly because they work and can be changed.
"Sir, your bio-passport is invalid due it being compromised. No, I'm sorry, sir, you cannot get a new one. No, not ever."
While password policies and the security that they provide are pretty much the recommended approach these days, they rely heavily on one resource that many people have a lot of trouble with: long term memory. Sorry, but it's 2004... where is voice print ID or fingerprint ID, or even DNA sampling? MacOS was on the right track, but the technology was a little too early. Ahem!!! Time for the OSS/Free community to show the rest of the world where authentication is going. Voice Print ID should be a part of Gnome.
Un-news
There are lots of things you can't do with humans because of human nature. Communism is one, speed limits are another, and expecting people to remember the sheer number of passwords they have to today is another. I have to keep them all in my Palm. Most of the people at work keep them on a Post-It. The password-mania of IT at work has become a joke among the employees. Get a grip!
What to do? You're the IT people, you tell me! Fingerprint readers? Retinal scanners? How about you just read the little badge that I wear around my neck all day anyway? The building security guys figured out that passwords don't work for building security, when will you guys learn the same lesson?
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
Those who would give up security for chocolate deserve neither.
Unknown host pong.
A friend of mine is particularly anal when it comes to security. He's a network security geek for a major college in the Boston area, and security is his life. Unfortunately, he'll interact with you when he's just entered Level 1 REM sleep.
About 7 years ago, he was crashed out on the floor of my apartment after a late night session. Since I was still coherent, I started saying random command prompts and command lines to him. He had just fallen asleep, and was finishing the prompts!
Me: rm -rf
Him: star
Me: apachectl
Him: restart
Me: shutdown
Him: -h now
And then I upped the stakes.
Me: username
Him: blurted out his username
Me: password
Him: blurted out his password
I left him an e-mail from himself that evening, and then went to bed. The next morning, he said "cute trick, but anyone can forge the From: header". I told him to go and double-check the received line, and he'd see that it was sent from localhost on a server that I didn't have an account on.
He was rather annoyed and amused at the same time...
Priceless.
PepperHacks - Hacking the Pepper Pad
"what would you do for a klondike bar"
*shakes head in shame*
e.
Build Your Own PVR/HTPC news, reviews, &
Chocolate stocks worldwide surged due to heavy buying from someone known only as "3l33t hax0r"
You have 5 Moderator Points!
Which Helpless Linux zealot/MS basher do you want to mod down today?
Ummm... how is a computer password any different than a PIN number for most users? How many regular users do you know who use IE (or even Mozilla/FireFox) to save all of their passwords? Including their on-line banking usernames and passwords... all of their credit card usernames and passwords... and all of the sites that they trusted with their credit card information...
And dealing with the fingerprint issue... The Reg just had a write up about it...
Nephilium
The "I hate passwords" attitude is not merely (or even primarily, IMHO) a function of users doing something wrong. It is a function of poorly designed security, or of security designed for a different environment being reused for current systems.
Passwords came into popularity a long time ago. Things that have changed since the introduction of the password:
* Many people have accounts on many, many systems (thanks to websites with accounts).
* Users on such systems may not be primarily benevolent -- on a UNIX box used by a small bunch of researchers in the early 80s, a password may be an acceptable barrier to anyone poking around. A password on eBay, on the other hand, may be of interest to a number of less savory characters.
* The ability to attack systems has significantly increased. Internet accessibility means that remote, hard-to-trace attacks are more common. A brute force attack on a computing system physically isolated in a building may be simply infeasible, and choosing "cheese" as a password may be perfectly acceptable -- such a thing is no longer reasonable.
* Computing power is much greater now. Attacks on password hashes (including those sent over the network) are much more feasible. The relative strength of passwords to CPUs has decreased logarithmically.
* Many systems require passwords frequently. If you are a defense contracting employee, you might have only needed your password once when walking in the door in the morning and once after lunch. Now, corporate intranets have passwords, Yahoo has passwords, Slashdot has passwords, eBay has passwords, etc. Many of these require passwords multiple times a day (or, if they have an option to cache a password, do not have sufficient data about the client side to know how long it is safe to continue to cache the data).
* The demographic of password users has changed. Almost everyone has many passwords now -- not just a couple of engineers or scientists, or the occasional person with an ATM PIN.
What I Suspect Needs To Be Changed
A couple of things that probably need to change:
* It needs to be standard (and have a common interface for doing so) for users to be able to delegate a subset of their authority. Few systems currently have authorization systems smart enough to allow users to delegate chunks of their power to other users for a short term (and audit any moves). This needs to be simple, *easy*, and secure. If Sharon wants to let Bob purchase something online and charge it to her credit card account, she needs a quick and easy way to say "I authorize Bob to spend up to $500 in the next week and charge it to my credit card." That could be via her cell phone or on a computer. Most systems should have at least several forms of authorized actions that can be delegated to other users that require no more than entering a limit on the degree of the actions taken. A list of actions that other users have taken with that authorization should also be easily visible.
* Where feasible, passwords should be replaced by smartcard/PIN combinations. It's easier to remember a four-digit PIN than a long, secure password, and for anyone that doesn't have physical access to a user's smartcard, the strength of the token on the card is much greater than that of a password. Currently, this is particularly disastrous in the form of credit card information. Currently, many vendors store full credit card information used in purchases in databases. If any such database is compromised, authentication data providing full access to money accounts is granted the compromiser -- this is, frankly, insane. Credit card providers have one effective line of defense against a compromised card -- they do statistical analysis against purchases, which isn't the most reliable method of dealing with such attacks, and requires intense monitoring of anything users do -- producing a strong disincentive to provide users with privacy. (I realize that there are a few attempts at improving t
May we never see th
If it was just documents of my work? who cares? My co-workers NEED to see those documents anyway!
What does my password protect? Private files? Am I supposed to have private files at work? I guess not. Secrit files then? Ok. possibly.
To track possible abuse? They're allowed to use my phone too, do I have to password-protect that too?
But hey, if it's about my admin password..
That's a different story.
Then I'd like to have some chocolate too!
Privacy is terrorism.
I know you mean this as a joke, but I want to take a second to remind people why biometric authentication is stupid:
When you're using some sort of key/password, you want it to meet the following criteria:
Many of the best security systems rely on "something you know and something you have". This means that there is a physical object, and some sort of password.
Biometrics are stupid because they rely on the secrecy of something like your fingerprints, which you leave on everything you touch. They're just not secret. And they're not changeable once the secret is out and the bad guys have your fingerprints.
It makes me cringe every time I hear about biometrics being used as a substitute for passwords, credit card numbers etc. What happens when I get a copy of your fingerprint (using only a piece of tape and some talc)? I can go around making purchases as you, and it's not exactly like you can cancel your fingerprints and get new ones.
The only place biometrics really shine are the times when the person doesn't WANT to be identified. You kinda have to carry your fingerprints around with you. For everything else, they suck.
I would much rather fork over my credit cards at gunpoint than be kidnapped or have my fingers chopped off.
Life is too short to proofread.
I use one password for anything I don't really care about (/. login)
/. login isn't through SSL. So I wouldn't use the same password for /. as for Citibank, etc.
Correct me if I'm wrong, but
Like "Password Manager" :-)
:-)
WARNING WARNING DANGER WILL ROBINSON!!! BLATANT PRODUCT PLUG AHEAD!!!
I use Password Manager myself, because it's written in Java, and I can put the program along with its datafile on a USB drive, then use it at work (WinXP), at home on my Linux workstation, or with my Powerbook. Check it out.
http://www.geocities.com/ramix_info/passwordman
---- The price of freedom is eternal vigilance. -Thomas Jefferson
When I was in school, one of the secrets was that the fraternities actually had a nicely put together book of tests for various classes. Foreign language, histories, etc. Pretty much all of the core classes' tests were in that book. One of my friends borrowed it for a laugh from a fraternity friend of his.
It's still interesting to see that in two years of cybercrime and media frenzies that nothing has really changed...
Do you or your partner snore? - Visit www.snoring.com.au
Corporate Security Password rules:
As a matter of fact, there is only one word that meets all of these requirements. It is therefore the most secure password in the world, and so it has been assigned to you as your password.
John
Are the people who will not give their password, no matter what. As "the IT-guy" I require access to just about all computers here. And yes, that includes the end-user desktops/laptops. And there are some people here who simply refuse to give me the passwords to their system! Noooo, they have to type the password themselves. And that means I have to drag them from their meetings and such just so they can log in to their machine so I could work on it!
Hell, I have received maybe 200 passwords while working here, and I don't remember any of them. I don't keep them stored anywhere, and I don't have eidetic memory, so there's no risk. And still I hear the "I use the same password in several places, and I don't want to change all those passwords if I gave you my password!". If you are so careful when it comes to security, you shouldn't use the same password everywhere! And yes, you CAN give your password to the IT-department if they walk up to you and ask you for it. If you don't... well, we can always reset your password!
Sheesh, some people....
Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
Ed Skoudis (of http://www.CounterHack.net and other fame) had recently proposed at a SANS conference I went to that everyone should go with passphrases, rather than passwords. I have to agree. Why not remember "MyGoldenRetrieverIsUberCool" rather than "AB12CD!@%asd3asd"?
Either one requires you to know how to type, and a passphrase will more likely be able to be typed without being a contortionist.
I do agree that it is hard to remember gobs of passwords, but at the university that I work at most people can't remember their passwords when I switch out their old computer for a new one. It makes my life a real joy because they don't know how the heck to get into their email/other application. Thank goodness for whatever little utility I've got that looks behind the asterisks...makes my life just a little easier. I could get the help desk to reset it, but that means that I have to have the client do it because they require a social security number.
The survey is focused on their computer passwords. The responses from the people are typical considering the average person does not know how much is tied to that password. "I don't have anything special in my email that someone can read..." or "What can someone do with my password...?"
The survey should have also asked the following questions:
1) Please specify your major credit card number and expiration date.
2) Please specify your address, bank account number, and SSN (if it applies to citizens of the United States - otherwise insert THEIR form of special identification).
Would the numbers have coincided as to who revealed that particular bit of information? Absolutely not. The average person would see the risk in giving those pieces of information to a complete stranger.
If a direct association could be made between their Internet password and their money, those people would have guarded their password under lock and key. Why? Because the loss of money is readily understood, versus having to call an ISP and say "Someone hijacked my account."
Although people may be tired of using passwords (or PIN numbers), they are still a somewhat effective means of preventing improper access to their assets, be it Internet access, money, or personal information. The quality of the password is directly related to the importance of the stuff being protected.
The article cites that birthdates, pet names, etc. are common passwords. However, if someone applied the same level of protection on say...
Instead of asking that 16-digit number (an abstract version of a password), one were to ask "What is your credit card phrase?" Answer: "Buddy."
Instead of asking that expiration date, one were to ask "What is your age?" Answer: 30. These easy "passwords" would make it easier to make fraudulent charges on someone's account.
Public awareness of the importance of securing their own personal information is a key issue that needs to be resolved. Using an easy to understand analogy would be a good first step for those who are being surveyed.
Ayup
It irks me, because even if I wanted to use a completely different password for every login, there is no pattern or strategy I can follow to appease all of them.
"Love heals scars love left." -- Henry Rollins
And "I'm tired of passwords, so I'm going to give it to a stranger" doesn't really parse.
--- Ban humanity.
I wish I could use SecurID (or something like it) for everything. It would dramatically simplify my life.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
How do they know this doesn't just show people are dirty lying bastards? I'd give up a random string of characters I made up on the spot for a bar of chocolate!
If you liked this thought maybe you would find my blog nice too:
Honestly, who do you know that bitches and moans about having to use a separate key for both their car and house/apartment?
Nobody, because people can easily see the reason for this. That doesn't mean it's a great thing. Lots of people hide keys, in case they misplace one--near the door to their house, in magnetic boxes under a fender, under a rock, etc. A system that relies on the memory and presence of mind of average (or, frequently, above-average) people to maintain security is going to be crackable by social means--always has been, always will be.
It seems to me that the reason we can't just accept this and get on with it is the tantalizing possibility of a technical fix. But, every time that gets brought up for discussion, technocrats like you start crying that it's not THEIR problem--even though it manifestly IS their problem. Apparently, human nature is so frustratingly scatterbrained compared to machines that we're going to spend all our time crying about what lazy idiots the (l)users are, rather than finding a way to use the machines to fix the problem.
I have seen it done on three occasions, each time someone who has just fallen asleep ( cat/power napped ) at their desk.
and not chocolates when I enter my root password to login on websites such as Slashdot?
-- "I can't tell the future, I just work there." -- The Doctor
This is a bit off-topic, but a friend of mine had an account at a bank that would only allow you to access your information if you could answer a particular question. You could set the question and answer to whatever you wanted. His question was:
"What are you wearing?"
His response?
"I don't think that's an appropriate question."
--Stephen
Did you ever notice that *nix doesn't even cover Linux?
I know you mean this as a joke, but I want to take a second to remind people why biometric authentication is stupid:
* Your biometrics are not secret
* Your biometrics are not changeable
It sounds like biometrics could work well as a replacement for your username rather than your password.
The only problem I see is that they're a bit more private than a username. This will tend to lull users into considering the secrecy of their passwords less important. "Who cares if they know my password, they can't use it without my fingerprint." And that's true, but then your fingerprints are everywhere.
I'd gladly give up my password to many sites for a bar of chocolate. I'd be getting a great deal. Heck, I'll tell you all now: it's "password"... or sometimes if the sites use a dictionary check, I'll go for "password1".
A whole lot of the places I visit protect absolutely nothing of significance to me with their password. As in, maybe I can select a color scheme for a site, or similar. And for a lot of those, I know perfectly well I'll never go back to a site; I just have to do a one-time transaction. Exactly how concerned am I supposed to be that "hackers" might change my color scheme on a news website? Actually, a lot are even worse than that--like commercial newspapers (NYT and friends): I can't even change a color scheme, they just insist on me giving them demographic info. But it's a one way thing, you can't see or change it after "registration." Even if crackers -could- change how old the NYT thinks I am, why do I care about that exactly?
Opinions of security are probably harmed by the overuse of security measures where there is self-evidently no reason to have them. Casual users get in the habit of thinking passwords are just a nuisance... even when the -do- something significant.
Buy Text Processing in Python
At my wife's place of work (she's a research scientist for a major university) IT will delete the old passwords, then send out an email informing the employees that their passwords are no longer good and that they need to be changed.
Of course, to read your email, much less change your password, you need to log in. And you can no longer log in because your password has been deleted. Therefore, no one ever receives the email that their passwords need to be changed, nor could they do anything about it even if informed. Eventually enough people call up IT to ask them what the hell is going on, prompting them to restore the old passwords long enough for everyone to get on, read their mail, and change their password.
The IT department at her university has pulled this idiocy more than once. In fact, one time they restored the old passwords, everyone dutifully changed them, and then IT deleted the new passwords!
If ever there was an IT department where it was a requirement to have the word "LOSER" stenciled on one's forehead, this one takes the cake.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Try this: Pick a *good* password. For example: Take "Oh Captain! My Captain! Our fearful trip is done;" (A line from Whitman's "Oh Captain! My Captain!")
Now, your password is OC!Mc!0ftid; (you switch the second "O" and the second "C" to avoid repeating characters). Now, say you have four systems: Unix, Mail, Login, Finance. Add one more character at the front/back/middle/somewhere. So you have one password with one extra character somewhere. For instance:
OC!Mc!u0ftid;
OC!Mc!m0ftid;
OC!Mc!l0ftid;
OC!Mc!f0ftid;
Next time you switch passwords, pick a different line or a different poem, and maybe move where you put your extra character. Now I can't walk into one system if I compromise another one (the point of SEPARATE passwords...), minimizing the impact of an intruder.
Linux: The world's best text-adventure game.