Slashdot Mirror


Giving Up Passwords For Chocolate

RonnyJ writes "The BBC is reporting that, according to a recent survey, more than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate. Over a third of the people surveyed even gave out their password without having to be bribed, and most indicated that they were fed up with having to use passwords."

27 of 710 comments

  1. I'd give up mine for sex! by walter_kovacs · · Score: 5, Funny

    Yes, I am that desperate.

    1. Re:I'd give up mine for sex! by AppyPappy · · Score: 5, Funny

      A guy on my hall gave up his fraternity secrets for sex.

      Our new tablet PCs have card readers. When I worked at a Fortune 70, we found that no employee over Sr Manager level could remember a password, even if written down where they could see it. So what do you do. We just gave them a blank password. Now they could do emails and spreadsheets but not passwords.

      Go figure.

      --

      If you aren't part of the solution, there is good money to be made prolonging the problem

    2. Re:I'd give up mine for sex! by Anonymous Coward · · Score: 5, Funny

      Cool. I'll bring the goat around about 7pm.

    3. Re:I'd give up mine for sex! by Ralph+Wiggam · · Score: 5, Interesting

      Frats have retarded secrets like hand shakes and secret mottos. Some Ivy League frats have a secret president. Everyone tells their girlfriend all the stuff because nobody really cares.

      -B

    4. Re:I'd give up mine for sex! by Ansonmont · · Score: 5, Funny

      Actually, the biggest Frat secret is the "Tell frat secrets for sex trick." Shh.

      IANAFB (Fraternity Brother)

    5. Re:I'd give up mine for sex! by kzinti · · Score: 5, Funny

      Are you kidding? Frats have two complete sets of secrets: the real secrets, and the secrets you "give away" for sex! Ask any girl hanging around the house if she knows the secret handshake. If she shows you the "sex" secret, then you know she's been laid by a brother. (If she shows you the real handshake, then she's been laid by a brother who was too drunk to remember which was which.)

    6. Re:I'd give up mine for sex! by potifar · · Score: 5, Funny

      Just as long as nobody mentions the third set of secrets, everything should be fine.

  2. Pork Rinds! by Anonymous Coward · · Score: 5, Funny

    One bag of pork rinds, and I'll give complete superuser access to anybody!

  3. A big problem... by Lord_Frederick · · Score: 5, Informative

    ...at many of the places I've worked at is that the users have as many as a dozen passwords to remember for different systems, and each one expires at a different time and has different rules for how long and complex it has to be.

    Most of them keep their passwords written down on a sheet of paper right on their desk.

    1. Re:A big problem... by Evil+Schmoo · · Score: 5, Insightful

      Absolutely. We're a government facility, including a few areas that are nominally very secure, and as such, we have an extremely good IT department, all of whom work tirelessly to prevent nasty people and things from seeing our noodlings.

      The problem is, the vast majority of people who work here are either academic researchers, who are used to open collaborative discussion and find passwords inherently distasteful, or administrative workers, who, while they may be very dedicated civil servants, find the different password systems for email, LAN logon, timesheets, billing, contracts, grants, etc., to be tedious at best and bewildering at worst. Since they are not allowed to have the same universal password, for obvious security reasons, nor is that password allowed to be a recognizable English phrase, they have a great deal of difficulty memorizing each one.

      Add in the fact that each password must be changed every six months at a minimum (monthly for some systems) and that passwords cannot be repeated for five cycles, and that's as many as fifty or so passwords over the course of a year for some administrative officers. That's a lot to ask, even for someone with a technically-oriented mindset.

      Recognizing that writing them in a booklet next to the desk- or lap-top is a problem, many offices have taken to writing them down inside a lockbox.

      Biometrics may help, but if our physical plant is any evidence, we'll be ten or so years behind the curve getting such systems installed.

  4. Re:Wait a minute by the_mad_poster · · Score: 5, Insightful

    Depends what type of password they're asking for. I can imagine my boss giving up some of his real passwords for a bribe because he thinks "big deal... that one's not protecting anything sensitive anyway". Except, that comes down to him not understanding that whole "weakest link in the defenses" problem. Yea, maybe THAT password isn't, but what does that give a malicious user access to that could be abused elsewhere? What app-level attacks are we now vulnerable to? What databases could be stolen? Could the attacker now impersonate you to get more information from other people?

    Management and business types, and of course home users, don't think security is a big complex model. They think "oh, we have a firewall... we're safe" and that's the end of it.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!

  5. Re:Also over 30% will just tell you..... by bobbis.u · · Score: 5, Interesting

    But what use is a user id and password if you don't know where the computer is that it accesses?

    They should have tried doing the survey by knocking on people's front doors and asking them. I bet significantly fewer people would tell them then, because they would realise there was a much greater chance that the divulged information could actually be used.

    I am sure that somewhere in my town, there is a computer with the Windows login "Administrator", with password set to "password". Now in order for that information to be useful I still need to find that computer. (The only likely way is brute force scanning, which, by extension could be applied to the password cracking anyway.)

    Clearly, if the attacker was more malicious and started following you, etc. they could get this information. However, most people will assume that no one else actually has a major reason to be interested in their PC or indeed downloading their pr0n collection. This is part of the reason why Joe Public doesn't have such strong feelings about spyware as the average Slashdotter.

  6. Re:Passwords and memory by Anonymous Coward · · Score: 5, Insightful

    Remembering passwords is easy. I have lots of them.

    The key is to make them memorable, pronounceable non-words. You can do this using passwdgen on Linux. Just set it to the number of characters, add the "pronounceable" switch and - optionally - the "non-alphanumeric characters" switch and you'll have something that is very secure yet easy for YOU to recall.

    Further, what a bunch of whiney fucks. "Boo hoo, I have to use passwords. Boo hoo, I have to use a key to open my car door, house, bank deposit box, home safety, glove compartment, trunk. Boo hoo, I have to turn the knobs on doors and open them before walking into a building or home or car."

    Come on people.
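The pronounceable-password approach from the comment above, as an added example (not code from the original thread, and not the tool the commenter names): a syllable-based generator in Python that also reports how many bits of entropy each length carries. The point a practitioner should take away is that a pronounceable password packs fewer bits per character than a random string from the full printable alphabet, so it has to be longer to be equally strong. The syllable inventory, digit and symbol pools are constructed assumptions for this example.

```python
import math
import secrets

# Constructed inventory (an assumption of this example): each syllable is one
# consonant followed by one vowel or vowel pair, so any generated string can be
# split back into syllables in exactly one way and the entropy maths is exact.
CONSONANTS = "bdfgklmnprstvz"
VOWELS = ["a", "e", "i", "o", "u", "ai", "ou"]
SYLLABLES = [c + v for c in CONSONANTS for v in VOWELS]   # 14 * 7 = 98
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*-_+=?"


def pronounceable(syllables=6, extra=False, rng=secrets):
    """Build a password from random syllables; with extra=True also splice in
    one digit and one symbol at random positions. rng only needs .choice();
    the secrets module (CSPRNG) is the default."""
    parts = [rng.choice(SYLLABLES) for _ in range(syllables)]
    if extra:
        for pool in (DIGITS, SYMBOLS):
            pos = rng.choice(range(len(parts) + 1))
            parts.insert(pos, rng.choice(pool))
    return "".join(parts)


def entropy_bits(syllables, extra=False):
    """Bits of entropy in the generator's choices. Exact, because the syllable
    grammar is unambiguous and digits/symbols never look like syllables."""
    bits = syllables * math.log2(len(SYLLABLES))
    if extra:
        bits += math.log2(len(DIGITS)) + math.log2(syllables + 1)   # digit + position
        bits += math.log2(len(SYMBOLS)) + math.log2(syllables + 2)  # symbol + position
    return bits


def equivalent_random_length(syllables, extra=False, alphabet=95):
    """Length of a uniformly random password over `alphabet` printable
    characters that carries at least as much entropy."""
    return math.ceil(entropy_bits(syllables, extra) / math.log2(alphabet))


def parse_syllables(pw):
    """Split a password back into syllable/digit/symbol tokens, or return None
    if it does not fit the grammar. Used to sanity-check the generator."""
    tokens, i = [], 0
    while i < len(pw):
        ch = pw[i]
        if ch in DIGITS or ch in SYMBOLS:
            tokens.append(ch)
            i += 1
            continue
        if ch not in CONSONANTS:
            return None
        j = i + 1                      # consume the vowel run after the consonant
        while j < len(pw) and pw[j] in "aeiou":
            j += 1
        syl = pw[i:j]
        if syl not in SYLLABLES:
            return None
        tokens.append(syl)
        i = j
    return tokens


if __name__ == "__main__":
    for n in (4, 6, 8):
        for extra in (False, True):
            pw = pronounceable(n, extra)
            print(f"{pw:<24} {len(pw):2d} chars  {entropy_bits(n, extra):5.1f} bits"
                  f"  ~ {equivalent_random_length(n, extra)} random chars")
```

Six syllables (about 13 to 16 characters) give just under 40 bits, which is what a random 7-character printable password carries; that ratio, not the character count, is what to compare when deciding how long a pronounceable password must be.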

  7. Re:Passwords and memory by mrwonka · · Score: 5, Informative

    try passwordsafe

    http://sourceforge.net/projects/passwordsafe/

  8. I'm not sure whether by Anonymous Coward · · Score: 5, Funny

    you realise that such a deal will ensure you're getting rooted twice?

    The second one might not be so pleasant.

    Still, it's probably better than being an OpenBSD hacker and having never been rooted at all.

    (and please don't mod up the karma whore who follows this going "don't stereotype geeks waa waa waa" it's a joke...laugh)

    1. Re:I'm not sure whether by Throtex · · Score: 5, Funny

      don't stereotype geeks waa waa waa

  9. Re:Wow... I mean... wow... by Lumpy · · Score: 5, Interesting

    you have it easy!

    here they added the restriction that your password can not contain any characters that can be typed at the keyboard... oh and you can't use any of your last 50 passwords.

    Ok, so I'm kind-of joking... but their stupidity at corporate to make passwords insanely complex has weakened computer security as most users now have their password (and the last 20 or so) written down under their desk blotter, in the drawer or even on a post-it on the monitor...

    Oh and corporate's extreme wisdom has the last four of your SSN in your user ID, and they use that same 4 digits to verify who you are to tech support lines...

    so basically they, through extremely stupid decisions have significantly weakened the network and computer security here to the point that it is a gigantic joke.

    yay for MIS directors that have no clue!

    --
    Do not look at laser with remaining good eye.

  10. Slashdot's a secure site? by adamofgreyskull · · Score: 5, Funny

    I gave my slashdot login/passwd away ages ago, and my karma's only gone up.

  11. As Ben Franklin would put it... by k4_pacific · · Score: 5, Funny

    Those who would give up security for chocolate deserve neither.

    --
    Unknown host pong.

  12. Extracting passwords from sleeping sysadmins... by `Sean · · Score: 5, Funny

    A friend of mine is particularly anal when it comes to security. He's a network security geek for a major college in the Boston area, and security is his life. Unfortunately, he'll interact with you when he's just entered Level 1 REM sleep.

    About 7 years ago, he was crashed out on the floor of my apartment after a late night session. Since I was still coherent, I started saying random command prompts and command lines to him. He had just fallen asleep, and was finishing the prompts!

    Me: rm -rf
    Him: star

    Me: apachectl
    Him: restart

    Me: shutdown
    Him: -h now

    And then I upped the stakes.

    Me: username
    Him: blurted out his username

    Me: password
    Him: blurted out his password

    I left him an e-mail from himself that evening, and then went to bed. The next morning, he said "cute trick, but anyone can forge the From: header". I told him to go and double-check the received line, and he'd see that it was sent from localhost on a server that I didn't have an account on.

    He was rather annoyed and amused at the same time...

    Priceless.

  13. Because people have been doing security wrong by 0x0d0a · · Score: 5, Insightful

    The "I hate passwords" attitude is not merely (or even primarily, IMHO) a function of users doing something wrong. It is a function of poorly designed security, or of security designed for a different environment being reused for current systems.

    Passwords came into popularity a long time ago. Things that have changed since the introduction of the password:

    * Many people have accounts on many, many systems (thanks to websites with accounts).

    * Users on such systems may not be primarily benevolent -- on a UNIX box used by a small bunch of researchers in the early 80s, a password may be an acceptable barrier to anyone poking around. A password on eBay, on the other hand, may be of interest to a number of less savory characters.

    * The ability to attack systems has significantly increased. Internet accessibility means that remote, hard-to-trace attacks are more common. A brute force attack on a computing system physically isolated in a building may be simply infeasible, and choosing "cheese" as a password may be perfectly acceptable -- such a thing is no longer reasonable.

    * Computing power is much greater now. Attacks on password hashes (including those sent over the network) are much more feasible. The relative strength of passwords to CPUs has decreased logarithmically.

    * Many systems require passwords frequently. If you are a defense contracting employee, you might have only needed your password once when walking in the door in the morning and once after lunch. Now, corporate intranets have passwords, Yahoo has passwords, Slashdot has passwords, eBay has passwords, etc. Many of these require passwords multiple times a day (or, if they have an option to cache a password, do not have sufficient data about the client side to know how long it is safe to continue to cache the data).

    * The demographic of password users has changed. Almost everyone has many passwords now -- not just a couple of engineers or scientists, or the occasional person with an ATM PIN.

    What I Suspect Needs To Be Changed

    A couple of things that probably need to change:

    * It needs to be standard (and have a common interface for doing so) for users to be able to delegate a subset of their authority. Few systems currently have authorization systems smart enough to allow users to delegate chunks of their power to other users for a short term (and audit any moves). This needs to be simple, *easy*, and secure. If Sharon wants to let Bob purchase something online and charge it to her credit card account, she needs a quick and easy way to say "I authorize Bob to spend up to $500 in the next week and charge it to my credit card." That could be via her cell phone or on a computer. Most systems should have at least several forms of authorized actions that can be delegated to other users that require no more than entering a limit on the degree of the actions taken. A list of actions that other users have taken with that authorization should also be easily visible.

    * Where feasible, passwords should be replaced by smartcard/PIN combinations. It's easier to remember a four-digit PIN than a long, secure password, and for anyone that doesn't have physical access to a user's smartcard, the strength of the token on the card is much greater than that of a password. Currently, this is particularly disastrous in the form of credit card information. Currently, many vendors store full credit card information used in purchases in databases. If any such database is compromised, authentication data providing full access to money accounts is granted the compromiser -- this is, frankly, insane. Credit card providers have one effective line of defense against a compromised card -- they do statistical analysis against purchases, which isn't the most reliable method of dealing with such attacks, and requires intense monitoring of anything users do -- producing a strong disincentive to provide users with privacy. (I realize that there are a few attempts at improving t
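The delegation idea in the comment above ("I authorize Bob to spend up to $500 in the next week"), as an added example that is not part of the original post: a small Python model in which the grantor's service issues an HMAC-signed grant carrying a spending limit and a validity window, and the merchant-facing side verifies the signature, enforces the cumulative limit, checks who is presenting the grant, and records every attempt, accepted or refused, so the grantor can review what was done in her name. The signing key, names, amounts and clock values are constructed for the example; a real deployment would keep the key in an HSM or KMS and use a standard token format.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Issuer key: a constructed demo value for this example only.
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_delegation(grantor, grantee, limit_cents, valid_seconds, now=None, key=ISSUER_KEY):
    """Grantor authorises grantee to spend up to limit_cents within
    valid_seconds. The HMAC binds every field, so the grantee cannot raise
    the limit, extend the window, or hand the grant to someone else."""
    now = time.time() if now is None else now
    claims = {
        "id": secrets.token_hex(8),      # unique per grant; keys the spend ledger
        "grantor": grantor,
        "grantee": grantee,
        "limit": int(limit_cents),
        "nbf": int(now),                 # not valid before
        "exp": int(now + valid_seconds), # expiry
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


class DelegationLedger:
    """Verifying side: checks the grant, enforces the cumulative limit and
    keeps the audit trail the grantor can inspect."""

    def __init__(self, key=ISSUER_KEY):
        self.key = key
        self.spent = {}    # grant id -> cents charged so far
        self.audit = []    # (time, grant id, presenter, amount, outcome)

    def _verify(self, token, now):
        try:
            body_b64, tag_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except (ValueError, binascii.Error):
            return None, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return None, "bad signature"
        claims = json.loads(body)                    # safe: signature already checked
        if now < claims["nbf"] or now >= claims["exp"]:
            return None, "outside validity window"
        return claims, "ok"

    def charge(self, token, presenter, amount_cents, now=None):
        """Attempt a charge under the grant. Every attempt is audited.
        Returns (accepted, reason)."""
        now = time.time() if now is None else now
        claims, reason = self._verify(token, now)
        grant_id = claims["id"] if claims else None
        if claims is None:
            outcome = reason
        elif presenter != claims["grantee"]:
            outcome = "wrong grantee"
        elif amount_cents <= 0:
            outcome = "invalid amount"
        elif self.spent.get(grant_id, 0) + amount_cents > claims["limit"]:
            outcome = "limit exceeded"
        else:
            self.spent[grant_id] = self.spent.get(grant_id, 0) + amount_cents
            outcome = "accepted"
        self.audit.append((int(now), grant_id, presenter, amount_cents, outcome))
        return outcome == "accepted", outcome

    def history(self, grant_id):
        """What the grantor sees: every attempt made under one grant."""
        return [e for e in self.audit if e[1] == grant_id]


def demo():
    """The scenario from the comment on a fixed clock: $500 for one week."""
    t0 = 1_700_000_000
    token = issue_delegation("sharon", "bob", 50_000, 7 * 24 * 3600, now=t0)
    ledger = DelegationLedger()
    return [
        ledger.charge(token, "bob", 30_000, now=t0 + 60)[1],               # accepted
        ledger.charge(token, "bob", 30_000, now=t0 + 120)[1],              # over limit
        ledger.charge(token, "mallory", 100, now=t0 + 180)[1],             # not Bob
        ledger.charge(token, "bob", 100, now=t0 + 8 * 24 * 3600)[1],       # week is over
        ledger.charge(token[:-4] + "AAAA", "bob", 100, now=t0 + 60)[1],    # tag altered
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The limit is enforced cumulatively per grant id rather than per charge, which is what makes "up to $500" meaningful; the audit list records rejected attempts too, since a burst of "limit exceeded" or "wrong grantee" entries is exactly what the grantor would want to notice.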

  14. Re:I weep for the future. by theLOUDroom · · Score: 5, Insightful

    Now, I just need to figure out how to do strong biometric identification over ssh or SSL-imap...

    I know you mean this as a joke, but I want to take a second to remind people why biometric authentication is stupid:
    • Your biometrics are not secret
    • Your biometrics are not changeable

    When you're using some sort of key/password, you want it to meet the following criteria:
    • Secret
    • Changeable
    • Hard to duplicate
    • Hard to guess

    Many of the best security systems rely on "something you know and something you have". This means that there is a physical object, and some sort of password.
    Biometrics are stupid because they rely on the secrecy of something like your fingerprints, which you leave on everything you touch. They're just not secret. And they're not changeable once the secret is out and the bad guys have your fingerprints.

    It makes me cringe every time I hear about biometrics being used as a substitute for passwords, credit card numbers etc. What happens when I get a copy of your fingerprint (using only a piece of tape and some talc)? I can go around making purchases as you, and it's not exactly like you can cancel your fingerprints and get new ones.

    The only place biometrics really shine is the times when the person doesn't WANT to be identified. You kinda have to carry your fingerprints around with you. For everything else, they suck.

    I would much rather fork over my credit cards at gunpoint than be kidnapped or have my fingers chopped off.

    --
    Life is too short to proofread.

  15. Re:Wait a minute by Andy_R · · Score: 5, Interesting

    I'm living proof of this. I was waiting for a train at Liverpool St Station in London, and took part in the survey once I realised there was a freebie involved. Every single question they asked I made up a false reply to, partly to get the free chocolate but mostly because I hate intrusive market researchers and people trying to profile me.

    Sadly, I doubt they will ever realise how worthless their surveys are, after all the NYT still hasn't got the message after about a billion fake login names.

    --
    A pizza of radius z and thickness a has a volume of pi z z a

  16. Re:Passwords and memory by nomadic · · Score: 5, Funny

    True, but does turning a key force you to remember a complex stored memory? Nope.

    Finding my keys does...

  17. Re:Passwords and memory by Hans+Lehmann · · Score: 5, Funny

    try passwordsafe

    I just changed all my passwords to 'passwordsafe'. They seem to work just as well as all those hard-to-remember passwords I had before. That is what you meant, isn't it?

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

  18. Password Rules by Baby+Duck · · Score: 5, Insightful

    My biggest gripe about website passwords is the lack of consistency in password rules.
    • Some let you use special characters.
    • Some don't.
    • The set of allowed special characters differs for those who do
    • Some are case sensitive
    • Some are smashcase
    • Some allow just numbers
    • Character length range is wildly variable
    • Some make you change your password and won't let you use your last X passwords
    • Some force you to do weird stuff like "at least one uppercase, at least one lowercase, at least one number"

    It irks me, because even if I wanted to use a completely different password for every login, there is no pattern or strategy I can follow to appease all of them.

    --

    "Love heals scars love left." -- Henry Rollins

  19. Re:Some password advice ... by binbag · · Score: 5, Funny

    One of my colleagues swiftly changed one of his passwords recently. It was analyst with a capital A and the 'y' replaced with a '1'. The day he changed it was the day he had to give it to a support techie over the phone, when she read it back as "anal first" he realised what he'd done...