Slashdot Mirror

← Back to Stories (view on slashdot.org)

Too Many Passwords

Posted by Zonk on from the setec-astronomy dept.

LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbates the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"

7 of 516 comments (clear)

  1. as usual, blame the users for trying by yagu · · Score: 5, Insightful

    (BTW, this is basically a dupe from about four or five years ago...)

    From the article (and the post):

    The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques such as listing passwords on post-it notes (you know who you are)...

    First, I can't let this pass. I was on the IT team for a large company that had the described oodles of systems and oodles of passwords dilemma. And I'd been out on the floor where our users had to use these systems. The last thing in the world someone should be saying to them is, "You know how you are", as if these people are doing some wrong. Their jobs of dealing with the consumer public is hard enough without having to genuflect to the "security" (inconsistent, obfuscated, inane, ineffective, and myriad) measures of the systems from which they are supposed to server the consumers. I never had to deal with as many passwords as they did, but had I had to, I'd have been tempted to do the same thing.

    As for the dilemma of too many passwords... yeah, there are too many passwords. And the funny thing about that is, they (in my opinion) provide little to no security and may even subtract from the overall security of the network. Especially in a closed access building (which these users were), passwords were and are a hindrance, not an enabler. I'd submit the entire organization would function more effectively were they all allowed access to the various systems sans passwords once they'd entered the building. Most stolen and broken passwords are via social engineering, and half the social engineering is just gaining access.

    In the personal computing arena, I'd be awfully surprised if even 10% of the problems occur because of too many passwords. More likely it's because of incorrectly configured access levels for general users.

    I'm guessing the world of passwords will never go away, but in settings where users have to deal with many (in the case described above, literally hundreds) of systems and their various password paradigms, passwords SHOULD go away (NOTE: the use of the plural... I'd be okay with somehow consolidating total access down to ONE password). Somehow it must be comforting to PHB's to know their universe is multiply protected by multiple schema, whether or not it affords any protection.

  2. Re:I know how it feels... by Fulcrum+of+Evil · · Score: 5, Insightful

    Someone should invent a special "web token" of sorts that would keep you logged in.

    Tried that. Turns out, nobody wants all their online identities to merge together.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  3. Re:Better than post-it notes by Urban+Garlic · · Score: 4, Insightful

    This can fail to comply with password rules -- the password for, e.g.,
    your web-request-line account for WXKE radio, zGZuvwaY, doesn't have any
    numeric or punctuation characters.

    I think a lot of people fail to distinguish between cases where strong
    passwords are needed, and where they aren't. For Amazon.com, with its
    stored credit-card data, and PayPal, and my bank, and my user account
    at work, obviously strong passwords are a good idea. But for slashdot,
    nytimes.com, and other sites that just require them for your user-state
    info, crappy passwords that never change are just fine, and putting those
    on post-it notes on the monitor is also fine.

    --
    2*3*3*3*3*11*251
  4. Re:Better than post-it notes by Ed+Avis · · Score: 5, Insightful

    Or better, just use your GPG keypair to identify yourself to start with. For example, when you register on a website you could paste in your GPG public key. Then to authenticate, the website encrypts a word with that key and shows it on a page; you decrypt it and enter the original word. So - no need to remember a password for this website, and if the website is cracked or just plain evil, they still can't do anything to access other sites since all they have is your public key.

    The browser could automate this pretty easily, of course

    --
    -- Ed Avis ed@membled.com
  5. Great idea, until... by jxyama · · Score: 4, Insightful
    You encounter very common "change your password every N months and it cannot be the same as the last X passwords."

    I wonder how long before we figure out that this very requirement frequently leads to sequencing of the password, which completely defeats the purpose of changing it every so often.

    I do like your idea, though, for places where I don't have to change the password every so often.

  6. Re:Better than post-it notes by nizo · · Score: 4, Insightful

    Or what I often do is have some short random string (for example "C@5") which I could prepend before all passwords. The upside is even if someone gets the card, and by some miracle they figure out what it is, they still don't have my passwords. Unless they can read my mind, in which case they will also realize I have a negative bank balance and will go find someone else to steal money from.

    --
    I Am My Own Worst Enemy
  7. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 5, Insightful

    Something you have (physical key)

    Something you know (password)

    Something you are (biometrics)

    I strongly object to this bastardization of traditional authentication scheme theory. "Something you are" is a load of crap. It is an attempt to graft biometrics onto existing theory without evaluating how they really work. Biometrics identifiers are just something you have and need to be evaluated on their strengths and weaknesses on that basis. For the most part biometrics are something you have that you keep with you all the time and cannot easily remove or change. This is good in that it makes them harder to steal and less likely to be lost. This is bad because you cannot put them away somewhere safe and are constantly exposing them to the possibility of being copied. It is also bad because unlike other things you might have and use to authenticate, biometrics are almost impossible to change, so once compromised are a nearly permanent vulnerability. Finally, biometrics are bad because they can lead to the escalation of a crime in that their theft can be physically damaging. Take note of the man who was first kidnapped, then had his thumb cut off when car-jackers wanted to be able to start his fancy thumbprint lock car. Criminals don't need to be given extra motivation to commit mutilations.

    Biometrics proliferate these days largely on their "cool" factor. The more blinking lights and high-tech gadgets the more secure it must be, right? Sadly they are being used to replace either the something you know or something you have in traditional biometric schemes, with the end result being less overall security. Biometrics have their place, and that is in a tightly controlled environment, supplemented by human observers to prevent copies from being easily used, and as an additional security measure on top of "something you know" and "something you have" that can't be copied from your beer glass at the bar. They do not belong in an authentication scheme in place of either a traditional "something you know" or "something you have" unless your goal is to have very, very convenient placebo security that is trivially bypassed by design.