Slashdot Mirror


Poor Passwords A Worse Problem Than Poor Antivirus

dasButcher writes "Viruses and worms get all the headlines, but poor password management is a worse problem according to a new study by Channel Insider and CompTIA. As Larry Walsh writes in his Security Channel blog, VARs and security service providers say they find more problems with password management than antivirus applications when they do security assessments. While password problems are nothing new, Walsh and those posting on his blog correctly assert that users remain cavalier about passwords and businesses are doing too little to address this serious vulnerability."

7 of 247 comments

  1. It's all down to ridiculous password rules... by musefrog · Score: 5, Interesting

    I think one day, we'll look back at this period of needing umpteen different 8-16 character one capital letter one alphanumeric character passwords (changed each month!) with the same horror we now regard the times when the best solution to a serious leg injury was to cut the freaking thing off. With no anaesthetic. Maybe it's not directly analogous, but it's just as barbaric and wrong and crazy!

  2. Re:Sunflowers aren't so bad by Shikaku · Score: 4, Interesting

    And there is no malware possible that can read what's written on a post-it note.

    Security cameras. If you know what to Google you can find all sorts of security cameras on the internet.

    Or just walk in and look yourself.

  3. Arora by Sir_Lewk · Score: 4, Interesting

    It's good to see Arora getting some more attention now. I've been using it now for more than half a year and I must say it's the first web browser I have actually liked in several. I would definitely consider it the best OSS web browser on linux right now, particularly if you're running KDE (although Arora is desktop agnostic, it is Qt). I've been fed up with Firefox's bloat (ever try comparing Firefox and Seamonkey these days? Guess which is heavier...) for some time and Arora is a nice change from that.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)

  4. I have an idea. by neokushan · Score: 4, Interesting

    I'd like to make a proposition to everyone on slashdot.

    For the greater good of humanity, we need to employ some social engineering. I suggest that all of us stop referring to it as a "password" and start referring to it as a "passphrase". With a little luck, it'll catch on and people will start using phrases instead of just words. This tiny change should cause people to create easily remembered passes that are in excess of 10 characters long.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill

  5. poor password policies by mayberry42 · Score: 4, Interesting

    I remember when working for a major financial firm in Boston, they had the most ridiculous password policies for each password. We had to have at least four or five different passwords according to what you needed to access, each with their own rules and limitations (size, characters allowed etc...). Not only that, but each password expired in different intervals. So basically every week, you'd have to change at least one password making the whole damn thing impossible to remember. So, what did people do? They wrote them down on little sticky notes. Sure, I came up with my own schemes to facilitate remembering them, but nevertheless a forgotten password was bound to happen. It amazes me how paranoid firms are about some policies, yet leave the back door wide open due to such stupidity.

    Due to a recent identity-theft scare I had the other day, it made me realize the importance of safeguarding the data with good passwords. Since then, I've used KeePass to generate and store all my 20-digit random passwords that I've since never had to remember (a backup, of course, is constantly made and stored in a safe place). Either way, I'm no security expert, but it seems to me an approach like this would be much more sensible than inconsistent password policies that expire randomly. Just my $0.02
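The trade-off running through comments 1, 4 and 5 (policy-driven "word plus capital plus digit" passwords, longer passphrases, and manager-generated random strings) can be put in numbers. The following is an added Python example, not code from the page or from KeePass; the 20,000-word vocabulary model, the 7776-word (Diceware-sized) passphrase list and the 1e10 guesses/second rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_WORDS = 7776   # size of a standard Diceware list (6**5); assumption
COMMON_WORDS = 20000    # assumed vocabulary people pick "base words" from


def random_string_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a string whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Bits of entropy in a passphrase of `words` words chosen uniformly from a list."""
    return words * math.log2(wordlist_size)


def policy_word_entropy_bits(vocab_size: int = COMMON_WORDS) -> float:
    """Assumed model of the usual response to a 'one capital, one digit' rule:
    a common word with its first letter capitalised (no extra choice) and one
    trailing digit.  Only the word choice and the digit contribute entropy."""
    return math.log2(vocab_size) + math.log2(10)


def generate_random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """What a password manager does: every character comes from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst case for the attacker: time to try every candidate at a fixed rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_schemes() -> dict:
    """Entropy of the three schemes discussed in the thread."""
    return {
        "policy word + digit (8 chars)": policy_word_entropy_bits(),
        "4-word passphrase": passphrase_entropy_bits(4),
        "20 random printable chars": random_string_entropy_bits(len(PRINTABLE), 20),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        years = years_to_exhaust(bits)
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

The word-plus-digit model lands near 18 bits, the four-word passphrase near 52 bits and the 20-character random string near 131 bits; the ratio, not the absolute guess rate, is the point.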

  6. Re:Sunflowers aren't so bad by exley · Score: 4, Interesting

    OK so I went and searched for "office security cameras" and that pretty much just turned up companies selling cameras. I then tried "office security cameras HOT XXX ACTION" and that DID yield me some results... But no passwords on sticky notes :( Rule 34 should kick in eventually, though, right?

    Seriously though, I'm guessing most office security cameras are too low-res and they give a wide-area view so as to make it pretty damn difficult to be able to get someone's PW that way.

  7. Re:Sunflowers aren't so bad by flappinbooger · Score: 4, Interesting

    As someone who does IT and computer work "in the field" for small local businesses in a small midwestern town, the "Just walk in and look" thing is more true than you might think. If you look like a clean-cut semi-geek with a laptop and an air of confidence, all you need to do is walk in.

    Go up to the bored and underpaid secretary/receptionist who doesn't really give a flock, and say you're there to fix the computer in the back, or to fix the printer, whatever. Most likely they'll say "yeah, sure, whatever" and let you go on because they don't care, don't know, and most places DID have problems with the computer/printer/whatever the day before, and she will assume the owner called you.

    Memory stick with a few choice apps, clickety click, and you can own the place whenever you want and nab whatever you want.

    Oh, and all the passwords are either on a post-it on the monitor, under the keyboard, or are some variant of Password. Or, everyone knows it because it's the dog's name and ALL the passwords are the same.

    "Oh, hey, can you give me the password real quick for this workstation right here?" (wants to be helpful and is embarrassed because they don't know jack about computers) "Sure, it's password123!"

    One time the manager of a chiropractic/PT place was giving me access to the server because she needed me to do something, and I watched her peck in the password at 1 WPM. The password was "SPRAIN". I about busted out laughing.

    Way too many places that should have security - lawyer offices, medical offices - have open APs and crap security. Actually, NO security. No backup, either. I'm turning things around as I go.

    --
    Flappinbooger isn't my real name