Slashdot Mirror

← Back to Stories (view on slashdot.org)

Poor Passwords A Worse Problem Than Poor Antivirus

Posted by timothy on from the sure-is-for-me dept.

dasButcher writes "Viruses and worms get all the headlines, but poor password management is a worse problem according to a new study by Channel Insider and CompTIA. As Larry Walsh writes in his Security Channel blog, VARs and security service providers say they find more problems with password management than antivirus applications when they do security assessments. While password problems are nothing new, Walsh and those posting on his blog correctly assert that users remain cavalier about passwords and businesses are doing too little to address this serious vulnerability."

5 of 247 comments (clear)

  1. It's all down to ridiculous password rules... by musefrog · · Score: 5, Interesting

    I think one day, we'll look back at this period of needing umpteen different 8-16 character one capital letter one alphanumeric character passwords (changed each month!) with the same horror we now regard the times when the best solution to a serious leg injury was to cut the freaking thing off. With no anasthetic. Maybe it's not directly analogous, but it's just as barbaric and wrong and crazy!

  2. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  3. Re:Sunflowers aren't so bad by KeithIrwin · · Score: 5, Insightful

    I agree completely. I generally tell people that it's far, far, far better to have a strong password which you write down than a weak one which you can remember. Simply moving the post-its from the monitor to a locked desk drawer would do a lot to decrease the security risk of writing them down.

    It's also not even vaguely clear to me why people feel that regular password changes are helpful or a good idea. As far as I can see, all they do is make it tougher for users to use strong passwords (due to being unable to memorize them), thus leading to weaker passwords and less security. An uncompromised password is an uncompromised password. They don't go stale.

    Regular password changes don't help decrease the likelihood of a system being compromised, they just offer some mitigation in the event that it has been compromised. However, given that an attacker probably will need only a few hours or days to slurp plenty of information or do plenty of damage, rotating passwords monthly isn't even likely to mitigate the compromise much.

    So the trade-off being made is that the system is now more likely to be compromised due to weaker passwords but in return, there's small chance that an attack will be stopped after the system has been compromised due to the password changing. That doesn't seem like a good trade-off to me. My best guess is that this advice is left over from a time when some systems had shared passwords. The regular password change was so that people who had been given the password to a system to do one thing wouldn't have access forever. Some places even used daily passwords so that they could give someone access for one day, but have their access reset the next day. But that advice has been carried over to individual user passwords in systems which use better access control technologies to manage access.

    These sort of reports don't stop and analyze what constitutes good password management. They just say "Passwords should be changed regularly. It must be true because everyone is saying it. This company doesn't change their passwords regularly, so they have poor password management." As such, they aren't really a good assessment of the problem.

  4. Author parrots common fallacy by whoever57 · · Score: 5, Insightful
    The author parrots out the common fallacy that passwords have to changed frequently:

    Even worse, good password management requires frequently changing passwords - every 30 to 60 days is the standard. Rotating passwords more frequently--every 15 days or so--is possible, but the panelist say it creates more of management and user headache that leads to more sunflowers by users who's memories can't keep up with changes.

    Until people get over this misconception and communicate to their users: "give yourself a good password. I won't ask you to change it so you can pick a strong password that you will remember and that will be the end of memorising passwords" Then stress what makes a strong password.

    --
    The real "Libtards" are the Libertarians!
  5. Re:Sunflowers aren't so bad by grumbel · · Score: 5, Insightful

    Simply moving the post-its from the monitor to a locked desk drawer would do a lot to decrease the security risk of writing them down.

    Or better yet, store it in your wallet. A place that is save enough for your money, credit cards and car keys should be save enough for a bunch of passwords. One could of course go one step further and get rid of passwords altogether and use a secure authentication device instead, with USB being commonplace everywhere that shouldn't be to hard to just use a USB device that does the authentication and encryption in a secure and easy to use manner.

    The core problem isn't that users chose insecure passwords, thats just human nature, the core problem is simply that hardware and software developers haven't build systems that work well enough with this "flaw" of human nature.