Slashdot Mirror


75% Use Same Password For Social Media & Email

wiredmikey writes "Over 250,000 user names, email addresses, and passwords used for social networking sites can easily be found online. A study of the data collected showed that 75 percent of social networking username and password samples collected online were identical to those used for email accounts. The password data was gathered from blogs, torrents, online collaboration services and other sources. It was found that 43 percent of the data was leaked from online collaboration tools while 21 percent of data was leaked from blog postings. Meanwhile, torrents and users of other social hubs were responsible for leaking 10 percent and 18 percent of user data respectively...."

278 comments

  1. Passwords by geek · · Score: 4, Insightful

    As long as passwords remain the central method of authentication, this will continue.

    1. Re:Passwords by Anonymous Coward · · Score: 5, Funny

      My password is IAMGAY. That way, even if it got found out I can be confident no one will want to use it, because that would mean they are gay.

    2. Re:Passwords by Captain+Splendid · · Score: 5, Funny

      Shame this isn't ten years ago. You coulda got some VC funding for that idea.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    3. Re:Passwords by ConceptJunkie · · Score: 1

      As it is, this was pushed in a Microsoft security Hotfix for Vista a couple years ago...

      --
      You are in a maze of twisty little passages, all alike.
    4. Re:Passwords by Anonymous Coward · · Score: 0

      That's funny... I have the same combination on my luggage.

    5. Re:Passwords by Abstrackt · · Score: 4, Insightful

      My password is IAMGAY. That way, even if it got found out I can be confident no one will want to use it, because that would mean they are gay.

      What if they are gay? ;)

      Your comment reminds me of the best password policy I've ever heard: offensive gibberish. If someone's password is suitably embarrassing odds are quite good that they won't share it with anyone.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    6. Re:Passwords by jDeepbeep · · Score: 3, Insightful

      So... being gay is both offensive and embarrassing?

      --
      Reply to That ||
    7. Re:Passwords by Anonymous Coward · · Score: 0

      To an AC, yes. TO this AC, no. Though I'm not gay, I don't find it offensive or embarrassing.

      Now having the gay guy show off his ripping abs in front of all the straight girls is a bit embarrassing. For me that is.

    8. Re:Passwords by Anonymous Coward · · Score: 0

      Normally not... but then again ask Jet Blue.

    9. Re:Passwords by Cro+Magnon · · Score: 1

      If someone's password is suitably embarrassing odds are quite good that they won't share it with anyone

      One of my passwords awhile back had very nit-picky rules for passwords. After about a dozen attempts, I finally found one it accepted. I can guarantee I would never repeat THAT password.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    10. Re:Passwords by Anonymous Coward · · Score: 0

      As it is, this was pushed in a Apple security Hotfix for OS X a couple years ago...

      FTFY

    11. Re:Passwords by Anonymous Coward · · Score: 0

      Unless you're a Mac user

    12. Re:Passwords by Abstrackt · · Score: 1

      So... being gay is both offensive and embarrassing?

      The AC's comment just reminded me of that policy. If my comment came across as me thinking that being gay is offensive and/or embarrassing, I sincerely apologize as that was not my intention.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    13. Re:Passwords by Anonymous Coward · · Score: 0

      Oh, don't think I didn't hear you mumble 45%gHHf)l.!2o in your sleep!

    14. Re:Passwords by clone53421 · · Score: 1

      This takes Your Relationship with Anonymous Coward (666) to a whole new level (Sorry, this is not an option).

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    15. Re:Passwords by Syberz · · Score: 1

      My password is IAMGAY. That way, even if it got found out I can be confident no one will want to use it, because that would mean they are gay

      ...Not that there's anything wrong with that. /seinfeld

      --
      ~Syberz
    16. Re:Passwords by Beardo+the+Bearded · · Score: 4, Funny

      hunter2

      --
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    17. Re:Passwords by ArcherB · · Score: 1

      My password is IAMGAY. That way, even if it got found out I can be confident no one will want to use it, because that would mean they are gay.

      I think something like IB1owGoats would be better. That way, even if the hacker/cracker is a goat-blower, it's probably not the kind of thing they would be willing to admit. "Gay" just doesn't have the same stigma attached to it that it did when we were growing up.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    18. Re:Passwords by causality · · Score: 1

      One of my passwords awhile back had very nit-picky rules for passwords.

      Your passwords have very nit-picky rules for passwords? That's cosmic. Is that a Zen thing, like maybe a koan?

      "But Master, how can a password create its own rules if it does not yet exist?"
      "When you can tell me the sound of one hand clapping, then you will understand."

      --
      It is a miracle that curiosity survives formal education. - Einstein
    19. Re:Passwords by commodore64_love · · Score: 1

      >>>Using the same password on social sites and email

      Was that wrong? Should I not have done that? I tell you, I gotta plead ignorance on this thing, because if anyone had said anything to me at all when I first started here that that sort of thing is frowned upon..... you know, cause I've worked in a lot of offices, and I tell you, if I had known I would not have done that.

      My main fear is that my credentials are hanging-around on some ancient 90s website that I've long forgot about, it gets hacked, and my password gets out there for scammers to use. That would suck.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    20. Re:Passwords by Anonymous Coward · · Score: 0

      I don't think the botnet will be offended by your password. I'm pretty sure it doesn't understand or care what the passwords are when it does a dictionary attack.

    21. Re:Passwords by digitig · · Score: 1

      Nice idea, until you find your computer has been hijacked and is acting as a torrent provider for classic MGM musicals.

      --
      Quidnam Latine loqui modo coepi?
    22. Re:Passwords by digitig · · Score: 1

      I use KeePass, and it's entertaining to see how many sites force me to use a less secure password than the KeePass default settings generates.

      --
      Quidnam Latine loqui modo coepi?
    23. Re:Passwords by Anonymous Coward · · Score: 0

      hunter2

      all i see is 7 stars

    24. Re:Passwords by hviniciusg · · Score: 2, Funny

      See, i only see *******, i love this slashdot security mechanism. you could not see the guy password :D

    25. Re:Passwords by eleuthero · · Score: 1

      You don't need to worry, Yahoo took down Geocities a bit back. ... or were you worried about Lynx login passwords?

    26. Re:Passwords by GarryFre · · Score: 1

      Totally agree. What makes it worse is that now you are forced to log in for some of the most inane things. If I had to have a unique password for everything I would have to remember some 200 passwords or put them into a database protected by one. The problem isn't malware, and bots, its the people who write them.

      --
      www.Migrainesoft.com - Computer giving you a headache? We can fix that!
    27. Re:Passwords by pspahn · · Score: 1

      I think I will trademark FTFY. Every time some tool posts some FTFY comment, I can nail them for infringement.

      --
      Someone flopped a steamer in the gene pool.
    28. Re:Passwords by Thinboy00 · · Score: 1
      --
      $ make available
    29. Re:Passwords by blai · · Score: 1

      *******

      what do you mean?

      --
      In soviet Russia, God creates you!
    30. Re:Passwords by Fjandr · · Score: 1

      Sites and services that prevent long passwords piss me off to no end. Seriously, capping a password at 8 characters? Not allowing non-alphanumeric characters? WTF? Someone had to intentionally write it to say "I'm sorry, your password is far too secure for us to accept. Please enter one that is sufficiently easy to break."

    31. Re:Passwords by mjwx · · Score: 1

      What if they are gay? ;)

      Mac users only comprise 3, maybe 4% of global users.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    32. Re:Passwords by loki_tiwaz · · Score: 1

      in a communication system, only passwords can be used. it's like keys and locks. you need one and the other. the problem is that you shouldn't need more than one password when they already authenticate you to an email address.

      the big concern i have is all these sites who require passwords and logins - how do i know their methods of storing this data is secure? do they hash the input and do hash comparisons? or do they save them in cleartext on their database? and think about all the places you encounter online, doing business with every single one of them requires a password. shouldn't you be able to have email as the primary linkage and eliminate the extra passwords?

      this is what openid is all about. i'm quite confident google knows how to keep my password secret, but i dunno about all the ecom sites i use. or the irc chatroom i use. and all the rest. it makes me nervous and by and large i've not been stung by id theft but i worry about it all the time. if regular people knew what i know i think openid would be standardised as a login tomorrow and all 'private data' would require unlocking with a PKI key provided from the openid provider at the unlocking from an authorised user. i don't think id security has had nearly the amount of thought it deserves.
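The storage question raised in the post above (hash the input and compare hashes, or keep the password in cleartext) is what the following added example illustrates; it is not code from any site discussed here. It assumes a PBKDF2-HMAC-SHA256 scheme with a random per-user salt, and the user table is constructed for the demonstration:

```python
import hashlib
import hmac
import secrets

# Assumed scheme for this illustration: PBKDF2-HMAC-SHA256, a random 16-byte
# salt per user, and a self-describing record so the parameters can be raised later.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a storable record: algorithm, rounds, salt and digest (hex), joined by '$'."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare it in constant time."""
    try:
        algorithm, rounds, salt_hex, digest_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(rounds)
    except ValueError:
        return False  # malformed or tampered record: never a match
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest does not stop at the first differing byte, so timing
    # reveals nothing about how much of the digest matched.
    return hmac.compare_digest(candidate, stored)


# A record for a user that does not exist, so a login attempt against an
# unknown name costs the same time as one against a real name.
DUMMY_RECORD = hash_password(secrets.token_hex(16))


def build_user_table(credentials: dict) -> dict:
    """Constructed user table: the stored column holds salted digests, not passwords."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def login(table: dict, user: str, password: str) -> bool:
    record = table.get(user)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = build_user_table({"alice": "correct horse battery"})
    print(users["alice"])  # the record contains no cleartext password
    print(login(users, "alice", "correct horse battery"), login(users, "alice", "guess"))
```

Two identical passwords produce two different records because each gets its own salt, which is what stops a leaked table from being attacked with one precomputed dictionary run across all users.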

    33. Re:Passwords by FlyMysticalDJ · · Score: 1

      I don't think that trademarks have grown so powerful as to allow you to have sex with whomever uses your trademark... I could be behind the times though.

    34. Re:Passwords by Anonymous Coward · · Score: 0

      I think I will trademark FTFY. Every time some tool posts some FTFY comment, I can make a complete ass of myself.

      FTFY.

    35. Re:Passwords by Anonymous Coward · · Score: 0

      Don't call it Sex - Rape is not about sex it is about power.

  2. "Leaked"? by Pojut · · Score: 4, Interesting

    So wait...how exactly did they get hold of passwords?

    1. Re:"Leaked"? by Anonymous Coward · · Score: 1, Funny

      Hax0red sites!

    2. Re:"Leaked"? by KnightBlade · · Score: 5, Interesting

      While I was studying Info. Sec. at my univ, my professor at the time told the class about this research they had about passwords. They were going around gathering statistics by asking random people questions about their passwords- length, number of special characters, if they used the same passwords, the number of times they changed them and so on. He said what amazed him was that one in every 5-6 people would just tell them their password and ask is that good enough?

    3. Re:"Leaked"? by BergZ · · Score: 3, Insightful

      It's pretty amazing just how much of the world is based on trust isn't it?

      --
      Warning: This sig is not thread safe. For more information see Slashdot's sig policy.
    4. Re:"Leaked"? by alphax45 · · Score: 1

      I'm not surprised. A lot of people seem to fail at basic directions once a computer/technology is involved. Don't know why but it seems the brain goes into OFF mode.

      --
      K Man
    5. Re:"Leaked"? by Securityemo · · Score: 1

      Scraping sites, using keywords to locate interesting data presumably. It says right there, "blogs, torrents, online collaboration services and other sources".
      As in, people posted their passwords there and said something like "this is my password", right there in the open. As for verification, my best guess is they got the providers to agree to check the scraped list against their accounts. I don't think they'd try to log in to the accounts to verify them, as they're a reputable company and such an action would open them up for liability.

      --
      Emotions! In your brain!
    6. Re:"Leaked"? by Anonymous Coward · · Score: 0

      My exact question as well. I could see them maybe getting information from a flaw in facebook, twitter etc, but then to get matching email passwords from gmail, yahoo, hotmail, your local ISP, etc?? This sounds fishy

    7. Re:"Leaked"? by ConceptJunkie · · Score: 5, Insightful

      It's pretty amazing just how much of the world is based on trust isn't it?

      And it's equally tragic that it can't.

      I don't think it's so much that people automatically trust each other, although that's certainly the case sometimes, it's more like it never occurs to too many people, unfortunately, that what they divulge could cause problems in the wrong hands.

      For many years now, when someone asks me for information, my first thought is not to give the information, but to consider why I don't want to give it to that person. And I don't consider myself particularly paranoid with respect to what I share.

      It gets tiring after awhile. Modern life in the 21st century requires a level of vigilance regarding information that probably never existed outside of the military, national security apparatus, law enforcement or some elements of business before a couple decades ago.

      "Loose lips sink ships" was a common saying during World War II, but nowadays everyone must practice that level of vigilance over their own information all the time merely to be safe from criminals.

      --
      You are in a maze of twisty little passages, all alike.
    8. Re:"Leaked"? by Securityemo · · Score: 3, Informative
      --
      Emotions! In your brain!
    9. Re:"Leaked"? by aGuyNamedJoe · · Score: 2, Insightful

      It's pretty amazing just how much of the world is based on trust isn't it?

      Especially since, at least in the US, we seem to have been making crime stories the prime entertainment for decades, and there's a lot of money made from fear mongering.

    10. Re:"Leaked"? by fishbowl · · Score: 2, Interesting

      >"Loose lips sink ships" was a common saying during World War II

      And today we know *way* too much, in way too much detail, about the location and movement of troops, their morale, reports of their actions, etc.

      --
      -fb Everything not expressly forbidden is now mandatory.
    11. Re:"Leaked"? by John+Hasler · · Score: 1

      He said what amazed him was that one in every 5-6 people would just tell them their password and ask is that good enough?

      How many of those were their real passwords?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    12. Re:"Leaked"? by e065c8515d206cb0e190 · · Score: 2, Insightful

      I think the whole driving/road system is based on trust and it works quite well. It's potentially a very dangerous environment where the penalties for being reckless are not as bad as the potential damage you can cause. And yet it somehow works.

      Btw I have to agree with one of the posts above, having your password be very offensive usually prevents you from sharing it at all. I do have such a password somewhere, and was horrified when a friend of mine cracked it.

    13. Re:"Leaked"? by plover · · Score: 4, Informative

      It's not so much about trusting a person. Although that's an exploitable component for social engineers, social engineering is fairly rare, and it doesn't scale well. It's really about the machines in which we place that trust, and how those machines can be hacked. That's the easy part to scale up.

      Hackers (specifically criminal types) operate on statistics. They don't care so much "which" websites they break open, they care about breaking into "some" sites and harvesting what can be found there. They also harvest the easy stuff: cleartext passwords, cleartext account numbers, etc. They won't run a deep password cracker on a million accounts, but they might run a simple /usr/dict/words kind of scan.

      Of course once you've broken a thousand passwords on socialsite.com, you can try correlating those to majorbank.com and amazon.com and all the other potential sources of money. Again, you don't care if 900 out of a thousand fail, because you can still effectively steal from the 100 that remain.

      --
      John
    14. Re:"Leaked"? by Securityemo · · Score: 0, Redundant
      --
      Emotions! In your brain!
    15. Re:"Leaked"? by socz · · Score: 3, Insightful

      And today we know *way* too much, in way too much detail, ...

      That sounds like an argument for why porn should NOT be put on bluray and in HD!

      --
      My abilities are only limited by my imagination
    16. Re:"Leaked"? by Anonymous Coward · · Score: 0

      Well, what do you expect when we think "self-interest" is "human nature," and we hold it up as the ultimate good? Most cultures in human history have seen it as an aberration, grounds for ostracizing and expulsion from the group.

      I'd say we're all worried about the wrong criminals... if we were really vigilant about this sort of thing, the likes of BP would never have even gotten into the position to ruin a whole geographic area (for example).

    17. Re:"Leaked"? by Haffner · · Score: 1

      Driving requires a license, that has a test associated with it. Also, criminal penalties are very easy to inflict on those who misbehave.

      --
      "Going to war without the French is like going deer hunting without your accordion." ~General Norman Schwarzkopf
    18. Re:"Leaked"? by Not_Wiggins · · Score: 1

      For many years now, when someone asks me for information, my first thought is not to give the information, but to consider why I don't want to give it to that person. And I don't consider myself particularly paranoid with respect to what I share.

      Can totally relate to this. Probably the most "abused" personally identifying information in the U.S. is Social Security Number.

      I was under the impression that it was meant only as a means of identifying you for taxes and (of course) social security benefits. It was not meant to be used for any other purpose.

      And yet, for school loans, bank accounts (that don't have any interest), and even my dentist want it because, to them, it is a unique identifier.

      I had debated if I should refuse to give them that information or just comply. To my shame, I have simply complied. I tried, at first, to argue it. But there were only so many times I could tolerate the "but, the system requires it... I don't know what to do about your objection" situations that I eventually gave up knowing that, someday, it would likely come back to haunt me.

      But then I figured, it would haunt everybody, so perhaps I could shift the responsibility to a future "savior."
      This isn't anything to be proud of, but "giving in" has certainly made life easier.

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    19. Re:"Leaked"? by natehoy · · Score: 2, Insightful

      I suspect it has more to do with the progression of concepts.

      Weapons: I had a rock, then I had a sling, then I had a bow-and-arrow, now I have a gun. I'm still hitting a target with a projectile. I take an action, something moves in roughly the direction I tell it to, the person or thing on the other side hopefully develops a hole or wound where I intended. The method of projection and controls have changed, but the concept is the same (ready, aim, fire, yay! hit, shit! miss, target dead, target wounded, target VERY PISSED OFF).

      Transportation: I had feet, then I had shoes, then I had a horse, then I had a bicycle, then I had a car. Again, still moving about, going 2 kilometers and turning left just takes less time but is the same concept. I take an action, something moves in roughly the direction I tell it to, I hopefully get where I wanted to go. The controls have changed (legs->reins->handlebar->steering wheel) but the concepts aren't different (go, stop, turn left, turn right, etc).

      Computers. I "power up" my "PC" and "monitor" and wait for my "desktop" in "Windows" to appear so I can "drag" a "cursor" then "double-click" on an "icon" on my "monitor" with a "mouse" to "open a window" so I can use a "program" called a "word processor" to write a "document" that is "saved" on a "subfolder" on an "external storage device" called "E:\" so I can "eject" the device before I pull it from my "USB port" on the USB "hub" that is plugged into my "case" and give it to a friend who can't read it because he uses "Office" on a "Mac" and my computer runs "Windows" so I needed to save it using a different "format" but I want to make sure not to "format" the "external storage device" to change the "format" but to "reopen" it and save it with a different "extension" and "file type".

      That sentence made perfect sense, right? Of course it did. To you. But that's a shitload of novel concepts that someone who hasn't spent at least a few months in front of a computer to absorb in one sitting, yes? And that's all to write one document and save it. Nothing complex at all.

      Few of these concepts have a pre-computer meaning, and when they do the analogies are distant and vague. The keyboard is analogous to a typewriter, but lacks the immediacy of space or the tactile "I push a letter, hear a bang, letter is on the paper in front of me".

      It's not only that computers are new, but that they are completely new. We're not going from handwritten paper to books. We're going from immediacy to abstraction, and doing different things, and trying to express what those things are with poor analogies to similar things we've done before.

      Look at most humans in a court of law. Look at many people when confronted with an engine that needs to be rebuilt, or even oil that needs to be changed. Watchmaking? Woodworking? Carving? Rolling a Kayak? Aviation? Knitting? Skiing? There are a lot of things that look really complex until you take the time to understand them, then you understand that they ARE really complex but not in the ways you imagined, and that "the bits I thought were complex are simple, but the bits I thought didn't exist are fucking complex" feeling will cause your brain to occasionally slide to "OFF".

      It's called "being overwhelmed with too much new information all at once, with no way for Ye Olde Monkey Brain to categorize it into the neat little categories it's been using for the last x years."

      In the case of computers, particularly if it's something you have no personal interest in but are told by someone else you need to master it.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    20. Re:"Leaked"? by causality · · Score: 1

      I don't think it's so much that people automatically trust each other, although that's certainly the case sometimes, it's more like it never occurs to too many people, unfortunately, that what they divulge could cause problems in the wrong hands.

      The common (or if you like, baser) term for this is "stupidity".

      For many years now, when someone asks me for information, my first thought is not to give the information, but to consider why I don't want to give it to that person. And I don't consider myself particularly paranoid with respect to what I share.

      I wouldn't call that "paranoid". I'd call it "responsible".

      It gets tiring after awhile. Modern life in the 21st century requires a level of vigilance regarding information that probably never existed outside of the military, national security apparatus, law enforcement or some elements of business before a couple decades ago.

      I consider privacy to be a type of freedom. I mean privacy in a very broad sense, including things like not being hit by an identity thief. Freedom has always required vigilance because the mechanisms used to compromise it seem innocuous until they are well-established. The nature of that struggle is just progressing from muskets to information, that's all. Otherwise there have always been cutpurses and common thugs, organized criminals, corrupt governments, and other parasites.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    21. Re:"Leaked"? by causality · · Score: 1

      >"Loose lips sink ships" was a common saying during World War II

      And today we know *way* too much, in way too much detail, about the location and movement of troops, their morale, reports of their actions, etc.

      Much of which could be disinformation and/or propaganda. Much of which could be too general or too outdated to be of tactical or strategic value. War is about a great deal more than bullets and bombs. I think it's a safe wager that the truly important stuff is classified and the info carried by mainstream news networks is thoroughly intended for public consumption.

      So I don't think this is something to worry about. Governments may be incompetent and slow to deal with many things, but if there's anything they are particularly good at and downright trigger-happy about, it's anything related to national security.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    22. Re:"Leaked"? by Anonymous Coward · · Score: 0

      And today it's harder to tell who the good guys and bad guys are - or more importantly, which ones are on your side. Which is why we need more information than we had 60 years ago.

    23. Re:"Leaked"? by John+Hasler · · Score: 1

      You've got the trigger-happy part right, anyway. Good? Not so much. Then there is the matter of the definition of national security...

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    24. Re:"Leaked"? by pnewhook · · Score: 1

      And yet, for school loans, bank accounts (that don't have any interest), and even my dentist want it because, to them, it is a unique identifier. I had debated if I should refuse to give them that information or just comply. To my shame, I have simply complied. I tried, at first, to argue it. But there were only so many times I could tolerate the "but, the system requires it... I don't know what to do about your objection" situations that I eventually gave up knowing that, someday, it would likely come back to haunt me.

      If they are just using it as a unique identifier (like your dentist) and have no legitimate reason to have it, just give them a fake one that you can remember. The only reason they are asking for your SSN is that you remember it and they don't have to worry about lost user names. If you give them a fake one there is no possible way that they can verify it. That's a lot easier than arguing about it.

      --
      Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
    25. Re:"Leaked"? by ThatMegathronDude · · Score: 1

      School Loans -> FAFSA (government aid/grants) -> fake info -> serving hard time for violation of federal law

    26. Re:"Leaked"? by drsmithy · · Score: 1

      I think the whole driving/road system is based on trust and it works quite well. It's potentially a very dangerous environment where the penalties for being reckless are not as bad as the potential damage you can cause. And yet it somehow works.

      Driving recklessly is something that tends to have very fast, very real and frequently irrevocable consequences. There's not really any aspect of using a computer that can come even close, for the average person.

    27. Re:"Leaked"? by Anonymous Coward · · Score: 0

      I think the whole driving/road system is based on trust and it works quite well.

      I think the reasons that it works are, a) it's public behaviour and b) most people realise that they put their own lives at risk when violating the rules and yet, here in the US, I almost daily see morons talking on their cell phones or going through red lights. And I don't drive at all and mostly have better things to do than scanning the streets for retards!

    28. Re:"Leaked"? by drsmithy · · Score: 1

      Although that's an exploitable component for social engineers, social engineering is fairly rare, and it doesn't scale well.

      What ? Most major (and minor) malware outbreaks in the last decade were utterly reliant on social engineering to be effective. What do you think the standard "run this attachment is to see the dancing bunnies" is, if not a form of social engineering ? Heck, that latest Facebook scam only a few stories below this one is a perfect example of social engineering, and it's but one more in a long list to have hit that community.

      Social engineering, as an exploit vector, is not only extremely common and scalable, but becoming more so every day.

    29. Re:"Leaked"? by pnewhook · · Score: 1

      serving hard time for violation of federal law

      I said *IF* they have no reason to have it.

      --
      Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
    30. Re:"Leaked"? by Bryansix · · Score: 1

      "Didn't I tell you not to trust anyone, Dr. Jones?"

    31. Re:"Leaked"? by plover · · Score: 1

      Social engineering, as an exploit vector, is not only extremely common and scalable, but becoming more so every day.

      Great point, I was considering only the human-to-human attacks on specially targeted victims and forgot the machine-to-generic victim type of attacks. You're absolutely correct.

      But my point is still valid in that the "generic" attacks are based on statistics. An attacker does not have to achieve 100% success with any particular aspect of their attack. Any usable fraction of attacks can still yield a benefit.

      --
      John
    32. Re:"Leaked"? by kenshin33 · · Score: 1

      Don't know about the US, but in Canada the only entity entitled to have your SSN is the government and the employer (although I'm not sure about the employer) for tax purposes; anything or anyone else has absolutely no right to have it. They can ask for it but you're under no obligation to divulge it.

    33. Re:"Leaked"? by tehcyder · · Score: 1

      having your password be very offensive usually prevents you from sharing it at all

      I don't really understand this argument, I don't think I've ever had to say a personal password out loud to someone.

      However, I can see you'd want to be careful at work having FUCK_OFF_YOU_CUNT as your password, just in case your boss ever rang up when you were sick or something needing access to a file.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    34. Re:"Leaked"? by Not_Wiggins · · Score: 1

      I believe the US is the same.
      Interestingly, I just had to take my cat into the vet for surgery. They actually asked for SSN on the form (but mentioned it was optional). I mean... FOR THE VET?!? The abuse of SSN in the US is quite rampant despite there being a fairly clear rule about what SSN is meant to be used for *only*. 8/

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    35. Re:"Leaked"? by machxor · · Score: 1

      I don't really understand this argument, I don't think I've ever had to say a personal password out loud to someone. However, I can see you'd want to be careful at work having FUCK_OFF_YOU_CUNT as your password, just in case your boss ever rang up when you were sick or something needing access to a file.

      It's not a good argument. You should never give your password out. There should be other ways to give your boss access to the file (ie: have IT modify permissions, VPN in and change permissions/password yourself, etc.).

      Of course we could be talking about a non-ACL security solution but in general don't give people access to more than they need and never access to your account. As the theme of the comments have gone limiting exposure is always the best option. The password to a single excel spreadsheet is a lot less damaging than your domain password.

    36. Re:"Leaked"? by kenshin33 · · Score: 1

      http://www.servicecanada.gc.ca/eng/about/reports/sin/cop/section2.shtml
      Section 2.2 states clearly that if it has nothing to do with income the requestor is under no legal obligation to request it, thus you're under no legal obligation to divulge it.
      Next time someone asks for it (in Canada anyway), tell them to go ****.

  3. Use Password Hasher by mbuimbui · · Score: 5, Informative

    Use the Firefox extension Password Hasher (http://wijjo.com/PasswordHasher). Then you only need to remember one password but can use it for a variety of sites. If any one site's passwords get leaked, you don't have to go around and update your password for all other sites.

    1. Re:Use Password Hasher by Anonymous Coward · · Score: 5, Insightful

      And if you ever need to sign in from a computer that doesn't have Firefox, and that extension, installed... you are stuck.

    2. Re:Use Password Hasher by 0100010001010011 · · Score: 1

      I use Password Composer (runs as a Greasemonkey script, so will run under Chrome or GlimmerBlocker).

    3. Re:Use Password Hasher by Terrasque · · Score: 1

      I prefer http://www.hashapass.com/ - even have a pretty well working bookmarklet, and it's 100% javascript. Which means that you can save the page to a local file :)

      --
      It's The Golden Rule: "He who has the gold makes the rules."
    4. Re:Use Password Hasher by Anonymous Coward · · Score: 0

      I use the same word with various substitutions of letters for symbols (# for e, etc) and the same two symbols at the end in various order. So the passwords are all different, fairly strong, and if I don't remember them, there are only so many combinations.

    5. Re:Use Password Hasher by Anonymous Coward · · Score: 0

      And if you ever need to sign in from a computer that doesn't have Firefox, and that extension, installed... you are stuck.

      But that would require us not being near our personal computing rigs, and THAT would require us leaving our geek caves, now, wouldn't it? Didn't think about THAT, now, did you, smart guy?

    6. Re:Use Password Hasher by Anonymous Coward · · Score: 0

      I think using LastPass (https://lastpass.com/) is prob the best option. I believe it works on IE, Firefox, Chrome, even the iPhone and possibly even Android, and passwords are encrypted 2 times. Just a thought :)

    7. Re:Use Password Hasher by The+MAZZTer · · Score: 1

      Unless you have Firefox Portable (http://portableapps.com/apps/internet/firefox_portable).

    8. Re:Use Password Hasher by tool462 · · Score: 3, Insightful

      In Tinfoil Hat Land, if you don't have FF installed, then it's likely not a computer you control*, and if it's a computer you don't control, then should you really be entering your password**?

      * It must be a machine at work, friend or family member's house, public terminal like a coffee shop, public library, etc.
      ** If it's not your computer, you don't know who that computer has "been with". There could be key-loggers, cookie-trackers, syphilis. Who knows!?

    9. Re:Use Password Hasher by Anonymous Coward · · Score: 0

      And if you ever need to sign in from a computer that doesn't have Firefox, and that extension, installed... you are stuck.

      Not quite, they have a website with a javascript generator so you don't need to be using firefox/that site. I guess you could even write a phone app to do the hashing and tell your password. See http://wijjo.com/passhash/passhash.html

    10. Re:Use Password Hasher by BJ_Covert_Action · · Score: 3, Interesting

      So I guess Chrome, Opera, Iron, Seamonkey, and dozens of other web browsers are completely insecure?

      I know IE6 is a nightmare. I don't really pay attention to IE7 or IE8 because I don't use them. I know Chrome involves some privacy issues, and I suppose there is something that has to do with selective script management. From what I hear, however, Opera and Iron are supposed to be pretty damn secure. Also, SeaMonkey is supposed to be pretty decent. I can't talk about Safari because, like IE, I really don't care about it at all.

      Of course, you prefixed your post with "In Tinfoil Hat Land..." so I suppose you were being somewhat sarcastic. But I am curious, do you really think FF is the only secure browser out there?

    11. Re:Use Password Hasher by Anonymous Coward · · Score: 0

      Any public computer that allows you to run firefox portable from USB probably has enough malware already installed on it to make anything you do futile.

    12. Re:Use Password Hasher by Seth+Kriticos · · Score: 1

      I use a password manager for password storage and generation. Stores them nicely with AES. New password for all important stuff. I also upload it to my online storage, as no-one can do anything with it without the master password (which is also long, and computer generated... it's fascinating what you can remember when you enter it a bunch of times on a daily basis).

      Now as for the time I'm on the way: well, I don't trust Joe Random PC. I'd never unlock my password DB on a machine that's not at least reasonably under my control and/or very trustworthy (means I only use them at home and at work, both Linux machines). Otherwise I might as well not bother in the first place.

      Truth is, people don't want to concern themselves with security. Then they get burned. Does not help. They get burned more. Maybe sometimes the education system catches up, a few generations from now. Until then, no cake for Fred Ignoramus.

    13. Re:Use Password Hasher by BrokenHalo · · Score: 1

      If I'm not traveling with my laptop, I now make sure I carry a Linux LiveCD. This is a result of an ill-advised (but unavoidable) online transaction I made on a machine that had been pwned in December 2008 when I was on a trip with my wife and a couple of other ladies. My mistake resulted in a spurious transaction being made on my Visa card. In this case, the bank picked it up quickly enough, and no real harm was done, but I was without access to a credit card for 10 days while it was all fixed up.

    14. Re:Use Password Hasher by The+MAZZTer · · Score: 1

      Er.... whatever.

    15. Re:Use Password Hasher by Cro+Magnon · · Score: 1

      The impression I got is, it's not so much the browser. It's the fact that the user doesn't control the computer. At work, I use IE7, but even if I used FF (or Opera, Iron, Lead, or whatever), I wouldn't do anything regarding important passwords (my /. pw doesn't count) on it.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    16. Re:Use Password Hasher by defaria · · Score: 2, Informative

      Not necessarily. In a word - LastPass.

    17. Re:Use Password Hasher by Anonymous Coward · · Score: 0

      wow, you were able to determine exactly when the machine in question was pwned?

    18. Re:Use Password Hasher by BJ_Covert_Action · · Score: 1

      Ah I get it. I didn't think I understood what was being said, but that's why I asked.

    19. Re:Use Password Hasher by jvkjvk · · Score: 1

      So I guess Chrome, Opera, Iron, Seamonkey, and dozens of other web browsers are completely insecure?

      Theoretically yes, those programs are totally insecure on any machine you do not own.

      As are any other programs installed on that machine.

      This is simply due to the fact that what you see isn't necessarily what you get. The machine may have any number of programs running that will hide the truth from you, steal your password as you enter it into Iron, Chrome, Opera, Seamonkey, or dozens of other web browsers.

      In fact, how do you even know that you are running Opera, Chrome, or what have you on such a machine? Because it "looks like" it? Even checking the hash on that machine could give you a false security, if the Owner is good enough (that is, he can have the hash reported as correct even if it really isn't).

      But I am curious, do you really think FF is the only secure browser out there?

      That wasn't his point. His point was if it doesn't have FF it is likely not his machine, but has some other Owner. And then the rest follows as above.

      Regards.

    20. Re:Use Password Hasher by Anonymous Coward · · Score: 0

      I was on a trip with my wife and a couple of other ladies.

      Never use a credit card to pay a hooker, man! What's wrong with you?!

    21. Re:Use Password Hasher by tool462 · · Score: 1

      Cro Magnon was basically correct. The AC was making a comment about not having access to FF+ the pw extension. If it's a computer you have control over, say a new laptop, you can easily install the tools you need.

      If you CAN'T install these tools, it's not your computer. It belongs to somebody else, like the list in my original post. If you're actually concerned with security, you should treat that computer as compromised and not enter in any secure data, like passwords.

      The Tinfoil Hat Land comment, was meant to indicate I don't think most people need to be concerned to quite that level all the time. I.e., I trust that my work computer is about as secure as my home computer so I'm comfortable logging into various sites and services (say, Slashdot) from there.

      On the other hand, you couldn't pay me enough to log into my banking site on a public terminal at a local coffee shop. Those things are the village bicycle.

    22. Re:Use Password Hasher by Dumnezeu · · Score: 1

      And you deserve to be stuck, because you shouldn't authenticate from those places anyway!

      --
      Yes, it's sarcasm. Deal with it!
    23. Re:Use Password Hasher by Anonymous Coward · · Score: 0

      LastPass.com is a better option because of the comments below. It hashes a combination of the username and password and then encrypts it with AES256. It's got plugins for all the popular browsers, works on all 3 major platforms, has apps for the popular smartphone markets, has a web interface if none of those work, and you can put the program and encrypted database on a USB drive, and it supports two-factor authentication and IronKey.

    24. Re:Use Password Hasher by blair1q · · Score: 0, Offtopic

      Lo.

    25. Re:Use Password Hasher by pdbaby · · Score: 1

      I use LastPass which lets me store all my passwords and has an iPhone app for when I'm out and about (and if I'm more trusting, a client-side-decryption web-based system).
      The only annoyance I have is when I need to set up an IMAP account (and then I just bring up the password for that account on my phone and type it in). You get all of the functionality (except the iPhone app) free.
      It's a much better compromise for me... I keep non-web passwords too (like router passwords for when I need to go down to the datacentre)

      --
      Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
    26. Re:Use Password Hasher by Anonymous Coward · · Score: 0

      This is why, imho, there should be a RFC specification for that purpose, so all browsers can implement it.

    27. Re:Use Password Hasher by jochem_m · · Score: 1

      Just use a simple algorithm based on the site's domain, that you can do in your head if you need to. Add some letters (letters 1, 3, and 6 for example) from the domain at fixed spots in your password, and ROTn them.

    28. Re:Use Password Hasher by Anonymous Coward · · Score: 0

      Or just use an online password hash maker, like Password Maker, http://passwordmaker.org/passwordmaker.html
      Works with any browser.

    29. Re:Use Password Hasher by BrokenHalo · · Score: 1

      wow, you were able to determine exactly when the machine in question was pwned?

      In this case, yes. In the preceding two months, I had been using *nix machines under my own administration, and in that 14-day period I was stuck with a Windows box which was locked down with a crappy AV program.

  4. Same password by stewbacca · · Score: 2, Insightful

    I'd use the same password for everything if they all had the same basic requirements.

    1. Re:Same password by Abstrackt · · Score: 1

      I'd use the same password for everything if they all had the same basic requirements.

      Keepass. You're welcome.

      You can generate and store passwords to your heart's content and only ever have to type one when you open the database. It will also auto-type most forms.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    2. Re:Same password by stewbacca · · Score: 1

      I'll give it a look (for the house). I can't use that at work, which is where I have about 18 different accounts, each with seemingly different password requirements.

    3. Re:Same password by Abstrackt · · Score: 1

      I'm not sure if this will help you then, but it's possible to run it portable as well. Of course, that's only if your workplace lets you run software off a stick.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    4. Re:Same password by BJ_Covert_Action · · Score: 1

      I'd use the same password for everything if they all "secured" shit that I didn't care about people knowing (read relationship status, hobbies/interests, favorite bands, and the latest gossip on my next door neighbor). Now, if this were a story about how 75% of the passwords used for social networking and e-mail accounts are the same ones used for bank accounts and logins associated with classified/proprietary information, then I think there would be something worth worrying about.

    5. Re:Same password by SQLGuru · · Score: 4, Insightful

      I use a set of passwords for varying levels of trust.

      Highly secure passwords (usually site specific and follow good password rules) for banking, email, computer accounts, etc.
      Medium secure passwords (usually follow good password rules but passwords may be used for more than one site) for trusted shopping sites (i.e. Amazon, etc.)
      Medium-Low secure passwords (may not follow good password rules but still reasonably secure against dictionary attacks) for social media and for one-off shopping sites.
      Low secure passwords (probably only stops low-motivated hackers, passwords re-used at multiple sites) for throw-away registrations and communities that have very little tie to my personal information

      It's really more for convenience than security, but in areas where I need the security, I'll put up with the hassle.

    6. Re:Same password by Jeremi · · Score: 1

      Keepass [keepass.info]

      Don't worry, it's not a goatse link.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    7. Re:Same password by Abstrackt · · Score: 1

      Keepass [keepass.info]

      Don't worry, it's not a goatse link.

      Thanks for that. Even I wasn't sure!

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    8. Re:Same password by Anonymous Coward · · Score: 0

      Yes, I have a similar set of rules. Totally does not make sense to try to have every password I use be secure... in fact, the majority of sites I have logins to use the same password because I use it for doing things like... commenting. And it's just not worth it to me to remember different passwords for a gazillion message boards. If someone wanted to f with my life, they probably could cause me a lot of hassle once they got that password, but they couldn't get to my money, or email, etc. It's probably about as realistic a system as one can have until and if there is some better authentication system which becomes widespread.

    9. Re:Same password by stewbacca · · Score: 1

      Not even allowed to bring a stick in the building, regardless if it has software on it or not. What makes that rule extraordinarily stupid is that we all have cell phones, and I even charge mine off the USB port. But hey, I'm not using an illegal USB stick!

    10. Re:Same password by stewbacca · · Score: 1

      I'd like to do that too, but the different sites sometimes don't allow you. For example, my online classes require a number, but special characters are not allowed. My bank requires THREE numbers and 1 special character. My utility company requires 2 special and 2 numbers....it's harder just remembering the rules of the various sites than it is the password itself!

    11. Re:Same password by Anonymous Coward · · Score: 0

      Wait, you want them to secure what you don't care about people knowing? I'd think it would be the reverse. Sure, they can tell everyone about you being a superspy and what crimes you have committed, but don't you dare let them know your favorite band.

    12. Re:Same password by Anonymous Coward · · Score: 0

      Get Lastpass, put it on all your computers and on your phone. Access it with the browser plugin on computers you trust, and pull up the passwords manually when using computers you don't.

      I don't even know my passwords to most any website anymore, and I highly enjoy the peace of mind that comes from knowing that no site knows my password to any other.

    13. Re:Same password by shellbeach · · Score: 1

      I'll give it a look (for the house). I can't use that at work, which is where I have about 18 different accounts, each with seemingly different password requirements.

      There are multiple options that work on smart phones (1password for the iPhone is one example, I used to use keyring on PalmOS (also works on maemo) and there's software that works on Nokia phones too. I've never used Android, but I'd be very surprised if there weren't a hundred options.) All use a single master password to protect your password database, and if you make that password long enough (mine is well over ten characters and uses uppercase, lowercase, numbers and punctuation) it'll never be cracked even if you lose your phone.

      This type of software has been available ever since PDAs have been around. I'm amazed that nobody else has mentioned it as an option, for it is the obvious one.

    14. Re:Same password by TheThiefMaster · · Score: 1

      I have:
      email password (unique)
      work password (unique, fecking secure)
      secure password (used for home pc and websites which have my debit card details saved or otherwise need really strong security. Should probably separate this into more than one password)
      insecure password (used for forums etc. Not actually insecure, but so many sites know it I should probably consider it compromised and start using a new one)

      hmm

  5. Problem is lack of importance by sarbonn · · Score: 3, Insightful

    The problem is that a lot of people don't perceive email or social networking sites to be all that important, yet EVERYONE wants you to create a password for practically everything you do. I don't need a password to sign onto a site to look at stereo equipment, yet they force you to create one on some of those sites. On gaming sites where all I do is talk about games, I don't need 50,000 passwords for the different ones 'cause I don't care if someone steals my password there.

    I don't care that I don't have all that much concern for facebook's password. If someone takes my account, it would be unfortunate, but is it really the end of the world?

    Places where it might cause me economic misfortune, well, those I care about, but everyone out there thinks that their site is so important for passwords.

    Some places, it's important. Others, not so much.

    --
    Sarbonn's blog: http://www.sarbonn.com/blog
    1. Re:Problem is lack of importance by jim_v2000 · · Score: 4, Insightful

      That's why I use three different passwords. One is for sites I don't care about...like registering for a forum that I only need once. The second is for things that I'd like to be more secure, like forums I visit often, Facebook, my person blog, etc. The third is for critical things like email, online banking, shopping sites like Newegg and Amazon, etc.

      --
      Don't take life so seriously. No one makes it out alive.
    2. Re:Problem is lack of importance by rHBa · · Score: 1

      Personally I use two repeated passwords which compare to your first two examples.

      For banking, email and server logins I have unique passwords and an encrypted password manager to help me remember them.

    3. Re:Problem is lack of importance by Monkey-Man2000 · · Score: 1

      LOL! That's just as bad. If you lose the third critical password, you could be royally 0wned. Better to use three passwords and mix and match each one of them among the critical/secure and insecure things. Then if you lose one, you might lose one critical thing but not all the critical things.

      --
      This post was generated by a Cadre of Uber Monkeys for Monkey-Man2000 (603495).
    4. Re:Problem is lack of importance by nschubach · · Score: 1

      What bugs me is when you are trying to find a picture of some car part or something along that line and you find a forum where someone posted an attachment that requires login to download.

      Also, the fact that XDA forums requires login to be able to get anything worth going there for.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    5. Re:Problem is lack of importance by theJML · · Score: 1

      Seriously. There are some sites that I really don't give a crap if they're hacked and steal my password. They can have fun with it for all I care, e-mail accounts are easily created and in this day and age the only thing I use them for are 'forgotten password' requests and spam lists anyway. Hell, if these people can figure out my logins in half the places I have to sign up for just to see a picture or download a user manual or software update they can have it. I can't even remember them most of the time.

      --
      -=JML=-
    6. Re:Problem is lack of importance by jim_v2000 · · Score: 1

      That's not just as bad at all. If you didn't notice, people were getting their passwords stolen by using the same one everywhere, including the sketchy sites.

      --
      Don't take life so seriously. No one makes it out alive.
    7. Re:Problem is lack of importance by Monkey-Man2000 · · Score: 1

      OK, I see your point to an extent; I was weighting the likelihood of someone having your password equally between the different critical vs. non-critical sites. The approach you're suggesting would reduce the probability of arriving at a worst-case scenario to begin with if the less-critical sites are more likely to steal your password. But considering the success of banking/email phishing (critical but sketchy) in the general populace, I think my strategy still may be better in general.

      --
      This post was generated by a Cadre of Uber Monkeys for Monkey-Man2000 (603495).
    8. Re:Problem is lack of importance by superdave80 · · Score: 1

      This is the reason that I only have four passwords based on the type of login:

      1. Financial websites
      2. Personal-critical (login to my computer, main email, etc.)
      3. Personal-don't give a crap (slashdot, fantasy football, etc.)
      4. Work

      This system has worked well for me. Sometimes they have some lame requirement, but I just have a number that I add to the end of the password. Even if I haven't been to a particular website in a long time, I can usually login with no trouble.

    9. Re:Problem is lack of importance by pablodiazgutierrez · · Score: 1

      You could add some additional salt to them by always appending/prepending a component of the domain you're logging in, like "passwordYahoo!". It'll shield you from most automated attacks.

  6. Yup, Probably true by IndustrialComplex · · Score: 3, Interesting

    I'll give a bit of a hint here, I do the same thing, just with a slight variation:

    Mostly-Trusted media sites get the same password (obviously vastly different user names)
    Slashdot, Fark, Broadband Reports, etc

    Then I have my pseudo-trusted sites with their own password group:
    Demonoid, imageshack, probably others.

    Non-trusted sites get a random junk password each access = reset password
    ie: low accountability not tied to a company name with 2-3 visits/year

    My email gets its own password of 10+ characters

    Work gets its own password of whatever the hell rules they implement this week. Tech support has to deal with LOTS of reset requests since I don't write it down, but they have a different password for every freaking service and every freaking service has a different password lifetime setting.

    So aside from work, I really only have 3 passwords or so, but it helps break up the damage should one be compromised. Compartmentalized is probably the best description.

    --
    Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    1. Re:Yup, Probably true by Captain+Splendid · · Score: 2, Interesting

      See, this is why math is your friend. All I have to remember is a formula. I apply that formula to whatever it is I'm signing into, which produces a different (and alphanumeric) password for every instance. Complex, unique passwords without having to write anything down anywhere.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    2. Re:Yup, Probably true by c-reus · · Score: 2, Interesting

      so if someone were to figure out that formula, he'd have access to every account you have created?

    3. Re:Yup, Probably true by happyslayer · · Score: 3, Insightful

      Same basic process, though different criteria for me:

      • Junk sites (one-time login for news, quick downloads, register-to-see, tech mailing lists) get the same low-end password. If I can't foresee any information that I care about going to that site, then it gets a basic throwaway. (I also misspell registration details so I have an idea if advertisers are getting that info.)
      • Slashdot, forums, etc: Also low-grade. Sorry, but if someone gets their rocks off posting crap as me, I can live with it. I've got enough First Life points to keep me busy.
      • Personal email: Since I don't trust the email systems that are in the hands of others, I don't put anything on there I care about. (If someone wants to know that I'm asking my prof how to fix some code, more power to them--it'll bore them to tears.) Hence, it gets a medium-grade password.
      • Online stores: Medium grade for one-time purchases, high-grade for repeat business.
      • Own email system, bank, etc: High grade password, randomized (at least to the rest of the world) so that it passes a basic dictionary attack. For example, I somehow remember old phone numbers and bank accounts from 20 years ago (none of which are in use); add a couple of 1337-speak letters and you're in business.

      Like the parent, it's really a matter of compartmentalization and damage control. If you don't own the system, it's not completely trustworthy. If it's your system, it's only modestly trustworthy. If you're doing something criminal/embarrassing/stupid, it's better to leave all notes at the bottom of the Marianas trench.

      --
      Never confuse movement with action. --Hemingway
    4. Re:Yup, Probably true by nschubach · · Score: 1

      Now there's an idea... have an app that generates a hash of the site domain and a common password and use that as the password for that site. Then all you have to do is put the domain name and your password in a box and poof, instant alphanumeric/non-dictionary password.

      Hmm.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    5. Re:Yup, Probably true by Captain+Splendid · · Score: 1

      LOL, you've got it backwards. Instead of applying another fucking layer of abstraction, I just use my brain. When all you've got is a hammer...

      --
      Linux, you magnificent bastard, I read the fucking manual!
    6. Re:Yup, Probably true by Captain+Splendid · · Score: 1

      Good luck with that. I mean that sincerely.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    7. Re:Yup, Probably true by Flea+of+Pain · · Score: 1

      Algorithm or it didn't happen.

      --
      Do not argue with an idiot. He will drag you down to his level and beat you with experience.
    8. Re:Yup, Probably true by nschubach · · Score: 1

      I got into programming to give my brain a rest! :p

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    9. Re:Yup, Probably true by jvkjvk · · Score: 1

      So, how many sites do you feel would need to be cracked to be able to reverse engineer your formula?

      Just wondering.

      Regards.

    10. Re:Yup, Probably true by IndustrialComplex · · Score: 1

      it's better to leave all notes at the bottom of the Marianas trench.

      I leave mine in the atmosphere, accessible to anyone interested in recombining the trillions of atoms and molecules that issued from my smokestack.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    11. Re:Yup, Probably true by Captain+Splendid · · Score: 1

      Probably just one, if they're clever enough.

      I should probably mention at this point that passwords for really important stuff (online banking, work passwords, webhost) follow a completely different, and much more difficult, set of rules, but that's only a few passwords. The formula I mentioned would get you access to slashdot, gmail, youtube and other sites so unimportant I'd be happy to have hacked just to learn never to use those sites again.

      The general point was that it's easy to construct a variety of long, alphanumeric passwords, without having to keep references to them all over the place as a memory aid. Of course these won't keep out dedicated attacks, but that's not the point either.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    12. Re:Yup, Probably true by jvkjvk · · Score: 1

      Hmm. Considering the number of websites that get cracked and the passwords revealed it could be a problem.

      Except for the fact that no person will ever be actually looking at it, or analyzing it.

      This is a perfect case of security by obscurity.

      That pass wouldn't be good for any other site and they would just ignore it. No one is going to madly go through random looking passwords for obscure patterns. Unless they are just really bored.

      Someone who would be doing it maliciously wouldn't waste the development time on such a low probability success rate. There is no money in that.

      Regards.

    13. Re:Yup, Probably true by apoc.famine · · Score: 1

      See, I have a whole bunch of passwords. To remember them all, I have them written on an index card somewhere on my desk here. It's pretty damn secure, because the passwords are only labeled "Insecure Web 1", and "Secure Web 4" and stuff like that. On my computer (the password to it is not written down on the index card) I have an encrypted file (nor is that passwd written down) which contains stuff like "slashdot: Insecure Web 2". Put the two together, and you've got access to all my stuff. But the chances of someone being able to break into my house get the card, break into the computer, decrypt the file which matches passwords with websites, then figure out all my logins (which aren't written anywhere, but might be scattered across a few email accounts) is small. If someone cares that much, good for them. I'll buy them a beer for their troubles. Because that means I'm fucking important as all hell.

      --
      Velociraptor = Distiraptor / Timeraptor
  7. Paranoia by deathtopaulw · · Score: 2, Insightful

    This password security paranoia drives me crazy. If someone wants your shit, they're going to get it. I'll tell you all right now, I have maybe 3 online handles that pop up everywhere. I use the same basic password for each (adding a 1 to the end on occasion where it's OMG REQUIRED). I'm sure if someone started googling me, they'd find out a lot. I wouldn't even be surprised if they could manage to dig up something years ago where I may have said something to someone and just given my password because they're a friend, or whatever. It's probably there, and it's probably there for you too. Failing that all they'd have to do is find all the places I exist, and try to find the least secure one/impersonate me/whatever.

    I've lived this blasphemous insecure lifestyle on the internet for decades now, and have never once had an account compromised. Whether this is because I'm a worthless peon or because password security is bullshit is yet to be determined.

    Moral of the story: be insignificant to the point that you're considered below the bad guys. Failing that, stop fucking worrying.

    1. Re:Paranoia by Anonymous Coward · · Score: 0

      Moral of the story: be insignificant to the point that you're considered below the bad guys. Failing that, stop fucking worrying.

      When the bad guys' business model is based on harvesting the information of insignificant people, your theory fails really bad.

    2. Re:Paranoia by Anonymous Coward · · Score: 0

      Thanks for the challenge. Your e-mail account and personal information will be mine by the end of the week :)

    3. Re:Paranoia by Seismologist · · Score: 1

      ...If someone wants your shit, they're going to get it. I'll tell you all right now, I have maybe 3 online handles that pop up everywhere. I use the same basic password for each (adding a 1 to the end on occasion where it's OMG REQUIRED). I'm sure if someone started googling me, they'd find out a lot...

      So, is this a challenge you are inviting...? Just saying because it seems like people have too much free time on their hands these days.

      On topic to the post though, I find a (for me) good pw policy to go by for the multitude of sites out there is to have a basic password "frame" such as your hometown or whatever spelled backwards (to pass dictionary filters). This is easy for you to remember, and spelled backwards, the word is incompressible, seemingly random:

      elttaes = seattle,

      anozira=arizona,

      nilreb=berlin

      then you add on the frame for websites for online banking such as follows:

      BOA## = Bank of America, ## = any digit(s) of numbers you like such as area code, year of birth, etc.

      The password might end up looking like: elttaesBOA10

      I know there are some sites that have silly PW requirements. I've seen requirements any or a combination that forbid some of the following:

      - no special characters: " { ' / , @ ! etc. (escape character problems in code?)

      - certain special characters ok, others not such as: @, !, %, (), * (why? hits to close to home, programming-wise? Afraid of invoking variables somehow through password string?)

      - no number at end of password (this I've experienced only at financial institutions, must be an oracle DB thing?)

      - no capitalization (why not...?, must be a MS legacy thing)

      - not enough capital characters, too many capital characters (not sure why this is bad other than the ol' cap locks on thing)

      - no all special characters (is this because of "!@#$%^&*()" abuse?)

      - no repeating or incrementing, 1234... abcde... (but most likely 1!2@3#... aAbBcCdD... would be fine with such rules)

      - no numbers at all (um ok...)

      - too short / too long passwords

      - misconfigured passphrase entry (I've been on university SUN Unix systems where passwords were simply truncated to 8 characters; anything after the 8 legit pass phrase chars, you can type wildly and your credentials would be accepted anyway.)

      - then there's the keychain number thing (don't remember what it's called), biometric fingerprint, etc. in addition to password

      --
      ~ In Trust, We Trust ~
  8. Password Hashing (pwdhash) by bradgoodman · · Score: 4, Informative
    Password hashing lets you enter the same password for several sites, but changes it (i.e. hashes it) along with the domain name of different web sites - which means you are actually using a different password for every site

    Furthermore, since the passwords are seemingly random characters (not words, or anything sensible) - they are generally quite strong.

    "pwdhash" is the foremost system for doing this - there are several browser extensions and other tools for automating it

    See: http://cynix.org/tools/superpwdhash

    1. Re:Password Hashing (pwdhash) by digitallife · · Score: 1

      And now you can't access any of your websites from someone elses machine. Awesome!

    2. Re:Password Hashing (pwdhash) by Anonymous Coward · · Score: 0

      And now you can't access any of your websites from someone elses machine. Awesome!

      From a security perspective, that would be a Good Thing.

    3. Re:Password Hashing (pwdhash) by VortexCortex · · Score: 1

      That's why I made my own JS Bookmarklet that hashes the domain + my_password + static_salt.

      When I need to access the site from somewhere else I can easily perform the computation on the command line (md5sum, sha1sum), or online using client side javascript.

      If I can't get online to use the online tool, and the computer doesn't have a hashing tool then I really don't need to be entering my password in the first place.

    4. Re:Password Hashing (pwdhash) by bradgoodman · · Score: 1
      Not true.

      It is stateless - it doesn't store anything on your machine. The hash uses only the domain name, and a password you enter.

      So, for example, if I am on another machine - I can run a pwdhash JavaScript hash generator from a web site, generate my password - and enter (copy/paste) it into the site I am trying to log into.

      In reality, I have a program called KeyGrinder on my iPhone which allows me to generate them too - same passwords - algorithms, etc - so I generate my passwords using that, if I'm on a computer without a pwdhash tool/extension/web-site handy.

    5. Re:Password Hashing (pwdhash) by bradgoodman · · Score: 1

      superpwdhash is exactly that - a JS Bookmarklet that does it. But the hashes that it generates are "pwdhash" compliant - so it will generate passwords that are consistent with other pwdhash tools (like the firefox extensions).

    6. Re:Password Hashing (pwdhash) by Anonymous Coward · · Score: 0

      It's not exactly difficult to recreate the password. Put a program on your USB drive that can do the relevant hashing algorithm.

      Unless you're a total idiot who shouldn't be on this website, it won't be a problem.

    7. Re:Password Hashing (pwdhash) by VortexCortex · · Score: 1

      That's pretty neat, but I don't know how to perform a "'pwhash' compliant" hash myself... on the cmd line (you know, for when JS is disabled or unavailable).

      When it comes to security I prefer approaches that allow me to "Trust No One".

    8. Re:Password Hashing (pwdhash) by LordVader717 · · Score: 1

      Website changes its URI and you can't find out what it was? You're screwed?
      Someone knows you use the tool? You're screwed (At least as much as you would be without it). And you'll probably lose them all at once by having a Master Password.

      Password Managers are the only sane way of creating and keeping track of secure passwords. They're not bulletproof but a hell of a lot better than some of the weird-ass "tips" people give you and other obscurities.

    9. Re:Password Hashing (pwdhash) by bradgoodman · · Score: 1
      1. No - it works off of the domain name (first two levels - e.g. "google.com"), not the whole URI, or even the machine name.

      2. If someone knows you use the tool it doesn't matter - they still don't know your "master" password. And even if there is a web site security breach and they get your site password, and even if they knew that you used that tool - it's a one-way hash - so they can't get your master password even with all that info - e.g. other web sites you use with the same master password are not compromised.
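The domain-keyed scheme described in this subthread, as an added example that is not pwdhash's own code nor any of the tools named here: it assumes HMAC-SHA512 with the master password as key and a naive two-label domain rule, so its output is not pwdhash-compatible, and it shows the one-way property bradgoodman describes (the site only ever sees the derived string).

```python
"""Added example (not pwdhash's own code, nor the tools named in the thread):
a per-site password derived from one master secret plus the site's two-label
domain.  HMAC-SHA512 is assumed here; the real pwdhash uses a different
construction, so these outputs are NOT pwdhash-compatible."""
import base64
import hashlib
import hmac
import string
from urllib.parse import urlsplit

SYMBOLS = "!@#$%^&*+/"
# (predicate, pool) per character class a typical site policy demands
CLASSES = [
    (str.isupper, string.ascii_uppercase),
    (str.islower, string.ascii_lowercase),
    (str.isdigit, string.digits),
    (lambda c: c in SYMBOLS, SYMBOLS),
]


def site_key(url: str) -> str:
    """Last two DNS labels of the host ("mail.google.com" -> "google.com").
    Assumption: no public-suffix list, so "bbc.co.uk" would collapse to
    "co.uk"; a production tool needs the real suffix list."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no host in {url!r}")
    return ".".join(host.split(".")[-2:])


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Deterministic and one-way: the site receives only the derived string,
    and because the master is the HMAC key, a leaked site password reveals
    neither the master nor any other site's password."""
    if not 8 <= length <= 40:
        raise ValueError("length must be 8..40")
    mac = hmac.new(master.encode(), site_key(url).encode(),
                   hashlib.sha512).digest()
    # 30 bytes -> 40 base64 chars with no '=' padding; bytes 30.. steer fix-ups
    chars = list(base64.b64encode(mac[:30]).decode()[:length])
    extra = mac[30:]
    # Policy fix-up: class i, if absent, is written into slot i.  Slots are
    # disjoint and a slot is only ever written by its own class, so once a
    # class is placed it stays present and the loop terminates.
    for _ in range(len(CLASSES)):
        missing = [i for i, (pred, pool) in enumerate(CLASSES)
                   if not any(pred(c) for c in chars)]
        if not missing:
            break
        for i in missing:
            pool = CLASSES[i][1]
            chars[i] = pool[extra[i] % len(pool)]
    return "".join(chars)


def meets_policy(pw: str) -> bool:
    """True when every class in CLASSES appears at least once."""
    return all(any(pred(c) for c in pw) for pred, _ in CLASSES)
```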

    10. Re:Password Hashing (pwdhash) by digitallife · · Score: 1

      Sounds fun. Try telling that to Cindy up in PR. You know, the kind of person who actually uses the same password for everything. Yup, problem solved!

  9. As it turns out.... by Abstrackt · · Score: 4, Funny

    Apparently 75% of the passwords tested were hunter2.

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    1. Re:As it turns out.... by SnarfQuest · · Score: 0

      Actually, it was 123. And if they also checked suitcases...

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
    2. Re:As it turns out.... by Anonymous Coward · · Score: 0

      What kind of a password is *******?

    3. Re:As it turns out.... by colesw · · Score: 1

      All I see is *******, is it suppose to show your password?

    4. Re:As it turns out.... by Tejin · · Score: 1

      Wow, they really let you enter 7 asterisks as a password?

      --
      The seekers do no need truth, the seekers do find truth and the finding do be painful
    5. Re:As it turns out.... by The_mad_linguist · · Score: 1

      What, seven asterisks? I can't see that being very secure.

  10. The Minions by dpolak · · Score: 0

    The average Joe has no clue or concept of security or the capabilities of hackers. They usually set a really easy password and use it everywhere.

    This will not stop until there are technologies that can determine that the link you are clicking on in the e-mail is not the site you are intending to go to. To ask a standard user to use Thunderbird or another product that shows the hyperlink when you put your mouse over it is naive.

    As long as there is a lot of money to be made hacking into the minion's PCs it will continue on. Hopefully they will be educated in school and over time it diminishes, but they are quite resourceful, the hackers are.

  11. I have often wondered that... by damn_registrars · · Score: 2, Insightful

    I wondered how many people would see a registration form that requires an email address and a password, and interpret that to be asking them for their email password. Considering how many people fall for really atrociously bad phishing scams it wouldn't surprise me that a lot of people would give away their email passwords on registration forms either...

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:I have often wondered that... by Anonymous Coward · · Score: 0

      Even if they choose a different password, in how many cases would they try to log in with their email password first, before trying the correct password?

  12. Dilbert by KnightBlade · · Score: 5, Funny

    When it comes to passwords, this dilbert comic comes to mind- http://dilbert.com/strips/comic/2007-01-17/

    1. Re:Dilbert by Stargoat · · Score: 1

      That's the kind of thing an idiot would have on his luggage!

      --
      Hoist Number One and Number Six.
  13. The danger of too many password requirements by Kepesk · · Score: 5, Insightful

    Hah, my worst enemy is a system where a password has to have:
    - at least two uppercase letters
    - at least two lowercase letters
    - at least two numbers
    - at least two symbols
    - at least 12 characters
    - no characters that repeat
    - nothing that's in your personal records
    - nothing from the dictionary that's over three characters
    - nothing from a FOREIGN dictionary that's over three characters
    - at least three characters different from your last 10 passwords

    No joke, I used a system for years that had those exact password requirements. Worse yet, I had to SUPPORT this system. Sometimes it would take a half hour for me to help someone figure out a new password.

    There is a danger in creating a password system with too many requirements, because I know very few people who used that system who didn't have their password on a sticky note on their monitor.

    1. Re:The danger of too many password requirements by Anonymous Coward · · Score: 2, Insightful

      Aa1!Bb2@Cc3#

      Next passwords:
      a1!Bb2@Cc3#A
      1!Bb2@Cc3#Aa
      !Bb2@Cc3#Aa1
      etc.

      Or
      Bb2@Cc3#Dd4$
      Cc3#Dd4$Ee5%
      Dd4$Ee5%Ff6^
      etc.

    2. Re:The danger of too many password requirements by fishbowl · · Score: 1

      > - at least three characters different from your last 10 passwords

      I have a problem with that. Enforcing that requires a system to store your last 10 passwords in cleartext.

      > I know very few people who used that system who didn't have their password on a sticky note on their monitor.

      A system that tries to be as secure as what you describe, should include men with guns taking away anyone who puts a password on their monitor.

      (Where I work, Men With Guns is literally a major part of our security infrastructure, which also includes RSA keys, strong password requirements, and awareness of individuals -- you can be in real trouble for not noticing something you should have noticed.)

      --
      -fb Everything not expressly forbidden is now mandatory.
    3. Re:The danger of too many password requirements by TheLink · · Score: 1

      And it's a waste of time and productivity.

      There is little security gain (or even decreased security as you mentioned).

      The users will just get compromised by malware (keyloggers etc), or phishing scams (what prevents them from entering that same password to the phishing site if they think it's a legit site?).

      It's like having a super expensive security system for a building, but people hold/open the doors for the pizza delivery guy/guy carrying stuff with both arms. Or let random cleaning staff into the most secure areas.

    4. Re:The danger of too many password requirements by RobertLTux · · Score: 1

      the real joke is that this results in a smaller password "space" than could be possible
      since without the stack of rules you have 12((26*2)+10 +10) possible passwords but you then lose

      No repeats (which removes a swath of passwords)
      2 upper case letters (which drops possible passwords by 36*2)
      2 Lowercase letters (same deal)
      2 symbols (which drops possible passwords by 10*2)
      2 numbers (same deal)

      say 20% possible passwords drop due to being dictionary words in some language
      and i bet these passwords get changed like every week and are disallowed to repeat system wide

      so in a good sized company will deplete the password space in say a year or so

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    5. Re:The danger of too many password requirements by AndrewNeo · · Score: 1

      Enforcing that requires a system to store your last 10 passwords in cleartext.

      What? No it doesn't, you can still keep the hashed passwords and verify against that.

    6. Re:The danger of too many password requirements by Kepesk · · Score: 1

      Hah, that's a great analogy. But a better one might be that it's like having a super expensive security system for a building, but making it so hard to use that people just cheat and leave their access card taped on the wall next to the door.

    7. Re:The danger of too many password requirements by ToasterMonkey · · Score: 1

      Yah, encourage users to use an obvious pattern, good one. Then if I get one of your passwords I have it forever.

      It's already bad enough in less severe environments where people do password++number every iteration
      What is the point of enforcing password changes and history checks if you're going to use an easily guessable pattern?

      People need to realize that password policy has sharply diminishing returns, and two factor authentication is sooooooooooooooo much better than just one more character class.

    8. Re:The danger of too many password requirements by Apocros · · Score: 1

      We've got similarly inane requirements here, except the password length is 8+ characters and I don't think there are any foreign-language dictionary-based checks. and we have to change our passwords every 90 days. Coming up with new passwords is all kinds of fun.

      What really gets me is the "3 characters different from the previous 10" requirement, which we have, verbatim. It seems like this would require storing the actual password, rather than a salted hash thereof. It'd be phenomenally awesome if the password database was hacked/leaked/etc.

      --
      "onward!" cried the copper man, little knowing brass corrupts...
    9. Re:The danger of too many password requirements by Anonymous Coward · · Score: 2, Insightful

      Yes, that was sort of the whole point. The stricter you make the password requirements the more likely people are to find a completely insecure way to defeat them.

    10. Re:The danger of too many password requirements by clone53421 · · Score: 1

      That would tell you if that exact password was previously used. He said “at least 3 characters different”.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    11. Re:The danger of too many password requirements by Jeremi · · Score: 1

      There is a danger in creating a password system with too many requirements, because I know very few people who used that system who didn't have their password on a sticky note on their monitor.

      Not to mention that every additional requirement reduces the number of possible passwords. In the extreme case, there might only be a small number of acceptable passwords left, and it would be a simple task to generate that list and brute-force any account.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    12. Re:The danger of too many password requirements by Abstrackt · · Score: 3, Interesting
      I like Bruce Schneier's take on this problem:

      "Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    13. Re:The danger of too many password requirements by TheLink · · Score: 1

      What I find people do in real life is they jam/rig fire escape doors so that they can:
      1) Have a smoke.
      2) Get somewhere else faster (toilet, other dept, floor etc).

      But that's not analogous to malware or phishing scams, hence my analogy of pizza delivery etc.

      I bet more people get pwned via "drive-by malware" or phishing or trojans than brute-forced passwords.

      So what you should do is figure out which group of people are more likely to get pwned, and design/structure your security accordingly. Even if it turns out the CEO is that group. The CEO doesn't really need full _direct_ access to everything, even if he/she thinks so.

      Yeah the CEO will have secrets to keep, but the sort that are likely to get pwned are also likely to brag about stuff at a bar (or even facebook :) ). The others will put in the necessary effort to learn not to get pwned, and put up with the inconveniences.

    14. Re:The danger of too many password requirements by Omegium · · Score: 1

      And the interesting thing is: my ATM Pin code is much more important to me than any of my passwords (except perhaps for my electronic banking password), and it is only 4 digits long, and I haven't changed it for years. And still there are systems with requirements like yours

    15. Re:The danger of too many password requirements by maxwells_deamon · · Score: 1

      That was my first thought as well, But the issue turns on how you translate the requirement from english to code. I think most people would think it means something like the following:

      xxxxDFGxx being the same as xxDFGxxxx (where x is a random lowercase character). Hashing algorithms would not catch this.

      I do not think you could make a password checker that would be able to disallow the above without keeping non-hashed information of some sort. One could keep a copy of the old password _after_ it was changed but that is still not a good idea. (I could probably software patent that idea, but it is still a bad idea)

      Most stated (in English) password rules are not coded as stated to avoid keeping records of old passwords. Go ahead and try to figure out my sequence based on old hashes.

      PS: Almost everywhere large that I have worked in the past few years that have had password rules about complexity and such. Then they come up with shared passwords that barely meet the rules. In some cases it was almost like you had a contest to see what the easiest to guess password you could think up that met the rules. Things like #Servername1

    16. Re:The danger of too many password requirements by stewbacca · · Score: 1

      Sounds just like Army Knowledge Online (AKO).

    17. Re:The danger of too many password requirements by stewbacca · · Score: 1

      Mod you up a million. How many people start with an uppercase letter and put 1! at the end of every password just to make sure they have at least 1 number and 1 special character?

    18. Re:The danger of too many password requirements by Xacid · · Score: 1

      This is the EXACT same problem I face.

      Actually what drives me more nuts is not only having a min password length but a max of something completely arbitrary.

      "Password must be between 7 and 11 characters." WHO THE HELL DOES THAT? Go up to 32 at least and let the end user have a field day.

    19. Re:The danger of too many password requirements by aardvarkjoe · · Score: 1

      Enforcing that requires a system to store your last 10 passwords in cleartext.

      What? No it doesn't, you can still keep the hashed passwords and verify against that.

      That would work if the requirement was just that the password be different than your last 10 passwords, but in this case the requirement is "at least three characters different from your last 10 passwords." It's possible that there are some fancy algorithms that could be used to store a hash of the password and still somehow determine if three characters match, but it's certainly not obvious to me how you could do it.

      --
      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    20. Re:The danger of too many password requirements by Dumnezeu · · Score: 1

      Sometimes it would take a half hour for me to help someone figure out a new password.

      Why didn't you bother to find a programmer to write you a password generator?

      --
      Yes, it's sarcasm. Deal with it!
    21. Re:The danger of too many password requirements by Omegium · · Score: 1

      No. The requirement of at least 12 characters makes it a huge possible pool (about 69 * 10^21, assuming 80 different possible characters). Even if the other requirements limit this somewhat, there is still A LOT left.

    22. Re:The danger of too many password requirements by Anonymous Coward · · Score: 0

      It's possible that there are some fancy algorithms that could be used to store a hash of the password and still somehow determine if three characters match, but it's certainly not obvious to me how you could do it.

      Seems pretty simple to me:

      for (x = 0; x < length(oldpw) - 2; x++) {
          stored[x] = md5.hash(oldpw[x..x+3]);   // hash of the 3-char window starting at x
      }

      (please don't correct this, it's pseudocode, not meant to be syntactically correct in any language)

    23. Re:The danger of too many password requirements by John+Hasler · · Score: 2, Interesting

      There is a danger in creating a password system with too many requirements, because I know very few people who used that system who didn't have their password on a sticky note on their monitor.

      Whereas they should have it in a little address book that they keep with their cash and credit cards. I mean that seriously. Use strong passwords, use a different password for every account, and write them down. Yes. I said that. Write them down. There is no other way to get ordinary people to use multiple strong passwords.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    24. Re:The danger of too many password requirements by durdur · · Score: 1

      It's not a complete waste. Very short passwords are certainly more crackable than longer ones, for example. But yes, sites can go overboard. http://software.intel.com/ is probably the worst one I've used recently.

    25. Re:The danger of too many password requirements by eleuthero · · Score: 1

      I realize that this type of system is designed to make decryption next to impossible, but given the requirement that no characters repeat, your company's system actually decreased the number of potential passwords (though 12 s's in a row would probably be a bad password). On another note, which foreign dictionaries were polled?

    26. Re:The danger of too many password requirements by clone53421 · · Score: 1

      On another note, which foreign dictionaries were polled?

      They had C3PO on staff.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    27. Re:The danger of too many password requirements by skiman1979 · · Score: 1

      Not to mention that having so many restrictions on passwords can significantly reduce the pool of possible passwords, making brute force password cracking even easier. But maybe no one does brute force anymore...

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
    28. Re:The danger of too many password requirements by do0b · · Score: 1

      Awh great! Now I'll have to change the salt to my passwords! Thanks!

      --
      After 12 years and a few days, I finally gave in to the dark side and joined slashdot.
    29. Re:The danger of too many password requirements by Anonymous Coward · · Score: 0

      That's not so bad.

      I used to have to deal with a (mainframe app) system that required you to choose a password which did not match anybody else's last 5 passwords.

      "What do you mean I can't use the password I want just because somebody else used it earlier this year?!?"

    30. Re:The danger of too many password requirements by WhatsAProGingrass · · Score: 1

      !QAZ@WSX3edc4 Yeah I agree, I think it's stupid. Also, the government mypay.gov site is horrible as well. You have to mouse click the password on a virtual keyboard with letters all scrambled. So everyone over your shoulder can see what you're clicking. You click slowly because the keyboard is scrambled.

      --
      Mark
    31. Re:The danger of too many password requirements by Larry+Lightbulb · · Score: 1

      For a brief while I worked at a company which had similar rules, but also the IT staff chose the passwords each month and sent them the day before they'd become active to the rest of the company.

    32. Re:The danger of too many password requirements by Kepesk · · Score: 1

      Makes sense to me, at least for certain things. If you lose your bank card, a thief has access to your bank account anyway, so what's the harm in putting your online banking password in the same place?

    33. Re:The danger of too many password requirements by John+Hasler · · Score: 1

      If you lose your bank card, a thief has access to your bank account anyway, so what's the harm in putting your online banking password in the same place?

      Except that when your wallet is stolen you usually know about it promptly and may be able to change your passwords (and cancel the cards) before they get used. When your easy to remember (and therefore easy to guess) password is guessed you don't know about it until too late.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    34. Re:The danger of too many password requirements by Fri13 · · Score: 1

      fk#kJ25@$£2sdl_kjg£4sjl-f£g223wWr_2£@£"!349#"9jfKjJsSdK£]Sd_Sdi_s!"9sdaSdjJs@!

      I have four passwords hidden in there. I could print that to paper as one line and you would not find any of them.
      The underlines are not borders or anything. They can or can not be part of the password.

      Make 10 lines of that on paper and you have a list you can use, as you know where to look.

      Security is almost as good as password lists where you can use them only once and you need a username to use them. As long as you don't write the username (what is numbers/letters) on the same paper or anywhere near (memorize it), it is secure even to give the paper to a random guy in the street or to Mr. Schneier.

    35. Re:The danger of too many password requirements by aardvarkjoe · · Score: 1

      You could probably do that; however, then retrieving the original plaintext password would only require matching up the MD5 hashes of a set of 3-character strings. Which would kind of defeat the point.

      --
      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
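The history check argued over in this subthread, as an added example (not code from the thread): an exact-reuse check over salted PBKDF2 hashes, the positional "3 characters different" rule that needs both plaintexts, the window-hashing idea from the pseudocode above, and the table lookup that recovers the old password from those window hashes. Every password in it is a constructed sample.

```python
"""Added example, not code from the thread: why the "3 characters different
from your last 10 passwords" rule cannot be enforced on ordinary hashes, and
why the per-window hashing proposed as a workaround leaks the old password.
All passwords below are constructed sample values."""
import hashlib
import hmac
import itertools
import os
import string

ITERATIONS = 50_000  # PBKDF2 rounds; chosen for the demo, tune for real use


def store(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 entry; this is all a normal password-history table holds."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def exact_reuse(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Exact reuse is detectable from hashes alone (AndrewNeo's point)."""
    return any(
        hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", candidate.encode(), s, ITERATIONS), h)
        for s, h in history)


def chars_different(a: str, b: str) -> int:
    """Position-wise difference, the reading the thread gives the rule.
    It needs both plaintexts, which a hash store cannot supply."""
    return sum(x != y for x, y in itertools.zip_longest(a, b))


def window_hashes(pw: str, n: int = 3) -> list[str]:
    """The thread's pseudocode: MD5 of every n-char window, indexed by offset."""
    return [hashlib.md5(pw[i:i + n].encode()).hexdigest()
            for i in range(len(pw) - n + 1)]


def windows_changed(candidate: str, old: list[str], n: int = 3) -> int:
    """Windows whose hash differs; the scheme's stand-in for 'characters
    changed'.  A single edited character alters up to n windows."""
    new = window_hashes(candidate, n)
    return sum(a != b for a, b in itertools.zip_longest(old, new))


def recover_from_windows(old: list[str], charset: str, n: int = 3) -> str:
    """aardvarkjoe's objection: each stored window is one lookup in a table of
    len(charset)**n MD5s, and the overlapping windows chain back into the
    whole password.  Raises KeyError if charset does not cover the password."""
    if not old:
        return ""
    table = {hashlib.md5("".join(t).encode()).hexdigest(): "".join(t)
             for t in itertools.product(charset, repeat=n)}
    pieces = [table[h] for h in old]
    return "".join(p[0] for p in pieces) + pieces[-1][1:]
```

The history of hashes cannot tell a rotation like a1!Bb2@Cc3#A apart from a fresh password, while the window table gives the old password back in one pass; neither outcome is what the policy author wanted.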
  14. It gets even worse... even different passwords by rsborg · · Score: 5, Interesting
    ... don't necessarily help.

    Facebook's founder knows the importance of social media:

    Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. In the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them.

    So in this case, the victims didn't even have the same password, but accidentally used the email password for Facebook. Combined with a malicious site (which Facebook was for them) this can lead to leaked passwords.

    The best solution to this is to use a password manager like 1password, roboform or KeepassX. I find 1password useful because it matches my password with the domain, preventing inadvertent entries. It's also a boon if you are developing with dozens of test and staging sites which change passwords often.

    --
    Make sure everyone's vote counts: Verified Voting
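    The failure mode described in the post above, as an added example that is not code from the original page or from any of the sites it names: a login endpoint whose failed-login log keeps the submitted password, an insider replaying those entries against a second service, and the same endpoint with the defect removed. Service names, usernames, passwords and the IP address are constructed for the demo; the PBKDF2 work factor is an assumption.

    ```python
    import hashlib
    import hmac
    import os
    import time
    from typing import Dict, List, Optional, Tuple

    ITERATIONS = 50_000  # PBKDF2-HMAC-SHA256 work factor; a constructed value for the demo
    # Dummy credential verified for unknown usernames so that timing does not reveal
    # which accounts exist (a separate check a practitioner would want on a login endpoint).
    _DUMMY = (b"x" * 16, hashlib.pbkdf2_hmac("sha256", b"dummy", b"x" * 16, ITERATIONS))


    def hash_password(password: str) -> Tuple[bytes, bytes]:
        """Salted PBKDF2 hash; this is what the user table stores, never the plaintext."""
        salt = os.urandom(16)
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


    def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison


    class Service:
        """A login endpoint. log_plaintext_failures=True reproduces the defect from the post."""

        def __init__(self, name: str, log_plaintext_failures: bool) -> None:
            self.name = name
            self.log_plaintext_failures = log_plaintext_failures
            self.users: Dict[str, Tuple[bytes, bytes]] = {}
            self.failed_log: List[dict] = []

        def register(self, username: str, password: str) -> None:
            self.users[username] = hash_password(password)

        def login(self, username: str, password: str, source_ip: str = "203.0.113.9") -> bool:
            salt, digest = self.users.get(username, _DUMMY)
            ok = verify_password(password, salt, digest) and username in self.users
            if not ok:
                # Username, source and time are enough for lockout and rate limiting.
                entry = {"ts": time.time(), "user": username, "ip": source_ip, "result": "fail"}
                if self.log_plaintext_failures:
                    entry["password"] = password  # the defect: the attempted secret goes to disk
                self.failed_log.append(entry)
            return ok


    def harvest_failed_passwords(failed_log: List[dict]) -> List[str]:
        """What anyone with read access to the log can pull out of it."""
        return [e["password"] for e in failed_log if "password" in e]


    def credential_stuff(target: Service, username: str, candidates: List[str]) -> Optional[str]:
        """Replay harvested candidates against the same username on another service."""
        for candidate in candidates:
            if target.login(username, candidate):
                return candidate
        return None


    def demo() -> Tuple[Optional[str], Optional[str]]:
        # Constructed sample: one user, two unrelated passwords, one typo into the wrong site.
        mail = Service("mail.example", log_plaintext_failures=False)
        mail.register("alice", "Crims0n-mail!")

        social_leaky = Service("social.example", log_plaintext_failures=True)
        social_leaky.register("alice", "fb-pass-2004")
        social_leaky.login("alice", "Crims0n-mail!")  # mail password typed into the wrong site
        social_leaky.login("alice", "fb-pass-2004")   # corrected on the second try
        stolen = credential_stuff(mail, "alice", harvest_failed_passwords(social_leaky.failed_log))

        social_fixed = Service("social.example", log_plaintext_failures=False)
        social_fixed.register("alice", "fb-pass-2004")
        social_fixed.login("alice", "Crims0n-mail!")
        safe = credential_stuff(mail, "alice", harvest_failed_passwords(social_fixed.failed_log))
        return stolen, safe


    if __name__ == "__main__":
        print(demo())
    ```

    The fixed log still records who failed, from where and when, which is all a lockout or anomaly rule needs; the submitted string itself has no legitimate use after the comparison returns, so it should never be written anywhere, including debug output and crash dumps.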
    1. Re:It gets even worse... even different passwords by The+MAZZTer · · Score: 1

      So long ago Facebook used to keep permanent logs of entered passwords (at least, failed or off-by-one-letter ones). I wonder what they do now.

    2. Re:It gets even worse... even different passwords by SleazyRidr · · Score: 1

      That's awesome on one hand, and scary on the other. I think I'll be a little more careful when I enter passwords from now on...

    3. Re:It gets even worse... even different passwords by Jayde+Stargunner · · Score: 1

      This is actually really, really common.

      I ran a database repository for a beta test of an MMO video game some years in the past as a side project. This site ended up being used by the development team for various reasons during the beta period, and members of the QA and GM teams were also instructed as to how to log in to check certain bits of data.

      I had put in login logging to detect if people/IPs who shouldn't be there were trying to get to the data, but this had the odd side-effect of gathering a huge number of attempts of the GM/QA teams trying to use their in-game login as was the norm with their internal forums. This gave me about 12+ logins over the beta period of valid GM accounts with GM abilities even on the live servers. Luckily for them, I was not out to mess around and reported it to the QA manager at the time--but if I had wanted to be malicious, I could have done a huge amount of damage. (With some of the accounts being flagged as high enough access to more or less destroy/create anything on the live realms.)

      People are generally just not careful with their credentials and often think that if it's ******* on the screen, nobody on the other end (e.g. a webmaster or database guy) can ever possibly see what they entered.

      --
      What's a sig?
    4. Re:It gets even worse... even different passwords by nschubach · · Score: 1

      Wait, you're telling me it sends my actual password over the internet and not *******? WTF

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    5. Re:It gets even worse... even different passwords by Anonymous Coward · · Score: 0

      Why the heck do they even store passwords for failed attempts? that is downright stupid and scary.

  15. Potential Solution by Anonymous Coward · · Score: 0

    When you try to sign up for a site, it could try to login to the email you give it using the password you provide, assuming it supports a standard protocol or is a well-known site. If it succeeds, it can reject the chosen password.

  16. OpenID? by Anonymous Coward · · Score: 0

    Lots of comments talk about password hashing, but where's the discussion on OpenID? You decide who proves that you are you, and how. Facebook Connect really needs to die and give way to email-based authentication (such as using your gmail/ymail as an openID).

    1. Re:OpenID? by nschubach · · Score: 1

      OpenID is nice, but the site has to have support for it.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  17. 3 passwords by JeanBaptiste · · Score: 1

    That's all I care to remember. One for critical things (like work email, anything requiring a #CC), one for semi-important things (like gmail account), and one where I don't really care if it gets hax0rd (slashdot, reddit etc).

    Yes I do have various different logins for work vpns and servers, this is more for personal type stuff.

  18. Original writeup and description: by Securityemo · · Score: 1
    --
    Emotions! In your brain!
  19. Crap... by PmanAce · · Score: 1

    Time to go add a '1' at the end of my email password, be right back...

    --
    Tired of my customary (Score:1)
    1. Re:Crap... by nschubach · · Score: 1

      No, do like we do: change every 30 days so any attacker knows that the last two digits will be that month.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  20. Well lets just... by Rivalz · · Score: 2, Interesting

    Password protect our bios
    Then our Hard drive
    Then our Operating System
    Then our router
    Then our ISP
    Then our Email
    Then our website
    Then our credit / bank cards (pins and codes)

    I'm all for it but the thing that bugs me is why can't we write a paragraph for our passwords or at the very least a full sentence.
    Usually 8-64 characters is the min/max range for an acceptable password. But what if I want my password to be the Gettysburg Address. Or maybe just the lyrics to a song. Why can't we have insanely complex passwords if we want? So until my password can be pi to the 100th digit don't come complaining to me when my passwords are the same for everything.

    1. Re:Well lets just... by Nadaka · · Score: 2, Interesting

      4#&7YagoR4fathers...

    2. Re:Well lets just... by Abstrackt · · Score: 1

      If you're looking for that length wouldn't it just be easier to use a certificate instead of a long, but known value? I know very few sites use certificate-based authentication, but if you ever could use pi to the 100th digit as a password a certificate-based system would probably be easier to implement.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  21. Internet security, nightmare mode by Anonymous Coward · · Score: 0

    * Generate a unique 63-random-ASCII-character password with https://www.grc.com/passwords.htm for EVERYTHING

    * Memorize them all. No writing down, no password keeping software, no re-rolling for easier passwords to memorize.

    * 7 proxies, VPN, no items, fox only, final destination

    1. Re:Internet security, nightmare mode by maxwell+demon · · Score: 1

      Generate a unique 63-random-ASCII-character password with https://www.grc.com/passwords.htm for EVERYTHING

      I shall use a web site to generate my password? How do I know I can trust them? And why is this better than just base64-encoding 48 bytes from /dev/random?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Internet security, nightmare mode by nschubach · · Score: 1

      And why is this better than just base64-encoding 48 bytes from /dev/random?

      Because that's probably all he's doing.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  22. SuperGenPass by jridley · · Score: 1

    I have the same password everywhere, but I use SuperGenPass so really I don't. I only have to REMEMBER one password, but what gets sent in to each site is different and looks like mWIfG7QG or something like that.

    1. Re:SuperGenPass by Anonymous Coward · · Score: 0

      How certain are you that your password generating/remembering program isn't a trojan that is also sending the passwords it's generating and the domain they were generated for to its creator?

      The problem with security is that ANY short cut that makes it less tedious for the user also makes it less secure.

    2. Re:SuperGenPass by Rary · · Score: 1

      Why should I trust SuperGenPass? What happens if your site goes down?

      SuperGenPass is open source. There is only one developer, but the source code is freely available and is regularly reviewed by independent programmers. As an algorithm, SuperGenPass is completely agnostic towards the input (your master password) and output (your generated passwords). All calculations and actions are performed locally by the Web browser on your computer; SuperGenPass does not transmit or store data.

      In addition, this Web site does not collect or store any information. I do not keep access logs. All forms on this Web site are manipulated locally by the Web browser on your computer; they do not transmit or store data.

      While my hosting service is generally very reliable, there are rare outages. If you use the Firefox / Safari / Opera version, outages will not affect your use of SuperGenPass. If you use the Internet Explorer version and you are concerned about outages, the "Customize SuperGenPass" page allows you to specify a different location for the hosted JavaScript file—your own server, the Coral cache, or the Google Code repository. I also recommend that you save a copy of the mobile version to your hard drive in case you need to generate a password while offline.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    3. Re:SuperGenPass by CeruleanDragon · · Score: 1

      Damn, apparently mWlfG7QG is not your Slashdot password. I was hoping you were being taunting and I was being clever.

      --
      ad astra per alia porci
    4. Re:SuperGenPass by Retardical_Sam · · Score: 1

      I just looked into SuperGenPass, and there are two things that scare me:
      1) If any site that you use SGP on is compromised with an XSS attack and you're using the bookmarklet, they can harvest your _master_ password.
      2) This post, from a seemingly intelligent cryptographic researcher stating that the basis of the math behind SGP isn't sound: http://stackoverflow.com/questions/554224/is-the-bookmarklet-password-generator-from-supergenpass-com-safe-to-use.

    5. Re:SuperGenPass by jridley · · Score: 1

      It's a bookmarklet that I save on my browser. There is no transmission of the data nor pickup of javascript once installed. It's simple javascript, easy for any programmer to look at. I've looked it over. It's not a trojan.

      There's also a version that you can grab and install on your own website for when you're using someone else's browser and can't install the bookmarklet. It's simple code too, I've looked at it and it's fine.

  23. Password policy by stanlyb · · Score: 0

    That's why I have my own password policy. For stupid things like social sites, garbage emails, "required" registrations for something, etc, I use a WEAK password generator. (my slashdot account has a weak password too, lol). For company accounts, I use INTERMEDIATE. And finally, for my own computer, emails, and other private accounts, I use a very STRONG password policy. Btw, the best password you could imagine is some sentence, or even a poem, but written in some specific way, or even language... Can you guess my 100 characters long password in the near future, keeping in mind that there is no written note of it?

  24. firefox has that hash function by circletimessquare · · Score: 3, Insightful

    but there's no reason why you can't have your own hash function in your head

    take a root password, say "penguin"

    say you are creating a password for slashdot

    so your password for slashdot is "penguinslashdot"

    but for gmail it's "penguingmail"

    this is an extremely simplistic algorithm. i'm just using it as an example to show you: remember a PASSWORD GENERATING ALGORITHM, not a password. then you have a unique password for every site, but you don't have to remember 500 different passwords

    a REAL algorithm could be something like "the first letter of my root password plus the third letter of the website name's ascii character value plus 3 divided by my home phone number as a kid plus the second letter of my root password plus... etc"

    or whatever

    the actual password used for each site can be quite variable and the algorithm can still be hard to guess even with a hacker who knows three or four such passwords

    the point is: you don't need to remember a password, you need to remember a password creating ALGORITHM, in your head, that only you know, which is infinitely more secure, but no harder to remember

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:firefox has that hash function by zoney_ie · · Score: 1

      Actually I would say it is hard to choose such an algorithm that can't be guessed when you have one or two passwords, never mind more. Such an algorithm relies on details particular to the place you're logging into; if you start obfuscating these details, it increases the complexity for the user too. As the algorithm gets better at not being guessable, you are more likely to defeat the purpose of the algorithm - i.e. have a password that *you* can work out for a given situation.

      --
      -- *~()____) This message will self-destruct in 5 seconds...
    2. Re:firefox has that hash function by Fri13 · · Score: 1

      Humm... What?

      Just joking...

  25. You wonder? I know it happens. by N0Man74 · · Score: 2, Informative

    I've been involved with tech support, and have been asked for help from family and friends. Many non-computer savvy people see these registrations and think that they are *supposed* to use their email address password there. When people (including my mother) have asked me for help to setup for random online accounts where they give their Yahoo email address (for example), they frequently ask, "so I should put my yahoo password in here?"

    Even if they realize it's a second password, they will often use the same one anyway, which is often something as simple as their own first name in all lowercase. I told one family member that this was a very bad idea, and that good passwords are a combination of letters and numbers, so she began adding 123 to the end of her passwords...

    These people don't realize how some accounts *can* be abused. Sure, many of us take security for things like social media sites less seriously, but don't forget that having an insecure Facebook account opens the door for someone getting access to your account and bombarding everyone you know with things like porn spam, phishing schemes, links to infect people with malware, people posing as you to commit fraud (such as posing as you to ask people for financial assistance for some personal emergency), or social sabotage.

    Passwords are a mess, in general. Only a small minority exercise proper password security practices, there are too many sites that require passwords, and even those of us who want to practice good password security (and realize the importance of it) are burdened with the mess of having 30 different logins and passwords for different sites.

  26. I guess I should change my password! by Tamran · · Score: 1
  27. So many passwords... by rickb928 · · Score: 1

    ...so little hope.

    I use now 11 different combinations of 13 different passwords at work. A unique situation, yes.

    But for personal, recreational access, I have only 16 different passwords for 22 different systems, from banking to email to social networks to my online servers. What a lot of fun. I have a list which is almost always obsolete, and keeping it in a PGP file is a nuisance. Teaching my wife how and where to open the file and get a password she hasn't used in months is no fun. She keeps a list of hers in the house. If they get into that, they got everything anyways.

    I've been trying to use OpenID more, but it's not universal.

    Oh, and when my eBay password got compromised a few years ago, I sat right down and changed a BUNCH of other passwords... Just to be sure.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  28. so do I, well three.... by AnAdventurer · · Score: 1

    Why would I use different passwords? If one password is [stolen-guessed-hacked] everything is in jeopardy anyway. Our online security is a house of cards. I use one simple (for me, random for you) password at all these sites that have no personal data beyond an email address, another far more complex set for sites that have more information and a third for sites that have financial or "real" data (my medical license, I am not a doctor or state account).

    --
    6.8SPC TR of 550, l xwind at 6, drift rt at 26" drops 77". AT has 503 ft-lbs at 1403 fps. FT 0.86
    1. Re:so do I, well three.... by jayme0227 · · Score: 1

      I noticed something similar to this when I was going back and looking at the settings that I use for accounts that I set up long ago. If someone had my hotmail password, they could easily get several of my other passwords because they were set to e-mail my passwords to my hotmail if I had "forgotten" them.

      --
      But then I realized the cable was blue, so I only gave it one star. I hate blue.
    2. Re:so do I, well three.... by mdwh2 · · Score: 1

      I agree - most social networking sites etc have the option to recover or reset passwords via email. So if your email is compromised, then they'll get access to these other sites too, anyway.

  29. Why passwords don't work... by SirMasterboy · · Score: 1
  30. Counterbalance by SuperKendall · · Score: 4, Funny

    What if they are gay? ;)

    That's why his usernames are all something along the lines of "IAM_NOT_GAY"

    It's a sort of psychosexual firewall. Only someone who can embrace being gay and not gay at once may pass.

    Or Pat.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Counterbalance by Abstrackt · · Score: 1

      Only someone who can embrace being gay and not gay at once may pass.

      Ah, a metrosexual then!

      But on a serious note, why do we need to create a whole new subclass of male based on the fact that they can dress themselves without help?

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    2. Re:Counterbalance by WillDraven · · Score: 3, Funny

      So, as a bisexual I am uniquely suited to compromise this persons account.

      --
      This is my sig. There are many like it but this one is mine.
    3. Re:Counterbalance by Anonymous Coward · · Score: 0

      So people can deal with it without having to think too much. Label? Good. Having to think about something new? Brain explodes.

    4. Re:Counterbalance by Anonymous Coward · · Score: 0

      Is it 2005?

    5. Re:Counterbalance by Rob+the+Bold · · Score: 1

      So, as a bisexual I am uniquely suited to compromise this persons account.

      And twice as likely to find a date, according to Woody Allen.

      --
      I am not a crackpot.
    6. Re:Counterbalance by bhiestand · · Score: 1

      What if they are gay? ;)

      That's why his usernames are all something along the lines of "IAM_NOT_GAY"

      It's a sort of psychosexual firewall. Only someone who can embrace being gay and not gay at once may pass.

      Or Pat.

      The Republican strategy makes sense now!

      --
      SWM seeks new sig for a brief fling
    7. Re:Counterbalance by Anonymous Coward · · Score: 0

      I got that beat, I used to identify as bigendered, which meant that I felt that depending on my mood I would personify the male or female gender. My male side was essentially straight, and my female side wavered between bisexual and gay depending on her mood. So at times there were days when I would be both gay and straight in the same day.

      Ah to reminisce on the younger years...

  31. I just use... by Ozymandias_KoK · · Score: 1

    12345, same as my luggage. Lots easier to remember.

  32. Not on Slashdot it isn't :( by Anonymous Coward · · Score: 0

    Nick: Anonymous Coward
    Password: IAMGAY

    Login for "Anonymous Coward" has failed. Please try again.

  33. Its about convenience by digitallife · · Score: 2, Insightful

    Many people are going on about how they use a password manager or a hasher or some such which supposedly solves this problem of remembering passwords, but all they've really done is substitute one inconvenience for another. The reason people use one password everywhere is *convenience*. They do not want to remember a bunch of different passwords, or worse, forget them! Sure a password manager prevents that when you are at your computer, but now it's almost impossible to login unless you have your computer in front of you, which could be extremely inconvenient under certain circumstances, for example if you need to access an email while visiting family for dinner and didn't bring your laptop, or if you lose your computer.

    People who use one password for everything are not going to stop unless a more convenient option arises, which is unlikely to occur. I guess the people who steal passwords will always have a job!

  34. The Average User by helix2301 · · Score: 1

    The average user does not understand security and the same password for everything makes it convenient. The problem is if you get someone's password you can get to sites like Amazon or eBay where you can really cause issues. People should use different passwords but they feel that's too much to remember or they will leave a password list lying around. Either way it's not secure and people can get hacked.

  35. so how do we educate users... by Lazy+Jones · · Score: 1
    ... do we implement checks whether the login details the user just entered work on gmail, Facebook, myspace, Skype, ICQ and warn the user accordingly? ;-)

    Some trivia: on a site with domain XXXXXX.at roughly 0.5% of the registered users use XXXXXX as password (censored).

    --
    "I love my job, but I hate talking to people like you" (Freddie Mercury)
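    The checks that posts 19 (appending a '1'), its reply (the month as the last two digits) and post 35 (0.5% of users picking the site's own name) suggest a registration form should make, as an added example that is not code from the original page or from the site the post describes. Everything here is constructed: the denylist is a toy stand-in for a breached-password corpus, and the reason strings are the example's own. The variant check compares against the password the user just typed to authenticate the change, so no password history has to be kept.

    ```python
    import re
    from typing import Optional

    # Constructed short denylist; a real deployment checks a breached-password corpus instead.
    COMMON_PASSWORDS = {"password", "letmein", "qwerty", "iloveyou", "welcome"}
    # Domain labels that say nothing about the site and would otherwise cause false rejections.
    GENERIC_LABELS = {"www", "com", "net", "org", "co", "mail", "login"}
    MIN_LENGTH = 12  # an assumption for the demo


    def _core(s: str) -> str:
        """Lowercase, then drop whatever digits/symbols were bolted on the end ('1', '123', '!', a month)."""
        return re.sub(r"[^a-z]+$", "", s.lower())


    def reject_reason(password: str, username: str, site_domain: str,
                      current_password: Optional[str] = None) -> Optional[str]:
        """Return why the candidate password is rejected, or None if it passes every check."""
        if len(password) < MIN_LENGTH:
            return "too short"
        core = _core(password)
        if not core:
            return "no letters"
        if core in COMMON_PASSWORDS:
            return "common password"
        local_part = username.split("@")[0].lower()
        if len(local_part) >= 3 and local_part in core:
            return "contains username"
        for label in site_domain.lower().split("."):
            if len(label) >= 3 and label not in GENERIC_LABELS and label in core:
                return "contains site name"
        if current_password is not None and _core(current_password) == core:
            return "trivial variant of the current password"
        return None


    if __name__ == "__main__":
        for pw in ("Example2010!", "Hunter2024-03", "vK9#mwQpL2xZ-ec"):
            print(pw, "->", reject_reason(pw, "alice", "example.at", current_password="Hunter2024-02"))
    ```

    The normalisation is deliberately narrow: it strips a trailing run of non-letters and nothing else, so "penguin1", "penguin123", "penguin!" and "penguin0311" all collapse to the same core, while a genuinely different password that merely ends in digits is left alone. Run the check server-side; a client-side copy is only a convenience.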
  36. Same password by Nethead · · Score: 1

    I've had the same lame password for slashdot since I opened the account. I've had no problems. Most of my friends know it. I use that password for MANY other things too. Not the bank account though, that one is never used anywhere else and, besides myself, only my wife knows it.

    --
    -- I have a private email server in my basement.
  37. 1,2,3,4,5. by DarthVain · · Score: 1

    If it's good enough for my luggage, it's good enough for my planetary shielding system.

  38. Re:You wonder? I know it happens. by longhairedgnome · · Score: 1

    I've been involved with tech support, and have been asked for help from family and friends.

    Can't we have a conversation, just once, without discussing them?

    --
    GENERATION O98346: The first time you see this, copy it into your sig and remove a random number from the generation. T
  39. I have the same combination on my luggage... by Anonymous Coward · · Score: 0

    > Apparently 75% of the passwords tested were *******.

    Well, at least it's easy to type...

  40. Nosirree! Not Me! by ZosX · · Score: 1

    I like to keep things secure so for e-mail I use 1234 as a password and for facebook I use 6789. No need to make it easy for someone to hax0r my accounts!

    1. Re:Nosirree! Not Me! by El_Oscuro · · Score: 1

      Hey! How did you get my Slashdot Password?

      --
      "Be grateful for what you have. You may never know when you may lose it."
  41. DAMN RIGHT! WRITE YOUR PASSWORDS DOWN! by John+Hasler · · Score: 1

    Bruce is absolutely right. Encourage people to write their passwords down. Tell them how to do so securely. Issue them little black books and tell them how to keep them secure.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:DAMN RIGHT! WRITE YOUR PASSWORDS DOWN! by Jedi+Alec · · Score: 1

      Why little black books? Use something that we all have and are all paranoid about...our wallets. Something the size and shape of a creditcard should do the trick nicely. Heck, make it look like the fake stuff you get to show off the features of the wallet.

      --

      People replying to my sig annoy me. That's why I change it all the time.
    2. Re:DAMN RIGHT! WRITE YOUR PASSWORDS DOWN! by John+Hasler · · Score: 1

      Why little black books?

      No particular reason. Brown, blue; whatever.

      Use something that we all have and are all paranoid about...our wallets.

      That, of course, is where you should keep your little black book.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  42. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  43. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  44. Use the KCP Method by kenp2002 · · Score: 1

    Pick a pair of X'th letters.

    Each site use the two Xth letters.

    For instance if you use a password like "b@man1"

    and you use the 3rd and 5th letter as your Xth letters

    You password on amazon would be:
    ab@man1o

    Using the Xth letters to prefix and postfix your password. Other variations include doubling up on the front or back

    aob@man1 or b@man1ao for example.

    All the while your google password would be

    olb@man1 or b@man1ol respectively.

    Another variation uses the first vowel to pick what Xth letters you use adding more variety but easy enough to remember the method.

    --
    -=[ Who Is John Galt? ]=-
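    The three "remember an algorithm, not a password" schemes in this thread side by side, as an added example that is not code from the original page or from SuperGenPass: post 24's root-plus-site-name, post 44's KCP prefix/suffix, and a site-bound derivation of the kind post 22 describes, done here with PBKDF2 so that one leaked password is an offline cracking target rather than a giveaway. The longest-common-substring function plays the attacker from post 24's last paragraph, who has seen a few of the generated passwords. The character set, the salt format, the generation counter and the work factor are this example's own choices.

    ```python
    import hashlib
    from typing import Sequence

    # Characters that survive being read back from paper: 0, O, 1, l and I are dropped. An assumption.
    ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"


    def naive_site_password(master: str, site: str) -> str:
        """Post 24's simplistic scheme: root password followed by the site name."""
        return master + site


    def kcp_site_password(master: str, site: str, positions: Sequence[int] = (3, 5)) -> str:
        """Post 44's scheme: the Xth letters of the site name (1-indexed) as prefix and suffix."""
        letters = [site[p - 1] for p in positions if p <= len(site)]
        if len(letters) < 2:
            raise ValueError("site name too short for the chosen positions")
        return letters[0] + master + letters[1]


    def longest_common_substring(a: str, b: str) -> str:
        """What an attacker holding two generated passwords sees immediately: the shared part."""
        best_len, best_end = 0, 0
        prev = [0] * (len(b) + 1)
        for i in range(1, len(a) + 1):
            cur = [0] * (len(b) + 1)
            for j in range(1, len(b) + 1):
                if a[i - 1] == b[j - 1]:
                    cur[j] = prev[j - 1] + 1
                    if cur[j] > best_len:
                        best_len, best_end = cur[j], i
            prev = cur
        return a[best_end - best_len:best_end]


    def derived_site_password(master: str, site: str, generation: int = 0,
                              length: int = 16, iterations: int = 100_000) -> str:
        """Site-bound derivation: PBKDF2-HMAC-SHA256 over the master, salted with the site name
        and a generation counter so one site's password can be rotated without touching the rest."""
        salt = "site:{}:gen:{}".format(site.lower(), generation).encode("utf-8")
        material = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=64)
        limit = 256 - (256 % len(ALPHABET))  # rejection threshold, so no modulo bias in the output
        chars = [ALPHABET[b % len(ALPHABET)] for b in material if b < limit]
        if len(chars) < length:
            raise RuntimeError("not enough unbiased bytes; raise dklen")
        return "".join(chars[:length])


    if __name__ == "__main__":
        print(longest_common_substring(naive_site_password("penguin", "slashdot"),
                                       naive_site_password("penguin", "gmail")))
        print(longest_common_substring(kcp_site_password("b@man1", "amazon"),
                                       kcp_site_password("b@man1", "google")))
        print(derived_site_password("penguin", "slashdot.org"))
    ```

    Two leaked outputs of either mental scheme hand over the master in one comparison; two leaked outputs of the PBKDF2 scheme give an attacker nothing cheaper than guessing the master through the work factor, which is why the master still has to be strong and why running the derivation inside an untrusted page, as the bookmarklet concern in post 22's replies notes, is the weak point.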
  45. But how??? by Anonymous Coward · · Score: 0

    Did BitDefender mention what kind of tricks they used to actually obtain the passwords? A test phishing attack? Guessing the passwords based on users' info? I am just confused as to how passwords can be "found" online unless you use some intrusive method to obtain them, which borders on legality issues.

  46. Time for a change... by darkpixel2k · · Score: 1

    SSH and GPG use one password and key everywhere--and remote hosts can't compromise my key or password because they never receive them or store them.

    Maybe it's time for a change with respect to the retarded password systems we have out there: GPGAuth.

    --
    There's no place like ::1 (I've completed my transition to IPv6)
  47. How is this news exactly? by Anonymous Coward · · Score: 0

    People are stupid, we knew that. I use a different password for almost every site. I know many many people use the same password for every site, or use only a few passwords. No amount of bitching is going to get them to change something they don't want to. On the other hand, most people don't really have enough interesting to be attacked. "OOOhhh I got into his GMail, now I can read that email from K-Mart he got yesterday!"

  50. That is so right... by hesaigo999ca · · Score: 1

    I use the same password and username on most gibberish accounts, exactly for this purpose. I do not need a special name for some unimportant website I use for reference for this or that, as I really only need it to post a question or answer, whereas the important ones all have their own system, following an easy guideline like my user name for hotmail is xxxxhotmail@hotmail.com and the password usually has some of the website name too, so that they are all easy to remember yet all the same when it comes to remembering the algorithm.

  51. It's all very simple by uninformedLuddite · · Score: 1

    The best password bar none is 'aardvark'. How could someone ever crack that?

    --
    The new right fascists are bilingual. They speak English and Bullshit.
  52. Re:compromise this persons account by Zaiff+Urgulbunger · · Score: 1

    uniquely suited to compromise this persons account

    I've never heard it called that before!

  53. PasswordSafe by Anonymous Coward · · Score: 0

    I just checked in my PasswordSafe archive and I have 108 account entries, each with its own password.
    What's your excuse?

  54. Not exactly 75% by AdamWill · · Score: 1

    Haven't read the full article, but given what the Slashdot summary says, it seems it's rather '75% of people careless enough to lose their email or facebook password somehow used the same one for the other service'.

    This is significant, because I rather suspect that the people smart enough not to use the same password for both things are the same people smart enough _not to post that password on their fucking blog_ (the type of mechanism the summary suggests the survey authors used to gather the samples).