Survey Shows How Stupid People Are With Passwords
wiredmikey writes "Another study was released today that once again shows how careless people really are online. When it comes to safeguarding personal information online, many people don't seem to care very much, or don't think enough about it. In the survey of more than 2,500 people, some interesting and scary trends were revealed in how users handle their online passwords..."
In addition to securing web and database servers and only storing the passwords as hashes with salt added, websites should do more to protect the user passwords. This for example is why Slashdot hides your password as ******** if you accidentally happen to write or paste it to a comment - a practice every website should do.
was the "with passwords" part actually needed in the title? ;)
From TFA:
" 30 percent logged into a site requiring a password over public WiFi (vs. 21 percent overall)"
So what? That's what SSL and certificates are for. Entering your password on a public computer - well, that's another story.
The way password systems were designed was stupid to begin with. Programmers designed password systems for people like themselves. The real issue is, programmers did not foresee the internet and the need for easy authentication at multiple sites with strong keys.
I still don't know why Microsoft and other OS makers have not bought out roboform to integrate it into their OS and change the culture over time.
http://www.roboform.com/
Roboform generates unique passwords and makes "click button" authentication easy, and you can back up your encrypted passwords on USB sticks, etc.
For example, the article asserts that 4 out of 10 people have shared a password in the last year. I've done that. I shared the password to one of my email accounts with my twin who needed access. And after he was done I changed the password. Much of the data here is very hard to actually show is bad without more context for what exactly people were doing. Also, while we're discussing these issues, obligatory xkcd - http://xkcd.com/792/.
Working in an enterprise, one of the biggest excuses I hear from people when I talk to them about password security is they will say "oh my account doesn't do much" or "it's not a big deal if someone gets my stuff".
They have no idea that it's not so much about them having their stuff (which incidentally probably indeed doesn't matter much), but just people having access to accounts that they shouldn't. I usually tell them why it's important after they give me an excuse like that. But most people just don't seem to care. But of course they care when something happens.
People are stupid. News at 11.
Can anyone tell me why 99% of
Best password solution available.
What? ******* isn't good enough for you? I love how the new Slashdot converts your password into asterisks! So convenient!
Reviewing just the first hour of video games.
It's a bad idea to use the same password everywhere, so I just set the password as my username and pick a new username on every website.
What, you mean "password" isn't a good enough password? I figured the more obvious it was, the less likely someone would actually try to use it!
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
Also, regarding: "And 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer."
I think writing down your password isn't that bad of a choice (especially for online passwords, not the one that logs you into your computer).
I'm not the only one who thinks that way: http://www.schneier.com/blog/archives/2005/06/write_down_your.html
So, what, we're supposed to have a different password with special characters and nothing significant to us (like dates) for each of the 150 online accounts we have? Oh, and if we write down the passwords somewhere so we don't forget them we're dumb too? Whatever! Maybe if we all had photographic memories that would be a realistic option, but there's just no way it's going to happen like that.
It's just a crappy system, we should be using public key encryption with our private keys stored on a USB key - or some other similar scheme, where we don't have to memorize a million randomized passwords in order to not have our identity stolen.
Anyone who has ever worked in any form of tech support can tell you that most people readily volunteer their password to anyone they think they need help from in the tech community, even though we didn't need it or ask for it.
"Can you show me how to make the font bigger? My password is kitty123."
Younger people are especially likely to take online security risks. Webroot found that among 18 to 29 year-olds...
The bad practices don't surprise me. But it's disturbing that younger people are more lax about security, even though they are (by and large) more tech-savvy than older folks. I realize this is also the MySpace/Facebook generation that broadcasts personal information all over the internet, but these stats aren't just dumb teenagers.
If anything, I would hope that people who are more familiar with technology would understand the risks better, but that's not the case here... and that's perhaps a more worrying trend than the overall disregard of safe practices.
FTA: "Smarten up, folks. It's really not so hard to set up some solid password practices. Again, since most of our readers don't really fall in this category, at least try to open the eyes of those around you."
Are we talking 'A Clockwork Orange' style?
Otherwise, I don't think anything can help.
He who knows best knows how little he knows. - Thomas Jefferson
4 in 10 respondents shared passwords with at least one person in the past year.
> 4 in 10 are married?
Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised. (A separate recent study revealed that 75% of people use the same password for Social Networking Sites and their email accounts)
> If I have a hotmail account and a twitter account, which I never use, should I create strong, unique passwords for both? Why?
Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords.
> Examples of weak passwords: Pingeico4 due7Johh Eexee9ot Soobanah6 Ja3sahte
2 in 10 have used a significant date, such as a birth date, or a pet's name as a password – information that's often publicly visible on social networks.
> Some people have disposable passwords for useless login credentials. A New York Times account doesn't require a strong password.
Most of these conclusions are neither scary nor stupid.
retinal scan
If you want to keep your users safe you should issue them a secure random password by default and make them log in with it at least once before giving them the option of changing it. That way many of them will just store the password in their browser and not bother changing it to something that they use elsewhere. Weak passwords shouldn't be allowed at all.
Ideally you wouldn't want them saving it in the browser to begin with and can prevent that if you wish, but if you make them remember the password they are probably going to use a password that is also used on other sites.
But a desk drawer is a terrible place to keep that paper, in your wallet is a much better place.
Yeah, it depends on what you're protecting against. If the purpose of online passwords is primarily to prevent other online users from accessing your account, then writing the password down in a notebook on your desk is safe. Insofar as the purpose is to protect your account from someone who has access to your desk, it's not safe.
It's important to remember that security depends on context.
One very good solution is to use pwdhash:
https://www.pwdhash.com/
You can install it as a local plugin for Firefox or as bash/ruby scripts on your computer.
You only need to remember one strong master password, and forget about the rest.
You get something like this, depending on domains (no phishing!) & the length of your master password:
+1xhTRy7T for ebay.com
fRrL2nI7+ for amazon.com
TYZyfI0u+ for facebook.com
3yL+WQBF7 for skype.com
+KwIr4FId for delicious.com
Enjoy!
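As an added illustration of the idea behind the comment above (this is not PwdHash's own code and not its exact algorithm, so the derived values differ from those listed), the Python below keys an HMAC with the master password over the normalised domain. The property a defender cares about is visible directly: a lookalike or phishing domain yields an unrelated password, and a longer master password yields a longer per-site password. The domain-normalisation rule (strip scheme, path, port and a leading "www.") is an assumption of this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Illustrative site-specific password derivation (assumed scheme, not the
# actual PwdHash algorithm): HMAC-SHA256 keyed with the master password over
# the normalised site domain, base64-encoded and truncated.


def site_key(url_or_host: str) -> str:
    """Reduce a URL or bare hostname to the domain used as HMAC input.

    Assumption for this example: drop scheme, path and port, lowercase the
    host, and strip a leading "www.". Real tools apply their own rules.
    """
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_site_password(master: str, url_or_host: str,
                         min_len: int = 8, max_len: int = 22) -> str:
    """Derive a per-site password from a master password and a site domain.

    The output length follows the master password length, clamped to
    [min_len, max_len]; the site only ever receives the derived value, and
    the master password is never sent anywhere.
    """
    if not master:
        raise ValueError("master password must not be empty")
    domain = site_key(url_or_host)
    if not domain:
        raise ValueError("could not extract a hostname from %r" % url_or_host)
    tag = hmac.new(master.encode("utf-8"), domain.encode("utf-8"),
                   hashlib.sha256).digest()
    length = max(min_len, min(max_len, len(master)))
    # base64 yields letters, digits, '+' and '/', much like the listing above.
    return base64.b64encode(tag).decode("ascii").rstrip("=")[:length]


def demo(master: str) -> dict:
    """Derive passwords for the domains named in the comment above."""
    sites = ["ebay.com", "amazon.com", "facebook.com", "skype.com",
             "delicious.com"]
    return {site: derive_site_password(master, site) for site in sites}


if __name__ == "__main__":
    # Constructed master password for the demonstration only.
    for site, pw in demo("correct horse battery").items():
        print("%s for %s" % (pw, site))
    # The same site reached via a full URL derives the identical password,
    # while a lookalike domain does not.
    print(derive_site_password("correct horse battery", "https://www.amazon.com/gp/cart"))
    print(derive_site_password("correct horse battery", "amaz0n.com"))
```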
I've been using a variation of the same password for years. It was secure when I first started using it, it's not so secure anymore. Although, if it were any more secure, not even I would know what my password was. Password security is getting nearly impossible considering many sites and resources expect you to update your password every few months.
"86 percent do not check for a secure connection when accessing sensitive information when using unfamiliar computers"
Seriously, now. A website with "security" in the title really ought to at least try to present credible security analysis!
*facepalm*
Yes, we all have a gay old time making fun of those stupid users. But to be fair, we're talking about systems that should have been designed with the expectation that they would be used by stupid people. Yet these systems do not take that in to account. There must be a lot of stupid developers and admins.
Sure. I have accounts with information I share with my wife. For example, our joint bank account. [Do not feel free to add rant about online banking here.] One bank account = one set of sign in credentials. So how do we work this situation without sharing passwords?
I have a dozen different systems with separate sign-ons at work. No, this is not exaggeration. I am actually rounding down to a dozen. Should I remember a dozen different passwords? Because of course it's a no-no to write them down.
And that's just at work. Add to that the dozen or so social sites (/., fb, support boards for my tv, car, universal remote, NAS, DVR, etc.)
Is there anyone who doesn't reuse passwords? I bet it's just the folks using some password manager app. For those folks: did you write that app yourself? No? And yet you trust it with all your passwords?
Why is this on a list of stupid things users do? I've seen plenty of systems that did not allow special characters in passwords. Admins can be stupid as well.
And this is actually not a good point at all. Allowing (or requiring) more characters in the password is better than adding special characters to a shorter password.
And see the previous point about reusing passwords. When I change my passwords at work, I choose a password that conforms to the least secure system (lowest max character limit, fewest allowed character classes, etc) so that I can have a single password for all those systems.
Okay. This is stupid.
Using the same password for most of the sites I visit isn't a security risk because those sites themselves aren't that important. If someone hacks my NY Times login, does it matter? What would they do with my message board accounts anyway? Post spam? Hasn't that already happened to a few people you know already? It's not a big deal.
Now if you use the same password for your bank, ebay, or paypal, it's a different story. But it's pointless to try to remember dozens of passwords for inconsequential sites.
Telling someone else your password is only a risk if they are untrustworthy. There are a few people who I trust with a lot more than my online information, these people can know my password. If they wanted to screw up my life that's the last thing they'd need or use.
This sentence no verb.
Users are careless with their workplace computers because it's not their data and they don't care what happens to it.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
Why are we still choosing and typing in passwords? Replace the password repo with a key repo. The site should generate a large random password for each user. We could do it with the password fields now. Simply automatically generate a big (100 character), secure password when someone applies for an account and get them to cut/paste it into the password field, the browser will automatically cache it. The user never has to see it again. Hell, I bet javascript could even do it automatically.
keypass safes/password wallets are far more secure than having the same username/password everywhere.
So what do people think of Lastpass and the like? It gives a single point of failure and you have to trust them (which I do for everything apart from my bank stuff). It does allow you to use impossible to guess (nor remember!) passwords though with a different one for each account.
wot no sig
The problems with variable password rules makes it harder to create password systems. More importantly, usually we don't really need one. Really, is there any need for a site like moviefone to have a password? I mean really, it's a freaking movie website list. Let them track you with a cookie, not a login and a password. I don't agree to give my credit card number to my grocery store permanently just to get "one click" payout, what possible reason would I do it for a freakin movie ticket. Honestly, even slashdot could work almost as well without a real password. Just set it up so that it has a username that does not show the last 4 letters, and the only way to change the password is by asking them to send a reset to the email account you signed up in. A 4 letter password plus an email reset would work fine for something as unimportant as tech news site with commenting. I mean really, would it be that horrible if someone stole your slashdot identity? It's not a bank account for god's sake. Or set it up with a camera ID system.
excitingthingstodo.blogspot.com
Who can remember "aL8+4#ys!Gk=^" ? Should I write it down somewhere? And I should use a different password for each of the 50 services/sites I use? And I should change my password in each site every month? And never repeat a password?
Birth is the leading cause of death.
What percentage of online systems store their user's passwords one-way encrypted (let alone encrypted)?
--------
* Sigh *
For work it seems that various departments love to use solutions only available over the internet:
And this is just for work. None of these services have local clients that can run off-line. Only a handful are integrated with AD/LDAP. Finally, several have rotating passwords that need to be changed every month. @#$%#$
I hate the fact that I have well over 20 passwords. I also have at least 5 different machines that I need to use.
Give me a better option, please!!!!
Considering this "article" also rails on people for not using a different password on every website, I don't know what he expects people to do with them.
When you throw 100 passwords at people and want to enforce "strong" passwords on all of them (which he also complains about), what option do people have but to store them somewhere? Paper is a useful media for this purpose.
This article is bullshit, really. Some of the things he complains about are the direct cause of other things he complains about. Make up your fucking mind.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Seriously. Don't ever share, use unique passwords every time, don't write it down, and always make them strong, and thus unmemorable... All rather useless in the end. My 60-some-odd accounts online with weak as hell practices have yet to be hacked (not that I'd care all that much in most cases). The one account I cared about and put heavy protections on got keylogged rendering all that wonderful protection worthless. These security experts really need to clue in and realize that this system of password management for security is impractical, ineffective, and unrealistic.
I regularly receive RSA tokens w/ PW & UID on them.
Some even take the time to label them w/ a labeling machine.
and they make it all the way back to ME. Unfortunately I have no authority to do anything about this but alert my boss.
Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised.
I bet the author of this report has a key ring with his house keys, car keys, office keys etc all on them. He's risking much more than 'information' surely if one, thus all of them becomes compromised. Stupid Stupid Stupid!
Virtually nothing will protect you from people who have access to your desk. It takes only seconds to install a trojan: less time than the time-out on your password-protected screen saver. You're vulnerable unless you explicitly turn it on every time you leave your desk. USB key loggers are easy to install and conceal, as are web cams that can watch you typing your passwords. If your CPU chassis is accessible after you leave for the day, an attacker can install a trojan even if you are methodical about locking your desktop. Whole-disk encryption can help. But who goes to all these lengths? Physical access trumps all.
I use a laptop, and lock it in a drawer when it's not in my possession. But I don't imagine that I'm invulnerable.
The real problem is the use of passwords at all. Passwords are a terrible security mechanism for a lot of reasons, the two most prominent being that people are terrible at creating random strings and even worse at memorizing them.
As for the issue of writing things down, to be honest, for the majority of people that is not such a bad thing. For most people, the threat model is anonymous crackers on the Internet trying to gain unauthorized access to an account; anonymous crackers are not going to be able to read a password that you wrote down and keep in your wallet.
Palm trees and 8
That's just Microsoft. Apple has had such a system for years (Keychain) that generates random passwords and stores them in an encrypted, systemwide database.
All this ****ing time I thought that it was the ****ed up Slashdot censorship that replaced **** in my posts with asterisks. I guess I shouldn't have chosen **** as my password.
But I don't imagine that I'm invulnerable
You never should imagine that your are invulnerable, regardless of what sort of measures you take. Even the measures taken by the government to protect TOP SECRET data can be defeated by a powerful enough adversary.
Have a look.
It's not perfect, but it's easy. You carry a card around (or a mobile phone app) and remember mnemonics like "Smiley Green 16" and "Heart Pink 12" for each site, which amount to x,y,length for looking up your password on the card.
If you lose the card you can regenerate it, but finders have no way of knowing how to look up your password. If you write your mnemonics on a sticky note attached to your monitor, it doesn't matter because no one has your card.
Also the Android app means no card needed. At no point do you give your passwords to any third party.
Not affiliated with the author, just a fan.
I agree completely. If the desk drawer locks, that makes it more secure, because you can have a long, unintelligible password that would be impossible to remember. I keep my important passwords in my wallet with my other valuable paper for exactly that reason.
Free Martian Whores!
I've worked in a company where every 6 months everyone was assigned a randomly created password that met all the complexity rules. Of course it was impossible to remember since most people had 2-3 passwords for the domain and an application they used. People just wrote it down and had the paper with them all the time.
The idiot admins felt important since they thought everything was secure with their James Bond system.
Having passwords accessible in some fashion for family in the event of death is good, but not considered very often.
Write them down, or put them on a thumb drive in a safe... I knew most of my Dad's passwords when he died quite unexpectedly. It simplified a lot of the financial issues.
Maybe it is a general security problem, but banks will let you do things online with a password that you'd need certified court documents and a death certificate to do in person: transfer money between accounts, pay utilities from the account. Anything that has online, recurring payments needs to be dealt with (e.g. Netflix).
My plan, as yet unimplemented, is to put all that stuff in an encrypted TrueCrypt file (on a thumb drive or unprotected PC) and give my family the password to that file.
Help! Help! I'm being repressed!
I worked for an organization that decided to update its LAN password policy to not allow any 3 or more letters the same as the user's name, a dictionary of obvious words such as "password", the company name, department names, and to not allow any five characters to be the same as the previous password.
... and not give sufficient notice to 10,000 employees ...
This locked out upwards of 50% of accounts, brought chaos on the company, and flooded the helpdesk with calls.
I certainly write mine down. Sure there's a chance someone can break into my home, steal my post-its and flash drives, but what are they going to get anyway?
I don't have online banking, that's safe. They can get my slashdot password though and other forum passwords - is the danger that someone might use my account to say something even more stupid than I can?
What's the use of having really secure passwords to protect something that's not valuable? I might put stocks and gold bars in my safe, but I'll leave my dirty socks on the floor.
The author may be amplifying his point a bit too far in a few places. In particular:
" 86 percent do not check for a secure connection when accessing sensitive information when using unfamiliar computers."
The problem is accessing sensitive information AT ALL using unfamiliar computers. The little lock icon is irrelevant if the system has a keylogger.
" 14 percent never change their banking password."
With a strong enough password, changing it confers little advantage.
" And 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer."
The problem is not so much writing them down, but hiding them in an insecure location. (The current threat environment for most people makes memorized weak passwords a larger risk than written strong passwords.) If people kept their password list stapled to five hundred-dollar bills, you can bet they'd keep it safe enough!
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
People aren't the problem, passwords are the problem. I wrote on my blog about it and I'm not going to copy-paste all of it here...
http://www.sorin7486.com/2010/10/12/password-hell/
rather pissed now so I'm going home X-(
When I was 15 I figured out my first law of nature. Said law is, "People are generally stupid."
In the 27 years since I first figured that out, I have seen no evidence to the contrary.
If I were God, wouldn't I protect my churches from acts of me?
Back in the 1980s, when the Bradley IFV was just coming out, I saw a 60 Minutes piece on the vehicle. It complained that the Bradley had too high of a profile, making it vulnerable. It claimed that the Bradley was too cramped internally. Thus, it was both too big and too small. In a similar vein, it was too well armed and not well armed enough, and too well armored while not being armored enough. The real stupidity that is usually revealed by these "people are stupid" pieces is generally that of the writer of the piece.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
The article states that if you find it difficult remembering all your passwords, you shouldn't be writing them down or keeping them in a Word document, but rather using a password management tool. But which one? A google search for "password manager" brings up a bajillion hits. But how do I know I can trust ANY of them to keep my passwords secure? For all I know, I could be downloading malware and giving every single one of my passwords to some criminal.
Just make an algorithm for your password. That way every site has a unique password, and you don't need to remember any passwords.
Say for Slashdot - your method might be number+letters from site+ fixed set of letters
So for slashDOT pass might be 2DOTwrd
For gooGLE 2GLEwrd
for yaHOO 2HOOwrd
etc
The weakness is if someone figures out your "method", so I use a few different methods - one for banking, another for social, and one for garbage sites.
My main bank account has its own separate complex password.
..........FULL STOP.
I use Password Safe to store my passwords; I have about 60 entries in my database. No, I'm not kidding. Between work and personal systems the number of passwords to keep track of is insane. Some don't allow special characters, some don't allow passwords > 12 characters (so no passphrases for you!) Worse, some are using "wish it was two-factor" schemes now, requiring me to know other pieces of information that are no better than a password anyway. They're often worse because they are based on information that can be found in public records or by some snooping into my personal life. Fortunately, I have pre-memorized answers for all the common questions (mother's maiden name, oldest sibling's middle name, high school, etc) that are not the correct answer so no one can guess them by checking ancestry.com.
Of course at work, we have a bunch of passwords that all have different expiration schedules. They've slowly been integrating things into the single sign-on system, but that is a work in progress. The funny part is the SSO system doesn't expire passwords and the password reset system is accessed by logging in with SSO, which totally defeats any notion of expiring passwords. Yet the policies remain in place. Expiring passwords are stupid, let me pick a good complex password and keep it.
Unfortunately there are too many players and too many commercial interests to easily change anything now. Similar to the problems with SMTP, if anyone had foreseen the problems and managed to get sysadmin buy-in in the early 1990s, then you could have made stuff like OpenID an internet standard. Then when everyone was rushing to get on the web in the early days, they'd grasp around for any info on current standards and practices and they would have implemented them. Let this be a lesson to you, even in simple matters like providing example code with your SDK: People will copy your simple crappy example code and it will end up being "the way" to do it, no matter how many disclaimers you put on it. Half of all password forms, expirations, and restrictions are just copies of what people have seen on other websites or in other applications. Sometimes bad design sticks around forever.
Natural != (nontoxic || beneficial)
Assuming the user doesn't lock his screen when leaving it, and that the user runs with elevated privileges and doesn't have to authenticate to install anything.
Instead of a trojan, change out their keyboard with an identical keyboard with a built-in keylogger. Then change it out again when you're ready to harvest.
But then "they" might get a DNA sample from the socks to create a clone and then train it to feign amnesia and authenticate itself as you via biometrics.
Be sure and burn all your toenail clippings too.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Also quoting Bruce, this headline should be rewritten entirely. The survey isn't showing how stupid people are, it's showing where users put their priorities. In this case, users value convenience over security, in an overwhelming number of occasions. Most of the time, *I* prefer convenience over security, and behave accordingly, though I also choose appropriately on occasions when security does matter.
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
Like anything else, it's a matter of trust. If you'd let them have a house key (SO, close friend, child, parent) why would you not trust them with a password? When I took my netbook to my friend Mike's house, who I've known for decades and fixed computers for him, he readily gave me his network password, and there was absolutely nothing wrong with that. He knows I'm not going to fuck him over.
You know the author is clueless because he thinks that not using special characters means your password is bad.
The "special character" myth is mostly something that's implemented because the computer can easily check for special characters and give phony reassurances to the clueless corporate overlords that they have secure passwords.
"p@ssW0rd" is a much poorer password than "smcgedbf," but it's easy to check and reject the second one. Of course, "smcgedbfstcpcawbhgc" is even better.
The last job I worked at was like Netflix but catered to a conservative Christian demographic. The most commonly used passwords were: movies, 123456, popcorn, [the company's name], jesus1.
3A 4E 22 05 C1 83 0B 7A
It's random, but my posting it here is probably considered illegal to someone.
For example most of the people I know (I fit in the younger generation category) have four to five passwords. They have a common trash password for sites they don't really care about being compromised (say slashdot). Then a different one for ones with personal data, but nothing critical. And then separate ones for email and financial stuff. Yes they share passwords between sites, yes they share passwords with loved ones (duh). But this is all done in a "smart" manner, not a dumb one.
Don't forget to steal their keyfob.
Really? I know this is what Bruce Schneier advocates, but to me this means that having your wallet stolen means all of a sudden your bank passwords are gone too. Given how much more likely it is to be robbed outside your home than it is to have someone break into your home, this seems completely backwards to me. You would call someone crazy for taping their PIN to the front of their ATM card, but putting all your passwords in your wallet is just about the same thing.
I already knew people had a tendency towards stupidly simple and easy to guess passwords. Saw them all the time working as a bench technician, had to deal with family and friends who refused to listen to my ideas on what they could do to make better but still easy to recall passwords. Now that I work in an ISP call center, it's even worse. Lots of people leave their passwords the default, others change it to something that could be guessed in minutes. If I had to guess, maybe 1 in 20 actually uses both letters and numbers, and even then it's not a toughie to figure out. They clamor for security on their wi-fi, and then promptly use a password that could be figured out in minutes, making that security next to pointless.
The only way I see things changing is to make a sort of reward system out of setting passwords. Refuse to allow passwords that are letters only. Use a meter of sorts like I've seen in a few applications where use of greater complexity gets you a bigger line and ranks it from bad to good to great to excellent, etc. If the system makes them feel smarter or more secure in their password, a lot of folks would probably go for it.
On the other end, a lot of password systems need to change. There are far too many out there that refuse to allow special characters, leaving you only able to use case and numbers as a means of making it difficult. Some of these are online banking system password schemes, and it's laughable when they talk of taking security so seriously, and then you hit that retarded limitation.
If the author of this hyperbole really wants to be heard, maybe he should work on his people skills.
His paranoia has blurred his understanding of English. I am not "stupid" because I use the same password on multiple websites or I have my browser save my password--the word I prefer is "practical", or "lazy", or "why the hell do I even need a password to login to this shitty page?"
I have not "lost control" if I give my wife my password to my Amazon account.
And "passwords are forgotten frequently"? You think? Because guys like this want us to use ridiculously complex and different passwords for every aspect of our digital existences.
People like this guy need to get some perspective and understand the risk/password-complexity trade-off. Not being able to access my own stuff is a form of security risk.
If someone gets my password what do they have? They can post as me on Slashdot? A dozen or so forums? They can use my Consumer Reports account for nefarious purposes? My medical records and bank account both have their own separate security system in which I'm forced to use the password they give me, and if anyone gets it wrong 3x in a row their automated system literally calls my cell on the spot. All of my work passwords are for firewalled applications. So really, this idea that your average internet user has need of all this security is just stupid. Really, the last line of defense in security is the password. The system should be set up to be secure enough that even if someone does get your password there's little to nothing they could do with it.
This is probably more of an Ask Slashdot type of post, but I'm reading through the article, and I know anyone can agree on "LOL u texted me ur password via text its abc123" and its immediate idiocy scale.
Looking to the more proactive side of things, I have to question how we best fix this. Let's take a look at three of the suggestions:
"One site, one password"
Okay, this makes sense. Let's play this out, because I think this is a common one with solid foundations for why many of us do it. I have an awesome password. My password is "23mQi*f4". This is a secure password, and it works great for my online banking site.
I also pay my credit card bills online. Okay, no problem. "galacticpotato84%jfd(" is my password for that one.
3 more credit cards, 2 webforums, three news sites, one credit union, 5 gaming sites, 2 web email accounts, and an amazon account later I now have almost 20 passwords, all of which are unique, and you're telling me I can't save any of these credentials in my browser? And I shouldn't write them down, obviously.
So now I need to, in a perfect world, have a next-world memory, or some sort of security manager for all these passwords. As a technology professional, I'm not even sure the best answer (My closest guess is a password manager, but that's an all your eggs in one basket kind of deal) to this - certainly you can't expect regular joes to know how to handle this.
"Change your passwords often!"
Again, at face value, no one is questioning this. This makes sense. But when you get down to applying it - now I've got 18 passwords that need to be updated yearly/monthly/whatever. This is more an extension of the problems outlined above than a brand new set of problems, but it definitely complicates things.
"Make your password unique"
This seems to go in direct conflict with the first point. I need 20 different passwords for 20 different sites, each with its own unique, yet "memorable sentence" (as the site says) structure.
I'm not arguing any of these points, I think they make sense, and I think it's really easy to laugh at someone whose password is hunter2, and it is texted, emailed, and shared to everyone and their mom.
I think it's a lot harder to proactively fix this in a reasonable way that the masses can consume. It's EASY to say "Change your password, idiot". But really, how do we get this assimilated into our culture? Furthermore - what is it really helping? In all these studies I've never seen anything that's, to me, functionally useful, i.e.:
- Risks of using a shared but secure password (Not written down, committed solely to memory, shared with no outside persons or systems. 64 character string, alphanumeric/special)
- Risks of using unique, secure passwords that are stored in external media (Written on a piece of paper and stored in a safe, stored in a password manager)
- Risks of using semi-unique, secure passwords that are committed to memory using some sort of algorithm (i.e.: Amazon - i04&f_24amazon, Ebay - i04&f_24ebay, Slashdot - i04&f_24slashdot)
My problem with these articles is everyone knows the basics - and even those that don't know the basics can easily comprehend "This is bad, don't do this". What is never emphasized is how to easily transition to a better scheme, and what it actually offers you. Maybe I've been jaded and corrupted by the corporate world, but if you can't give me some idea of an ROI, all I'm going to do is look at your proposed plan or idea and then ignore it and move on to the more critical issues to me.
Virtually nothing will protect you from people who have access to your desk.
Security is never about absolutes. Absolutely nothing will protect you 100% of the time from all possible eventualities, yet we still employ security measures. The general purpose to security is to increase the difficulty of an attack, decrease the possibility of meaningful success, and increase the possibility of catching the attacker.
So for example, simply putting a screensaver password on my computer might improve my security substantially. It gives casual attackers with limited technical knowledge and limited availability to my computer a relatively small window of attack-- they must get access to my computer in the period of time between when I leave my desk and when the screensaver kicks on. They must then install a trojan (or whatever you would suggest) in the short amount of time before I return to my desk and leave the area without being detected. But then there are other issues too-- they have to make sure the trojan won't be detected by my security package; they need to make sure the computer is more or less in the state that I left it, so as not to arouse suspicion; they may need to trigger the screensaver so that I don't come back and think, "why isn't my screensaver active?"
Yes, if they get access to my CPU while I'm out sick, they could try to get access a few different ways, but that all assumes that there aren't other people around the office, there's no security, and there are no cameras which would catch them in the act. It also assumes the attackers are substantially sophisticated to get past a simple password.
So there's a lot to consider. However, I can tell you right now that a simple screensaver password would be plenty of protection to keep my wife from reading my email. My wife isn't very technical, and even if you gave her physical access to my CPU and as much time as she wanted, she wouldn't know what to do.
And that's what I meant by "security depends on context". You have to ask things like:
Without knowing the context of what the information is, who the authorized personnel will be, and who the potential attackers will be, you can't begin to evaluate the effectiveness of a security scheme.
like slashdot does and hide passwords in posts automatically, e.g. mine is **********
The article is more retarded than most, but rather than bash it, I'd like to point out what I think is the root of the problem.
Multiple sign ons for every site.
Why do we still not have global single sign on? If not global, at least a few de facto standard ones that are actually safe to use. It'd take some browser integration and use some proper challenge/response and one time pad so that when you're authenticating to a 3rd party site it doesn't do the site any good to retain the auth info from your auth provider or yourself ...
Come to think of it, why don't we just use Kerberos for everything? Seems like with DNSSEC we could easily have a global authentication system for every app, all controlled by their respective owners.
Then you only need one password or key (whatever 'key' translates to would be entirely up to the end user and authentication provider). You could use digital signatures, hardware devices, simple passwords like now, whatever you wanted in the end for authentication. Tickets are your friend.
Then you just need one, really unique, secure password that you can actually remember.
The downside is, you've just put all your eggs in one basket, but that's more or less the way it works now anyway; at least this way people would be using a better basket and not showing its contents to nearly as many people where it can be stolen.
If you stop looking at it as a geek and start looking at it as a normal user, passwords are ridiculous to manage and don't really relate to a real world key all that great.
Users aren't stupid, the system is, and users don't know how to fix it, and we're not doing our job by not fixing it to make it actually usable rather than unmanageable.
The solutions are already there, and if anyone mentions OpenID you should be smacked in the face. It's a complete joke from a practical perspective.
Let's start using the systems that were created by really smart people a long time ago rather than inventing new ones that suck.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Just reply with your login and passwords and I'll tell you how dumb they are.
"You'll get nothing, and you'll like it!"
I hear someone outside my office talking on a cellphone giving out their password
just uneducated or unconcerned. I talk with a lot of people every day and people calling in about password resets fit into 3 categories: uneducated, not concerned and stupid. I've talked to really smart people who couldn't be bothered to remember the password of an account they log into once a month. I also talk to older folks that didn't grow up with computers like we did, and then there's the stupid ones that just can't grasp such concepts as 8 characters with numbers and letters. The poll is faulty and should be ignored.
"We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
coupled with their stupidity toward passwords, is the problem.
Turns out that a lot of SSH passwords aren't very secure. Like, who is really surprised by that...
Found on Bruce Schneier's blog.
I have seen websites which:
- require more than 8 characters
- require 8 or fewer characters (great security there!)
- require special characters
- disallow special characters (!)
- require mixed case
- are not case-sensitive
- require numbers and letters
- require that password not start with a number
- other stupid rules I can't remember
So many of those are so stupid, and the result of horrid programming. I want all my passwords to be a minimum of 9 characters, have plenty of symbols, and (and no sites ever require this) have no dictionary words in them.
Now it is possible for me to come up with a personal algorithm I can use and remember which would allow me to create a unique password for every site and still not be decipherable by someone who collected three of my passwords. (Sure, if you somehow got a dozen, maybe, just maybe you could figure it out; but that's unlikely since it uses weird associations from my personal past experiences for some of the characters and sometimes even for the number and kind of characters.) But there is no way I can implement a good algorithm given all the variances noted above.
I can't tell you how many times I've been locked out of accounts for getting my password wrong; only to find out when I'm resetting it that this particular system has some weird (and fundamentally stupid) combination of the above rules.
And you gotta love the spinoff of that. Typing in numerous variations of what I think is the right password. Seems insecure all by itself.
And as an aside... Whoever came up with the stupid idea that substituting numbers for letters is somehow secure? Do they honestly think that a hacker could never think of that, even though every idiot with fingers already has tried it? Really? If your company makes "trinkets" you think "tr1nk3ts" is a good password? WTF?
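The "tr1nk3ts" point above is exactly what a password-quality check on the defender's side has to account for: leet substitutions are the first thing a cracking rule set undoes, so a checker should undo them too before comparing against a word list. The following is an added example, not code from the original thread or from any product mentioned in it; the substitution table and the tiny word list are constructed for the demonstration, and a real deployment would use a full dictionary.

```python
import itertools

# Leet substitutions a cracking rule set routinely reverses.
# "1" and "!" are ambiguous (i or l), so a character maps to a string of candidates.
LEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "il", "|": "l",
}
# Constructed sample word list; a real checker loads a full dictionary.
WORDLIST = {"trinkets", "password", "company", "summer", "dragon"}
MIN_WORD_LEN = 4      # ignore short words that appear by accident in random strings
MAX_VARIANTS = 4096   # bound the expansion of ambiguous substitutions


def candidate_spellings(password):
    """Yield every plain-letter reading of the password.

    Example: "tr1nk3ts" yields "trinkets" and "trlnkets".
    """
    choices = [LEET.get(c, c) for c in password.lower()]
    count = 1
    for options in choices:
        count *= len(options)
    if count > MAX_VARIANTS:
        # Too many readings; fall back to the first candidate for each char.
        choices = [options[0] for options in choices]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def find_dictionary_word(password, wordlist=WORDLIST):
    """Return the first dictionary word hidden in the password (after de-leeting), or None."""
    for spelling in candidate_spellings(password):
        for word in wordlist:
            if len(word) >= MIN_WORD_LEN and word in spelling:
                return word
    return None


if __name__ == "__main__":
    for candidate in ("tr1nk3ts", "tr1nk3t5", "p@55w0rd", "%j@L:[`.^"):
        print(candidate, "->", find_dictionary_word(candidate))
```

Both "tr1nk3ts" and "tr1nk3t5" normalise to "trinkets", which is the point: a substitution rule only adds the handful of bits needed to pick which substitution was used, not the bits of a genuinely random character.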
This is a nice way to keep your passwords nice and random, but only have to remember one good one: http://www.clockwork-computing.com/CryptaPass.aspx
http://www.youtube.com/watch?v=MAfAVGES-Yc&feature=player_embedded har har har
I'm beginning to think there's excessive paranoia about a very narrow conception of security.
I am asked to invent at least one password a day. Most often, it's for something for which there is no need for any security. In fact, given that users, who are asked to make up passwords frequently, at a moment's notice, understandably reuse passwords, requiring a password where it isn't really necessary actually undermines security.
Every bank I've used, and as far as I know, every bank, requires a four-digit PIN for ATM access. That means that the single most important password most people use daily is a very weak one -- offset by the second form of authentication, the ATM card. ATM cards are frequently left in ATM machines by mistake. How much time do people spend worrying about the security of their bank PINs?
The real stupidity that is usually revealed by these "people are stupid" pieces is generally that of the writer of the piece.
So true. You even did a great job of demonstrating that exact principle with your own .sig:
-- George Bush is unliterate. - Jesse Jackson
That really sounded like one of those 'too good to be true' quotes - so I googled it - and sure enough, it is.
Jackson was parodying Bush when he said that for Bush to compare school vouchers to the Brown v Board of Education ruling was unliterate fuzzy history. "Unliterate" being a dig at Bush's propensity for neologism and "fuzzy history" a reference to Bush's claim during the 2000 presidential debates that Al Gore's points about Bush's own budget proposals were "fuzzy math."
But, as you said, this "jesse jackson is stupid" quote just says more about you than it does Jackson.
And anyone thinking of accusing me of liberalism, bite me.
I just couldn't resist the irony, "too good to be true" quotes/beliefs being my particular interest.
When information is power, privacy is freedom.
I was assuming desk at work, and most folks have a cube to make matters worse.
I want all my passwords to be a minimum of 9 characters, have plenty of symbols, and (and no sites ever require this) have no dictionary words in them.
How is %j@L:[`.^ any more secure than %j@Cat`.^ ? The inclusion of a word makes it easier to remember, and no less difficult to crack. Maybe easier to shoulder surf, but a stern glare, harrumph, and eventually shoving the rude shoulder surfer out the door beat that. In fact, I'll take a long passphrase filled with actual dictionary words (and maybe a misspelled one or odd symbol) before going back to a short, impossible to remember password with silly entropy rules.
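The comparison above (a 9-character random string, the same string with a dictionary word in it, and a long passphrase of real words) can be put into numbers with a guess-space estimate. The block below is an added example, not from the original thread; it assumes a 94-character printable alphabet, a 7776-word Diceware-style list and a 20,000-word dictionary, all constructed constants, and it also models the "secret prefix + site name" scheme from an earlier comment, where only the shared prefix is secret.

```python
import math
import string

# Constructed assumptions for the estimate.
ALPHABET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)  # 94 printable, no space
DICEWARE_WORDS = 7776      # size of a Diceware-style word list
DICTIONARY_WORDS = 20_000  # size of an ordinary English word list


def random_string_bits(length, alphabet_size=ALPHABET_SIZE):
    """Entropy of `length` characters chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, list_size=DICEWARE_WORDS):
    """Entropy of `word_count` words chosen uniformly from a word list."""
    return word_count * math.log2(list_size)


def word_plus_random_bits(random_chars, dictionary_size=DICTIONARY_WORDS,
                          alphabet_size=ALPHABET_SIZE):
    """Random characters plus one dictionary word, assuming the attacker knows that structure."""
    return random_string_bits(random_chars, alphabet_size) + math.log2(dictionary_size)


def shared_prefix_bits(prefix_len, alphabet_size=ALPHABET_SIZE):
    """'Secret prefix + site name' scheme: the site name is public, so only the prefix counts.

    Once one site leaks the password, the prefix is known and the other sites are at 0 bits.
    """
    return random_string_bits(prefix_len, alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole space at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


def compare():
    """Side-by-side estimate for the schemes discussed in the thread."""
    return {
        "9 random chars (%j@L:[`.^)": random_string_bits(9),
        "6 random chars + 1 word (%j@Cat`.^)": word_plus_random_bits(6),
        "5-word passphrase": passphrase_bits(5),
        "8-char secret prefix + site name": shared_prefix_bits(8),
        "8-char prefix after one site leaks": 0.0,
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:40s} {bits:5.1f} bits  "
              f"{years_to_exhaust(bits, 1e10):.2e} years at 1e10 guesses/s")
```

The numbers depend entirely on the attacker knowing the structure; a dictionary word costs about log2(dictionary size) bits, which is less than three random printable characters, while each word of a Diceware-style passphrase is worth almost two random characters and is far easier to type and remember.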
http://keepass.info/ - free, open source and solves most of these password problems well. Version 1 has Linux, Mac, Windows, Android and iPhone clients. Works great in conjunction with Dropbox.
maybe a misspelled one
bingo.
Their criteria are a bit strict.
Honestly, if someone manages to hijack the password for my Slashdot and forums accounts, it's not that big a deal. At worst, they can pretend to be me on a forum somewhere.
I keep a few separate passwords for email, all of them secure, I keep a very secure one for banking type activities online that I change on a regular basis (same goes for email).
I keep another password for things I assume are completely insecure, and don't care if people break into it ever. This is for things like game downloads and the like.
For my actual bank... I don't go online, at all, it doesn't exist on my computer, I receive bank records by mail, and keep them in a filing cabinet. Why? The bank "forgets" records after a few months, and charges a fee to dig through my accounts. So instead, I keep a permanent record so I have a physical court usable record of my finances, and deal with the bank for major issues in person directly. I can't get more secure than that.
I don't really understand why we are all still using passwords! We are coming into a new age of technology every day, so why aren't we already using thumbprint identification? I have to use a thumbprint/6 digit PIN/CAC card identification to do just about anything at work. Wouldn't it be much easier to just have a thumbprint machine at every station, and all of your certifications are matched up to that print? So if you log into a bank site (which has already been set up to your print) on any machine, it registers the certification and automatically logs you in? Why are we not going that route? Expensive to start, yes, but in the end I'm sure that would be more secure.
I never understood the argument for using special characters in a password. If these are a requirement, how are they making the password harder to guess algorithmically? But it does make it more difficult to remember & enter, especially on different locale keyboards.
Or you could like.. use an OS with a good password management system.
Fuck people are dumb.
It's not their fault if their work computer gets compromised.
It's either the fault of Evil Hackers (TM), or more commonly, the IT department.
Either way, they don't have to deal with the repercussions of their actions. Someone else does. And not surprisingly, this type of relationship (that is, one where someone else bears the brunt of someone else's bad decisions) is so commonplace in corporate America that almost no one notices anymore.
When users see their employer using Windows for that "high security" project, it sends a very clear signal that either the company doesn't care about security, or considers security an "IT problem", or possibly both. If the company doesn't care about security, why should the employee?
The society for a thought-free internet welcomes you.
That's because Windows is retarded, and despite the ancient advice to "NEVER SHARE YOUR PASSWORD", you, the administrator, cannot easily access the user's settings without either A) resetting their password (and causing them to worry to no end), or B) asking for their password. Want to fix those font settings in Firefox? Whoops! That's per-user, not per-machine; you'll need to log in as them if you want to fix it.
MickeyMinnieDonaldDaisyHueyDeweyLouieGoofySacramento
8 characters and a capital. OK?
Kill the spiders to save the butterflies. It's only rational until you realize by doing so you've become the spider.
To make it even easier to remember, you then post that silly phrase as your sig on /.
-this way your password is always there when you need it.
-------
Sally had often real trouble playing even nice 1 summer
Musings: I use really crappy passwords in places where I really don't care - that is on sites that I think shouldn't bother me with passwords in the first place. My contact info, email etc., is publicly available in various places so I don't care about protecting that at all - it's a lost cause.
My normal passwords are based on mnemonics and won't be broken by dictionary searches, but I don't use many special characters. I also use the same passwords for many different sites. So far I haven't had any incidents at all but if something would happen, I think I have made sure my life won't be ruined. The credit cards have moderate limits and I don't write about my ball gag fetish.
I have one strong password I use for really important systems, but I end up using it so rarely it sometimes slips out of my mind.
I don't think it is reasonable to expect people to use different strong passwords on every site, not even "important" sites such as social networking. Even if I did, every once in a while I would certainly forget which password goes where and thus give away the wrong one, at which the nefarious site will have won anyway.
My password is 1
Slowly waving my hand - "This is not the sig you are looking for."
I believe you mean "Bean Gogh."
"tr1nk3ts"
Whoops. That was totally insecure. I meant: tr1nk3t5,
Nobody would EVER crack with that.
SuperGetPass / SuperChromePass FTW. You pick one password. It gets hashed against the domain name in your browser to generate secure non-reversible passwords for each website. You only have to remember one, and you don't have to keep any dubious encrypted "password vault" on your computers or "in the cloud."
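The "one master password, hashed against the domain" idea described above can be shown in a few lines. What follows is an added example and not SuperGenPass's own algorithm or code: it stretches the master password with PBKDF2-HMAC-SHA256 using the normalised domain plus a rotation counter as the salt, and encodes the result. The iteration count, output length, the `normalize_domain` helper and the counter are assumptions made for this example.

```python
import base64
import hashlib

# Assumed parameters for this example (not SuperGenPass's real settings).
KDF_ITERATIONS = 200_000    # cost per derivation; slows offline guessing of the master
SITE_PASSWORD_LENGTH = 16   # trimmed to a length most sites accept


def normalize_domain(host):
    """Canonicalise the host so www.Example.com and example.com derive the same password.

    A lookalike domain (examp1e.com) still derives a different password, which is
    a useful side effect against phishing pages.
    """
    host = host.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def site_password(master_password, host, counter=0):
    """Derive a per-site password deterministically from the master password.

    The salt is the domain and a counter; bumping the counter rotates one site's
    password without changing the master or any other site.
    """
    salt = f"{normalize_domain(host)}|{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, KDF_ITERATIONS, dklen=24)
    # 24 bytes -> 32 base64 chars with no padding; letters, digits, '+' and '/'.
    return base64.b64encode(raw).decode("ascii")[:SITE_PASSWORD_LENGTH]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for host in ("www.Example.com", "example.com", "example.net", "examp1e.com"):
        print(f"{host:18s} {site_password(master, host)}")
    print("example.com rotated:", site_password(master, "example.com", counter=1))
```

The trade-off the comment glosses over is that nothing is stored, so nothing can be rotated except by remembering a counter per site, and a compromise of the master password exposes every derived password at once; the stretching only buys time against offline guessing of the master from one leaked site password.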
The problem with throwaway accounts, usernames and passwords is you really never know when an account will become important later. Let's have a thought experiment. You create an online mail account "wigli547sancho" at Yahoo.com from your home PC (with of course, your IP address logged and traceable to your home address). You use that email address to register for an online webinar on iSCSI SAN storage from Dell you need to watch from work, because it's a throwaway address and you're worried Dell will send you spam. The webinar makes your userid visible when you make a comment, or as general practice. You register with the same user ID and password on a discussion board you googled immediately after the webinar to follow amplifying discussion, so you can post a comment. In the registration you gave the same throwaway userid, password and email address. The discussion board operator, by creatively feeding Google with keywords and presenting a credible forum to respond to this webinar opportunity now sees an upswing of several hundred users, many of whom will have exploitable account info. The process for him is automated, so the extent of his effort is to subscribe to these events from all vendors and build keyword lists that people might search for following such events - AI hasn't gotten so far that such things can be totally automated yet (though I hear the work is in progress and the suggestions are becoming very good).
Now we get to the automation. Blackhat account harvesting engines definitely include bulletproof hosting options that feature blogging engines with SEO features. Given advance notice of the event they seed thousands of blogs with keywords likely to be searched for after such an event on a time cycle that peaks on the actual event. Dell iSCSI blogs are scarce, so becoming the definitive reference is low-hanging fruit. The AI definitely has gotten good enough to take "Dell iSCSI" and search the web, harvest comments and appropriate them to simulate a real discussion blog about that topic with grammatical, synonym, and/or spelling permutations - and to permute across those variables to take ownership of the googlespace for that micromeme. You've probably stumbled across several of these semi-incoherent pseudoblogs already and considered them some misfired auto-translation effort, but that's not what they are. Since they become trending topics thereby, they reach the top of Google's search results for a few hours and become the results you click on after the event. Given the basic login information they can try permutations of owning the email account. Some email account providers limit or rate-limit attempts to login and lockout and alert on multiple failures but most don't. The cracking scripts are online account provider login attempt rule aware, so they won't attempt logins that result in notifications. They don't have to compromise every account - only the least diligent, and that's you because for you this is a "throwaway" account.
Once they have access they'll change the recovery email address and password so they own it utterly. If the change engine requires a captcha they include features that farm the same captcha image out to a different blog where a human will helpfully enter the required text in order to gain access to a completely unrelated feature and topic. That answer is then automatically forwarded to the site that demanded a captcha of the bot. The account is owned mere seconds after creating the account on the blackhat blog - no human intervention is required. You lose access to your throwaway account, and figure you've forgotten the throwaway password that went with it. You forget it and move on.
Some anonymous criminal now owns your throwaway account. Now what will they do with it? Expand the account to all the free options that Yahoo offers? Send Pharma spam? Use it as storage for the worst imaginable porn? Store prerelease videos and albums? Use it as the base address for Myspace, Facebook and Twitter accounts to resell likes, fans,
Help stamp out iliturcy.
Different passwords for websites? I'm flat out remembering which password logs me in to my work computer in the morning thanks to our corporate policies. When I first started here we had a policy of changing passwords every 6 months. That's it. Now we change every 2 months, passwords must meet a minimum complexity and must be significantly different to the previous password. As a result we've gone from a workplace where everyone felt nice and secure to a workplace where every user has their password on a post-it on their screen because no one can keep track of how to log in on any given day.
Until you can, somehow, make it contractually their problem.
Athy, athier, athiest.
> It complained that the Bradley had too high of a profile, making it vulnerable.
> It claimed that the Bradley was too cramped internally.
There is nothing wrong with that summary.
Its silhouette is too tall for an active combat participant on the battlefield. It is not capacious enough as an APC. The reasons for this lie entirely with the project managers.
The DoD insisted that the original design be compromised with the addition of a turret with an autocannon to engage light AFVs, then added TOW because it would need to defend against MBTs when using the cannon, then TOW reloads and additional armour to defend against the MBTs that were alerted by the initial TOW launch etc.
Meanwhile the infantry accommodation was being cut to make space. Instead of returning to the original M113-replacement spec, the Army was forced to reduce the size of a mounted fire team. Dismounted infantry capability suffered accordingly.
The Bradley is the exemplar of getting everything wrong.
People "don't care" doesn't translate into stupid or careless. It means they don't care. For most web sites, it really doesn't matter. "Reusing" passwords? I already have a list of > 60 unique passwords. If I didn't reuse passwords, that would be > 200. I suspect nobody can maintain > 5 passwords without writing them down, and that sort of defeats the purpose, no?
>Until you can, somehow, make it contractually their problem.
You might, I suppose, make end users responsible for any security compromises the company deems them responsible for causing.
But I believe the system should be set up so that users can't cause those problems to begin with.
Want strong passwords? Enable a scheme that forces users to have passwords of a certain length, with a certain number of numbers and non-text characters, disallow repeating-pattern passwords and password reuse.
Want to prevent attachments from causing problems? Screen them at the server.
Want to prevent users from finding malware on the web? Put tools in place to limit their internet access.
In short, don't put a mission-critical piece of equipment on every employee's desk whereby if they don't use it right it can seriously compromise your business.
Nearly every business has some sort of process or equipment that must be used exactly right, every time, by highly-trained (and usually highly compensated) people, and yes, if they screw up the consequences for the company and that employee are dire.
But to expect this level of alertness for every computer user in the company is silly and unrealistic. Especially for staff positions, where they have neither the training nor financial motivation to really care.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
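The "enable a scheme that forces" point above (length, character classes, no repeating patterns, no reuse) is what a server-side policy check looks like in practice. The block below is an added example, not the thread's or any product's code: thresholds are constructed, and password history is kept as salted PBKDF2 hashes so the old passwords themselves are never stored.

```python
import hashlib
import hmac
import os
import re

# Constructed policy thresholds for the example.
MIN_LENGTH = 12
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, other
HISTORY_SIZE = 5         # how many previous passwords are remembered
HISTORY_ITERATIONS = 50_000
SALT_LEN = 16


def character_classes(password):
    """Count how many of the four character classes appear."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in password) for test in tests)


def has_repeating_pattern(password):
    """True if any unit of one or more characters repeats three or more times in a row
    (e.g. 'aaa', 'abcabcabc', 'Abc!Abc!Abc!')."""
    return re.search(r"(.+?)\1{2,}", password) is not None


def history_entry(password, salt=None):
    """Salted PBKDF2 digest of a password, stored as salt || digest."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HISTORY_ITERATIONS)
    return salt + digest


def in_history(password, history):
    """Check the candidate against every remembered entry, reusing each entry's salt."""
    return any(hmac.compare_digest(history_entry(password, entry[:SALT_LEN]), entry)
               for entry in history)


def check_password(password, history=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if character_classes(password) < MIN_CLASSES:
        problems.append("classes")
    if has_repeating_pattern(password):
        problems.append("repeat")
    if in_history(password, history):
        problems.append("reuse")
    return problems


def record_password(password, history=()):
    """Return the updated history (most recent last), keeping only HISTORY_SIZE entries."""
    return (list(history) + [history_entry(password)])[-HISTORY_SIZE:]


if __name__ == "__main__":
    history = record_password("Correct-Horse-9Battery")
    for candidate in ("Ab1!", "Abc!Abc!Abc!1", "Correct-Horse-9Battery", "Staple-Horse-4Battery"):
        print(f"{candidate:24s} {check_password(candidate, history) or 'ok'}")
```

Keeping the history as salted hashes means a breach of the policy database does not hand out a user's previous passwords, which matters because, as other comments in this thread note, those are often still in use elsewhere.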
My bank has 2 different login accounts to access a joint bank account.
If one locks him or herself out, the other person still has access to the account and is fully authenticated....
Many people don't write a will, or write one that is very specific about who gets what, so giving passwords to one of the parties that may inherit something is a recipe for disaster.
You should give passwords to nobody since the appropriate way to deal with money on a bank account of a deceased person is to follow the legal niceties to ensure everybody is treated fairly.