Survey Shows How Stupid People Are With Passwords
wiredmikey writes "Another study was released today that once again shows how careless people really are online. When it comes to safeguarding personal information online, many people don't seem to care very much, or don't think enough about it. In the survey of more than 2,500 people, some interesting and scary trends were revealed in how users handle their online passwords..."
From TFA:
"30 percent logged into a site requiring a password over public WiFi (vs. 21 percent overall)"
So what? That's what SSL and certificates are for. Entering your password in a public computer - well, that's another story.
For example, the article asserts that 4 out of 10 people have shared a password in the last year. I've done that. I shared the password to one of my email accounts with my twin who needed access. And after he was done I changed the password. Much of the data here is very hard to actually show is bad without more context for what exactly people were doing. Also, while we're discussing these issues, obligatory xkcd - http://xkcd.com/792/.
Also, regarding: "And 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer."
I think writing down your password isn't that bad of a choice (especially for online passwords, not the one that logs you into your computer).
I'm not the only one who thinks that way: http://www.schneier.com/blog/archives/2005/06/write_down_your.html
So, what, we're supposed to have a different password with special characters and nothing significant to us (like dates) for each of the 150 online accounts we have? Oh, and if we write down the passwords somewhere so we don't forget them we're dumb too? Whatever! Maybe if we all had photographic memories that would be a realistic option, but there's just no way it's going to happen like that.
It's just a crappy system, we should be using public key encryption with our private keys stored on a USB key - or some other similar scheme, where we don't have to memorize a million randomized passwords in order to not have our identity stolen.
4 in 10 respondents shared passwords with at least one person in the past year.
> 4 in 10 are married?
Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised. (A separate recent study revealed that 75% of people use the same password for Social Networking Sites and their email accounts)
> If I have a hotmail account and a twitter account, which I never use, should I create strong, unique passwords for both? Why?
Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords.
> Examples of weak passwords: Pingeico4 due7Johh Eexee9ot Soobanah6 Ja3sahte
2 in 10 have used a significant date, such as a birth date, or a pet's name as a password – information that's often publicly visible on social networks.
> Some people have disposable passwords for useless login credentials. A New York Times account doesn't require a strong password.
Most of these conclusions are neither scary nor stupid.
Yeah, it depends on what you're protecting against. If the purpose of online passwords is primarily to prevent other online users from accessing your account, then writing the password down in a notebook on your desk is safe. Insofar as the purpose is to protect your account from someone who has access to your desk, it's not safe.
It's important to remember that security depends on context.
Users are careless with their workplace computers because it's not their data and they don't care what happens to it.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
The problems with variable password rules make it harder to create password systems. More importantly, usually we don't really need one. Really, is there any need for a site like moviefone to have a password? I mean really, it's a freaking movie website list. Let them track you with a cookie, not a login and a password. I don't agree to give my credit card number to my grocery store permanently just to get "one click" payout; what possible reason would I do it for a freakin movie ticket? Honestly, even slashdot could work almost as well without a real password. Just set it up so that it has a username that does not show the last 4 letters, and the only way to change the password is by asking them to send a reset to the email account you signed up in. A 4 letter password plus an email reset would work fine for something as unimportant as a tech news site with commenting. I mean really, would it be that horrible if someone stole your slashdot identity? It's not a bank account for god's sake. Or set it up with a camera ID system.
excitingthingstodo.blogspot.com
Considering this "article" also rails on people for not using a different password on every website, I don't know what he expects people to do with them.
When you throw 100 passwords at people and want to enforce "strong" passwords on all of them (which he also complains about), what option do people have but to store them somewhere? Paper is a useful medium for this purpose.
This article is bullshit, really. Some of the things he complains about are the direct cause of other things he complains about. Make up your fucking mind.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Perhaps young people do understand online security better... http://news.slashdot.org/story/10/03/16/1931214/Users-Rejecting-Security-Advice-Considered-Rational
Thanks for the link. The article is interesting. However...
Most of the supposed sins highlighted in the article are junk.
That's not what the article from your link says. I quote from it:
While we argue that it is rational for users to ignore security advice this does not mean that the advice is bad. In fact much, or even most of it is beneficial. It's better for users to have strong passwords than weak ones, to change them often, and to have a different one for each account. That there is benefit is not in question. However, there is also cost, in the form of user effort.
In other words, the linked article is about why users may be acting in a rational manner (in economic terms) by ignoring security advice, not that the advice is "junk." Getting fire insurance is also a waste of time and money for most people (and perhaps not getting it could be considered a "rational" decision according to some economic logic), but if your house burns down, you might have some real problems.
The reality is that people who better understand online security find that there are plenty of solutions out there to make their lives as easy as (if not easier than) those who engage in bad security practices. Just because you don't reuse passwords doesn't mean you have to have them all memorized, for example. There are effective ways to manage such things without a high user cost in time and effort.
If people understood online security better, they'd make use of such technological solutions to be both safe and efficient. That's not what TFA says, though.
For example, most of the people I know (I fit in the younger generation category) have four to five passwords. They have a common trash password for sites they don't really care about being compromised (say slashdot). Then a different one for ones with personal data, but nothing critical. And then separate ones for email and financial stuff. Yes they share passwords between sites, yes they share passwords with loved ones (duh). But this is all done in a "smart" manner, not a dumb one.
When I was 15 I figured out my first law of nature. Said law is, "People are generally stupid."
In the 27 years since I first figured that out, I have seen no evidence to the contrary.
Looks like Mark Twain was a bit faster than you.
Quoting him:
"When I was a boy of 14, my father was so ignorant I could hardly stand to have the old man around. But when I got to be 21, I was astonished at how much the old man had learned in seven years."