Survey Shows How Stupid People Are With Passwords
wiredmikey writes "Another study was released today that once again shows how careless people really are online. When it comes to safeguarding personal information online, many people don't seem to care very much, or don't think enough about it. In the survey of more than 2,500 people, some interesting and scary trends were revealed in how users handle their online passwords..."
Working in an enterprise, one of the biggest excuses I hear from people when I talk to them about password security is they will say "oh my account doesn't do much" or "it's not a big deal if someone gets my stuff".
They have no idea that it's not so much about them having their stuff (which incidentally probably indeed doesn't matter much), but just people having access to accounts that they shouldn't. I usually tell them why it's important after they give me an excuse like that. But most people just don't seem to care. But of course they care when something happens.
Younger people are especially likely to take online security risks. Webroot found that among 18 to 29 year-olds...
The bad practices don't surprise me. But it's disturbing that younger people are more lax about security, even though they are (by and large) more tech-savvy than older folks. I realize this is also the MySpace/Facebook generation that broadcasts personal information all over the internet, but these stats aren't just dumb teenagers.
If anything, I would hope that people who are more familiar with technology would understand the risks better, but that's not the case here... and that's perhaps a more worrying trend than the overall disregard of safe practices.
retinal scan
One very good solution is to use pwdhash:
https://www.pwdhash.com/
You can install it as a local plugin for Firefox or as bash/ruby scripts on your computer.
You only need to remember one strong master password, and forget about the rest.
You get something like this, depending on domains (no phishing!) & the length of your master password:
+1xhTRy7T for ebay.com
fRrL2nI7+ for amazon.com
TYZyfI0u+ for facebook.com
3yL+WQBF7 for skype.com
+KwIr4FId for delicious.com
Enjoy!
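The idea behind pwdhash, as an added illustration (this is not the pwdhash code and will not reproduce the values listed above): the site's registered domain is fed through a keyed hash with the master password, so every site gets a different password and a lookalike phishing domain gets one that is useless on the real site. The domain reduction below is a deliberate simplification (last two DNS labels, so public suffixes like co.uk are not handled).

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url_or_host):
    """Reduce a URL or hostname to the registered domain used as the salt.
    Assumption/simplification: keep the last two DNS labels, so
    'https://www.ebay.com/signin' -> 'ebay.com'. Suffixes like 'co.uk'
    are not handled."""
    ref = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = urlsplit(ref).hostname or ""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def derive_site_password(master, site, length=9):
    """Domain-specific password from a single master secret.

    HMAC-SHA256 keyed with the master password over the domain; the
    master never leaves the client, and only the derived value is typed
    into the site. A different domain (e.g. a lookalike phishing host)
    yields an unrelated password, which is the anti-phishing property."""
    domain = site_domain(site)
    digest = hmac.new(master.encode(), domain.encode(), hashlib.sha256).digest()
    # Truncated base64 keeps the output typeable; real tools also enforce
    # per-site composition rules, which is omitted here.
    return base64.b64encode(digest).decode()[:length]


if __name__ == "__main__":
    # Constructed demo: same master password, several sites.
    master = "correct horse battery staple"
    for site in ("ebay.com", "https://www.amazon.com/", "amazon-login.example"):
        print(f"{derive_site_password(master, site)} for {site_domain(site)}")
```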
The way password systems were designed was stupid to begin with. Programmers designed password systems for people like themselves. The real issue is, programmers did not foresee the internet and the need for easy authentication at multiple sites with strong keys.
I still don't know why Microsoft and other OS makers have not bought out roboform to integrate it into their OS and change the culture over time.
http://www.roboform.com/
Roboform generates unique passwords and makes "click button" authentication easy, and you can back up your encrypted passwords on USB sticks, etc.
Because having unique passwords for every site makes it very difficult to use another computer at random. Storing on a USB stick is great, except when I want to log in from my iPhone and need to find some way to view that password. Or lose my USB stick and want to check my e-mail while in Russia on business. Simply put, it's terribly inconvenient for the average end user - the only way that they'd be willing to go along with it is if the passwords could be retrieved over the internet with a master password - which would give a single point of failure and be even less secure than the current system.
So make them longer and less randomized.
Pick a new sea shanty for each site and replace some of the letters with numbers or symbols. People easily remember songs, so a couple verses should be no big deal.
It's just a crappy system, we should be using public key encryption with our private keys stored on a USB key - or some other similar scheme, where we don't have to memorize a million randomized passwords in order to not have our identity stolen.
You can actually do that now with OpenID and a smartcard (actually, you don't need the smartcard but it's more secure than a USB/flash dongle).
Problem is most places don't implement OpenID (yet?).
The ratio of people to cake is too big
Seriously, either you rely on password reuse, you have the world's greatest memory, or you're vitally dependent on some software to track your passwords, and if you lost that, you've lost everything.
In order of difficulty and importance I remember roughly four passwords:
1. The full disk encryption, it's for everything I don't trust the intartubes with.
2. My online bank password, you can pull a lot of BS but don't touch my money.
3. My webmail password - both as it's personal and as it gives other logins.
4. My "everything else" password - for most forums and shit.
That does not count the PIN on my ATM card, my logins at work or any of the other of the many things I ought to remember. That also doesn't count that I regularly have to swap between three different user ids because "Kjella" is often taken. That's enough for one mind, and I've heard I'm fairly good at remembering things. For people that seem to have enough just remembering their PIN I just don't see it happening without help. And given the reliability of HDDs and most people's ability to take backups, I'd suggest a note in your wallet. And maybe a backup of that too, since I know several who have lost their wallet or had it stolen.
Live today, because you never know what tomorrow brings
Having passwords accessible in some fashion for family in the event of death is good, but not considered very often.
Write them down, or put them on a thumb drive in a safe... I knew most of my Dad's passwords when he died quite unexpectedly. It simplified a lot of the financial issues.
Maybe it is a general security problem, but banks will let you do things online with a password that you'd need certified court documents and a death certificate to do in person: transfer money between accounts, pay utilities from the account. Anything that has online, recurring payments needs to be dealt with (e.g. Netflix).
My plan, as yet unimplemented, is to put all that stuff in an encrypted TrueCrypt file (on a thumb drive or unprotected PC) and give my family the password to that file.
Help! Help! I'm being repressed!
Back in the 1980s, when the Bradley IFV was just coming out, I saw a 60 Minutes piece on the vehicle. It complained that the Bradley had too high of a profile, making it vulnerable. It claimed that the Bradley was too cramped internally. Thus, it was both too big and too small. In a similar vein, it was too well armed and not well armed enough, and too well armored while not being armored enough. The real stupidity that is usually revealed by these "people are stupid" pieces is generally that of the writer of the piece.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
My wife locks me out every time she accesses our bank account. Our credit union has implemented a new "security" feature where the account number and password remembers the cadence that you enter the information. If the cadence doesn't match, it rejects it. I type a lot faster than she does, so my cadence is never even close to what hers is.
This is something that irritates me quite a bit -- don't the people who insist on at least one capital letter and at least one numeric know that they reduce the number of possible combinations that way?
If you insist on at least one capital letter, one lower case letter, one digit and one symbol, you have reduced the number of combinations to 1/360th. Or, to put it another way, if it would have taken a year to brute-force all passwords, it will now only take a day.
The only thing that is more irritating are pre-generated "security phrases" in case you lose your password. Just because I do business with you gives you no right to know what my mother's maiden name or name of my first pet was (and, besides, those types of questions aren't safe either -- a dedicated criminal would have few problems finding that information).
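The keyspace argument in the post above can be checked with inclusion-exclusion. This is an added example, not the commenter's figures: it counts, for a given length and the 94 printable ASCII characters split into four classes (sizes assumed here), how many passwords satisfy "at least one of each class", and what fraction of the unconstrained keyspace that leaves an attacker to search.

```python
from itertools import combinations, product

# Assumed class sizes for printable ASCII: upper, lower, digit, symbol.
CLASS_SIZES = [26, 26, 10, 32]


def count_all_classes(length, class_sizes):
    """Number of strings of `length` over the union of the classes that
    contain at least one character from every class (inclusion-exclusion:
    sum over the set of classes excluded, with alternating sign)."""
    total = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        for excluded in combinations(class_sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count


def keyspace_reduction(length, class_sizes):
    """Return (unconstrained keyspace, constrained keyspace, fraction kept).
    The fraction is what a composition rule leaves for a brute-force search
    that knows the rule."""
    total = sum(class_sizes) ** length
    constrained = count_all_classes(length, class_sizes)
    return total, constrained, constrained / total


def brute_force_count(length, classes):
    """Enumerate every string over a tiny alphabet to cross-check the
    formula. `classes` is a list of strings, one per class."""
    alphabet = "".join(classes)
    return sum(
        1
        for s in product(alphabet, repeat=length)
        if all(any(ch in cls for ch in s) for cls in classes)
    )


if __name__ == "__main__":
    for n in range(4, 13):
        total, constrained, frac = keyspace_reduction(n, CLASS_SIZES)
        print(f"len {n:2d}: {constrained:.3e} of {total:.3e} "
              f"({frac:.1%} kept, {1 / frac:.1f}x smaller)")
```

The reduction is large for short passwords and shrinks quickly with length, because a long random string almost always contains all four classes anyway.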