Survey Shows How Stupid People Are With Passwords
wiredmikey writes "Another study was released today that once again shows how careless people really are online. When it comes to safeguarding personal information online, many people don't seem to care very much, or don't think enough about it. In the survey of more than 2,500 people, some interesting and scary trends were revealed in how users handle their online passwords..."
In addition to securing web and database servers and only storing the passwords as salted hashes, websites should do more to protect the user passwords. This, for example, is why Slashdot hides your password as ******** if you accidentally happen to write or paste it into a comment - a practice every website should follow.
was the "with passwords" part actually needed in the title? ;)
From TFA:
" 30 percent logged into a site requiring a password over public WiFi (vs. 21 percent overall)"
So what? That's what SSL and certificates are for. Entering your password on a public computer - well, that's another story.
The way password systems were designed was stupid to begin with. Programmers designed password systems for people like themselves. The real issue is, programmers did not foresee the internet and the need for easy authentication at multiple sites with strong keys.
I still don't know why Microsoft and other OS makers have not bought out roboform to integrate it into their OS and change the culture over time.
http://www.roboform.com/
Roboform generates unique passwords and makes "click button" authentication easy, and you can back up your encrypted passwords on USB sticks, etc.
For example, the article asserts that 4 out of 10 people have shared a password in the last year. I've done that. I shared the password to one of my email accounts with my twin who needed access. And after he was done I changed the password. Much of the data here is very hard to actually show is bad without more context for what exactly people were doing. Also, while we're discussing these issues, obligatory xkcd - http://xkcd.com/792/.
Working in an enterprise, one of the biggest excuses I hear from people when I talk to them about password security is they will say "oh my account doesn't do much" or "it's not a big deal if someone gets my stuff".
They have no idea that it's not so much about them having their stuff (which incidentally probably indeed doesn't matter much), but just people having access to accounts that they shouldn't. I usually tell them why it's important after they give me an excuse like that. But most people just don't seem to care. But of course they care when something happens.
It's a bad idea to use the same password everywhere, so I just set the password as my username and pick a new username on every website.
Also, regarding: "And 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer."
I think writing down your password isn't that bad of a choice (especially for online passwords, not the one that logs you into your computer).
I'm not the only one who thinks that way: http://www.schneier.com/blog/archives/2005/06/write_down_your.html
So, what, we're supposed to have a different password with special characters and nothing significant to us (like dates) for each of the 150 online accounts we have? Oh, and if we write down the passwords somewhere so we don't forget them we're dumb too? Whatever! Maybe if we all had photographic memories that would be a realistic option, but there's just no way it's going to happen like that.
It's just a crappy system, we should be using public key encryption with our private keys stored on a USB key - or some other similar scheme, where we don't have to memorize a million randomized passwords in order to not have our identity stolen.
Younger people are especially likely to take online security risks. Webroot found that among 18 to 29 year-olds...
The bad practices don't surprise me. But it's disturbing that younger people are more lax about security, even though they are (by and large) more tech-savvy than older folks. I realize this is also the MySpace/Facebook generation that broadcasts personal information all over the internet, but these stats aren't just dumb teenagers.
If anything, I would hope that people who are more familiar with technology would understand the risks better, but that's not the case here... and that's perhaps a more worrying trend than the overall disregard of safe practices.
4 in 10 respondents shared passwords with at least one person in the past year.
> 4 in 10 are married?
Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised. (A separate recent study revealed that 75% of people use the same password for Social Networking Sites and their email accounts)
> If I have a hotmail account and a twitter account, which I never use, should I create strong, unique passwords for both? Why?
Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords.
> Examples of weak passwords: Pingeico4 due7Johh Eexee9ot Soobanah6 Ja3sahte
2 in 10 have used a significant date, such as a birth date, or a pet's name as a password – information that's often publicly visible on social networks.
> Some people have disposable passwords for useless login credentials. A New York Times account doesn't require a strong password.
Most of these conclusions are neither scary nor stupid.
retinal scan
Yeah, it depends on what you're protecting against. If the purpose of online passwords is primarily to prevent other online users from accessing your account, then writing the password down in a notebook on your desk is safe. Insofar as the purpose is to protect your account from someone who has access to your desk, it's not safe.
It's important to remember that security depends on context.
One very good solution is to use pwdhash:
https://www.pwdhash.com/
You can install it as a local plugin for Firefox or as bash/ruby scripts on your computer.
You only need to remember one strong master password, and forget about the rest.
You get something like this, depending on domains (no phishing!) & the length of your master password:
+1xhTRy7T for ebay.com
fRrL2nI7+ for amazon.com
TYZyfI0u+ for facebook.com
3yL+WQBF7 for skype.com
+KwIr4FId for delicious.com
Enjoy!
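The scheme the comment above describes, one master password turned into a different password per domain, as an added example; this is not PwdHash's own code or algorithm (PwdHash uses its own construction and encoding, so its outputs will not match these), and the HMAC-SHA256 construction, the host normalisation and the nine-character length are assumptions made here to show the property that matters: a look-alike phishing host gets a different password than the real site.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL or bare host to the key the derivation is bound to.

    Assumed normalisation for this example: lowercase the host and drop a
    leading 'www.'. Everything else in the host is kept, so
    'ebay.com.evil.example' is a different key from 'ebay.com'.
    """
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_site_password(master: str, url: str, length: int = 9) -> str:
    """Derive a per-site password from the master secret and the site key.

    Hypothetical construction: HMAC-SHA256 keyed by the master password over
    the normalised host, base64-encoded and truncated. Knowing one site's
    derived password does not reveal the master or any other site's password.
    """
    key = site_key(url)
    mac = hmac.new(master.encode("utf-8"), key.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


if __name__ == "__main__":
    master = "example master secret"   # constructed value, not a real password
    for target in ("https://www.ebay.com/signin", "amazon.com",
                   "https://ebay.com.evil.example/login"):
        print(f"{derive_site_password(master, target)} for {site_key(target)}")
```

The last line of the demo is the anti-phishing case: the user types the same master password into a page that merely looks like eBay, but the derivation keyed on the real hostname hands the attacker a password that is useless on ebay.com.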
I've been using a variation of the same password for years. It was secure when I first started using it; it's not so secure anymore. Although, if it were any more secure, not even I would know what my password was. Password security is getting nearly impossible considering many sites and resources expect you to update your password every few months.
"86 percent do not check for a secure connection when accessing sensitive information when using unfamiliar computers"
Seriously, now. A website with "security" in the title really ought to at least try to present credible security analysis!
*facepalm*
Users are careless with their workplace computers because it's not their data and they don't care what happens to it.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
What I find works best is taking the first letter of every word in an easy to remember phrase. For example, "poor aunt sally slipped while out racing dogs". Er, wait...
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
The problems with variable password rules make it harder to create password systems. More importantly, usually we don't really need one. Really, is there any need for a site like moviefone to have a password? I mean really, it's a freaking movie website list. Let them track you with a cookie, not a login and a password. I don't agree to give my credit card number to my grocery store permanently just to get "one click" payout, so what possible reason would I have to do it for a freakin' movie ticket? Honestly, even slashdot could work almost as well without a real password. Just set it up so that it has a username that does not show the last 4 letters, and the only way to change the password is by asking them to send a reset to the email account you signed up with. A 4 letter password plus an email reset would work fine for something as unimportant as a tech news site with commenting. I mean really, would it be that horrible if someone stole your slashdot identity? It's not a bank account for god's sake. Or set it up with a camera ID system.
excitingthingstodo.blogspot.com
Considering this "article" also rails on people for not using a different password on every website, I don't know what he expects people to do with them.
When you throw 100 passwords at people and want to enforce "strong" passwords on all of them (which he also complains about), what option do people have but to store them somewhere? Paper is a useful media for this purpose.
This article is bullshit, really. Some of the things he complains about are the direct cause of other things he complains about. Make up your fucking mind.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Having passwords accessible in some fashion for family in the event of death is good, but not considered very often.
Write them down, or put them on a thumb drive in a safe... I knew most of my Dad's passwords when he died quite unexpectedly. It simplified a lot of the financial issues.
Maybe it is a general security problem, but banks will let you do things online with a password that you'd need certified court documents and a death certificate to do in person: transfer money between accounts, pay utilities from the account. Anything that has online, recurring payments needs to be dealt with (e.g. NetFlix).
My plan, as yet unimplemented, is to put all that stuff in an encrypted TrueCrypt file (on a thumb drive or unprotected PC) and give my family the password to that file.
Help! Help! I'm being repressed!
Back in the 1980s, when the Bradley IFV was just coming out, I saw a 60 Minutes piece on the vehicle. It complained that the Bradley had too high of a profile, making it vulnerable. It claimed that the Bradley was too cramped internally. Thus, it was both too big and too small. In a similar vein, it was too well armed and not well armed enough, and too well armored while not being armored enough. The real stupidity that is usually revealed by these "people are stupid" pieces is generally that of the writer of the piece.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
Assuming the user doesn't lock his screen when leaving it, and that the user runs with elevated privileges and doesn't have to authenticate to install anything.
Instead of a trojan, change out their keyboard with an identical keyboard with a built-in keylogger. Then change it out again when you're ready to harvest.
What I find works best is taking the first letter of every word in an easy to remember phrase. For example, "poor aunt sally slipped while out racing dogs". Er, wait...
Or just use the whole phrase? Much easier to remember, and suddenly your brute-forcing work goes from around 70^(avg. # chars) to like 600,000^(avg. # words) - and that doesn't count variations for punctuation/capitalization, etc. Little annoys me more than upper limits on password length.
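The guess-space comparison in the comment above, worked through as an added example (not from the original post). The 70-symbol character alphabet and the 600,000-word vocabulary are the commenter's figures; the 8-character and 4-word averages, the 26-letter alphabet for the "first letter of each word" scheme from the earlier comment, and the guess rate are assumptions made here. The example generalises slightly by also converting bits into time to exhaust the space at a fixed guess rate.

```python
import math


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols.

    This is log2(alphabet_size ** length); it is an upper bound, since real
    human choices are not uniform (English first letters and common words are
    heavily skewed, and dictionary attacks exploit exactly that).
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a space of 2**bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


def compare_schemes(avg_chars: int = 8, avg_words: int = 4,
                    char_alphabet: int = 70, vocabulary: int = 600_000) -> dict:
    """Guess space, in bits, for the three schemes discussed in the thread."""
    return {
        # "first letter of every word": one lowercase letter per word, so the
        # password is avg_chars letters from a 26-symbol alphabet (assumed).
        "acronym": guess_space_bits(26, avg_chars),
        # random characters from the commenter's 70-symbol alphabet
        "random_chars": guess_space_bits(char_alphabet, avg_chars),
        # whole-phrase: avg_words words from the commenter's 600,000-word list,
        # ignoring the extra variation from punctuation and capitalisation
        "passphrase": guess_space_bits(vocabulary, avg_words),
    }


if __name__ == "__main__":
    rate = 1e9   # assumed offline guessing rate against a fast hash, guesses/second
    for name, bits in compare_schemes().items():
        days = seconds_to_exhaust(bits, rate) / 86_400
        print(f"{name:13s} {bits:6.1f} bits  ~{days:.3g} days to exhaust at {rate:.0e}/s")
```

With these assumptions the four-word phrase comes out around 77 bits against roughly 49 bits for eight random characters, which is why length limits on passwords are the wrong place to economise; the caveat in the docstring still applies, since a phrase picked from a famous quotation is far below the uniform bound.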
For example, most of the people I know (I fit in the younger generation category) have four to five passwords. They have a common trash password for sites they don't really care about being compromised (say slashdot). Then a different one for ones with personal data, but nothing critical. And then separate ones for email and financial stuff. Yes they share passwords between sites, yes they share passwords with loved ones (duh). But this is all done in a "smart" manner, not a dumb one.
Virtually nothing will protect you from people who have access to your desk.
Security is never about absolutes. Absolutely nothing will protect you 100% of the time from all possible eventualities, yet we still employ security measures. The general purpose to security is to increase the difficulty of an attack, decrease the possibility of meaningful success, and increase the possibility of catching the attacker.
So for example, simply putting a screensaver password on my computer might improve my security substantially. It gives casual attackers with limited technical knowledge and limited availability to my computer a relatively small window of attack-- they must get access to my computer in the period of time between when I leave my desk and when the screensaver kicks on. They must then install a trojan (or whatever you would suggest) in the short amount of time before I return to my desk and leave the area without being detected. But then there are other issues too-- they have to make sure the trojan won't be detected by my security package; they need to make sure the computer is more or less in the state that I left it, so as not to arouse suspicion; they may need to trigger the screensaver so that I don't come back and think, "why isn't my screensaver active?"
Yes, if they get access to my CPU while I'm out sick, they could try to get access a few different ways, but that all assumes that there aren't other people around the office, there's no security, and there are no cameras which would catch them in the act. It also assumes the attackers are substantially sophisticated to get past a simple password.
So there's a lot to consider. However, I can tell you right now that a simple screensaver password would be plenty of protection to keep my wife from reading my email. My wife isn't very technical, and even if you gave her physical access to my CPU and as much time as she wanted, she wouldn't know what to do.
And that's what I meant by "security depends on context". You have to ask things like:
Without knowing the context of what the information is, who the authorized personnel will be, and who the potential attackers will be, you can't begin to evaluate the effectiveness of a security scheme.
Geez, you're awfully cynical for a 27 year old.
I have seen websites which:
- require more than 8 characters
- require 8 or fewer characters (great security there!)
- require special characters
- disallow special characters (!)
- require mixed case
- are not case-sensitive
- require numbers and letters
- require that password not start with a number
- other stupid rules I can't remember
So many of those are so stupid, and the result of horrid programming. I want all my passwords to be a minimum of 9 characters, have plenty of symbols, and (and no sites ever require this) have no dictionary words in them.
Now it is possible for me to come up with a personal algorithm I can use and remember which would allow me to create a unique password for every site and still not be decipherable by someone who collected three of my passwords. (Sure, if you somehow got a dozen, maybe, just maybe you could figure it out; but that's unlikely since it uses weird associations from my personal past experiences for some of the characters and sometimes even for the number and kind of characters.) But there is no way I can implement a good algorithm given all the variances noted above.
I can't tell you how many times I've been locked out of accounts for getting my password wrong; only to find out when I'm resetting it that this particular system has some weird (and fundamentally stupid) combination of the above rules.
And you gotta love the spinoff of that. Typing in numerous variations of what I think is the right password. Seems insecure all by itself.
And as an aside... Who ever came up with the stupid idea that substituting numbers for letters is somehow secure? Do they honestly think that a hacker could never think of that, even though every idiot with fingers already has tried it? Really? If your company makes "trinkets" you think "tr1nk3ts" is a good password? WTF?
When I was 15 I figured out my first law of nature. Said law is, "People are generally stupid."
In the 27 years since I first figured that out, I have seen no evidence to the contrary.
Looks like Mark Twain was a bit faster than you.
Quoting him:
"When I was a boy of 14, my father was so ignorant I could hardly stand to have the old man around. But when I got to be 21, I was astonished at how much the old man had learned in seven years."
MickeyMinnieDonaldDaisyHueyDeweyLouieGoofySacramento
8 characters and a capital. OK?
My password is 1
Slowly waving my hand - "This is not the sig you are looking for."
"tr1nk3ts"
Whoops. That was totally insecure. I meant: tr1nk3t5,
Nobody would EVER crack that.