Passwords Are the Weakest Link In Online Security

Orome1 writes "It's not surprising to find that 79% of consumers use risky password construction practices, such as including personal information and words. The recent Gawker breach and a detailed analysis of breached passwords show undeniably that passwords continue to be the Achilles' heel of the average Internet user. This insecure trend sadly doesn't shift as 26% of users reuse the same password for important accounts such as email, banking or shopping and social networking sites while 29% had their own email or social network account hacked, and over half (52%) know someone who has had a similar problem."

WRONG

[binarylarry]

Users are the weakest link.

Re:WRONG

[sco08y]

Users are the weakest link.

Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?

People can be pretty responsible with secure tokens when they understand the protocol to use them.

Not ideal case for study

There's lots of buzz going around about the Gawker breach and discussions on how good/bad the passwords were. I looked at the websites that Gawker owned and most of them are tech websites, frequented by people that have some knowledge of security and computer systems.

I would assume that much of the readership is like myself. They know that access to their Gawker account is the most sacred and guarded of personal intrusions, and would thus treat security as the utmost important thing. My Gawker password was the ultimate in high security. It was a 280 character alpha-numeric password containing my social security number, all of my credit card numbers, my date of birth, my address, every password to every other website I use, plus all of my wife's data. That way I know that anyone who tried to crack my Gawker password could never do it, and all my information would be safe.

Wait, no, I got that backwards. Sorry, I used "cock" as the password for Gawker... probably. You see, if I were to log into Gawker, I would assume that the password was about as secure as writing it on the bathroom wall. In addition, I know my browser would remember whatever stupid password I typed and I wouldn't have to remember it for more than 30 seconds. Furthermore, if someone hacked it, and posted a stupid comment as "bullcrapgawkeruser222" I would likely neither notice nor care. If I did care, I would create "bullcrapgawkeruser223" with a password like "cockk".

Even more likely, if I ever commented more than once on any Gawker owned site, I probably just created a new account because I forgot I had an old one.

So, can we stop doing ultra-security analysis on what is probably a bogus set? Next I'm going to see an analysis on how insecure Masterlock combination locks are because the users don't use uppercase letters and punctuation.

The amount is the problem

[houghi]

How many places do need a login? Websites, computers, programs, ...
If all websites would use openID, that would solve already a lot. However many places give me my login and then ask me to change that every month. At work every first day of the month I change all my passwords. That takes me about 20 minutes.

So I have several passwords depending on level
1. Generic websites. Lowest security level (e.g. Pa55word)
2. Work related. These will change every month and will include some sort of year/month where only that part changes (e.g. 10Work12 for this month)
3) Provider related pass word for email and connection (Resused semi-random 8 charcater password)
4) Personal password for local system and openID and banking(Reused semi-random 8 carcater password. Different from 3)
5) Secure password for encryption, ssh and the like (Loooong semi-password of at least 16 characters.)

So the moment I am forced to change passwords where I used first 3 or even 5, I will go back to less secure of 2.

The main problem is that each security person treats their security as if they are the only one and treat security with the standard error. Solving a social problem with a technical solution. It is very hard to explain people that changing passwords every month will LOWER the security.

It is the nature of people to find the way of least resistance and as long as security people do not understand that, nothing will change.

I sometimes feel that it is not about security, but about reliability. Reliability is moved from the IT department to people who do not understand security, because they 'did something' and now it is not their issue anymore. That is why they also look only to the security of 'their' system and not at security as a whole.

Re:Bad Passwords Are the Weakest Link.

[grumbel]

No, the weakest link is the flawed authentication mechanics that requires you to use passwords in the first place. Bad password are just the natural result of that. If you want to fix the problem, you have to fix the way users authenticated themselves, not just chose a better password.

Re:Bad Passwords Are the Weakest Link.

[bitingduck]

I have a mobile phone (two, actually). I also live in a hole in the ground (not quite literally, but close) that's a cell shadow with intermittent coverage at best, and zero signal a lot of the time. Your authentication scheme won't work there, and will also be spotty in my office, which is smack in the center of a building.