Slashdot Mirror


Passwords Are the Weakest Link In Online Security

Orome1 writes "It's not surprising to find that 79% of consumers use risky password construction practices, such as including personal information and words. The recent Gawker breach and a detailed analysis of breached passwords show undeniably that passwords continue to be the Achilles' heel of the average Internet user. This insecure trend sadly doesn't shift as 26% of users reuse the same password for important accounts such as email, banking or shopping and social networking sites while 29% had their own email or social network account hacked, and over half (52%) know someone who has had a similar problem."

30 of 277 comments

  1. WRONG by binarylarry · · Score: 5, Insightful

    Users are the weakest link.

    --
    Mod me down, my New Earth Global Warmingist friends!
    1. Re:WRONG by sco08y · · Score: 5, Insightful

      > Users are the weakest link.

      Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?

      People can be pretty responsible with secure tokens when they understand the protocol to use them.

    2. Re:WRONG by blair1q · · Score: 3, Informative

      Close. Journalists are the weakest link.

      Most of the stuff that's password-protected isn't worth anything.

      A Gawker account? How much does having that hacked cost me?

      A lot less than the time it takes to tell a journalist that it didn't cost me anything.

  2. Not ideal case for study by Anonymous Coward · · Score: 5, Insightful

    There's lots of buzz going around about the Gawker breach and discussions on how good/bad the passwords were. I looked at the websites that Gawker owned and most of them are tech websites, frequented by people that have some knowledge of security and computer systems.

    I would assume that much of the readership is like myself. They know that access to their Gawker account is the most sacred and guarded of personal intrusions, and would thus treat security as the utmost important thing. My Gawker password was the ultimate in high security. It was a 280 character alpha-numeric password containing my social security number, all of my credit card numbers, my date of birth, my address, every password to every other website I use, plus all of my wife's data. That way I know that anyone who tried to crack my Gawker password could never do it, and all my information would be safe.

    Wait, no, I got that backwards. Sorry, I used "cock" as the password for Gawker... probably. You see, if I were to log into Gawker, I would assume that the password was about as secure as writing it on the bathroom wall. In addition, I know my browser would remember whatever stupid password I typed and I wouldn't have to remember it for more than 30 seconds. Furthermore, if someone hacked it, and posted a stupid comment as "bullcrapgawkeruser222" I would likely neither notice nor care. If I did care, I would create "bullcrapgawkeruser223" with a password like "cockk".

    Even more likely, if I ever commented more than once on any Gawker owned site, I probably just created a new account because I forgot I had an old one.

    So, can we stop doing ultra-security analysis on what is probably a bogus set? Next I'm going to see an analysis on how insecure Masterlock combination locks are because the users don't use uppercase letters and punctuation.

  3. really long passwords by theshowmecanuck · · Score: 2

    Hang on, I have to look at my post-it note on the side of my monitor so I can remember all the 20 character complicated passwords for each web site I visit and secure application I use. Especially since I can't remember them as well since I started changing them every six weeks.

    Passwords become pointless when you can't remember them and can no longer access the site/service/program that they were put there to protect. Passwords are pointless when you have to keep cheatsheets in order to 'remember' them (cheatsheets that can be stolen, copied, or lost; making it impossible for you to access what you need and possible for others to...).

    Either some other method than passwords, like those time-based random PIN generator fob whatchama-call-its we get to log into VPNs at some companies, or we just learn to deal with it.

    --
    -- I ignore anonymous replies to my comments and postings.
    1. Re:really long passwords by mlts · · Score: 3, Interesting

      Having the Web browser handle passwords is one way to address this. For a new site, I make a password in KeePass, store it in that database, as well as have my Web browser store it. This way, I don't have to bother typing it in, it will be of a decent character length (20 chars), and of random characters, and a blackhat that gets that password won't have access anywhere else I go.

      Since my KeePass database syncs with my phone, if I'm using another computer somewhere else, I still have access to sites I go to.

      This isn't the best of all worlds solution, but it does work.

  4. Security Questions Are The Weakest Link by rolfwind · · Score: 4, Interesting

    And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well. If I were to imagine trying to get this information on someone, I'd just call them or their family, pretend to be some High School Reunion Committee, and say "We are celebrating the class of 1987 at Shrub High" and they'd probably go "Oh no, I graduated in 1992 at Rose Garden High". Then reply "Oh really? I guess you're the wrong Joe Blow, I'm sorry for your trouble, thanks bye."

    Multiple attack vectors over one secure password, ridiculous. I think GMail at least does the semi-sane thing and instead of security questions, uses a phone number to verify you if you would ever lose your password.

    And that's what is needed, identity verification if the password fails. Not a cheap way to do that in an automated and very dumb way.

    There was, also for years, really dumb advice such as to never write a password down. That is unrealistic given the number of passwords someone needs to know today and leads to using the same password again and again. Now, you don't have to write it unencrypted, you could use Rot13 or, even better, some other code of your devising -- but it's better than keeping all this in your head in this day and age.

  5. Re:gpg-authentication? by MickyTheIdiot · · Score: 3, Informative

    You obviously have not had to deal with the average user. I run a web site that has accounts and many non-tech users, and many people can't even understand the concept of a password, let alone asking them to upload a public key. I regularly get complaints that our site isn't "user friendly" because the person can't manage to even remember their username... so anything that is even slightly more complicated, or involves something that they don't deal with in everyday life, is right out.

  6. Re:3 factor authentication by fuzzyfuzzyfungus · · Score: 2

    Biometrics are pretty dubious for widespread use. They sure do add that "just like the movies" flavor to flashy secure facilities (and, as long as their use is rare, they are likely to be stolen only in the most targeted of attacks); but the majority of them are dangerously weak (and impossible to change).

    Were they to be used widely, it would be a matter of months before huge numbers of people had their biometric data skimmed with enough resolution that fakes could be constructed with relative ease (imagine the problem of ATM card skimmer devices, already cheap and common, spreading to biometric verification systems: is that "broken" biometric verification setup on the door/ATM/whatever actually broken, or transmitting high resolution scans of your fingerprints to some gang even now?) If you do get skimmed, what are you going to do about it?

    As long as they are largely a novelty, confined to a few specific situations, you really have to be Somebody Important for your prints to be pulled off your glass at the bar and used to access your system; but, if you try to use it at a population level, the probability that attacks will become widespread rises enormously.

  7. Re:You could just do what I do by Chrisq · · Score: 2

    > back in 2003.

    Sigh .... back in 2003. It must be nice to be young.

  8. The "detailed analysis" needs to be ditched. by dreemernj · · Score: 2

    That "detailed analysis" of the Gawker breach needs to be stricken from the web. The passwords that were decrypted were the easiest passwords in the set for the most part. That's why they were able to decrypt them. They were in dictionaries or their hashes were already on lookup tables. Then some joker takes those decrypted passwords and acts as if they are in any way representative of the rest of the passwords that could not be decrypted.

    Idiotic.

    --
    1 (short ton / firkin) = 89.1432354 slugs / keg
  9. And, did you know that the sky is blue? by sitarlo · · Score: 2

    This isn't news. It's common sense. Of course people and their passwords are the weakest link. Same thing in physical space. You can have the best lock in the world, but if you make copies of the key and are careless with them you'll get robbed.

  10. It is safe to say that by gotpoetry · · Score: 2

    combination codes are the weakest link in bank vaults.

  11. Re:You could just do what I do by markdj · · Score: 2

    But what if one site only allows lower case letters and another requires a mix of lower and upper case and special characters? Are you really going to remember that if you visit the sites infrequently?

  12. Re:gpg-authentication? by markov_chain · · Score: 2

    > The biggest problem is that people want convenience

    This kind of thinking pisses me off. (Agent Smith voice) If only we didn't have this... problem... these... users... life would be so much easier!

    In your honor I'm gonna go and change a bunch of my online account passwords to simple English words. What's that sound I hear? Ah, it must be hackers beating down the doors to read my email. Maybe they will also get into my bank account and pay my bills or something.

    --
    Tsunami -- You can't bring a good wave down!
  13. The amount is the problem by houghi · · Score: 4, Insightful

    How many places do I need a login for? Websites, computers, programs, ...
    If all websites would use OpenID, that would already solve a lot. However, many places give me my login and then ask me to change that every month. At work, every first day of the month I change all my passwords. That takes me about 20 minutes.

    So I have several passwords depending on level:
    1. Generic websites. Lowest security level (e.g. Pa55word)
    2. Work related. These will change every month and will include some sort of year/month where only that part changes (e.g. 10Work12 for this month)
    3. Provider-related password for email and connection (reused semi-random 8-character password)
    4. Personal password for local system and OpenID and banking (reused semi-random 8-character password, different from 3)
    5. Secure password for encryption, ssh and the like (loooong semi-password of at least 16 characters)

    So the moment I am forced to change passwords where I first used 3 or even 5, I will go back to the less secure 2.

    The main problem is that each security person treats their security as if they are the only one and treats security with the standard error: solving a social problem with a technical solution. It is very hard to explain to people that changing passwords every month will LOWER the security.

    It is the nature of people to find the way of least resistance and as long as security people do not understand that, nothing will change.

    I sometimes feel that it is not about security, but about reliability. Reliability is moved from the IT department to people who do not understand security, because they 'did something' and now it is not their issue anymore. That is why they also look only to the security of 'their' system and not at security as a whole.

    --
    Don't fight for your country, if your country does not fight for you.
  14. Re:You could just do what I do by fwarren · · Score: 3, Interesting

    Password Composer http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/ is what I use.

    For example, http://www.slashdot.org/ and my master password of buba: right(md5sum("slashdot.org:buba"),8) yields fc56e979

    They have a static web form, a bash script, and a greasemonkey script. I have also written a Delphi app that runs in Linux, Windows, Mac that I keep on my memory stick. So all I have to do is remember one master password, for example "buba". And with that master password every site gets a unique password that is hard to crack. I decided about four years back that if anyone ever hacks one password of mine or can fool me into revealing a password to them, that is all they get: one password.

    The ironic thing is the only site that I use a regular password that I came up with, that is related to me, that can be broken by a dictionary attack, is the one for my slashdot account. Still the same password I came up with in 1999 or 2000. I assume no one else would want to hijack my opinions.

    --
    vi + /etc over regedit any day of the week.
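The per-site derivation described in the comment above, as an added example (not Password Composer's own code): it assumes the scheme exactly as the comment states it, the rightmost 8 hex digits of md5("<domain>:<master>"), does not verify the quoted value fc56e979, and adds an entropy helper that makes the 32-bit ceiling of such an 8-digit output explicit.

```python
"""Per-site password derivation in the style of the comment above.

Added example, not the Password Composer project's own code. Assumes the
scheme as the comment states it: rightmost 8 hex digits of
md5("<domain>:<master>"). The value the comment quotes is not verified here.
"""
import hashlib
from typing import Dict, Iterable


def compose_password(master: str, domain: str, length: int = 8) -> str:
    """Return the rightmost `length` hex digits of md5("<domain>:<master>").

    The same (master, domain) pair always yields the same password, so
    nothing has to be stored; the cost is that every site password is a
    pure function of the master.
    """
    if not 1 <= length <= 32:
        raise ValueError("an MD5 hex digest has 32 digits")
    digest = hashlib.md5(f"{domain}:{master}".encode("utf-8")).hexdigest()
    return digest[-length:]


def derived_entropy_bits(length: int = 8) -> int:
    """Upper bound on the entropy of a derived password: 4 bits per hex digit.

    An 8-digit output is at most 32 bits no matter how strong the master is,
    which is why a longer output (or a slow KDF instead of a single fast
    MD5) is the usual hardening of this idea.
    """
    return 4 * length


def passwords_for(master: str, domains: Iterable[str]) -> Dict[str, str]:
    """Map each domain to its derived password for one master.

    This is the rotation list: if the master is ever exposed, every entry
    here must be changed at the corresponding site, because all of them
    follow deterministically from the master.
    """
    return {d: compose_password(master, d) for d in domains}


if __name__ == "__main__":
    # Constructed sample input mirroring the comment's example.
    master = "buba"
    print("slashdot.org ->", compose_password(master, "slashdot.org"))
    print("entropy cap (bits):", derived_entropy_bits())
    for domain, pw in passwords_for(master, ["slashdot.org", "example.com"]).items():
        print(domain, pw)
```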
  15. Re:You could just do what I do by John+Hasler · · Score: 2

    > ...what can realistically be memorized by the average person ...

    And there is the real flaw: not the use of passwords, but the silly notion that average people should memorize them. WRITE THE DAMN THINGS DOWN!

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  16. Re:maybe we should have some other method of authe by Daengbo · · Score: 2

    This is why we should be having real discussions about standardizing on better authentication methods (OAuth, etc.) and multi-step auth instead of passwords. I personally think password + hardware (phone / SD / etc.) + retina scan would be a good base to run an auth server off of. I also think identity should be in the browser (see sig).

  17. Re:Bad Passwords Are the Weakest Link. by grumbel · · Score: 5, Insightful

    No, the weakest link is the flawed authentication mechanics that require you to use passwords in the first place. Bad passwords are just the natural result of that. If you want to fix the problem, you have to fix the way users authenticate themselves, not just choose a better password.

  18. Re:maybe we should have some other method of authe by sean.peters · · Score: 2

    It would help if Slashdot didn't limit the subject line to something ludicrously short. I've often had to resort to continuing the subject line in the body, because I couldn't come up with something sufficiently pithy for Slashdot's subject line policies. I have to admit, though, that breaking a word between the subject line and body is a crime against nature.

  19. Now think of 20, with their own different styles by fantomas · · Score: 2

    OK, so that's password no. 1.

    Most people need 20, maybe more by the time they have all their online utility bills, social media, work accounts, banking accounts, etc. Some of these have specific formats you have to follow (6-8 characters, 6-12 characters, at least one upper and one lower case letter and a number and a non-alphanumeric, etc).

    So now try and hold all 20 of these in your head with these different formats. And probably some of these have to be changed every three months or so (e.g. decent work passwords).

    This is the big problem: the number of different passwords in varying formats that people have to remember, and change on occasion to fit in with the security systems.

    If everybody only had to remember one password, this would not be the security issue that it is.

  20. Re:maybe we should have some other method of authe by nanospook · · Score: 2

    While scanning 300 responses, do I really want to have to work through 300 wordy "sentences"? Pithy is good.

    --
    Have you fscked your local propeller head today?
  21. Re:Bad Passwords Are the Weakest Link. by bitingduck · · Score: 3, Insightful

    I have a mobile phone (two, actually). I also live in a hole in the ground (not quite literally, but close) that's a cell shadow with intermittent coverage at best, and zero signal a lot of the time. Your authentication scheme won't work there, and will also be spotty in my office, which is smack in the center of a building.

  22. Re:You could just do what I do by oldspewey · · Score: 4, Funny

    You people are determined to ruin my version of reality.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?
  23. Re:You could just do what I do by John+Hasler · · Score: 2

    > Now get off my lawn.

    You aren't old enough to have one.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  24. I blame the sites by Evro · · Score: 2

    Every website has different rules for their passwords. Some sites require at least 6 characters. Some require at MOST 10 characters. Some require special characters; some forbid special characters. Because each site has completely different rules, this leads people to develop lowest-common-denominator passwords that work across sites. If there were standard rules for passwords - at least 8 characters, must contain 1 letter, 1 number, one "special" character, max length 100 characters - then people would be able to create very strong passwords that are easy to remember, and use them across sites if they wanted. Imagine attempting to brute-force this password:

    I wuz bron on the 21st Day of January, 1966

    A simple phrase with personal meaning and some misspellings. Create 3 tiers of passwords - one for throwaway sites, one for semi-important stuff (maybe Facebook/Twitter), one for critical stuff (email account, banking). Since no two sites seem to have compatible password rules this can't currently be done. I remember GoDaddy as being unbelievably strict to the point that I need to reset my password every single time I want to log in because I have to create such an impossible password for them that I can never remember it.

    --
    rooooar
  25. Same password by fishbowl · · Score: 2

    I often use the same password on sites where I just don't care, and by that I mean I really just don't care.
    That is, I don't care if my "account" is "breached". I don't care if someone gets my login from one stupid web site that I don't care about and uses it in another stupid web site I don't care about. Nothing about it will get you into any site where I *do* care.

    --
    -fb Everything not expressly forbidden is now mandatory.
  26. Re:Bad Passwords Are the Weakest Link. by Rich0 · · Score: 2

    Actually, OpenID still solves a big problem - people using one password for all sites so that if you compromise one of them you compromise all of them.

    With OpenID you use your password for ONE site, and then you use strong crypto for all the other authentications. Sure, if you crack that one site you still get it all, but that one site is more readily secured, and as soon as you resecure the OpenID site all the others become secure again.

    Coming up with one good password isn't nearly as hard as remembering 48 of them.

  27. Selection bias. by John+Hasler · · Score: 2

    Most people never ask you any questions. Only the dumb ones ask dumb ones. You forget the sensible but boring ones. You are confounding the left tail of the distribution with the middle.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.