51% of Computer Users Share Passwords

An anonymous reader writes Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic log on to mobile apps and services, according to new research by Intercede. While 52% of respondents stated that security was a top priority when choosing a mobile device, 51% are putting their personal data at risk by sharing usernames and passwords with friends, family and colleagues. The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.

Logged in to email?

[NoImNotNineVolt]

The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.

Yes, god forbid people "leave themselves logged in" to their email accounts on their mobile device. I guess we're not supposed to use push email but instead enter our email passwords into our phones every few seconds to get timely email alerts?

It's too bad that the cell network itself lacks any meaningful security mechanisms. I mean, if someone gets a hold of your phone, they can just start texting and calling without having to "log in" on the network at all. It's amazing that the world hasn't collapsed as a result.

Re:Logged in to email?

[Jason+Levine]

Our main problem is that our cell phones are our only phones. We don't have a land line. So if we need to call 911, we need to be able to access our phones. More than that, though, we have 2 young kids and if they need to dial 911, they need to be able to pick up our phones and call 911. As it is, teaching them to swipe to open the phone, click on the phone icon, and then dial 911 can be tricky. (Compared with "pick up the land-line phone and press 911".)

If anyone knows of any app that keeps the phone locked out (so you need to enter a password to get into your apps) but which enables easy dialing of 911 (or selected people on your contact list). I'd be more than happy to hear what they are. That would be the perfect balance between securing your phone and keeping it easy for my kids to use to call 911 or relatives who live close by. (Not that those lock-screen passwords are perfectly secure, but they're better than swipe-to-unlock.)

Re:Logged in to email?

[tinytim]

??? Have you tried pressing the "Emergency Call" text on the lock screen?

Re:Logged in to email?

[shadowrat]

If anyone knows of any app that keeps the phone locked out (so you need to enter a password to get into your apps) but which enables easy dialing of 911 (or selected people on your contact list). I'd be more than happy to hear what they are. That would be the perfect balance between securing your phone and keeping it easy for my kids to use to call 911 or relatives who live close by. (Not that those lock-screen passwords are perfectly secure, but they're better than swipe-to-unlock.)

yes. it's called iPhone. there is an option to make an emergency call from the lock screen. I'm pretty sure the same thing exists on most android and windows phones.

Re:Logged in to email?

[jandrese]

It is actually required by law to be there. All phones must be capable of making an emergency call without being unlocked.

Re:Logged in to email?

[nedlohs]

Don't they all do that already - at least the 911 part. Every cell phone I've ever owned of the dumb and smart variety have all allowed calling 911 while locked. I'm pretty sure it's a legal requirement that they call 911 when they are locked and when they have no sim card.

On my samsung you can add numbers to the emergency contact group and they'll be callable from the emergency call button that shows up on the lock screen as well as 911. Given it's a samsung there is a 0% chance that they didn't copy that from elsewhere and hence iphone's must do the same thing (and probably all the other smart phones too).

In fact people keep complaining about it - apparently it's easier to butt dial 911 when the phone is locked then when it isn't :)

Re:Logged in to email?

[ColdWetDog]

I know this is all retro and stuff, but land lines aren't dangerous or particularly expensive. Mine comes with my Internet connection, YMMV.

And, although emergencies are fortunately rather rare, I would prefer to depend on my land line than my AT&T-we-might-complete-this-call-if-we're-having-a-good-day cell phone.

Re:Logged in to email?

No, the "thief" will just remove your SIM card and put it into their phone before calling all sorts of nefarious 1-900 numbers or otherwise charge money onto your phone-place. The GP assertion is correct that "It's too bad that the cell network itself lacks any meaningful security mechanisms."

Re:Logged in to email?

[Jason+Levine]

There isn't any "Emergency Call" text on my lock screen. (Android 4.4.2 on a Verizon Wireless Droid RAZR HD.)

Re:Logged in to email?

[Jason+Levine]

We ditched our landline years ago to save money. It was costing us way too much a month for the landline when we were almost never using it. We first switched our landline number to a dedicated mobile phone since it was cheaper than an actual landline. Then, we moved that to a Google Voice account ($40 one time fee). The first week of our going cell-only, my youngest son had a febrile seizure (one of many he's had) and we called 911 with our cell phones. The 911 call went flawlessly and they arrived just as rapidly as they had when we had a landline.

Re:Logged in to email?

[Jason+Levine]

I've been checking on my phone (Motorola Droid RAZR HD with Android 4.4.2 on Verizon Wireless) and can't find any Emergency Contacts feature. There's an "Owner Info" section where I can put text on the home screen, but that's limited in function. Would be best as a "If found, please call 555-1212" text, not as a "Click this to call 911 or selected contacts."

Re:Logged in to email?

[Jason+Levine]

It would really surprise me if the phone was required by law to be able to make emergency calls while locked since my Android phone doesn't seem to have this feature.

Re:Logged in to email?

[Chris+Mattern]

It would really surprise me if your Android phone *doesn't* have this feature, because it *is* required by law. Mine certainly has it.

Re:Logged in to email?

[Chris+Mattern]

My Android 4.1.2 on a Verizon DROID 4 certainly has it. It's required to be there. Look at the bottom of your lock screen (It *is* a lock screen, right? Requiring a code to unlock the phone? It's not there if your phone's not locked and you can just swipe to select the function you want).

Re:Logged in to email?

[Frobnicator]

It would really surprise me if your Android phone *doesn't* have this feature, because it *is* required by law. Mine certainly has it.

This is one of those funny cases were people accidentally out themselves as not securing their phone.

The phones legally must display it in most countries, but only if the phone is locked or password protected. If there is no password required to get in, just a "swipe to unlock" rather than a security system, the button does not appear.

Lack of emergency call button == unsecured smart phone.

(Or a fairly old phone, or a hacked phone that breaks the law in many nations.)

Re:Logged in to email?

[Jason+Levine]

Ah. I could have sworn that when I set up proper locking mechanisms on the phone that there wasn't any option to call. I just tried it again, though, and there is an "Emergency Call" text. For a test, I tried using my cell phone to call my work number and it said that this number wasn't an emergency number. My next question would be how would I specify certain emergency numbers? (This way, if my child has my phone and needs to call a relative that they know the number of, they can without having to know my unlock code and thus having full access to the phone.)

Re:Logged in to email?

[Jason+Levine]

I just tried setting up an actual lock screen (with a password) and sure enough there is an "Emergency Call" item now. (I could have sworn I had tried this in the past and hadn't seen one, but it's possible I overlooked it somehow.) For a test, I tried using my cell phone to call my work number and it said that this number wasn't an emergency number. My next question would be how would I specify certain allowed emergency numbers? (Beyond 911, obviously.) This way, if my child has my phone and needs to call a relative that they know the number of, they can without having to know my unlock code and thus having full access to the phone.

Re:Logged in to email?

[clonehappy]

Because you haven't been able to set a SIM PIN since, say, SIM cards were invented, right? Just because no one uses the security mechanisms available doesn't automatically make it the cell network's fault when someone rips you off. Set a device PIN and a SIM PIN and you're all set. Takes about 10 seconds.

Re:Logged in to email?

[tlhIngan]

Ah. I could have sworn that when I set up proper locking mechanisms on the phone that there wasn't any option to call. I just tried it again, though, and there is an "Emergency Call" text. For a test, I tried using my cell phone to call my work number and it said that this number wasn't an emergency number. My next question would be how would I specify certain emergency numbers? (This way, if my child has my phone and needs to call a relative that they know the number of, they can without having to know my unlock code and thus having full access to the phone.)

You can't.

The emergency call is for calling emergency numbers. It's a small list - 911, 999, 111, 122, etc. In fact, I think on modern cellphones, you can call ANY emergency number and it'll connect you to emergency services. So in North America, if you dial 999 (Europe emergency) you will connect with 911 automatically - the phone interprets the number as emergency and basically does a emergency dial (it's a special control code so the tower will kick someone off if it needs to in order to connect you).

It's not a huge list of numbers, and it's coded into the software as it has to recognize if you're calling emergency services and to place it as a high-priority call on the network.

And no, it doesn't include your relatives number - that's not the intent. The intent is to be able to make a call to emergency services regardless of lock screen status, service status, etc. (It's how those used cellphone charities work - they collect deactivated cellphones for people so they have a way to get to emergency services).

Re:Logged in to email?

[Chris+Mattern]

You can't.

This isn't necessarily universal, as it's not required like 911 access, but you can certainly do it on my phone. Go into "People", select "In case of emergency" (it's big and bold at top) and you can select contacts from your contact list to be emergency contacts. These can then be called from the lock screen with the "Emergency contacts" button.

Re:Logged in to email?

[Cro+Magnon]

Reputation aside, I seldom have any trouble with non-emergency calls from my AT&T iPhone, and the landline is only useful if you're at home, preferably in the same room as the phone.

I definitely share password with family

[mccalli]

Specifically, with my wife. If I'm ever in the proverbial hit-by-a-bus scenario, there are accounts she will definitely need to know and access.

Whilst technically correct that this increases risk of the password being revealed, it is an absolute necessary of an overall risk reduction strategy for online accounts (cancelling bills etc.).

Re:I definitely share password with family

[Chris+Mattern]

The *right* way to cover the "hit-by-a-bus" scenario is to put all your passwords into an encrypted repository, and only give your wife the password to the repository. Ideally, the repository should then be placed in a safety deposit box that can't be accessed outside of the hit-by-a-bus scenario, but that would admittedly be an extra expense and arguably overkill.

Re:I definitely share password with family

[makq]

I assume your wife is not a bus driver, right? If so, your password repo might give her extra incentive.

Re:I definitely share password with family

[callahan2211]

I used to use the hit-by-a-bus scenario, but now I use the slightly modified but more favorable hit-by-a-beer-truck scenario. ;-)

Re:I definitely share password with family

[i+kan+reed]

It's better than the messy divorce scenario, I guess.

I guess I've found that there aren't any accounts anyone needs access to(by means of password) other than netflix. So... my girlfriend has my netflix password.

Re:I definitely share password with family

[DERoss]

I did the same. My Web user IDs and passwords are in an envelope in my bank's safe deposit box as well as in a strongly encrypted file on my PC. The encryption key exists only in my head and in that envelope.

But for some non-Internet files (e.g., complete PC backups, tax returns from prior years), the files are encrypted via PGP. Decrypting them requires a passphrase (longer than a password, with embedded blanks and punctuation); some require my PGP private key. The envelope in the safe deposit box contains the passphrase on paper and the private key on a floppy, on a CD, and on paper. Otherwise, the passphrase exists only in my head. (My PGP public key is indeed public and is found on a number of key servers around the world.)

When my wife's cousin died, his widow could not access anything on his PC. I hope my wife does not have that problem.

Re:I definitely share password with family

[s.petry]

No and No again.

Even if you trust someone to fix a problem, why would you trust them with your password? Set a temporary password so they can fix something, then change it back when they are done fixing. I have no idea why you would give someone the temptation, especially when there are simple safe alternatives.

No, it's not the same thing as just driving a car or having risks while driving a car.

If you want a "proper" car analogy...

Your friend needs to borrow your car. Would you make your friend a copy of your keys or give them the spares without the expectation that you get the keys back? No! You would give them your keys and expect that both the keys and car are returned later.

Sure, they could go make copies of the keys, just like someone could install a back door. If you "trust" someone you hope not.

Re:I definitely share password with family

[nbauman]

Ideally, the repository should then be placed in a safety deposit box that can't be accessed outside of the hit-by-a-bus scenario, but that would admittedly be an extra expense and arguably overkill.

The problem with a safe deposit box is:

(1) The survivor needs to be authorized to access the safe deposit box after death, and then needs a death certificate. http://www.ehow.com/how_579095... You're letting the bank decide who gets access to your passwords.

(2) Anybody with a judge's order can also access the safe deposit box, even if the owner isn't dead. So a safe deposit box isn't a good place to keep your Swiss bank account passbook, or anything else you don't want the government or the adverse party in a lawsuit to get.

Re:I definitely share password with family

[vux984]

Even if you trust someone to fix a problem, why would you trust them with your password? Set a temporary password so they can fix something, then change it back when they are done fixing.

These days, common as not, you aren't allowed to set it back to what it was before. I think gmail, for example, now enforces password history for example. Pretty infuriating, because I DO generally change passwords before giving someone temporary access.

If you want a "proper" car analogy...

You would talk about those cars with the little number pad above the door handle?

http://support.ford.com/vehicl...

I have no idea why you would give someone the temptation, especially when there are simple safe alternatives.

a) You can't change the password from where you are. Happens all the time. Maybe you are giving the person the password precisely so they can help resolve the problem preventing you from logging in where you are.

Your buddy borrowed your truck, you lent him the keys, and he locked them in the cab... he's 500 miles from anywhere. Do you tell him the keypad code?

Best practices says if you do this, change the code when you get the truck back. No problem.

Maybe you have a whole fleet of trucks, and for simplicity you had the same code on all of them. Now your fucked and have to re-key the whole fleet...

b) Cases where changing the password creates rolling chaos. Think scenarios where the same password is on several devices. For example you want to let a guest onto your home wifi but don't want to give him the password -- changing it while he visits knocks everything else you have off the network. Other scenarios -- backups, where multiple computers backup to a service and all use the same key, or various file sync things, where changing the password will throw errors up all over the place.

Re:I definitely share password with family

[s.petry]

Are you seriously attempting to imply that the rare exception should justify the rule for normal behavior? I really hope not, but that's how I read what you wrote.

Re:I definitely share password with family

[DERoss]

Problem #1 is NOT a problem in California. A safe deposit box at a bank is not sealed when one of the owners dies. Those who are on the signature card to open a safe deposit box retain full access after one of them dies.

In my case, the box is part of a bank account that is owned by a living trust that is part of my wife's and my estate plan. For continuity, our trust requires that there always be two trustees; and our heirs are excluded from being trustees to prevent conflict among them. Nevertheless, our son was on the signature card for the safe deposit box; the bank allows existing signers to add anyone to the card. When he died, the bank required a new signature card without his name on it. We then added our daughter to the card. If either my wife or I die, the trustee-in-waiting named in the trust document becomes the second trustee. She will then be added to the signature card. In the meantime, the bank does not block any access to the box by anyone on the current signature card when one of them dies.

For problem #2, I do not disclose at which bank -- let alone at which bank branch -- our safe deposit box is located. I definitely do not disclose the box number. If a court order was issued to access the box, it would have to be served on me for me to locate the box. At that point, I would have the opportunity to go back to court to challenge the order. Anyway, there is nothing on our box that represents criminal activity. A civil lawsuit that would require the other party to access my box might involve an improper "fishing expedition" since the other party would not have any prior knowledge of the box's contents.

Re:I definitely share password with family

[vux984]

Are you seriously attempting to imply that the rare exception should justify the rule for normal behavior? I really hope not, but that's how I read what you wrote.

Not at all. When you can change to a temporary and back you should. But the exceptions where that isn't simple aren't all that rare. (And in the case of systems that won't let you change back, you often don't find out until after you've gone down the rabbit hole; so its especially annoying.)

Wifi pre-shared keys for example are a prime common-as-dirt scenario, where its a giant PITA to change them for a temporary guest, just to avoid sharing your password.

Re:I definitely share password with family

[s.petry]

I would certainly agree that exceptions are both possible and possible, and would not argue that exceptions don't exist. Very little in the world is purely black or purely white. GP at least implied that the only option was to share, and my point was that there are better alternatives.

With no qualification of your point, like "Hey, what about exceptions?" it seems like you are in agreement with the GP that the only answer is to give away your password.

Re:I definitely share password with family

[vux984]

Not really sure which post is "GP" at this point.

I agree that there are better alternatives to sharing passwords in many cases.

I just think that the scenarios where "sharing" is so far-and-away the easier (perhaps even "better") solution that they shouldn't be classified as a 'rare exception'. Its pretty common.

For example, my wife and I both need the passwords to all of our utility accounts. The teenaged kids have the login to netflix. We all share the login to the HTPC in the living room rather than having separate accounts. These are all cases where I "have" to share passwords.

If I had a trusted guest house-sitting while I was away? Would I change the netflix and wifi and htpc and alarm code just for their visit? No. I could, but I wouldn't bother. Not in a million years. This is a case, where I *could* change the password and change it back... but I wouldn't.

If I had to give my some tech at my cell carrier my password so they could log into my account to look at it with me (something I HAVE had to do in the past) then yes, I do change it, give them a temp, and then change it back.

People need to think about it on a case by case basis. A "sharing passwords is always wrong" mentality is absurd... a "give your password to anyone who needs into your account" mentality is just as absurd.

Each case needs to be evaluated on its own merit... value of what is being protected, level of trust to the individual, level of hassle, etc. Neither scenario is exceptional or rare.

sigh

[retchdog]

the overwhelming amount of real danger is from database compromises, which this has almost (almost!) nothing to do with.

smells like fud to keep people from sharing their paid services with friends and family. fuck that.

Re:I do not

[alphatel]

49percent

That's my password...

Android makes this worse.

[ron_ivi]

Android's especially annoying how a single tablet is linked tightly to a single google account. To have a table that's shared among all people living together, you practically have to set up a shared google acccount.

Re:Android makes this worse.

[cr_nucleus]

Don't know what version you're running but android does support multiple accounts since 4.2.
I've being enjoying it for a while now.

AFAIK it's the only mobile OS doing so.

Re:Android makes this worse.

[jones_supa]

AFAIK it's the only mobile OS doing so.

That seems to be true. Here's additional proof that Windows Phone and iOS do not currently support such feature.

Re:Android makes this worse.

[Nimey]

Only on tablets, though. Phones are still single-user.

Re:Android makes this worse.

[jader3rd]

AFAIK it's the only mobile OS doing so.

Windows RT allows for multiple accounts.

Re:Android makes this worse.

[EmagGeek]

Both of our Android phones both have multi-user capability.

Re:Android makes this worse.

[Nimey]

Huh. Multi-user as in you can switch accounts at the lock screen?

NEWS FLASH!!!

[jddeluxe]

51% of people on the internet are stupid, details at 11....

Re:NEWS FLASH!!!

Or... and this may sound zany but hear me out. Maybe 51% of people did a risk/benefit analysis and decided that giving someone there password was actually beneficial for them.

Re:NEWS FLASH!!!

[gmhowell]

Or... and this may sound zany but hear me out. Maybe 51% of people did a risk/benefit analysis and decided that giving someone there password was actually beneficial for them.

Not possible. Only people who use devices in exactly the same manner as that proscribed by a /. nerd can be beneficial. (No wireless, less space than a Nomad...)

Re:NEWS FLASH!!!

[EmagGeek]

That may be a true statistic, but the subset of 51% of people who are stupid are not necessarily the same as the subset of 51% that share their passwords.

passwords on the device/session level, not app

[tverbeek]

Of course I leave the apps on my phone "logged in"; that's how they're supposed to work. Obviously this only makes sense if there's a password to access my phone (or on my account if the device supports them), but if not, it's the lack of password on my phone that marks me as a security-oblivious idiot, not the fact that I'm using the apps as they were designed to work.

Re:passwords on the device/session level, not app

[Ravaldy]

Phones today are as important as your wallet. Losing it can result in identity theft. It's not a new issue, it's just that it's taken a new form.

As tverbeek stated, putting a password on the phone is the most logical thing to do and probably the only thing one can do.

Sharing passwords is the result of people being miss informed or not understanding what can happen. There's also a laziness component to it. At home it's one thing but at work I explain to users that sharing their password is like trusting the other users with their employment. If one employee wants to sabotage them, they can easily do it. I've seen a employee get fired over something similar.

Not Insecure

[pavon]

The purpose of security is to prevent unauthorized people from accessing the account. There are tons of accounts that are legitimately shared, and there is nothing wrong with sharing passwords in those situations, if the account doesn't have any technical mechanism to allow for multiple users/profiles on a single account. For example bank accounts, utilities, Netflix, Hulu, wireless router administration, all have been shared accounts with my wife (some have since added profiles, but not all).

Furthermore, even with accounts that we keep separate, like email, there are useful reasons to share the password, like when my wife is away from internet at work and wants me to print a boarding pass that was emailed to her. Sure I could snoop through her email, but I don't just like I could snoop through her purse or journal, but I don't.

Re:Not Insecure

I do sometimes wonder about the security extremist point of view.

"I trust you enough to sleep next to you while you have access to many long knives, but I'll be damned if I let you know my Netflix login!" ...
yeah, I think I have it nailed.

Imagine

Let us imagine for a moment, that we do everything exactly the way, security advisors are telling us:
* have a different password for every website and every account we got
* never write down a password
* log out (from every social site) whenever we stop using a mobile or desktop device
* change all of our passwords every 30 days (to unique new and complex ones (at least 11 characters with different rules (letters, cases, numbers, punctuation symbols) for every system)
* never share a password with anyone

Now, for how many services are you able to do that?
How much of your time does it take?
How often do you check your emails or social sites a day?
How often do you require to reset passwords?

But how many accounts do you really have?
How much time do you want spend in password management?

Encouraged by a lot of places.

[timrod]

A lot of the bigger, more frequently-used services actually encourage this. The best example I can think of is Netflix, which allows you to have separate profiles for family members but requires that everyone use the same user/pass to log in. I don't know why they couldn't just have individual passwords for the same account - at least that way I could avoid my mom trying to get everyone in the family to watch Sherlock ("Oh, I didn't see it on your watched list! You should try it!").

Amazon's Kindle app does pretty much the same thing, though it's not directly encouraged - you can log into your Kindle account from several different devices at once, effectively allowing people to share their books with anyone they trust enough. I think this is actually worse than Netflix, because most of the time you're using the Kindle app on a mobile device that can easily be lost or stolen.

The only company I've seen do sharing well is Valve, which has Steam Family Sharing that allows you to "lend" people your account without actually needing to tell them your password.

Re:Encouraged by a lot of places.

[adndgamer]

But really, Sherlock *is* awesome.

Re:90% of people are retarded

[Wycliffe]

I'm also surprised it's not higher but not because people are stupid but because there are a bunch of different use cases.
Even if the bank allows it, what advantage does a husband/wife have to create separate logins for a joint account?
There are plenty of people that share accounts. There might be a sales email address that multiple people in an office take turns checking.
I know quite a few husband/wife pairs that share a single facebook account and I even know a few that share a single email address.
It's not because they're stupid but rather if one or both of them is a light user then it's easier to just have everything in one place.
There are also plenty of not-so-important accounts that people don't really care about and leave the password on a post it note or use 123123 as
the password because there is nothing of importance there and even if someone bothered to hack it, they wouldn't really care.

and...

and 49% of people lie about sharing their passwords

Re:and...

[Nimey]

I share my passwords with nobody but the NSA.

In other words...

[Type44Q]

51% of Computer Users Share Passwords

In other words, "49% of Computer Users Aren't Stupid." (I suspect that's grossly overoptimistic, however.)

Re:In other words...

[Skidborg]

The flaw here is that they don't say which passwords to what, or with whom.

There's no good reason not to share the password to a shared computer, and yet this poll puts anyone who does so in the same box as anyone who graffitis their bank login information on a bridge.

50% are less smart than average

[gweihir]

And the average person is not very smart in the first place. This news item just describes one of the consequences.

Re:50% are less smart than average

[gweihir]

With a good Gaussian distribution (which we have here), it matters little. Some people of course do not have the smarts to deal with things like context or problem parameters.

Elderly family members passwords

[bigmike_f]

Sometimes sharing the passwords of those less technically savvy with those with better skills is necessary and would skew these numbers. Knowing Grandpa's gmail password has helped a lot.

Ok so let's break this down...

[erp_consultant]

"Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic log on to mobile apps and services" - You mean like automatically logging on to GMail on their phones? Ummm...isn't that the way it's supposed to work? I can't see anyone logging in and out of email every time they want to use it. Totally impractical, especially if you have a long and complex password. Like you would if you were concerned about, um, security.

"51% are putting their personal data at risk by sharing usernames and passwords with friends, family and colleagues." - And how did they arrive at this number, exactly? I call BS on this one, particularly given that Intercede just happens to be a company that sells security software for mobile devices. Coincidence? I think not. I'm not disputing that it's a bad idea to share passwords with friends and colleagues (family I'm ok with). What I am questioning are the motives behind it. Obviously, Intercede is trying to get people to panic and buy their software. Typical security industry scare tactics.

"The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device." - The solution is to lock the device. You basically have three choices: use a pattern, a PIN or a password. The pattern could probably be guessed easily enough by someone determined to do so but it's better than nothing. PIN is better, password is best. But it's the age old problem of security vs convenience. I used to put an encrypted passphrase on my phone until it became a complete PITA to use it. So there has to be a balance between safety and convenience. I like what Apple is doing with the fingerprint authentication. It's not perfect but it seems to me that it strikes a nice balance. Simply putting some sort of lock on your device (even a simple swipe pattern) will mitigate a lot of issues. Maybe it should be the factory default for devices?

What percentage of husbands and wives share keys?

[PaulHarper]

This article is hysterical in tone. What percentage of husbands and wives (or other people in relationships) share keys? I mean physical keys to your house and how about actual kitchen knives. I guess it is risky but in the real world people will do it. We do have to trust each other. pavon's (30274) comment above expresses the situation well. On the other hand not putting a PIN or better still a password on your phone, tablet, or laptop is just moronic. And you may as well use full disk encryption while you are at it.

Re: 90% of people are retarded

[frikken+lazerz]

What happens when the inevitable divorce comes along? Flip a coin, your odds of getting in a divorce are the same. Are you make the facebook account part of the divorce court?? I can see it now - "She gets ownership of the pictures, but you get to keep the gaming high scores!" Simply put, it's pretty stupid to share any account, even if you are "forever in love".

meaningless stat...

[Karmashock]

just because family members share passwords doesn't mean its insecure. I know the password to most of my parents email and accounts. But so what... I won't do anything they wouldn't approve of and know them well enough to know what they would and would not approve of... so who cares.

And as to companies... most of them are small and medium sized businesses that have overlapping responsibilities. In those cases, SOME people know some passwords. But rarely does everyone in the office know all the passwords.

Its not unreasonable.

Re:90% of people are retarded

[lolococo]

By "people" do you mean anyone not you? What kind of person are you if you're not "people"?

Re: 90% of people are retarded

[Wycliffe]

If a divorce happens, then having a joint login isn't really a problem as you already
both have access to the money. So you both can log in and see that the other person
already emptied the account. No need to worry about changing the password.

Same with mortage accounts. The fact that the login/password is shared is less
important that the fact that you own a house together. The login/password is
usually only useful for paying the bill and not much else anyways.
It seems pointless to have 2 separate login/passwords and even stupider if
those 2 separate login/passwords can't see each other's payment histories.

Sharing with other people is not the problem

[brentonboy]

People are good at evaluating the risks of sharing personal info with other people.

The real problem is people sharing the same password between multiple sites. People are really bad at evaluating the risks of any given website being hacked and thus making all other sites that use that password hacked as well.

The best thing we can do for security is encourage to write their site-unique passwords on sticky notes and post them clearly and legibly on their monitors. We'd go from millions of people being compromised every day by malicious hackers with a means of really messing you up, to one or two being hacked a day by someone's brother wanting to pull a prank.

Once people make 10 unique passwords, they'll switch to a password manager. But even if they don't, you're safer printing your username and password on a t-shirt than you are re-using the same password on both google.com and adobe.com.

Re:I do not

49percent

That's my password...

That's not your password. I tried logging in. You lied.

problem without an easy solution

[ILongForDarkness]

Passwords/security inherently get in the way of ease of use. Having to enter your password every time is a risk too: easier for people to look over your shoulder and figure out what you are typing, easier to hit max attempts and accidentally lock yourself out etc.

Not an easy thing but it shouldn't just be password but context. We need a way of saying: "my wife can check my email for that important piece of info I need while driving now, but not later". A one time use code. Germany (and probably others) have a similar system for banks. You have your code and confirmation numbers mailed to you. When you start a transaction it asks you for the corresponding code from the list. You could then at least for your bank account only give someone the one code that they are currently being asked for and not have to worry about them running away and doing more transactions later.

of course we share passwords

[Nukenbar]

How else am I supposed to watch HBO?

Re: 90% of people are retarded

[bws111]

What an idoitic statement. First, if something has a 50% chance of happening then it is certainly not 'inevitable'. Second, divorce is not a random event, so comparing it to a coin toss is exceedingly stupid. Passwords aside, we already 'share accounts'. We have joint checking and savings accounts, a joint mortgage, joint ownership of the house, joint ownership of a timeshare, file joint tax returns, etc. What is so different about joint online accounts? Nothing.

Re:90% of people are retarded

[gmhowell]

The rate increases when looking only at the subset of the population who post as AC.

In other news...

[mjmcc]

In other news, 95% of people surveyed are putting their identities at risk by sharing their house and car keys with friends, family and colleagues. "As we lead more and more of our lives in houses and cars, our identities need to be effectively protected – worryingly, it appears that this is not the case at the moment", he continued. "It's not surprising consumers are taking shortcuts such as putting all of their identity cards into a single "wallet" or "purse" that is easily lost, stolen or hacked. It's time for stronger authentication and more sophisticated forms of identity."

The research revealed that consumers are not only sharing keys, but also potentially putting their personal and sensitive information at risk by leaving these "wallets" in easily-visible locations with over half of those who take showers admitting that they leave their wallet on a dresser or table while they do so.

Re:In other news...

[Skidborg]

This is insightful. I wish I had mod points.

Two people have access to my passwords

[EmagGeek]

There are two people who have access to all of my passwords: My wife and my lawyer.

These are the only two people on this planet with whom my communications are protected by legal privilege.

Should the thinkable happen (let's face it, calling untimely death unthinkable is stupid, as it is entirely thinkable), there should be someone left who can access everything to put my affairs in order.

Because password policy is BORKED.

[tekrat]

This is an example of a good password at my company "m7Rx2NqU" -- that's an unrecognizable jumble of characters that only a computer could love, but never a human.

I'd prefer to use "correcthorsebatterystaple" (ala XKCD), but my company's password policies do not let me use a pass phrase, but a jumble of numbers, letters and uppercase.

Re:Because password policy is BORKED.

[Kittenman]

This is an example of a good password at my company "m7Rx2NqU" -- that's an unrecognizable jumble of characters that only a computer could love, but never a human.

I'd prefer to use "correcthorsebatterystaple" (ala XKCD), but my company's password policies do not let me use a pass phrase, but a jumble of numbers, letters and uppercase.

Tut now. I have a couple of dozen passwords, and literally have no idea what they are. But I do know what the password to my Password storage file is. I don't think I've actually known what my bank websites password is for about 5 years. But I know I can use it and change it.

And BTW, my daughter's router password in "CorrectHorseBatteryStaple" in her student flat. I'd wager that's a common one these days, along with MonkeySlut.

I never share mine

[WillAffleckUW]

Which means it's rock solid secure!

1-2-3-4 nobody will ever guess it!

Re:I do not

[flyneye]

I am one of the 51%. I don't see things changing, the computer is a convenience device for most of the world. It needs to be convenient. As per usual, attention must be called to the fact that stolen and misused passwords constitute a crime and examples should be made. I would recommend cutting off the arms of computer criminals at the elbow, so they still have something to scratch their ass with. Enforcement is the answer, failing that, vigilance. Too much money has been spent for personal computers/devices to have every Tom , Dick or Harry trying to make a name for themselves finding and publishing weaknesses. Yes, I am glad bugs are worked out, but, publishing them causes more crime than it prevents and puts black hats on to the right trail. Simply remove the human designation, mistakenly given to the scrubby bastards and open a trophy hunting season.

Re: I do not

Sharing passwords in itself is not so much of an issue. People have trust relations with one another; this is only normal and natural. We should not advise against this.

There are however a few things we can do to make this sharing match our expectations better.

1. Use different passwords for everything. Sharing your netflix account with your friend is a big issue when that same password will let him into your paypal.
2. Use opaque passwords. Passwords should not reveal anything and be truly random. Non-opaque passwords reveal other things and can be used to derive other passwords.
3. Throw away passwords. Don't treat them as valuable property because you managed to memorize it. CHANGE your passwords when a trust relation changes.

I personally recommend Master Password to make this easy; in which case: NEVER share the master password. http://masterpasswordapp.com

Let's share our passwords on /.!

[antdude]

Mine is 1d10t. ;)

Re:I do not

[ko7]

Convenience is a subjective quantity. It is much handier to just leave your keys in your ignition switch than to have to keep track of them or fish around in your pockets every time you want to do something as routine as open your car door or start the engine. (Don't we all just love car-computer analogies?)

Full disclosure has been shown to be the most reliable way to get companies to fix security problems in their software..

Bugs will be found and exploited privately whether public disclosure takes place or not. There is a thriving market for zero-day exploits--exploits that are then used either by governments of criminal organizations to render computing systems to be less reliable and/or secure than their owners would expect them to be.

Some convenience will always have to be sacrificed in the interest of security, whether the system in question is a computer, a car, or a house. The only way to absolutely maximize convenience is to absolutely sacrifice security. (and privacy)

Re:I do not

[flyneye]

Yes, I want to live in a world where I can leave my keys in the car. Amputee ex-car thieves are a good idea.

I'm willing to let competitiveness between companies decide the quality of any product. Amputee criminal hackers are a good idea.

Bugs ARE found and exploited privately with/without disclosure. These zero day groups could easily be providing support for each other in an amputee support group.

Security exists to protect the interests of the customer, who, is always right. No sacrifice except the offending limbs of the guilty is necessary for this scenario.
The only way to maximize security and therefore convenience is to remove the problem from our midst. Let starvation do the rest.

Re:I do not

[flyneye]

That explains those odd posts with my U.I.D.....
  I thought it meant I had blacked out and one of the others took over...