The Psychological Reasons Behind Risky Password Practices (helpnetsecurity.com)
Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."
That's the reason.
"Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols."
This would be great advice... for a person in 2002.
#DeleteChrome
... corporations are the ones making the world insecure by forcing things online and to have online accounts to track everything. They create massive attack surface in their mad quest for transparent user/customer data and profit.
The way I see it, password reuse is a matter of cognitive load. Most people are unable or unwilling to attempt to remember the umpteen dozen unique passwords they would need on a daily basis, if they were to attempt to use unique secure passwords on every service/device they use. This results in password reuse, more or less out of sheer laziness. It is probable that among this group, there is a cognitive bias against using password keychain services and tools, because it 'feels' like putting all your eggs in one basket. (Somewhat flawed) logic dictates that if someone breaches the master password to your keychain, they have all of them, which is no different than using the same password everywhere. (Of course, this is not entirely the case, but like I said, cognitive bias.)
Now, as for using 'good' passwords, it follows a similar pattern, with most people unwilling to dedicate the time and effort to memorize what amounts to a 'good' password, when they can remember their spouse's birthday and their first pet's name just fine.
Of course, we have seen time and time again articles arguing both sides of the court, that long random passwords are either effective or not, and correct horse battery staple passwords are effective or not, so this portion of the discussion is going to be long, stupid and frustrating for evangelists on both sides.
Honestly, I've reached a point where I use 'good' passwords where it matters (main email, financial items, Amazon etc.) and just sort of hope for the best when I re-use the same 'decent' password everywhere else (forums, etc.).
I say 'good' because we're at a point there have been enough breaches that we're all probably fucked anyways.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
Encrypt all data on their own end? If staff walk away with data or someone enters the network, nothing useful can be fully recovered?
The site works with the username and weak password on creation to ensure better server side protection against plain text walk outs, usable network data loss or buying into cheap "standard" reversible crypto?
Could an extra layer of security be added to data on a network, during storage and real time use?
Expecting users to change habits and still enjoy a site is a big ask, what could owners and admins code in to help?
No more walk outs, no more bulk plain text data left on any internal or internet facing server for years?
Domestic spying is now "Benign Information Gathering"
wasn't there just an article on the front page saying that using a variety of different passwords, and changing them often, is a less secure approach to passwords?
Or maybe the complex passwords *ARE* the problem. Who the hell can remember 100 different complex passwords?
Repeat after me: TWO FACTOR AUTHENTICATION!
Use a simple password and an authenticator that produces a one-time password.
Look no further than the simple explanation: Password fatigue.
It's not uncommon in a large employer to have 6-10 passwords to different systems, all with different rules. And they change every 30-60 days.
Naturally, this causes users to write them down, sometimes on stickies under their keyboard (agh), sometimes on the stickies program on their frickin desktop (ARGH).
Rather than lamenting this obvious fact, it's time we change standards to recognize what REALLY happens, instead of what SHOULD happen. (Reference: Speed limits, and the real effects. Yes yes, if everyone followed the law exactly, blah blah blah blah. Only stupid or young engineers insist on following this paradigm, completely ignoring the reality.)
I often come up with nice long passwords that would take decades to crack, but the system won't let me, so I end up with some sort of keyboard pattern that *gasp* shockingly gets repeated with shift held down to double the characters, and this allows the minimum number and symbol count. If they removed the stupid rules, we could use good passwords.
A good password is hard for a computer to guess and easy for a human to remember and enter. That is the only metric we should be using for passwords. Screw the 100 different sites and work logins that expect me to have a different password for each. I have a couple of sites that I value enough to use secure passwords on, the rest Password1! is good enough.
Work policies that require 8 characters, 1 upper, 1 lower, a number, a symbol and change every 3 months are guaranteed to result in everyone eventually adopting Common1! where Common is any common 6 letter word and the number 1 increments every 3 months.
A password is intended to ALLOW access. If I come up with random "complex" passwords, I will either have to write them down, or use some sort of password safe, because they are intrinsically not "mnemonic". For many things I just don't care very much, and I have to have dozens to hundreds of new passwords a year.
There has to be a compromise between security and functionality, and people are making that compromise.
It's quite simple, remembering passwords is a mental burden that you rarely find anywhere else in life. For our possessions, we have physical keys that provide weak security and we expect law enforcement to ensure a violation of that weak security and our insurance companies to replace our losses. The closest thing in real life is remembering people's names and there is a common set of names people have that are phonetic as well. If you want to solve the password issue, people need a physical object (a key) that will authenticate them. We will all carry a key like this and once again rely on our weak physical security which requires physical proximity to undermine.
Anons need not reply. Questions end with a question mark.
I recently lost an email account I've had since I was twelve, apparently due to one of the eBay breaches. Yes, I used the same password for both (never got around to changing them after I made the transition to randomized passwords), so it's my fault, right?
How about great big "fuck you" instead? How about a wall of shame for every website that does not hash passwords, with salt, prior to transmission over the internet? This is kiddy level shit here. The slowest smartphone in the world should be able to do this in its sleep.
And the majority of sites still have incredibly stupid password policies, almost all forcing you to use special characters and numbers instead of long passphrases which, if properly constructed (such as via dicewords), can be considerably more secure than the average "unicorn16!" type password. Some sites even impose a ridiculous maximum length policy, and some sites also forbid certain special characters, probably for some horribly depressing reason like they can't be bothered to make sure the password field can't be used for SQL injection or overflow attacks.
Work passwords aren't much better. The constant changing is completely pointless; everyone either uses a very simple incrementing number system (often tied to the current month) or they use Post-Its. A sane alternative would be to track logins and alert the user and/or security admins of unusual times or locations and to use keyfiles on smartcards or regular USB drives.
I've checked the literature and these ridiculous practices are still being taught to people studying for CompTIA certifications. Can't someone please... I don't know, do something about this? Can't we have some industry leaders say that they're no longer recognizing CompTIA Security+ or Network+ certifications as worth anything? This shit has been going on for far too long, and in an effort to make up for their shitty password infrastructure many places are adopting painfully annoying supplementary security systems.
That's why most people don't care and don't change their behavior. Those of us with technical backgrounds are seeing this problem from a fundamentally different perspective that most people don't share.
Most people just don't care enough about this, that is the sad truth.
Amen. One medical lab I must access patient reports from on a roughly monthly basis has the usual annoying password rules (upper case, lower case, number, punctuation), and forces me to change it every couple of months (no repeats). How the hell do they expect me to remember a seldom used password that changes almost every other time I use it? So it's incremental Keyword.## for me (I'm up to Keyword.32 as of this writing). Seriously, I've been forced to change my password to this site 32 goddamn times. End users will always find an easy hackable way around inconvenient password restrictions.
Because the biggest single problem my customers have is remembering passwords, the first thing I tell them is write them all down in a safe place. Everyone has a good place they can hide a sheet of paper.
I'm fully aware that a significant fraction of the password cheat sheets will end up taped to the monitor, but in my customer demographic the online threat and the physical break-in threat are totally disjoint. Even their laptops seldom leave the house.
> Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols.
These requirements profoundly _discourage_ secure passwords. The difficulty of remembering them, and typing them well at a hidden password field, strongly encourages storage of passwords locally in cut&paste text windows or in local plaintext password storage. The current champion application for this security failure is AWS, which stores complex randomized alphanumeric strings which _no one_ can remember, forcing their default inclusion in plaintext local user files or even hardcoded in saved wrapper scripts.
I'm afraid that robust password generation was much better explained and documented in an old XKCD cartoon, https://xkcd.com/936/
Because people remember fidothedog or maybe f1d0th3d0g better than 656&+fDs9()x/\-
As written in the summary:
My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security.
But among all the accounts that people have, how many of them are really worth the effort to reduce the hacking risk? I'd think a lot of people reuse the same passwords on many sites, because they do not really care if they are hacked on most of their accounts. Actually, this is kind of hinted at in TFA:
Additionally, consumers prioritize their password strength based on which accounts they believe need to be the most secure. Respondents indicated that they create the strongest passwords for financial (69 percent), followed by retail (43 percent), social media (31 percent) and entertainment (20 percent).
That would seem to indicate that if people reuse many passwords, they still don't use the same one for their bank and for Facebook... It is strange that TFA asked people if they thought their accounts had value to hackers, but didn't go as far as asking the surveyed people what value they perceived in their own accounts.
Every chip and PIN credit card already has a crypto-token in it. The solution is literally in our pockets. It doesn't rely on the cell phone, or the cell phone battery being charged. It requires only a banking account. It's not a government-issued ID, and you're not restricted to one. It's adequately secure for banking, which is a pretty high bar. It can be used as an authenticated ID in every country that requires banks to identify their customers, and with a trivial amount of work, could also hold an anonymized token. And, requiring a PIN, it's quite secure against both physical compromise and keyboard sniffing.
The solution and the problem exist.
Passwords should be long to be secure, and they should *allow* for upper and lower case, symbols, and numbers.
The key is length. A "complex" short password is easy to own and hard to remember. A "simple" long password is easy to remember and nearly impossible to own.
The only drawback is entry with limited input systems.
In the early '90s, when you had one password for your email and that was it, passwords were useful. Now you are supposed to keep more than 30 different, complex passwords. Oh, and you should replace them every 3 months.
But, yeah, people follow risky password practices because of laziness. It's not because passwords are a simple, lazy way to implement authentication that has become unmanageable.
People are bone idle lazy tests, who think they can always pass the buck for their own laziness having consequences..
Simple..
There was some sort of cryptographic way to identify users. Like a certificate or something that was checked by a notary. Ahhh, too hard, I'll just implement complex passwords. Hmmm, users find my app too hard to log in to, I'll just relax this requirement a little.
If servers would just be smart about always requiring a captcha for each additional login attempt, and limit the number of login attempts, email on failed login attempts, have timeouts between login attempts... :)
Well, then passwords don't have to be strong. This doesn't fix password reuse though
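The server-side throttling the two comments above sketch (captcha after the first failure, a growing pause between attempts, a notification once failures pile up), as an added example that is not from the thread; the attempt log, IP addresses, account name and thresholds are all constructed for illustration:

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LoginAttempt:
    account: str
    source_ip: str
    timestamp: float   # seconds; constructed values in the sample below
    success: bool      # in a real server this comes from verifying the credential


class LoginThrottle:
    """Per-account failed-login tracking with exponential backoff and alerting."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 alert_after=5, window=3600.0):
        self.free_attempts = free_attempts   # failures allowed before pauses start
        self.base_delay = base_delay         # first enforced pause, in seconds
        self.max_delay = max_delay           # cap so a hammered account still recovers
        self.alert_after = alert_after       # failures in the window that raise an alert
        self.window = window                 # how long a failure counts against an account
        self.failures: Dict[str, List[float]] = {}
        self.locked_until: Dict[str, float] = {}
        self.alerts: List[dict] = []

    def _prune(self, account: str, now: float) -> None:
        # Forget failures older than the window so one bad day does not lock forever.
        self.failures[account] = [t for t in self.failures.get(account, [])
                                  if now - t < self.window]

    def captcha_required(self, account: str, now: float) -> bool:
        """Any recent failure means the next form submission must carry a captcha."""
        self._prune(account, now)
        return bool(self.failures[account])

    def decide(self, attempt: LoginAttempt) -> str:
        """'throttled': refused before credentials are checked; 'ok' or 'fail' otherwise."""
        acct, now = attempt.account, attempt.timestamp
        if now < self.locked_until.get(acct, 0.0):
            return "throttled"
        self._prune(acct, now)
        if attempt.success:
            self.failures[acct] = []            # a good login resets the counters
            self.locked_until.pop(acct, None)
            return "ok"
        self.failures[acct].append(now)
        n = len(self.failures[acct])
        if n >= self.free_attempts:
            # 2 s, 4 s, 8 s, ... up to max_delay: cheap for a user, costly for a guesser
            delay = min(self.base_delay * 2 ** (n - self.free_attempts), self.max_delay)
            self.locked_until[acct] = now + delay
        if n == self.alert_after:
            # Hook for the "email on failed login attempts" idea above
            self.alerts.append({"account": acct, "source_ip": attempt.source_ip,
                                "failures": n, "at": now})
        return "fail"


def run_sample() -> dict:
    # Constructed log: a burst of failures against one account from a
    # documentation-range IP, then the legitimate owner logging in.
    attempts = [
        LoginAttempt("alice", "203.0.113.5", 0.0, False),
        LoginAttempt("alice", "203.0.113.5", 1.0, False),
        LoginAttempt("alice", "203.0.113.5", 2.0, False),   # 3rd failure: 2 s pause
        LoginAttempt("alice", "203.0.113.5", 3.0, False),   # refused, still paused
        LoginAttempt("alice", "203.0.113.5", 4.0, False),   # 4th failure: 4 s pause
        LoginAttempt("alice", "203.0.113.5", 5.0, False),   # refused
        LoginAttempt("alice", "203.0.113.5", 10.0, False),  # 5th failure: alert, 8 s pause
        LoginAttempt("alice", "198.51.100.7", 20.0, True),  # owner succeeds, counters reset
    ]
    throttle = LoginThrottle()
    captcha, decisions = [], []
    for a in attempts:
        captcha.append(throttle.captcha_required(a.account, a.timestamp))
        decisions.append(throttle.decide(a))
    return {"decisions": decisions, "captcha": captcha, "alerts": throttle.alerts,
            "captcha_after_reset": throttle.captcha_required("alice", 21.0)}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```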
Begin article.
Passwords are a chore to remember. People are lazy.
End article.
systemd is Roko's Basilisk.
The reason people re-use passwords is overwhelmingly because so many sites require them. A vanishingly small percentage of the population could realistically expect to remember what may be 100 or more passwords to manage all their online activities. The variations in password acceptance across all those sites is equally irritating ("Do not use special characters" "You must use at least one special character" "Password must be at least 8 characters" "Password must be exactly six characters" etc etc).
There are a number of sites I use infrequently, such as my pensions website, where I have to rely on password reset *every* *goddamn* *time*.
Password Cracking - Computerphile
A password's usefulness is in both its length and uniqueness. |\|() @/\/\0V|\|+ 0F $`|'/\/\B0|_$ makes a password more secure, it just makes it frustrating to remember.
If a site puts any form of restriction on passwords, I don't bother using it. You want numbers, uppercase, and symbols? Well my password is now "Qwerty1!", congratulations, it's easier to hack than SlapTheDamselYouHooligan and harder to remember.
> There are a number of sites I use infrequently, such as my pensions website, where I have to rely on password reset *every* *goddamn* *time*.
That's fine. Think of it as an ad-hoc form of authentication service. Instead of providing a password to prove who you are, they securely send a token to you via a trusted third party service (your email provider) which you then authorize.
Because the reset goes via that system, it's no less secure relying on it all the time than it is remembering the password. I actually explicitly use that method for some websites. I just generate a random password using:
head -c 10 /dev/random | base64
(The 10 characters ensures == at the end so you always get symbols), then paste it in and reset the password using the same mechanism 6 months later when I want to return.
Some websites have started getting with the program and, as well as a full reset, offer to send you a one-time login link.
SJW n. One who posts facts.
I think a typology of accounts is more relevant than this (quite speculative) typology of users.
Weak accounts: Most of my accounts are absolutely worthless to other people. I've only registered them because the stupid site forced me to have an account in order to post or view content. If Slashdot didn't have AC posting I would use a bugmenot clone or register throwaway accounts all the time, while taking great care not to establish identity, i.e. switch and share them, and keeping them as separate from strong accounts as possible. The password for those would be as weak as the site allows. If the site requires a "strong" password I write it on a postit and into an unprotected passwords.txt file.
Weak passwords are unrecoverable because the account was registered to a throwaway email address for spam/tracking protection.
Strong accounts: Anything to do with money, realname, personal data or authorities. Also sites where I want to establish longterm pseudonymous identity. Those would use a separate, secure browser with antitracking, HTTPS only, session cookies only. A strong account needs a strong, ideally random password. Strong passwords are too complex to remember more than one of them, so I need to use a password vault with one master password. Whenever I am away from the password vault, I use the "forgotten password" link.
Most important rule: Never write a strong password down, never give it to anybody. As soon as you entrust a password to another person or worse, to another site, consider it compromised.
I have seen it argued by experienced security professionals that any password that can be remembered is probably easy to crack with current CPU based systems.
RogerWilco the Adventurous Janitor
I'm bummed that I have to post AC because I have no idea what my PW on Slashdot is (ironic, right?) because I have a serious question about this and likely no one will see it. My question is, what's my exposure that would drive me to a more secure password? What exactly do I have to lose? I don't do online banking, I talk to my broker on the phone only if I want to make adjustments to my portfolio. So, someone is going to post mean things to my neglected Facebook account? They'll mess with my Yahoo FFL team? Years ago Blizzard got hacked and PWs were taken - Blizzard sent out an email warning users to change their PW, which I ignored. Six months later I felt a yen to play StarCraft II, and found I couldn't get into my account because someone else had taken it and changed the PW. I emailed Blizzard, told them someone else had my account from their PW hack, and within 24 hours they had reassigned it to me with a new PW. Problem solved (oh, and whoever used the account had purchased Diablo III, so I got a free copy of that, plus the insane amount of legendary equipment they had accumulated). Absolutely the worst thing that might happen, and I'm not really sure how it would, is someone would use my credit card to buy stuff (maybe by logging into my Amazon account as me or something, but even then they would need the 3-digit code off the back of the credit card to complete the transaction), and by law (at least in America) my liability is limited to $50, and the one time years ago, long pre-internet, that I had a credit card stolen I didn't even have to pay that. So again I ask, what's my motivation to be all cloak and dagger with my PW?
Obvious observation is obvious. How about an informed presentation/discussion of solutions to this problem? That would make this an interesting submission, which it isn't. Borderline clickbait.
Troglodytes don't realize the implications of credentials being shared across multiple services--especially for sensitive services--and they never will. These are the same folks that don't care. I know lots of troglodytes ... they all believe that they're such a small target that they don't have to worry. They're also the same folks that don't pay attention to world news. TROGLODYTES!
Passwords aren't the problem. We can't fix stupid. PEBKAC. All. The. Time.
Let's look at it this way. As long as there are troglodytes ... we'll all have jobs designing and implementing policies and services which just work in the background. I don't know about you all ... but I don't mind the work.
for low level sites is "deleteC:\*.*"
> passwords should contain uppercase and lowercase letters, numbers and symbols
No, far more effective would be minimum password (phrase) length. People thinking 8 characters are fine as long as it is leet-speak is a problem. The way most people use uppercase, numbers, and symbols make the dictionaries a little more tedious, but not *that* much more so.
Sure, the most secure approach is totally random, but if people insist on it being human friendly, number of characters is the key point to emphasize.
XML is like violence. If it doesn't solve the problem, use more.
They look like a great system now, until you lose the physical token. If they ever become popular, then I'm sure there will be techniques to subvert them - MITM, phishing or misdirection - I'm not smart enough to guess. If they ever become popular, then I'm sure the 'lost token' problem will frequently be solved by having a password backdoor around the token.
It's like losing your house keys, only worse. Tokens are a good first step, but before they become widespread we need to consider curation, recovery of data if the token is lost, damaged, or corrupted (or just breaks over time), etc. Google-style pre-generated keys are one idea (but again, where are they stored, how vulnerable are they, and how can you ensure they're available when needed?).
All of these questions will have reasonable technical answers (blockchain might make an interesting audit/recovery trail, but I don't know enough to do more than wildly speculate) or at least sensible compromises that cover most use cases and scenarios, but it requires a lot of thought, and a standard agreed upon by everyone that is solid, "upgradeable" in the sense that the standard can change in a modular fashion if issues are found (as they usually are eventually with most cryptographic solutions).
This is a precursor to how we would use quantum encryption in anger, as that becomes a token subject to decay if you look at it wrong. Seriously though, a quantum particle pair is the ultimate token, both in terms of security, but also in terms of fragility. How do you recover data in such a scenario if the token is lost or corrupted, without leaving a backdoor that compromises your security entirely? Multiple valid keys, but curated, managed, maintained, and stored how?
It's not about understanding the risks. It's about considering the dangers to be significant. I reuse passwords all over the place, and most of my passwords are very simple. And I understand that because of my behaviour, it'd be very easy to hack into my slashdot account. There's no paradox there. I don't consider my slashdot account to be vital. If someone wants to hack into my slashdot account, I could care less. I'll get another slashdot account. It was free the first time. It'll be free the second time.
There are very very few passwords that actually protect something special. Even with my bank account, I'm not responsible for losses due to theft. Everything's insured by everybody along the chain, and most things are completely reversible.
Even my business passwords, that protect all of my clients' data and support my livelihood, are restricted from the office, and the data is backed up in eight ways.
Identity theft would probably be the biggest threat to most morons these days. For me, it'd be a ten-minute inconvenience. It would mean visiting the bank, and saying: "I think someone's stolen my identity". Lori would say: "That sucks, let's freeze the old accounts and create some new accounts for you."
So what passwords protect something vital in your life?
The issue is that GPU scaling has exceeded the functional life of passwords. So we make longer more complex passwords and next year or the next some GPU breakthrough will enable those to be broken in reasonable time. It's just a delaying action against the inevitable death of passwords as a valid authentication option.
Unless there's money involved, I don't bother with a strong password.
Why? Because even if my password protocol and tradecraft are bulletproof, most sites aren't. Sites get compromised so often that even a good password will fall in a year or two. Or your password _manager_ gets compromised.
So... why bother? Start with "Password#1!" (which almost all sites will accept as "strong") and when (not if, when) that compromises, move to "Password#2". And so forth.
Okay.... don't use the word "password". Use "Starbucks#1". Or "Galactica#!".
Other than a very few sites worthy of _trying_ to protect (your bank and maybe your primary email) one password shared across all sites is more than adequate because compromise is inevitable. Make the cost of compromise as close to nil as possible; that's the optimal behavior. I mean, who cares if your brownie recipe gets trashed?
And never, ever store a password that can be turned into money on anything more connected than a post-it note in your wallet next to your Benjamins.
Where's the study of the psychological reasons security techs think users will listen to their stupid demands. They say things like, "first, pick a hard-to remember password for *each* of your hundred or so websites, and don't write them down." The proper response to that is clear-- "yeah, that'll happen." Security technology that depends on user memory is doomed to fail and stupid on its face.
Go through your text, and everywhere where it says "password" change it to say "passphrase."
The password-setting step, where you have the user initialize their password, should also say "don't re-use the same passphrase that you use somewhere else." Just say it. (If users want to ignore it, fine. You can't help people who don't want to be helped.)
This doesn't fix all the problems, but it fixes the most, in the smallest amount of time/effort. One of your interns can do all this in a single morning.
...
After that, make sure you're hashing, but use something already invented for this job rather than trying to figure it out yourself. (This might not be a job for an intern, though I bet it could, at some places.)
Congratulations, your site is now better than the other 99.9%. We'll revisit and update these decisions in a century or two, when you're considered to be better than only about 90%.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
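The site-side half of the recipe above (a length-only passphrase policy, then hashing "with something already invented for this job"), and the earlier calls for salted hashing and for minimum length over composition rules, as one added example that is not from the thread. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the length limits and iteration count are constructed values to tune per deployment.

```python
import base64
import hashlib
import hmac
import os

# Policy constants (constructed, not from the article): length is the only
# requirement, no uppercase/digit/symbol rules, and a generous maximum so
# long passphrases are never silently truncated.
MIN_PASSPHRASE_LENGTH = 16
MAX_PASSPHRASE_LENGTH = 256

# KDF parameters: a per-user random salt and a slow, iterated hash. The
# iteration count is illustrative; raise it until one hash costs ~100 ms.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2-sha256"


def check_policy(passphrase: str) -> list:
    """Return the list of policy violations; an empty list means the passphrase is acceptable."""
    problems = []
    if len(passphrase) < MIN_PASSPHRASE_LENGTH:
        problems.append(f"passphrase must be at least {MIN_PASSPHRASE_LENGTH} characters")
    if len(passphrase) > MAX_PASSPHRASE_LENGTH:
        problems.append(f"passphrase must be at most {MAX_PASSPHRASE_LENGTH} characters")
    return problems


def hash_passphrase(passphrase: str) -> str:
    """Produce a self-describing record: scheme$iterations$salt$digest (all base64 where binary)."""
    salt = os.urandom(SALT_BYTES)   # fresh per user, so equal passphrases yield different records
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join([SCHEME, str(PBKDF2_ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_passphrase(passphrase: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False            # malformed record: treat as a failed login, never as a match
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def register(passphrase: str) -> str:
    """Enforce the policy, then store only the derived record, never the passphrase."""
    problems = check_policy(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_passphrase(passphrase)


if __name__ == "__main__":
    # Constructed sample passphrases drawn from the thread's own examples.
    for candidate in ["Password1!", "correct horse battery staple",
                      "I am Goosnarp, take me to your liter"]:
        print(candidate, "->", check_policy(candidate) or "ok")
    record = register("correct horse battery staple")
    print(record)
    print(verify_passphrase("correct horse battery staple", record))   # True
    print(verify_passphrase("Correct horse battery staple", record))   # False
```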
Not to mention current GPU-based systems. Add 2 characters. Now, who is able to remember a 14-digit random password? No one. So let's give up on brute force and just implement attack detection on the web interface. The rest is futile.
Keepass protected by a password that is a long (30+ character) meaningful (to the user) SENTENCE.
For more security, add a made up word or two and numbers to the sentence.
If you can remember it then it's insecure.
https://fidoalliance.org
I have a bunch of web sites that I use that have no need for a strong password. I don't have a credit card stored on them. I use disposable e-mail accounts with them. So YES I reuse passwords on them. Big freaking deal.
Now for my financial sites... AWS with two-factor authentication... work... etc. Yes, I use good password policy.
But seriously people, you can't generalize password behavior.
Just saying
Just make up a word. Use just the word on its own for stuff you don't care about. Put it into a little poem or sentence for sites you do care about.
Example: "Goosnarp". Even without exotic characters, it's not an easy crack. For your on-line banking, you might use "I am Goosnarp, take me to your liter".
I've calculated my velocity with such exquisite precision that I have no idea where I am.