The Psychological Reasons Behind Risky Password Practices (helpnetsecurity.com)
Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."
The way I see it, password reuse is a matter of cognitive load. Most people are unable or unwilling to attempt to remember the umpteen dozen unique passwords they would need on a daily basis, if they were to attempt to use unique secure passwords on every service/device they use. This results in password reuse, more or less out of sheer laziness. It is probable that among this group, there is a cognitive bias against using password keychain services and tools, because it 'feels' like putting all your eggs in one basket. (Somewhat flawed) logic dictates that if someone breaches the master password to your keychain, then they have all of them, which is no different from using the same password everywhere. (Of course, this is not entirely the case, but like I said, cognitive bias.)
Now, as for using 'good' passwords, it follows a similar pattern, with most people unwilling to dedicate the time and effort to memorize what amounts to a 'good' password, when they can remember their spouse's birthday and their first pet's name just fine.
Of course, we have seen time and time again articles arguing both sides of the court, that long random passwords are either effective or not, and correct horse battery staple passwords are effective or not, so this portion of the discussion is going to be long, stupid and frustrating for evangelists on both sides.
Honestly, I've reached a point where I use 'good' passwords where it matters (main email, financial items, Amazon etc.) and just sort of hope for the best when I re-use the same 'decent' password everywhere else (forums, etc.).
I say 'good' because we're at a point where there have been enough breaches that we're all probably fucked anyways.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
A good password is hard for a computer to guess and easy for a human to remember and enter. That is the only metric we should be using for passwords. Screw the 100 different sites and work logins that expect me to have a different password for each. I have a couple of sites that I value enough to use secure passwords on; for the rest, Password1! is good enough.
Work policies that require 8 characters, 1 upper, 1 lower, a number, a symbol and change every 3 months are guaranteed to result in everyone eventually adopting Common1! where Common is any common 6 letter word and the number 1 increments every 3 months.
> Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols.
These requirements profoundly _discourage_ secure passwords. The difficulty of remembering them, and typing them well at a hidden password field, strongly encourages storage of passwords locally in cut&paste text windows or in local plaintext password storage. The current champion application for this security failure is AWS, which stores complex randomized alphanumeric strings which _no one_ can remember, forcing their default inclusion in plaintext local user files or even hardcoded in saved wrapper scripts.
I'm afraid that robust password generation was much better explained and documented in an old XKCD cartoon, https://xkcd.com/936/
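Both points above, that a composition policy waves "Common1!" through and that the same policy rejects an XKCD-style passphrase, can be checked mechanically. The following Python is an added example, not code from the thread or the survey; the policy rules, the tiny word list and the "word + counter + symbol" shape are constructed stand-ins for a real dictionary or breach blocklist.

```python
import re

# Constructed policy from the comment above: 8+ chars, upper, lower, digit, symbol.
COMPOSITION_RULES = [
    (r".{8,}", "8 characters"),
    (r"[A-Z]", "an uppercase letter"),
    (r"[a-z]", "a lowercase letter"),
    (r"[0-9]", "a digit"),
    (r"[^A-Za-z0-9\s]", "a symbol"),
]

# Tiny constructed word list; a real deployment would use a breach/dictionary blocklist.
COMMON_WORDS = {"common", "password", "summer", "winter", "monday", "welcome", "secret"}

# Shape of the 'Common1!' family: letters, a short counter, a trailing symbol or two.
WORD_COUNTER_SYMBOL = re.compile(r"^([A-Za-z]{3,})(\d{1,4})([^A-Za-z0-9]{1,2})$")

# Splits any password into prefix, digit run and suffix for the counter-bump check.
PREFIX_DIGITS_SUFFIX = re.compile(r"^(.*?)(\d+)(\D*)$")


def unmet_composition_rules(pw):
    """Return the rule descriptions that pw fails (empty list means it passes)."""
    return [desc for pat, desc in COMPOSITION_RULES if not re.search(pat, pw)]


def is_word_counter_pattern(pw):
    """True for dictionary word + counter + symbol, e.g. Common1! or Password1!."""
    m = WORD_COUNTER_SYMBOL.match(pw)
    return bool(m) and m.group(1).lower() in COMMON_WORDS


def is_counter_bump(old, new):
    """True when new is old with only its digit run changed (Common1! -> Common2!)."""
    o, n = PREFIX_DIGITS_SUFFIX.match(old), PREFIX_DIGITS_SUFFIX.match(new)
    if not (o and n):
        return False
    return (o.group(1), o.group(3)) == (n.group(1), n.group(3)) and o.group(2) != n.group(2)


def evaluate(pw, previous=None):
    """Composition rules first, then the pattern checks the rules alone never apply."""
    unmet = unmet_composition_rules(pw)
    if unmet:
        return ("reject", "missing " + ", ".join(unmet))
    if is_word_counter_pattern(pw):
        return ("reject", "dictionary word + counter + symbol")
    if previous is not None and is_counter_bump(previous, pw):
        return ("reject", "only the counter changed since last password")
    return ("accept", "ok")
```

Running evaluate over "Common1!", "correct horse battery staple" and "Tr0ub4dor&3" shows the composition rules accepting the first and rejecting the passphrase, while only the pattern checks catch the quarterly Common1!/Common2! rotation.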
As written in the summary:
My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security.
But among all the accounts that people have, how many of them are really worth the effort to reduce the hacking risk? I'd think a lot of people reuse the same passwords on many sites, because they do not really care if they are hacked on most of their accounts. Actually, this is kind of hinted at in TFA:
Additionally, consumers prioritize their password strength based on which accounts they believe need to be the most secure. Respondents indicated that they create the strongest passwords for financial (69 percent), followed by retail (43 percent), social media (31 percent) and entertainment (20 percent).
That would seem to indicate that if people reuse many passwords, they still don't use the same one for their bank and for Facebook... It is strange that TFA asked people if they thought their accounts had value to hackers, but didn't go as far as asking the surveyed people what value they themselves perceived in their accounts.
No, there were no password Ninjas in the deep of night, looking for Post-It Notes under keyboards.
Sad thing is, after all this time and warnings about how it is unsafe, a sticky note out of plain sight is probably one of the most secure ways to store passwords. Especially if you trust the people who have access to your equipment, or if you simply lock them up in a drawer.
Nobody actually takes the risk of physically breaking into a place just to steal passwords. Attempting to break into your database is likely much less risky, much easier to do (given a reasonable hacker skill set), and much more rewarding.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
In the early '90s, when you had one password for your email and that was it, passwords were useful. Now you are supposed to keep more than 30 different, complex passwords. Oh, and you should replace them every 3 months.
But, yeah, people follow risky password practices because of laziness. It's not because passwords are a simple, lazy way to implement authentication that has become unmanageable.
24 character passwords are pretty impractical in my life, and indeed the life of tens of millions of others. Security engineering is much more successful when it works *with* the grain of human nature, not against it.
Passwords suck. Even with SSO, even with a password manager, even with salting and hashing, passwords suck, and will always suck.
You need an authentication token. *One* authentication token. Microsoft can do it, Google can do it, Facebook can do it (but of course they are not compatible).
Millions of little websites still use passwords.
And then Microsoft makes use of Windows 10 (or compatible Windows Phone devices) mandatory for their SSO. Google randomly decides to just drop the whole SSO business. Facebook suspends your account because some asshole from Brazil has complained about one of your holiday snaps. What now? Will you just rebuild your whole online identity? Or forget about the dozens of sites you were participating in?
There are three possible kinds of security factors. Something you know, something you have and something you are (or, more cynically, something you can forget, something you can lose and something that can be chopped off). They all have their advantages and disadvantages, but saying that one is superior to the others is simply and plainly wrong.
And the key reason, btw, why pages don't do it is simple: When people forget their password, resetting that is easy (plus they get your email address so you can reset it in the first place), but if you lose the token...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Centralized authentication and entropy sources for encryption keys are certainly the wet dream of all law enforcement and intelligence services of the world, but it makes zero sense from a security perspective. Zero.