The Psychological Reasons Behind Risky Password Practices (helpnetsecurity.com)
Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."
... corporations are the ones making the world insecure by forcing things online and to have online accounts to track everything. They create massive attack surface in their mad quest for transparent user/customer data and profit.
Look no further than the simple explanation: Password fatigue.
It's not uncommon in a large employer to have 6-10 passwords to different systems, all with different rules. And they change every 30-60 days.
Naturally, this causes users to write them down, sometimes on stickies under their keyboard (agh), sometimes on the stickies program on their frickin desktop (ARGH).
Rather than lamenting this obvious fact, it's time we change standards to recognize what REALLY happens, instead of what SHOULD happen. (Reference: Speed limits, and the real effects. Yes yes, if everyone followed the law exactly, blah blah blah blah. Only stupid or young engineers insist on following this paradigm, completely ignoring the reality.)
It's quite simple, remembering passwords is a mental burden that you rarely find anywhere else in life. For our possessions, we have physical keys that provide weak security and we expect law enforcement to ensure a violation of that weak security and our insurance companies to replace our losses. The closest thing in real life is remembering people's names and there is a common set of names people have that are phonetic as well. If you want to solve the password issue, people need a physical object (a key) that will authenticate them. We will all carry a key like this and once again rely on our weak physical security which requires physical proximity to undermine.
Anons need not reply. Questions end with a question mark.
I recently lost an email account I've had since I was twelve apparently due to one of the eBay breaches. Yes, I used the same password for both (never got around to changing them after I made the transition to randomized passwords) so it's my fault, right?
How about great big "fuck you" instead? How about a wall of shame for every website that does not hash passwords, with salt, prior to transmission over the internet? This is kiddy level shit here. The slowest smartphone in the world should be able to do this in its sleep.
And the majority of sites still have incredibly stupid password policies, almost all forcing you to use special characters and numbers instead of long passphrases which, if properly constructed (such as via dicewords), can be considerably more secure than the average "unicorn16!" type password. Some sites even impose a ridiculous maximum length policy, and some sites also forbid certain special characters, probably for some horribly depressing reason like they can't be bothered to make sure the password field can't be used for SQL injection or overflow attacks.
Work passwords aren't much better. The constant changing is completely pointless; everyone either uses a very simple incrementing number system (often tied to the current month) or they use Post-Its. A sane alternative would be to track logins and alert the user and/or security admins of unusual times or locations and to use keyfiles on smartcards or regular USB drives.
I've checked the literature and these ridiculous practices are still being taught to people studying for CompTIA certifications. Can't someone please... I don't know, do something about this? Can't we have some industry leaders say that they're no longer recognizing CompTIA Security+ or Network+ certifications as worth anything? This shit has been going on for far too long, and in an effort to make up for their shitty password infrastructure many places are adopting painfully annoying supplementary security systems.
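The passphrase-versus-"unicorn16!" comparison in the post above, worked through as an added example (not code from the post or from any site it mentions). The word list is a constructed stand-in for a real diceware list, and the dictionary size, symbol count and cracking rate are assumed illustrative constants.

```python
import math
import secrets

# Constructed miniature word list; a real diceware list has 6**5 = 7776
# words (five dice rolls pick one), and the entropy figures use that size.
SAMPLE_WORDS = ["apple", "brick", "cloud", "delta", "ember", "frost", "grape", "hinge"]
DICEWARE_LIST_SIZE = 6 ** 5

def generate_passphrase(num_words, wordlist=SAMPLE_WORDS):
    """Pick words with the CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))

def diceware_entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Each word is an independent uniform draw, so the bits simply add up."""
    return num_words * math.log2(list_size)

def naive_charset_entropy_bits(password, charset_size=94):
    """What a 'must contain upper, lower, digit, symbol' policy implicitly
    assumes: every character is uniform over the printable ASCII set."""
    return len(password) * math.log2(charset_size)

def pattern_entropy_bits(dictionary_size=20000, digit_count=2, symbol_choices=32):
    """Realistic guess space for 'word + digits + symbol' passwords such as
    'unicorn16!': a cracker tries common words with digit/symbol suffixes.
    Dictionary and symbol sizes are assumed, illustrative constants."""
    return math.log2(dictionary_size * 10 ** digit_count * symbol_choices)

def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try the whole space at an assumed offline cracking rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(6))
    print(f"naive   'unicorn16!': {naive_charset_entropy_bits('unicorn16!'):.1f} bits")
    print(f"pattern 'unicorn16!': {pattern_entropy_bits():.1f} bits")
    print(f"6-word diceware:      {diceware_entropy_bits(6):.1f} bits")
```

The naive per-character count credits "unicorn16!" with about 65 bits, while the word-plus-suffix model a cracker actually uses leaves it around 26 bits; six diceware words sit near 78 bits regardless of how the attacker models them.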
If servers would just be smart about always requiring a captcha for each additional login attempt, and limit amount of login attempts, email on failed login attempts, have timeouts between login attempts... :)
Well, then passwords don't have to be strong. This doesn't fix password reuse though.
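The server-side controls described in the two posts above (a captcha after a failed attempt, a cap on attempts with growing timeouts, and alerts on failed logins, unusual hours or new locations), combined in one added example that is not code from any poster or product. The `LoginGuard` class, its thresholds and the quiet-hours window are all assumptions chosen for illustration.

```python
from collections import defaultdict

class LoginGuard:
    """Per-account throttling plus anomaly alerts. Constructed for this
    example; thresholds are illustrative, not a recommendation."""

    def __init__(self, free_failures=3, base_delay=2.0, max_delay=900.0,
                 quiet_hours=range(0, 6)):
        self.free_failures = free_failures   # failures allowed before delays start
        self.base_delay = base_delay         # seconds; doubles per extra failure
        self.max_delay = max_delay
        self.quiet_hours = quiet_hours       # hours of day treated as unusual
        self.failures = defaultdict(int)     # consecutive failures per user
        self.not_before = defaultdict(float) # earliest allowed next attempt
        self.known_locations = defaultdict(set)
        self.alerts = []                     # what an admin/user would be emailed

    def wait_seconds(self, user, now):
        """Seconds the caller must still wait before another attempt."""
        return max(0.0, self.not_before[user] - now)

    def requires_captcha(self, user):
        """Captcha for every attempt after the first failure."""
        return self.failures[user] >= 1

    def record_failure(self, user, now):
        """Exponential backoff once free failures are used up; returns wait."""
        self.failures[user] += 1
        excess = self.failures[user] - self.free_failures
        if excess > 0:
            delay = min(self.base_delay * 2 ** (excess - 1), self.max_delay)
            self.not_before[user] = now + delay
            self.alerts.append(f"{user}: {self.failures[user]} consecutive failed "
                               f"logins, next attempt allowed in {delay:g}s")
        return self.wait_seconds(user, now)

    def record_success(self, user, now, location, hour):
        """Reset throttling and flag new locations or quiet-hour logins."""
        self.failures[user] = 0
        self.not_before[user] = 0.0
        known = self.known_locations[user]
        if known and location not in known:
            self.alerts.append(f"{user}: login from new location {location}")
        known.add(location)
        if hour in self.quiet_hours:
            self.alerts.append(f"{user}: login at unusual hour {hour:02d}:00")
        return len(self.alerts)
```

Throttling is keyed per account here; a deployment would also key on source address so one attacker cannot lock a victim out indefinitely, and would persist state across server instances.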