The Psychological Reasons Behind Risky Password Practices (helpnetsecurity.com)
Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."
That's the reason.
... corporations are the ones making the world insecure by forcing things online and to have online accounts to track everything. They create massive attack surface in their mad quest for transparent user/customer data and profit.
The way I see it, password reuse is a matter of cognitive load. Most people are unable or unwilling to attempt to remember the umpteen dozen unique passwords they would need on a daily basis, if they were to attempt to use unique secure passwords on every service/device they use. This results in password reuse, more or less out of sheer laziness. It is probable that among this group, there is a cognitive bias against using password keychain services and tools, because it 'feels' like putting all your eggs in one basket. (somewhat flawed) Logic dictates that if someone breaches the master password to your keychain, and they have all of them, which is no different than using the same password everywhere. (of course, this is not entirely the case, but like I said, cognitive bias)
Now, as for using 'good' passwords, it follows a similar pattern, with most people unwilling to dedicate the time and effort to memorize what amounts to a 'good' password, when they can remember their spouses birthday and their first pet's name just fine.
Of course, we have seen time and time again articles arguing both sides of the court, that long random passwords are either effective or not, and correct horse battery staple passwords are effective or not, so this portion of the discussion is going to be long, stupid and frustrating for evangelists on both sides.
Honestly, I've reached a point where I use 'good' passwords where it matters, (main email, financial items, Amazon etc) and just sort of hope for the best when I re-use the same 'decent' password everywhere else (forums, etc)
I say 'good' because we're at a point where there have been enough breaches that we're all probably fucked anyways.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
Encrypt all data on their own end? If staff walk away with data or someone enters the network, nothing useful can be fully recovered?
The site works with the username and weak password on creation to ensure better server side protection against plain text walk outs, usable network data loss or buying into cheap "standard" reversible crypto?
Could an extra layer of security be added to data on an network, during storage and real time use be added?
Expecting users to change habits and still enjoy a site is a big ask, what could owners and admins code in to help?
No more walk outs, no more bulk plain text data left on any internal or internet facing server for years?
Domestic spying is now "Benign Information Gathering"
Or maybe the complex passwords *ARE* the problem. Who the hell can remember 100 different complex passwords?
Repeat after me: TWO FACTOR AUTHENTICATION!
Use a simple password and an authenticator that produces a one-time password.
Look no further than the simple explanation: Password fatigue.
It's not uncommon in a large employer to have 6-10 passwords to different systems, all with different rules. And they change every 30-60 days.
Naturally, this causes users to write them down, sometimes on stickies under their keyboard (agh), sometimes on the stickies program on their frickin desktop (ARGH).
Rather than lamenting this obvious fact, it's time we change standards to recognize what REALLY happens, instead of what SHOULD happen. (Reference: Speed limits, and the real effects. Yes yes, if everyone followed the law exactly, blah blah blah blah. Only stupid or young engineers insist on following this paradigm, completely ignoring the reality.)
I often come up with nice long passwords that would take decades to crack, but the system won't let me, so I end up with some sort of keyboard pattern that *gasp* shockingly gets repeated with shift held down to double the characters and this allows the minimum number and symbol count. If they removed the stupid rules, we could use good passwords.
I'm pretty sure that most employees who are forced to pick new passwords once/month just use something like:
This meets all of the upper/lower/digit/symbol requirements, and it never repeats.
I also think the ones that don't use this method just write the password down on a post-it note that they keep in the office.
A good password is hard for a computer to guess and easy for a human to remember and enter. That is the only metric we should be using for passwords. Screw the 100 different sites and work logins that expect me to have a different password for each. I have a couple of sites that I value enough to use secure passwords on, the rest Password1! is good enough.
Work policies that require 8 characters, 1 upper, 1 lower, a number, a symbol and change every 3 months are guaranteed to result in everyone eventually adopting Common1! where Common is any common 6 letter word and the number 1 increments every 3 months.
A password is intended to ALLOW access. If I come up with random "complex" passwords, I will either have to write them down, or use some sort of password safe, because they are intrinsically not "mnemonic". For many things I just don't care very much, and I have to have dozens to hundreds of new passwords a year.
There has to be a compromise between security and functionality, and people are making that compromise.
It's quite simple, remembering passwords is a mental burden that you rarely find anywhere else in life. For our possessions, we have physical keys that provide weak security and we expect law enforcement to ensure a violation of that weak security and our insurance companies to replace our losses. The closest thing in real life is remembering people's names and there is a common set of names people have that are phonetic as well. If you want to solve the password issue, people need a physical object (a key) that will authenticate them. We will all carry a key like this and once again rely on our weak physical security which requires physical proximity to undermine.
Anons need not reply. Questions end with a question mark.
I recently lost an email account I've had since I was twelve apparently due to one of the eBay breaches. Yes, I used the same password for both (never got around to changing them after I made the transition to randomized passwords) so it's my fault, right?
How about great big "fuck you" instead? How about a wall of shame for every website that does not hash passwords, with salt, prior to transmission over the internet? This is kiddy level shit here. The slowest smartphone in the world should be able to do this in its sleep.
And the majority of sites still have incredibly stupid password policies, almost all forcing you to use special characters and numbers instead of long passphrases which, if properly constructed (such as via dicewords), can be considerably more secure than the average "unicorn16!" type password. Some sites even impose a ridiculous maximum length policy, and some sites also forbid certain special characters, probably for some horribly depressing reason like they can't be bothered to make sure the password field can't be used for SQL injection or overflow attacks.
Work passwords aren't much better. The constant changing is completely pointless; everyone either uses a very simple incrementing number system (often tied to the current month) or they use Post-Its. A sane alternative would be to track logins and alert the user and/or security admins of unusual times or locations and to use keyfiles on smartcards or regular USB drives.
I've checked the literature and these ridiculous practices are still being taught to people studying for CompTIA certifications. Can't someone please... I don't know, do something about this? Can't we have some industry leaders say that they're no longer recognizing CompTIA Security+ or Network+ certifications as worth anything? This shit has been going on for far too long, and in an effort to make up for their shitty password infrastructure many places are adopting painfully annoying supplementary security systems.
> I'm pretty sure that most employees who are forced to pick new passwords once/month just use something like:
> This meets all of the upper/lower/digit/symbol requirements, and it never repeats.
> I also think the ones that don't use this method just write the password down on a post-it note that they keep in the office.
I don't think you can really compare choosing a password to protect your own data vs choosing a password to protect things that are not your own. That's why people who pick passwords like in your example don't care about putting it on a post-it note at work.
If someone forgets their password at work they get into trouble for not doing their work. If another employee were to sign into another person's account via their post-it note and it became an issue you can be pretty sure that person will be sacked. Many employees share their passwords anyway so if one person is away sick or whatever another person can pick up their work or grab a file inside their account. I'm not saying any of this is right, just why people might not care about having secure passwords at work.
Because the biggest single problem my customers have is remembering passwords, the first thing I tell them is write them all down in a safe place. Everyone has a good place they can hide a sheet of paper.
I'm fully aware that a significant fraction of the password cheat sheets will end up taped to the monitor, but in my customer demographic the online threat and the physical break-in threat are totally disjoint. Even their laptops seldom leave the house.
That's too long for some systems used where I work where the length has to be exactly 8 characters and not contain any "special" characters in order to allow the passwords to work also on some oddball systems.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
> Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols.
These requirements profoundly _discourage_ secure passwords. The difficulty of remembering them, and typing them well at a hidden password field, strongly encourages storage of passwords locally in cut&paste text windows or in local plaintext password storage. The current champion application for this security failure is AWS, which stores complex randomized alphanumeric strings which _no one_ can remember, forcing their default inclusion in plaintext local user files or even hardcoded in saved wrapper scripts.
I'm afraid that robust password generation was much better explained and documented in an old XKCD cartoon, https://xkcd.com/936/
Because people remember fidothedog or maybe f1d0th3d0g better than 656&+fDs9()x/\-
As written in the summary:
> My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security.
But among all the accounts that people have, how many of them are really worth the effort to reduce the hacking risk? I'd think a lot of people reuse the same passwords on many sites because they do not really care if they are hacked on most of their accounts. Actually, this is kind of hinted at in TFA:
> Additionally, consumers prioritize their password strength based on which accounts they believe need to be the most secure. Respondents indicated that they create the strongest passwords for financial (69 percent), followed by retail (43 percent), social media (31 percent) and entertainment (20 percent).
That would seem to indicate that if people reuse many passwords, they still don't use the same one for their bank and for facebook... It is strange that TFA asked people if they thought their accounts had value to hackers, but didn't go as far as asking the surveyed people what value they perceived themselves in their accounts.
Every chip and pin credit card already has a crypto-token in it. The solution is literally in our pockets. It doesn't rely on the cell phone, or the cell phone battery being charged. It requires only a banking account. It's not a government-issued ID, and you're not restricted to one. It's adequately secure for banking, which is a pretty high bar. It can be used as an authenticated ID in every country that requires banks to identify their customers, and with a trivial amount of work, could also hold an anonymized token. And, requiring a PIN, it's quite secure against both physical compromise and keyboard sniffing.
The solution and the problem exists.
Passwords should be long to be secure, and they should *allow* for upper and lower case, symbols, and numbers.
The key is length. A "complex" short password is easy to own and hard to remember. A "simple" long password is easy to remember and nearly impossible to own.
The only drawback is entry with limited input systems.
In the early '90s, when you had one password for your email and that was it, passwords were useful. Now you are supposed to keep more than 30 different, complex passwords. Oh, and you should replace them every 3 months.
But, yeah, people follow risky password practices because of laziness. It's not because passwords are a simple, lazy way to implement authentication that has become unmanageable.
If servers would just be smart about always requiring a captcha for each additional login attempt, and limit amount of login attempts, email on failed login attempts, have timeouts between login attempts... :)
Well, then passwords don't have to be strong. This doesn't fix password reuse though
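A sketch of the server-side throttling this comment calls for, added here as an example (it is not code from the article or any commenter): a captcha after the first failure, a growing delay between attempts, a per-source attempt limit, and a notification to the account owner after repeated failures. The thresholds, delays, window and the FakeClock used to drive it are this example's assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class _Counter:
    failures: int = 0
    last_failure: float = 0.0


class LoginThrottle:
    """Counters are kept per account *and* per source address: the account
    counter slows guessing against one target, the source counter catches one
    host spraying many accounts. Accounts get delays and captchas rather than a
    hard lock, so an attacker cannot lock a real user out just by failing on
    purpose; only the source address gets blocked outright."""

    def __init__(self, clock=time.monotonic, base_delay=2.0, max_delay=300.0,
                 captcha_after=1, notify_after=3, source_limit=20, window=900.0):
        self.clock = clock
        self.base_delay = base_delay        # seconds after the first failure
        self.max_delay = max_delay          # cap on the exponential backoff
        self.captcha_after = captcha_after  # failures before a captcha is required
        self.notify_after = notify_after    # failures before the owner is e-mailed
        self.source_limit = source_limit    # failures per source before blocking
        self.window = window                # seconds after which failures are forgotten
        self.accounts = {}
        self.sources = {}

    def _get(self, table, key):
        counter = table.setdefault(key, _Counter())
        if counter.failures and self.clock() - counter.last_failure > self.window:
            counter.failures = 0  # quiet for a whole window: start over
        return counter

    def gate(self, account, source):
        """Call before checking the password. Returns 'allow', 'captcha',
        ('wait', seconds) or 'blocked'."""
        acct = self._get(self.accounts, account)
        src = self._get(self.sources, source)
        if src.failures >= self.source_limit:
            return "blocked"
        if acct.failures:
            wait = min(self.base_delay * 2 ** (acct.failures - 1), self.max_delay)
            remaining = acct.last_failure + wait - self.clock()
            if remaining > 0:
                return ("wait", round(remaining, 1))
        if acct.failures >= self.captcha_after:
            return "captcha"
        return "allow"

    def record(self, account, source, success):
        """Call after checking the password. Returns True exactly when the
        account owner should be e-mailed about repeated failed logins."""
        acct = self._get(self.accounts, account)
        src = self._get(self.sources, source)
        if success:
            acct.failures = 0  # a good login clears the account's backoff
            return False
        now = self.clock()
        acct.failures += 1
        acct.last_failure = now
        src.failures += 1
        src.last_failure = now
        return acct.failures == self.notify_after


class FakeClock:
    """Manually advanced clock so the backoff can be exercised without sleeping."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t
```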
Begin article.
Passwords are a chore to remember. People are lazy.
End article.
systemd is Roko's Basilisk.
The reason people re-use passwords is overwhelmingly because so many sites require them. A vanishingly small percentage of the population could realistically expect to remember what may be 100 or more passwords to manage all their online activities. The variations in password acceptance across all those sites is equally irritating ("Do not use special characters" "You must use at least one special character" "Password must be at least 8 characters" "Password must be exactly six characters" etc etc).
There are a number of sites I use infrequently, such as my pensions website, where I have to rely on password reset *every* *goddamn* *time*.
Password Cracking - Computerphile
All this password drama is just smoke and mirrors for IT security guys to gain some visibility and prod users' minds to be security-aware. Most activities around passwords, except using long and random passwords and not reusing them, are pointless:
Enforcing that passwords must contain representatives of certain subsets of the whole character set actually makes the number of possible combinations lower, thus easier to brute-force, while at the same time it does nothing to prevent dictionary attacks (which is the main rationale for putting in place such stupid requirements), because users will use "leetspeak" or add the additional required characters at the end or at the beginning of their chosen words. Better let an application generate a password for the user's eyes only and force the user to memorize it (or to write it down, at their own risk).
Oh, and another pet peeve: changing passwords often - it does nothing for password guessing, all passwords with the same randomness have the same probability of being guessed. Changing passwords is meaningful only if the old password is already compromised, but you never know exactly when it happened, so unless you are changing the password after each session, it is almost completely useless.
> There are a number of sites I use infrequently, such as my pensions website, where I have to rely on password reset *every* *goddamn* *time*.
That's fine. Think of it as an ad-hoc form of authentication service. Instead of providing a password to prove who you are, they securely send a token to you via a trusted third party service (your email provider) which you then authorize.
Because the reset goes via that system, it's no less secure relying on it all the time than it is remembering the password. I actually explicitly use that method for some websites. I just generate a random password using:
head -c 10 /dev/random | base64
(The 10 characters ensure == at the end so you always get symbols), then paste it in and reset the password using the same mechanism 6 months later when I want to return.
Some websites have started getting with the program and as well as a full reset offer to send you a 1 time login link.
SJW n. One who posts facts.
I have seen argued by experienced security professionals that any password that can be remembered is probably easy to crack with current CPU based systems.
RogerWilco the Adventurous Janitor
> passwords should contain uppercase and lowercase letters, numbers and symbols
No, far more effective would be minimum password (phrase) length. People thinking 8 characters are fine as long as it is leet-speak is a problem. The way most people use uppercase, numbers, and symbols make the dictionaries a little more tedious, but not *that* much more so.
Sure, the most secure approach is totally random, but if people insist on it being human friendly, number of characters is the key point to emphasize.
XML is like violence. If it doesn't solve the problem, use more.
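As an added example (not from any commenter), the keyspace arithmetic behind the two claims made above: that a composition rule shrinks the search space, and that length, not character classes, is what matters. Counts use inclusion-exclusion over the character classes, assuming 94 printable ASCII characters, a 7776-word Diceware list, and a constructed 10,000-word estimate for the "Common1!" habit.

```python
import math
from itertools import combinations

# Assumed character classes of a US keyboard: 94 printable ASCII characters.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}
ALPHABET = sum(CLASSES.values())  # 94


def unrestricted_count(length):
    """Random strings of this length over the full 94-character alphabet."""
    return ALPHABET ** length


def composition_rule_count(length):
    """Strings that contain at least one character from *every* class, i.e.
    what an 'upper, lower, digit and symbol required' rule leaves standing.
    Inclusion-exclusion: alternate over the sets of classes that are absent."""
    names = list(CLASSES)
    total = 0
    for k in range(len(names) + 1):
        for absent in combinations(names, k):
            remaining = ALPHABET - sum(CLASSES[c] for c in absent)
            total += (-1) ** k * remaining ** length
    return total


def fraction_removed_by_rule(length):
    """Share of the unrestricted keyspace the composition rule throws away."""
    return 1 - composition_rule_count(length) / unrestricted_count(length)


def common_word_pattern_count(dictionary_size=10_000, digits=10, symbols=32):
    """Word + one digit + one symbol (the 'Common1!' habit): an attacker who
    knows the habit searches only this many candidates. dictionary_size is a
    constructed estimate of common words, not a figure from the thread."""
    return dictionary_size * digits * symbols


def diceware_count(words, wordlist_size=7776):
    """Passphrases of N words drawn uniformly from a Diceware list."""
    return wordlist_size ** words


def bits(count):
    """Entropy in bits of a uniformly random choice among `count` options."""
    return math.log2(count)


def compare(length=8, words=4):
    """Bits for: random chars, same length under the class rule, the
    Common1! pattern, and a Diceware passphrase of `words` words."""
    return (bits(unrestricted_count(length)),
            bits(composition_rule_count(length)),
            bits(common_word_pattern_count()),
            bits(diceware_count(words)))


if __name__ == "__main__":
    labels = ("random 8-char", "8-char with class rule",
              "Common1! pattern", "4 Diceware words")
    for label, b in zip(labels, compare()):
        print(f"{label:24s} {b:5.1f} bits")
```

The 8-character random string and the 4-word Diceware phrase land within a bit of each other, which is the point about length; the class rule costs about a bit, and the word-plus-suffix habit collapses to the size of the word list.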
Yeah... I don't know anyone who writes it down on a post-it next to their computer, but we do have a 90 day policy, and my password strategy is not quite what the GP described, but it's not too far off, either. That's the stupidity of just not allowing us to create a really great pass-phrase that would take years to break. That's all on top of two-factor authentication (RSA SecurID) when not signing in from our internal network.
The stupidity is that on systems that have multiple users, we have a shared account that we use - it's actually assigned to a large number of systems; these are not users' desktops, but graphics production systems that any number of operators might use. The problem is that the IT department implemented this password policy without asking any departments about the effects, and after 90 days we were blocked from this account because none of the operators had the authority to change it, and if they did they'd lock out everyone else who didn't know it - many offices, or even buildings away. Moreover, none of us get the email from that account - which doesn't even really have email, so nobody got a warning the password was expiring. So we do live TV, and people couldn't log into the systems that generate the on screen graphics. Of course now that login is an exception, but it points out a problem with IT blindly creating a policy without input from the people it's affecting.
The other stupid thing is that our MS Office accounts are tied to our logins, and we can authorize up to 5 boxes. There are at least 100 production boxes, and we can't license them by box. We do a lot of daily production data in spreadsheets because it's easy for the user and easy to use as a data source.
In any event, the more passwords humans are required to remember, and the more complicated they are required to be, the less secure we're going to make things as people do skirt the guidelines to make them as easy to remember as possible - or they write them down, or whatever.
Frankly, I don't see what's wrong with the scheme the GP described (although I would make it more complex). If someone has to brute force decrypt it, it will still take just as long. With the special characters in there, it's highly unlikely someone could guess it. It's true that once they got it once, they'd be able to guess it correctly later on, but the idea is to make it hard to get even once.
Stupid sexy Flanders.
It's not about understanding the risks. It's about considering the dangers to be significant. I reuse passwords all over the place, and most of my passwords are very simple. And I understand that because of my behaviour, it'd be very easy to hack into my slashdot account. There's no paradox there. I don't consider my slashdot account to be vital. If someone wants to hack into my slashdot account, I could care less. I'll get another slashdot account. It was free the first time. It'll be free the second time.
There are very very few passwords that actually protect something special. Even with my bank account, I'm not responsible for losses due to theft. Everything's insured by everybody along the chain, and most things are completely reversible.
Even my business passwords, that protect all of my clients' data, and support my livelihood, are restricted from the office, and the data is backed up in eight ways.
Identity theft would probably be the biggest threat to most morons these days. For me, it'd be a ten-minute inconvenience. It would mean visiting the bank, and saying: "I think someone's stolen my identity". Lori would say: "That sucks, let's freeze the old accounts and create some new accounts for you."
So what passwords protect something vital in your life?
> That's too long for some systems used where I work where the length has to be exactly 8 characters and not contain any "special" characters in order to allow the passwords to work also on some oddball systems.
Tell me about it. But sometimes it's simply shockingly bad security choices on the part of the company, as well. For instance: my old bank started requiring a fixed-length, 6-letter password that was case-insensitive and mapped to the corresponding phone digits to consolidate their dial-up and online logins...I have no idea if they still do that, since I abandoned ship shortly thereafter. I simply wasn't comfortable with having my banking access protected by, essentially, a 6-digit number.
To be fair, they did have some sort of device-based recognition checking in place, so if I wanted to log in from anywhere besides my home computer I had to practically scan my birth certificate and send it to them before they'd acknowledge that yes, this person typing in the ridiculous password and trying to access my account is actually me.
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
Yup. A password under 8-12 characters in length, consisting of a simple dictionary word (with simple digit substitution of a = 4, e = 3, i = !, random capitalization, etc) can be solved by a GPU in less than a second or two. Combine several non-related words together and you might have a fighting chance. Don't even get me started about how many friends and relatives don't use 2-factor auth.
Yeah, right.
> ... Better let an application generate a password for the user's eyes only and force the user to memorize it (or to write it down, at their own risk).
Let's see... my work account, two banks, several credit cards, two healthcare accounts (FSA AND HSA) as well as my health insurance, accounts for my kids in school (like paying for school lunches), ISP account, several streaming services, slashdot, reddit, and a number of other forums I participate in (and not me, but most people will have several social media accounts).... you get the idea. I'm supposed to remember all those completely random passwords?
> Oh, and another pet peeve: changing passwords often - it does nothing for password guessing, all passwords with the same randomness have the same probability of being guessed. Changing passwords is meaningful only if the old password is already compromised, but you never know exactly when it happened, so unless you are changing the password after each session, it is almost completely useless.
Now that I can agree on - our company's policy is just damn annoying and often screws up our production work.
Stupid sexy Flanders.
The issue is that GPU scaling has exceeded the functional life of passwords. So we make longer more complex passwords and next year or the next some GPU breakthrough will enable those to be broken in reasonable time. It's just a delaying action against the inevitable death of passwords as a valid authentication option.
Unless there's money involved, I don't bother with a strong password.
Why? Because even if my password protocol and tradecraft are bulletproof, most sites aren't. Sites get compromised so often that even a good password will fall in a year or two. Or your password _manager_ gets compromised.
So... why bother? Start with "Password#1!" (which almost all sites will accept as "strong") and when (not if, when) that compromises, move to "Password#2". And so forth.
Okay.... don't use the word "password". Use "Starbucks#1". Or "Galactica#!".
Other than a very few sites worthy of _trying_ to protect (your bank and maybe your primary email) one password shared across all sites is more than adequate because compromise is inevitable. Make the cost of compromise as close to nil as possible; that's the optimal behavior. I mean, who cares if your brownie recipe gets trashed?
And never, ever store a password that can be turned into money on anything more connected than a post-it note in your wallet next to your Benjamins.
Absolutely. And since we're not machines, remembering multiple random passwords is just impossible. Seems like we all understand the situation. Yet, even big companies still enforce password rules of the 90's. What's wrong with them?
Go through your text, and everywhere where it says "password" change it to say "passphrase."
The password-setting step, where you have the user initialize their password, should also say "don't re-use the same passphrase that you use somewhere else." Just say it. (If users want to ignore it, fine. You can't help people who don't want to be helped.)
This doesn't fix all the problems, but it fixes the most, in the smallest amount of time/effort. One of your interns can do all this in a single morning.
...
After that, make sure you're hashing, but use something already invented for this job rather than trying to figure it out yourself. (This might not be a job for an intern, though I bet it could, at some places.)
Congratulations, your site is now better than the other 99.9%. We'll revisit and update these decisions in a century or two, when you're considered to be better than only about 90%.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
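An added example (not the commenter's code) of the two steps above: a passphrase check that requires only length and refuses known-bad choices, and storage with a ready-made KDF, here scrypt from Python's standard hashlib. The minimum length, the deny list and the word-plus-suffix pattern check are this example's assumptions; the sample phrases come from the thread.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed deny list standing in for a breached-password corpus; the
# entries echo the habits complained about in the thread.
DENY_LIST = {"password1!", "password#1!", "common1!", "unicorn16!"}

MIN_LEN = 15    # length is the only requirement; no character-class rules
MAX_LEN = 256   # bound the work per hash, but never force short passphrases

# hashlib.scrypt parameters: n must be a power of two; n=2**14, r=8 needs
# about 16 MiB per hash, which stays under OpenSSL's default memory limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def normalize(passphrase):
    """NFKC so the same phrase typed through different keyboards or compose
    methods hashes to the same bytes; inner whitespace is preserved."""
    return unicodedata.normalize("NFKC", passphrase).encode("utf-8")


def check_passphrase(passphrase):
    """Return the reasons a passphrase is rejected (empty list = accepted).
    Every kind of character is *allowed*; only length and known-bad shapes
    are checked."""
    problems = []
    if len(passphrase) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(passphrase) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if passphrase.lower() in DENY_LIST:
        problems.append("appears in the breached-password deny list")
    # One dictionary word padded with digits and a symbol (Common1!) is a
    # single word to a cracker, not a passphrase.
    if re.fullmatch(r"[A-Za-z]+\d{1,4}[^A-Za-z0-9]{0,2}", passphrase):
        problems.append("single word padded with digits/symbols")
    return problems


def hash_passphrase(passphrase, salt=None):
    """Return a self-describing record: scrypt$n$r$p$salt_hex$hash_hex.
    A fresh 16-byte salt is drawn unless one is supplied (tests only)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(normalize(passphrase), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase, record):
    """Recompute with the parameters stored in the record, so they can be
    raised later without breaking old entries, and compare in constant time."""
    algo, n, r, p, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(normalize(passphrase), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    phrase = "I am Goosnarp, take me to your liter"
    print(check_passphrase("Common1!"))      # three reasons to reject
    record = hash_passphrase(phrase)
    print(record)
    print(verify_passphrase(phrase, record))  # True
```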
Not to mention current GPU-based systems. Add 2 characters. Now, who is able to remember a 14-digit random password? No one. So let's give up on brute force and just implement attack detection on the web interface. The rest is futile.
I'm guilty of the increment counter in pwds at work.
As to the SecurID token...
Co-worker has pwd and username on post-it on back of token...
smh
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Just make up a word. Use just the word on its own for stuff you don't care about. Put it into a little poem or sentence for sites you do care about.
Example: "Goosnarp". Even without exotic characters, it's not an easy crack. For your on-line banking, you might use "I am Goosnarp, take me to your liter".
I've calculated my velocity with such exquisite precision that I have no idea where I am.