Slashdot Mirror


The Psychological Reasons Behind Risky Password Practices (helpnetsecurity.com)

Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."

35 of 210 comments

  1. Passwords exist by Anonymous Coward · · Score: 2, Informative

    That's the reason.

    1. Re:Passwords exist by thsths · · Score: 3, Informative

      Passwords suck. Even with SSO, even with a password manager, even with salting and hashing, passwords suck, and will always suck.

      You need an authentication token. *One* authentication token. Microsoft can do it, Google can do it, Facebook can do it (but of course they are not compatible).

      Millions of little websites still use passwords.

    2. Re:Passwords exist by johannesg · · Score: 4, Insightful

      > Passwords suck. Even with SSO, even with a password manager, even with salting and hashing, passwords suck, and will always suck.
      >
      > You need an authentication token. *One* authentication token. Microsoft can do it, Google can do it, Facebook can do it (but of course they are not compatible).
      >
      > Millions of little websites still use passwords.

      And then Microsoft makes use of Windows 10 (or compatible Windows Phone devices) mandatory for their SSO. Google randomly decides to just drop the whole SSO business. Facebook suspends your account because some asshole from Brazil has complained about one of your holiday snaps. What now? Will you just rebuild your whole online identity? Or forget about the dozens of sites you were participating in?

    3. Re:Passwords exist by Opportunist · · Score: 3, Insightful

      There are three possible kinds of security factors. Something you know, something you have and something you are (or, more cynically, something you can forget, something you can lose and something that can be chopped off). They all have their advantages and disadvantages, but saying that one is superior to the others is simply and plainly wrong.

      And the key reason, btw, why pages don't do it is simple: When people forget their password, resetting that is easy (plus they get your email address so you can reset it in the first place), but if you lose the token...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Passwords exist by tburkhol · · Score: 3, Informative

      We can download a password manager for free. Authentication token managers are going to cost money, with the price depending on how many authentication tokens you need them to manage.

      You can get a U2F USB token about the size of your house key for $8 that will manage as many separate authentications as you like. For $50, you can get one with NFC that will talk to your phone.

      They look like a great system now, until you lose the physical token. If they ever become popular, then I'm sure there will be techniques to subvert them - MITM, phishing or misdirection - I'm not smart enough to guess. If they ever become popular, then I'm sure the 'lost token' problem will frequently be solved by having a password backdoor around the token.

    5. Re:Passwords exist by RandomSurfer314 · · Score: 3, Insightful

      Centralized authentication and entropy sources for encryption keys are certainly the wet dream of all law enforcement and intelligence services of the world, but it makes zero sense from a security perspective. Zero.

  2. Reality is... by Anonymous Coward · · Score: 2, Interesting

    ... corporations are the ones making the world insecure by forcing things online and to have online accounts to track everything. They create massive attack surface in their mad quest for transparent user/customer data and profit.

    1. Re:Reality is... by pla · · Score: 5, Interesting

      What form of "properly hashed and securely stored" would make a five character numeric-only password even remotely acceptable?

      Mind you, I don't disagree with your premise - The problem here has nothing to do with end-users, and everything to do with expecting them to remember over a hundred distinct "secure" passwords. But that glaring flaw aside (which leads people to use the least secure password a site will let them, and reuse it at every site they can), there *is* still such a thing as a pathetically weak password.

      We've all seen, and can debate the exact accuracy of the relevant XKCD strip, but the general idea holds true - We'd all do a hell of a lot better to use memorable three to five word phrases, than trying to squeeze something we can almost remember into leetspeak with an extra random character or two tacked on at the end.

    2. Re:Reality is... by bondsbw · · Score: 4, Insightful

      > No, there were no password Ninjas in the deep of night, looking for Post-It Notes under keyboards

      Sad thing is, after all this time and warnings about how it is unsafe, a sticky note out of plain sight is probably one of the most secure ways to store passwords. Especially if you trust the people who have access to your equipment, or if you simply lock them up in a drawer.

      Nobody actually takes the risk of physically breaking into a place just to steal passwords. Attempting to break into your database is likely much less risky, much easier to do (given a reasonable hacker skill set), and much more rewarding.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    3. Re:Reality is... by Tijaska · · Score: 2

      Great advice. The average native language speaker uses a vocabulary of about 20,000 words. There are 8,000,000,000,000 possible three-word phrases taken from a vocabulary of 20,000 words. If you draw the words from more than one language, assuming you know some words from another language, the combinations go through the roof. The old rules on what constitutes a "good" password were devised by robots to torment humans. They lead to unreadable, unrecallable monstrosities. l33tsp34k is easier for computers than humans. Requiring users to change passwords regularly just compounds the problem, and the rule is there only because the servers that validate logins get compromised. If these servers stored only the hashed version of each password then even if they are cracked, the cracker would not be able to use the information thus gained to log in. Don't force users to jump through hoops to compensate for the slack practices of system admins, and then complain that their hoops are set too low.
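
Tijaska's three-word arithmetic above, carried through in code as an added example (not from the thread): guessing entropy of the password styles mentioned across this discussion and the expected time to exhaust each at the thread's 1000 guesses/s online rate versus an assumed offline rate of 10^10 guesses/s against a leaked hash dump. The word-pool sizes for "Common1!" and "unicorn16!" and the offline rate are assumptions; the 20,000-word vocabulary is Tijaska's figure.

```python
import math

# Guess rates for the "how long would it survive" columns. Both are illustrations,
# not measurements: ONLINE_RATE is the 1000 attempts/second figure quoted in the
# thread; OFFLINE_RATE is an assumed round number for a GPU rig working on a
# leaked hash dump, where no server-side throttle applies.
ONLINE_RATE = 1_000
OFFLINE_RATE = 10_000_000_000


def entropy_bits(choices_per_slot):
    """Guessing entropy in bits of a secret built from independent slots,
    each drawn uniformly from the given number of choices."""
    return sum(math.log2(n) for n in choices_per_slot)


def passphrase_bits(vocab_size, words):
    """Entropy of `words` words drawn independently from a `vocab_size`-word list."""
    return entropy_bits([vocab_size] * words)


def seconds_to_crack(bits, guesses_per_second):
    """Expected time to hit the secret: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_time(seconds):
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


# Password styles mentioned in the thread, modelled as the slots an attacker who
# already knows the style must still guess. Pool sizes marked "assumed" are my
# estimates; the 20,000-word vocabulary is the thread's own figure.
SCHEMES = {
    "5 digits, numeric only": [10] * 5,
    "Common1! (6-letter common word, fixed suffix)": [2_000],         # assumed word pool
    "Password@M/YY, month appended, base word known": [12],          # only the month varies
    "unicorn16! (word + 2 digits + 1 symbol)": [20_000, 10, 10, 32],  # 32 symbols assumed
    "3 words from 20,000": [20_000] * 3,
    "5 words from 20,000": [20_000] * 5,
    "head -c 10 /dev/random | base64 (80 random bits)": [256] * 10,
    "24 random printable ASCII characters": [95] * 24,
}


def report():
    """(name, bits, time at ONLINE_RATE, time at OFFLINE_RATE) for every scheme."""
    rows = []
    for name, slots in SCHEMES.items():
        bits = entropy_bits(slots)
        rows.append((name, bits,
                     human_time(seconds_to_crack(bits, ONLINE_RATE)),
                     human_time(seconds_to_crack(bits, OFFLINE_RATE))))
    return rows


if __name__ == "__main__":
    print(f"{'scheme':50} {'bits':>6}  {'online, 1e3/s':>16}  {'offline, 1e10/s':>16}")
    for name, bits, online, offline in report():
        print(f"{name:50} {bits:6.1f}  {online:>16}  {offline:>16}")
```

The table makes the thread's point visible: styles that survive an online throttle for years fall in seconds once the hashes are being attacked offline, and only the random or multi-word styles keep a margin in both columns.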

    4. Re:Reality is... by Spacelord · · Score: 2

      > A system shouldn't allow 1000 login attempts to the same account per second.

      Cracking passwords generally isn't done by attempting to login, but by hacking into the database, obtaining the password hashes and then running a password cracker on them offline (using a dictionary, rainbow tables and whatnot). Cracking passwords like 1-2-3-4 is almost trivial in this case. "Difficult" passwords are a lot harder to crack this way.

      So if you use 1-2-3-4 as a password on several sites, and only one of those sites gets compromised by a hack, your password for all the other sites gets exposed.
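
To show the cross-site exposure Spacelord describes, here is an added example (not the thread's code and not any site's): the same reused password stored by two unrelated sites with an unsalted fast hash yields identical records, so a dump from one site is immediately useful against the other, while a per-user random salt with PBKDF2-HMAC-SHA256 yields unrelated records that each have to be attacked separately and slowly. The iteration count is an assumed cost setting.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumed setting; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def naive_hash(password):
    """Unsalted single-round SHA-256: fast, and identical at every site that does this."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password):
    """Per-user random salt plus a deliberately slow derivation; returns the record a site keeps."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record, candidate):
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_record_at_two_sites(password, scheme):
    """Simulate two unrelated sites storing the same reused password with `scheme`
    and report whether their stored values are identical (one breach reveals the other)."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    reused = "1234"  # the thread's running example of a reused password
    print("unsalted SHA-256 identical at both sites:", same_record_at_two_sites(reused, naive_hash))
    print("salted PBKDF2 identical at both sites:   ",
          same_record_at_two_sites(reused, lambda p: store_password(p)["hash"]))
    rec = store_password("correct horse battery staple")
    print("verify correct:", verify_password(rec, "correct horse battery staple"))
    print("verify wrong:  ", verify_password(rec, "Password1!"))
```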

    5. Re:Reality is... by shilly · · Score: 4, Insightful

      24 character passwords are pretty impractical in my life, and indeed the life of tens of millions of others. Security engineering is much more successful when it works *with* the grain of human nature, not against it.

    6. Re:Reality is... by pscottdv · · Score: 4, Interesting

      But that's the point of the original comment in this thread, isn't it. What makes 1-2-3-4-5 insecure is the fact that the companies storing the hashes can't be trusted to keep them safe but the user gets blamed for having an insecure password.

      --
      this signature has been removed due to a DMCA takedown notice

  3. Cognitive Load by Jarik+C-Bol · · Score: 5, Insightful

    The way I see it, password reuse is a matter of cognitive load. Most people are unable or unwilling to attempt to remember the umpteen dozen unique passwords they would need on a daily basis, if they were to attempt to use unique secure passwords on every service/device they use. This results in password reuse, more or less out of sheer laziness. It is probable that among this group, there is a cognitive bias against using password keychain services and tools, because it 'feels' like putting all your eggs in one basket. (Somewhat flawed) logic dictates that if someone breaches the master password to your keychain, they have all of them, which is no different than using the same password everywhere. (Of course, this is not entirely the case, but like I said, cognitive bias.)

    Now, as for using 'good' passwords, it follows a similar pattern, with most people unwilling to dedicate the time and effort to memorize what amounts to a 'good' password, when they can remember their spouse's birthday and their first pet's name just fine.
    Of course, we have seen time and time again articles arguing both sides of the court, that long random passwords are either effective or not, and correct horse battery staple passwords are effective or not, so this portion of the discussion is going to be long, stupid and frustrating for evangelists on both sides.

    Honestly, I've reached a point where I use 'good' passwords where it matters, (main email, financial items, Amazon etc) and just sort of hope for the best when I re-use the same 'decent' password everywhere else (forums, etc)

    I say 'good' because we're at a point there have been enough breaches that we're all probably fucked anyways.

    --
    I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
    1. Re:Cognitive Load by Shane_Optima · · Score: 3, Insightful

      Six months? Luxury. The places I've worked at all required monthly or 60 day changes, which means that virtually everyone ends up simply appending a number matching the current month to the end of the password. What they don't bother to do is inform you when your credentials have been used to log in at 3am. Or from someone else's workstation. Or from a Hong Kong IP address.

      Call me cynical, but most user security policies don't make much sense except from a job security standpoint.

    2. Re:Cognitive Load by houghi · · Score: 2

      > Most people are unable or unwilling to attempt to remember the umpteen dozen unique passwords they would need on a daily basis

      This makes me mad when IT people are blame shifting as this is like "you are holding your phone wrong" sort of excuse. Security must look at the weakest link and see how they can handle it, not blame the weakest link.

      I am not unwilling, but simply unable to remember all my passwords. I have around 50 sites that I use on a regular basis and that includes banks, stores, home, email, fun sites and what not.

      I can not install a password tool. Tried it once, had a HW crash and then I was fucked. Luck would have it that I wanted to use it because of ease and I had not yet transferred all my passwords to it. I will not be using an online system, because I do not trust them. Not that they are not trustworthy, but because they will be broken into at one point or another. Just a matter of time.
      I also do not have the (legal) ability to install them on machines that do not belong to me.

      So what I now have is basically layers of 6 passwords.
      1) Home access. Highest level as this will have access to everything
      2) Email services. These will be used for verification of other things, except what I do at home. I use only 2.
      3) Banks. Separate from Email. Confirmation goes to email.
      4) Stores. Places I buy things from on a regular basis. I have a list of these
      5) All the rest.
      6) Work. These must be changed each month and because of that they are the weakest. Also some systems accept only 8 characters, so I use that for everything.

      I also use separate emails for every store in 2-4. e.g. Slashdot.org@example.com for this site and bank.tld@example.com for my bank. Easy to not only filter out to the correct folder and easy to detect fraud, but also nice to see who is selling your email address and stop doing business with them.

      5 secure passwords and a weak one I can remember. More will not be reasonable. If one of the 1-4 is compromised, it is pretty easy to replace. If it is in 5, I might lose the ability to post cat pictures to Imgur and the like. If 6 is compromised, it is not my problem.

      And passwords are not the only thing anymore. Pin codes are much more important now. They are shorter and they will be linked to my bank and are on my phone. So having something there is a much bigger issue. Just watch in the queue at Starbucks and you see people typing their password and you can easily see what it is most of the time.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Cognitive Load by pscottdv · · Score: 2

      Our family would have *loved* to have a password for 60 days. We had to change our passwords every 30 seconds and every password had to be 80 characters long and contain Unicode characters that hadn't yet been assigned!

      --
      this signature has been removed due to a DMCA takedown notice

  4. Complex Passwords by darkain · · Score: 2

    Or maybe the complex passwords *ARE* the problem. Who the hell can remember 100 different complex passwords?

    Repeat after me: TWO FACTOR AUTHENTICATION!

    Use a simple password and an authenticator that produces a one-time password.

    1. Re:Complex Passwords by d0ran$ · · Score: 2

      This works for me:
      1. Don't bother to remember or write down password.
      2. Get the application to send me a password reset.
      3. Change the password to some long random thing.
      4. Login, do my stuff
      5. Logout, rinse, repeat.

      Pros:
      Don't need to remember password.
      Password can be long and complex.
      Kind of like 2 factor auth.

      Cons:
      Works only for places that provide password reset (who doesn't?)

    2. Re:Complex Passwords by Zumbs · · Score: 2

      If 2 factor includes a device, then there needs to be some way to authenticate if that device is stolen when you are in a remote location.

      Another horrible version of 2 factor authentication is when the device is a smart phone that you are using to log onto the service in question.

      --
      The truth may be out there, but lies are inside your head
  5. Password fatigue by Anonymous Coward · · Score: 2, Interesting

    Look no further than the simple explanation: Password fatigue.

    It's not uncommon in a large employer to have 6-10 passwords to different systems, all with different rules. And they change every 30-60 days.

    Naturally, this causes users to write them down, sometimes on stickies under their keyboard (agh), sometimes on the stickies program on their frickin desktop (ARGH).

    Rather than lamenting this obvious fact, it's time we change standards to recognize what REALLY happens, instead of what SHOULD happen. (Reference: Speed limits, and the real effects. Yes yes, if everyone followed the law exactly, blah blah blah blah. Only stupid or young engineers insist on following this paradigm, completely ignoring the reality.)

    1. Re:Password fatigue by networkBoy · · Score: 2

      going to do a quick count of how many pwds I deal with at work: ...
      49.
      I have 49 separate pwds I need to know to do my job.
      of those *several* are in a one-note file that is on a secure server so others with the same need to know can remain synchronized.
      Three or four of these also require a SecurID or similar token.
      Only two are committed to memory.

      nb

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  6. Re:The author has a certain level of understanding by Anonymous Coward · · Score: 3, Informative

    I'm pretty sure that most employees who are forced to pick new passwords once/month just use something like:

    Password@7/16
    Password@8/16
    Password@9/16

    This meets all of the upper/lower/digit/symbol requirements, and it never repeats.
    I also think the ones that don't use this method just write the password down on a post-it note that they keep in the office.

  7. A password should NOT contain a mix of characters by FeelGood314 · · Score: 4, Insightful

    A good password is hard for a computer to guess and easy for a human to remember and enter. That is the only metric we should be using for passwords. Screw the 100 different sites and work logins that expect me to have a different password for each. I have a couple of sites that I value enough to use secure passwords on, the rest Password1! is good enough.

    Work policies that require 8 characters, 1 upper, 1 lower, a number, a symbol and change every 3 months are guaranteed to result in everyone eventually adopting Common1! where Common is any common 6 letter word and the number 1 increments every 3 months.

  8. It's very simple by Brett+Buck · · Score: 2

    A password is intended to ALLOW access. If I come up with random "complex" passwords, I will either have to write them down, or use some sort of password safe, because they are intrinsically not "mnemonic". For many things I just don't care very much, and I have to have dozens to hundreds of new passwords a year.

    There has to be a compromise between security and functionality, and people are making that compromise.

  9. passwords are a burden by Gravis+Zero · · Score: 3, Interesting

    It's quite simple, remembering passwords is a mental burden that you rarely find anywhere else in life. For our possessions, we have physical keys that provide weak security and we expect law enforcement to ensure a violation of that weak security and our insurance companies to replace our losses. The closest thing in real life is remembering people's names and there is a common set of names people have that are phonetic as well. If you want to solve the password issue, people need a physical object (a key) that will authenticate them. We will all carry a key like this and once again rely on our weak physical security which requires physical proximity to undermine.

    --
    Anons need not reply. Questions end with a question mark.
  10. Not as big an issue as poor password POLICIES by Shane_Optima · · Score: 5, Interesting

    I recently lost an email account I've had since I was twelve apparently due to one of the eBay breaches. Yes, I used the same password for both (never got around to changing them after I made the transition to randomized passwords) so it's my fault, right?

    How about great big "fuck you" instead? How about a wall of shame for every website that does not hash passwords, with salt, prior to transmission over the internet? This is kiddy level shit here. The slowest smartphone in the world should be able to do this in its sleep.

    And the majority of sites still have incredibly stupid password policies, almost all forcing you to use special characters and numbers instead of long passphrases which, if properly constructed (such as via dicewords), can be considerably more secure than the average "unicorn16!" type password. Some sites even impose a ridiculous maximum length policy, and some sites also forbid certain special characters, probably for some horribly depressing reason like they can't be bothered to make sure the password field can't be used for SQL injection or overflow attacks.

    Work passwords aren't much better. The constant changing is completely pointless; everyone either uses a very simple incrementing number system (often tied to the current month) or they use Post-Its. A sane alternative would be to track logins and alert the user and/or security admins of unusual times or locations and to use keyfiles on smartcards or regular USB drives.

    I've checked the literature and these ridiculous practices are still being taught to people studying for CompTIA certifications. Can't someone please... I don't know, do something about this? Can't we have some industry leaders say that they're no longer recognizing CompTIA Security+ or Network+ certifications as worth anything? This shit has been going on for far too long, and in an effort to make up for their shitty password infrastructure many places are adopting painfully annoying supplementary security systems.
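
The login-tracking alternative Shane_Optima proposes (and the 3am / other-workstation / Hong Kong examples from the Cognitive Load thread above), as an added example that is not from the thread: a detector run over a constructed login log that flags off-hours logins, logins from a workstation the user has not used before, and logins from a new country, producing one line per alert for the user or the security admins. The log format, the business-hours window and the sample data are all assumptions.

```python
from datetime import datetime

# Constructed sample login log (not real data). Fields: timestamp user workstation country result
SAMPLE_LOG = """\
2016-07-01T09:02:11 alice WS-ALICE US success
2016-07-01T17:45:02 alice WS-ALICE US success
2016-07-04T08:58:40 alice WS-ALICE US success
2016-07-05T03:04:19 alice WS-ALICE US success
2016-07-05T10:12:33 alice WS-BOB US success
2016-07-06T02:40:05 alice WS-ALICE HK failure
2016-07-06T02:41:00 alice WS-ALICE HK success
"""

# Assumed policy: anything outside 07:00-19:59 local time counts as off-hours.
BUSINESS_HOURS = range(7, 20)


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, country, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "country": country,
            "success": result == "success",
        })
    return sorted(events, key=lambda e: e["time"])


def detect_anomalies(events):
    """Stream through the events, building a per-user profile of workstations and
    countries from earlier successful logins, and flag anything that departs from it.
    A user's first login seeds the profile and is not flagged for novelty."""
    profiles = {}
    alerts = []
    for ev in events:
        profile = profiles.setdefault(ev["user"], {"hosts": set(), "countries": set()})
        reasons = []
        if ev["time"].hour not in BUSINESS_HOURS:
            reasons.append(f"off-hours login at {ev['time'].strftime('%H:%M')}")
        if profile["hosts"] and ev["host"] not in profile["hosts"]:
            reasons.append(f"unfamiliar workstation {ev['host']}")
        if profile["countries"] and ev["country"] not in profile["countries"]:
            reasons.append(f"unfamiliar country {ev['country']}")
        if reasons:
            alerts.append({
                "user": ev["user"],
                "time": ev["time"].isoformat(),
                "success": ev["success"],
                "reasons": reasons,
            })
        # Only successful logins extend what counts as normal for the user; a failed
        # attempt from a new place must not teach the profile anything.
        if ev["success"]:
            profile["hosts"].add(ev["host"])
            profile["countries"].add(ev["country"])
    return alerts


def format_alert(alert):
    """One line suitable for mailing the user or the security admins."""
    outcome = "succeeded" if alert["success"] else "FAILED"
    return f"{alert['time']} {alert['user']}: login {outcome}; " + "; ".join(alert["reasons"])


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(format_alert(alert))
```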

  11. But we do know what secure passwords by Antique+Geekmeister · · Score: 4, Insightful

    > Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols.

    These requirements profoundly _discourage_ secure passwords. The difficulty of remembering them, and typing them well at a hidden password field, strongly encourage storage of passwords locally in cut&paste text windows or in local plaintext password storage. The current champion application for this security failure is AWS, which stores complex randomized alphanumeric strings which _no one_ can remember, forcing their default inclusion in plaintext local user files or even hardcoded in saved wrapper scripts.

    I'm afraid that robust password generation was much better explained and documented in an old XKCD cartoon, https://xkcd.com/936/

  12. Is there really a paradox? by Cochonou · · Score: 3, Insightful

    As written in the summary:

    > My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security.

    But among all the accounts that people have, how many of them are really worth the effort to reduce the hacking risk? I'd think a lot of people reuse the same passwords on many sites, because they do not really care if they are hacked on most of their accounts. Actually, this is kind of hinted at in TFA:

    > Additionally, consumers prioritize their password strength based on which accounts they believe need to be the most secure. Respondents indicated that they create the strongest passwords for financial (69 percent), followed by retail (43 percent), social media (31 percent) and entertainment (20 percent).

    That would seem to indicate that if people reuse many passwords, they still don't use the same one for their bank and for facebook... It is strange the TFA asked people if they thought their accounts had value to hackers, but didn't go as far as asking the surveyed people what value they perceived themselves in their accounts.

  13. Re:The reason for risky password practices by Anonymous Coward · · Score: 2, Insightful

    In the early '90s, when you had one password for your email and that was it, passwords were useful. Now you are supposed to keep more than 30 different, complex passwords. Oh, and you should replace them every 3 months.

    But, yeah, people follow risky password practices because of laziness. It's not because passwords are a simple, lazy way to implement authentication that has become unmanageable.

  14. Long story short by wonkey_monkey · · Score: 2, Informative

    Begin article.

    Passwords are a chore to remember. People are lazy.

    End article.

    --
    systemd is Roko's Basilisk.
  15. Re:A password should NOT contain a mix of characte by shilly · · Score: 3, Informative

    There are a number of sites I use infrequently, such as my pensions website, where I have to rely on password reset *every* *goddamn* *time*.

  16. Re:A password should NOT contain a mix of characte by serviscope_minor · · Score: 2

    > There are a number of sites I use infrequently, such as my pensions website, where I have to rely on password reset *every* *goddamn* *time*.

    That's fine. Think of it as an ad-hoc form of authentication service. Instead of providing a password to prove who you are, they securely send a token to you via a trusted third party service (your email provider) which you then authorize.

    Because the reset goes via that system, it's no less secure relying on it all the time than it is remembering the password. I actually explicitly use that method for some websites. I just generate a random password using:

    head -c 10 /dev/random | base64

    (The 10 characters ensures == at the end so you always get symbols), then paste it in and reset the password using the same mechanism 6 months later when I want to return.

    Some websites have started getting with the program and as well as a full reset offer to send you a 1 time login link.

    --
    SJW n. One who posts facts.
  17. Re:Bad habits are forced by PingSpike · · Score: 2

    Paypal, the assholes, only allow 20 characters max. Apparently they were running out of bits and have to save money somewhere. Anyway, that's not the aggravating part. The aggravating part is when you enter the password, it just truncates to 20 without telling you. Then you go to log in with the password you just set and find it doesn't work. It doesn't work because you've entered too many characters, but it lets you enter them when setting the password...it just throws the extras away and performs the set! But when you go to log in, it DOESN'T throw the extra away and fails the login.
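
The truncation bug PingSpike describes, reproduced and fixed as an added example (not PayPal's code or anything from the thread): a buggy account that silently cuts the password to 20 characters on set but compares the full string on login, next to a version that applies one length rule in both places and tells the user. The 20-character cap is the one from the comment; the hash is a stand-in for storage and not the point of the example.

```python
import hashlib
import hmac

MAX_LEN = 20  # the cap the comment above complains about


def _digest(password):
    """Stand-in for real password storage (a salted, slow hash belongs here in production)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class BuggyAccount:
    """Silently truncates to MAX_LEN on set, but compares the full string on login."""

    def __init__(self):
        self._stored = None

    def set_password(self, password):
        self._stored = _digest(password[:MAX_LEN])  # the extra characters vanish here
        return None  # and no error is reported to the user

    def login(self, password):
        if self._stored is None:
            return False
        return hmac.compare_digest(self._stored, _digest(password))  # no truncation here


class FixedAccount:
    """Applies one length rule in both places and tells the user instead of guessing."""

    def __init__(self):
        self._stored = None

    def set_password(self, password):
        if len(password) > MAX_LEN:
            return f"password must be at most {MAX_LEN} characters (you entered {len(password)})"
        self._stored = _digest(password)
        return None

    def login(self, password):
        if self._stored is None or len(password) > MAX_LEN:
            return False  # nothing that long was ever accepted, so it cannot match
        return hmac.compare_digest(self._stored, _digest(password))


def reproduce(account_cls, password):
    """Set `password`, then log in with it and with its first MAX_LEN characters.
    Returns (error_from_set, login_ok_full, login_ok_truncated)."""
    acct = account_cls()
    err = acct.set_password(password)
    return err, acct.login(password), acct.login(password[:MAX_LEN])


if __name__ == "__main__":
    long_pw = "correct horse battery staple"  # 28 characters, constructed
    print("buggy:", reproduce(BuggyAccount, long_pw))  # (None, False, True)
    print("fixed:", reproduce(FixedAccount, long_pw))  # (error message, False, False)
```

The buggy result is exactly the user's experience in the comment: the set succeeds, the password just chosen fails, and only its first 20 characters would have worked.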

  18. Passwords are outdated. by dagarath · · Score: 2

    The issue is that GPU scaling has exceeded the functional life of passwords. So we make longer more complex passwords and next year or the next some GPU breakthrough will enable those to be broken in reasonable time. It's just a delaying action against the inevitable death of passwords as a valid authentication option.