Forgot your password?
typodupeerror
Security

Giving Up Passwords For Chocolate 710

Posted by CmdrTaco
from the my-password-is-hershey dept.
RonnyJ writes "The BBC is reporting that, according to a recent survey, more than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate. Over a third of the people surveyed even gave out their password without having to be bribed, and most indicated that they were fed up with having to use passwords."
This discussion has been archived. No new comments can be posted.

Giving Up Passwords For Chocolate

Comments Filter:
  • by walter_kovacs (763951) on Tuesday April 20, 2004 @08:19AM (#8915036) Homepage Journal
    Yes, I am that desperate.
  • Passwords and memory (Score:5, Interesting)

    by Space cowboy (13680) * on Tuesday April 20, 2004 @08:19AM (#8915040) Journal
    I use one password for anything I don't really care about (/. login, LWN login, etc.) and different ones for systems I do care about (webservers, mx machines, client machines etc). I couldn't have told them my care-about passwords anyway though - I don't remember them, I just remember how to type them in. If I have to tell someone, I have to go through the process of mentally "typing" the word - complete with shift keys etc...

    It takes less than 5 minutes to remember a new sequence, just by typing it lots of times, and I find that if I *do* forget one from (say) 6 months ago, if I put my fingers through the first 1 or 2 chars, I get the whole sequence back... Holographic memory at its best :-)

    I've found this works much better for me than what I used to do (take 2 words, reverse them, catenate them, and take the central 8 chars) - the recovery of "forgotten" passwords is much easier when I let my fingers "remember" what to do... It also allows me to give clients obviously hard-to-forge passwords and easily use them :-)

    Simon
    • by Domini (103836) <lailoken@gmail.com> on Tuesday April 20, 2004 @08:29AM (#8915124) Journal
      I have to agree to this.

      I have a 6 alpha char, but not-so-secret (public), password I use for all my low-risk passwords. Then I have another simple 8 alpha-num, but secret, password for all my secure sites (like Slashdot).

      For high-security (Banking/root/PGP) I use a 13 character randomly generated passsword or two.

      I would give out my not-so secret one to anyone who dares ask, and my 8 char one for an Aero milk bar... ;)
      • by adamofgreyskull (640712) on Tuesday April 20, 2004 @08:44AM (#8915234)
        I gave my slashdot login/passwd away ages ago, and my karma's only gone up.
      • by Xugumad (39311) on Tuesday April 20, 2004 @09:05AM (#8915402)

        I go a little further than this:

        1. Two seperate "critical" passwords, one for financial (bank, credit card, etc.), one for system access.
        2. One password for anything I need to make reasonably sure no-one gets access to (typically anything that stores my credit card details, even if they aren't viewable).
        3. One password for anything it would be annoying if people access (LiveJournal, online retailers who don't store my credit card, etc.)
        4. One password for sites I don't really care if anyone gets into.
        5. One password for sites I only plan on using once (which you can have for a bar of chocolate)

        Additionally, every 6 months or so I create (using a random password generator) a new password, which becomes my systems password. My systems password becomes my financial password, my financial password becomes my need-to-keep secure, and so on down...

        Works for me...

        • by E_elven (600520)
          I tell my friends to, instead of remembering the word itself, either remember the pattern of finger movements or -this has been popular lately- simply writing the first letter of their name with the keys on the keyboard. For example for 'A', you could have zSe4RfV (on a qwerty.) An additional good trick is to set the computer to be able to switch between two input locales (without the little sign in system tray) -for example, if you switch (alt+lshift) to Dvorak just before typing the password, it's hard to
        • Funny I have 4 passwords

          Low security Internet (slashdot/monster/..etc..)
          one for home (12 random key strokes)
          one for finance (another 12 random key strokes)
          and one for work....my onw for work is "password"

          any one care to guess how much I like my job?
    • by Anonymous Coward on Tuesday April 20, 2004 @08:31AM (#8915135)
      Remembering passwords is easy. I have lots of them.

      The key is to make them memorable, pronouncable non-words. You can do this using passwdgen on linux. Just set it to the number of characters, add the "pronouncable" switch and - optionally - the "non alphaneumeric characters" switch and you'll have something that is very secure yet easy for YOU to recall.

      Further, what a bunch of whiney fucks. "Boo hoo, I have to use passwords. Boo hoo, I have to use a key to open my car door, house, bank deposit box, home safety, glove compartment, trunk. Boo hoo, I have to turn the knobs on doors and open them before walking into a building or home or car."

      Come on people.
      • The key is to make them memorable, pronouncable non-words.

        Reading a lot of science-fiction and fantasy books also helps much - especially when you can read them in some non-Western language. "Rohan" or "Alderan" will be too obvious, but "BalduryiBadubiny" won't be that easy to be crack by brute force - while it's very easy to memorize (and pronounce!) if you can read Stanislaw Lem in Polish.
      • by Safety Cap (253500) on Tuesday April 20, 2004 @09:09AM (#8915454) Homepage Journal
        Boo hoo, I have to use a key to open my car door, house, bank deposit box, home safety, glove compartment, trunk.
        How many people would give up they key to their house for a bar of chocolate?

        As we learned in Econ 101, it probably comes down to value. Most people do not ascribe value to computer security; they see it as "something the IT guys make us do." Example: walk into any small shop and check out their security. It has been my experience that all passwords are taped to the monitor more times than not, or you can just ask the admin for them.

        On the other hand, people ascribe much more value to the security of their home and/or car.

      • Remembering passwords is easy. I have lots of them.

        yes for me too! for example - my name is Rick, so my password is rICK. or RiCk or rick.

        it is very easy to remember, and, when someone asks me for my password, I just tell em what it is! I dont have to put it on a piece of paper or nothing.

      • by AbbyNormal (216235) on Tuesday April 20, 2004 @09:37AM (#8915764) Homepage
        "Boo hoo, I have to use passwords. Boo hoo, I have to use a key..."

        True, but does turning a key force you to remember a complex stored memory? Nope.
    • by mrwonka (131100) on Tuesday April 20, 2004 @08:36AM (#8915163)
      try passwordsafe

      http://sourceforge.net/projects/passwordsafe/

    • by omnirealm (244599) on Tuesday April 20, 2004 @09:21AM (#8915594) Homepage

      I couldn't have told them my care-about passwords anyway though - I don't remember them, I just remember how to type them in.

      I do the same thing. I base my passwords on a pattern of keys on the keyboard. I was haplessly surprised earlier this year while I was on vacation in Europe, when I realized that the keyboard on the hotel terminal had a different key mapping than the one I based my password on! :-( It took me several minutes just to remember what all the keys would have been on a US keyboard and then alter my pattern just to be able to type in my password...

      Yes, I know I probably could have changed the key mapping in the operating system, but it was a Windows machine, and I only know how to use xmodmap.

      • by drudd (43032)
        Same thing happened to me when I got an ergonomic keyboard... the pattern crossed the split in the keys and didn't match up right for my muscle memory.

        Now I use the split as an extra piece of information in the pattern, makes it a nonsense pattern on a normal keyboard.

        Doug
  • by troc (3606) <troc AT mac DOT com> on Tuesday April 20, 2004 @08:19AM (#8915042) Homepage Journal
    And apparently over 30% of those asked would just reveal their passwords without any bribery!

    Troc
    • by bobbis.u (703273) on Tuesday April 20, 2004 @08:31AM (#8915131)
      But what use is a user id and password if you don't know where the computer is that it accesses?

      They should have tried doing the survey by knocking on people's front doors and asking them. I bet significantly less people would tell them then, because they would realise there was a much greater chance that the divulged information could actually be used.

      I am sure that somewhere in my town, there is a computer with the Windows login "Administrator", with password set to "password". Now in order for that information to be useful I still need to find that computer. (The only likely way is brute force scanning, which, by extension could be applied to the password cracking anyway.)

      Clearly, if the attacker was more malicious and started following you, etc they could get this information. However, most people will assume that noone else actually has a major reason to be interested in their PC or indeed downloading their pr0n collection. This is part of the reason why Joe Public does have such strong feelings about spyware as the average slashdotter.

  • Wait a minute (Score:5, Insightful)

    by JohnGrahamCumming (684871) * <slashdot.jgc@org> on Tuesday April 20, 2004 @08:20AM (#8915055) Homepage Journal
    They didn't actually test these passwords they just said "I'll give you a bar of chocolate if you give me your password".

    So people can just make it up.

    Yes Mr "Researcher" if offered chocolate 79% of people can think of a random word.

    Big deal,
    John.
    • Re:Wait a minute (Score:5, Insightful)

      by the_mad_poster (640772) <shattoc@adelphia.com> on Tuesday April 20, 2004 @08:26AM (#8915098) Homepage Journal

      Depends what type of password they're asking for. I can imagine my boss giving up some of his real passwords for a bribe because he thinks "big deal... that one's not protecting anything sensitive anyway". Except, that comes down to him not understanding that whole "weakest link in the defenses" problem. Yea, maybe THAT password isn't, but what does that give a malicious user access to that could be abused elsewhere? What apps level attacks are we now vulnerable to? What databases could be stolen? Could the attacker now impersonate you to get more information from other people?

      Management and business types, and of course home users, don't think security is a big complex model. They think "oh, we have a firewall... we're safe" and that's the end of it.

      • > Management and business types, and of course home users,
        > don't think security is a big complex model. They think
        > "oh, we have a firewall... we're safe" and that's the end of it.

        I am a management type [electric-cloud.com], you insensitive clod :-)

        John.
    • Re:Wait a minute (Score:5, Interesting)

      by Andy_R (114137) on Tuesday April 20, 2004 @09:49AM (#8915925) Homepage Journal
      I'm living proof of this. I was waiting for a train at Liverpoot St Station in London, and took part in the survey once I realised there was a freebie involved. Every single question they asked I made up a false reply to, partly to get the free chocolate but mostly because I hate intrusive market researchers and people trying to profile me.

      Sadly, I doubt they will ever realise how worthless their surveys are, after all the NYT still hasn't got the message after about a billion fake login names.
  • Pork Rinds! (Score:5, Funny)

    by Anonymous Coward on Tuesday April 20, 2004 @08:21AM (#8915059)
    One bag of pork rinds, and I'll give complete superuser access to anybody!
  • by Punk Walrus (582794) on Tuesday April 20, 2004 @08:21AM (#8915060) Journal
    I can't count how many times I have been helping out people with computers and they just blurt out their passwords to me. Even if I don't ask.

    Punk: Okay, you say you can't get the NVidia card to work in Red Hat. Let's go to the NVidia site and download--
    Dude: My root password is money45!
    Punk: [dope smack] NEVER DO THAT AGAIN!

    Even back in the days I did call support for an ISP, sometimes I'd just ask their login name and they'd just blurt out, "My login is sueray22 and my password is newyork!"

    • by fdiskne1 (219834) on Tuesday April 20, 2004 @08:29AM (#8915120)

      Even back in the days I did call support for an ISP, sometimes I'd just ask their login name and they'd just blurt out...

      My ISP always asks me what my password is. I've explained to them many times that it gets people into a bad habit and that I have to repeatedly tell my end users to NEVER give out passwords to anyone, even me. After several times, they finally said, "I'll make a note in your account to not ask for your password."

      Idiots.

    • Even back in the days I did call support for an ISP, sometimes I'd just ask their login name and they'd just blurt out, "My login is sueray22 and my password is newyork!"

      Recently I've been asked by "tech support" for some stupid websites for my username AND password. Does someone here know a site that explains the CONs about this?

      One holds my employee's salaries and such. I'm perfectly happy that the support people can access that if they need to. The system can then log "helpdesk-Tom" accessed XYZ's f
    • In a corporate environment, there's an easy solution. If the user gives out his password, you should probally lock down their account for a few days while you investigate their account. If it's a repeat offender, you should format their drive to be on the safe side. And erase all backups because you never know what an attacker might have put on the system.

      Same goes for people who open virus e-mails. For some reason, after I help people, they tend to stop doing stupid crap like that on my network. I gu

    • by plover (150551) * on Tuesday April 20, 2004 @09:25AM (#8915628) Homepage Journal
      I've found that when I'm helping people over the phone, they'll actually speak them out loud as they type them. I think these are the people whose lips move as they read.

      Me: Now I need you to log in, please, using your account and password.
      They: OK, that's M459465, uhh... k-e-v-i-n-2-1. There. I'm in!
      Me: sigh.

    • by nutshell42 (557890) on Tuesday April 20, 2004 @10:53AM (#8916693) Journal
      A friend of mine switched back to point-to-focus after having used click-to-focus exclusively for a few years.

      First thing he did was accidently posting his root-pw in a irc channel with 2600 users. Damn fine password it was =)

  • by bryanp (160522) on Tuesday April 20, 2004 @08:22AM (#8915068)
    It's YERAWANKER. Now where's my chocolate?

    Oh, wait. You wanted my REAL password? Well, that'll cost you another chocolate bar. Of course I'll give you my real password this time. Would I lie to you?
  • A big problem... (Score:5, Informative)

    by Lord_Frederick (642312) * on Tuesday April 20, 2004 @08:23AM (#8915074)

    ...at many of the places I've worked at is that the users have as many as a dozen passwords to remember for different systems, and each one expires at a different time and has different rules for how long and complex it has to be.

    Most of them keep their passwords written down on a sheet of paper right on their desk.

    • by Evil Schmoo (700378) on Tuesday April 20, 2004 @08:40AM (#8915199) Homepage
      Absolutely. We're a government facility, including a few areas that are nominally very secure, and as such, we have an extremely good IT department, all of whom work tirelessly to prevent nasty people and things from seeing our noodlings.

      The problem is, the vast majority of people who work here are either academic researchers, who are used to open collaborative discussion and find passwords inherently distasteful, or administrative workers, who, while they may be very dedicated civil servants, find the different password systems for email, LAN logon, timesheets, billing, contracts, grants, etc., to be tedious at best and bewildering at worst. Since they are not allowed to have the same universal password, for obvious security reasons, nor is that password allowed to be a recognizable English phrase, they have a great deal of difficulty memorizing each one.

      Add in the fact that each password must be changed every six months at a minumum (monthly for some systems) and that passwords cannot be repeated for five cycles, and that's as many as fifty or so passwords over the course of a year for some administrative officers. That's a lot to ask, even for someone with a technically-oriented mindset.

      Recognizing that writing them in a booklet next to the desk- or lap-top is a problem, many offices have taken to writing them down inside a lockbox.

      Biometrics may help, but if our physical plant is any evidence, we'll be ten or so years behind the curve getting such systems installed.

      • Re:A big problem... (Score:3, Interesting)

        by Anonymous Coward
        Wow, what government do you work for? I'm also working a government job (the reason for anonymity) and not only does our security suck, but our IT department is worse. Their average response time to any problem is measured in weeks. (No, I am not kidding. It took me over a month to get a login after I started working here.)

        And passwords, they have to be changed every month, however I know at least 4 other people's logins (by necessity, because I didn't have an account) and since you can't reuse any of your
      • Re:A big problem... (Score:3, Interesting)

        by whovian (107062)
        the different password systems for email, LAN logon, timesheets, billing, contracts, grants, etc., to be tedious at best and bewildering at worst. Since they are not allowed to have the same universal password, for obvious security reasons, nor is that password allowed to be a recognizable English phrase, they have a great deal of difficulty memorizing each one.

        which is why I think a standalone program that stores all these different passwords would be helpful. A program that uses tough encyrption that d
      • Re:A big problem... (Score:3, Interesting)

        by IncohereD (513627)
        What I've heard is the general advice to people who get keys to secure government areas when they ask how they should secure the key is this - secure it like you do your own house/car/etc (i.e., keep it on your keyring). You obviously have quite a vested interest in not getting your keys stolen, and it doesn't happen very often at all, so that's generally a good solution. Especially if it's unlabeled and combined with say, site access control.

        So I see the password thing as similar. Keep them in your wallet
    • by bwy (726112) on Tuesday April 20, 2004 @08:56AM (#8915330)
      So true, and I've guessed users passwords a few times when needed because I knew the names of their kids, etc. Of course, I can understand how this happens. I'm well aware of how many passwords I have and I've had to implement a similar functioning but more secure solution to the post-it note passwords. I use Spash ID on my Palm device that stores but encrypts my passwords. Folks just have SO many web sites that use different passwords, and to make it worse, most of the sites don't have the same username. Either the site won't let you pick your own username, or mine was already taken, or I created an account but lost a credit card so the username can't be used again, etc. Its a total mess. Makes me wonder how much value some of these web sites add. Maybe it was good enough paying my bills with a check every month and waiting for my paper bank statements to come every month, etc.
    • by hackstraw (262471) *
      Why in the world in 2004 are we still using username/passwords as the primary means of authentication and authorization?

      Usernames and passwords do nothing to authenticate someone. All they mean is that someone knows a username and password. Besides being a lowsy way to authenticate somebody, passwords are a pain in the ass. Everybody has different rules for having a "good password" , they expire at different times, and it seems as though every website now requres a username and password to buy something
  • by dummkopf (538393) on Tuesday April 20, 2004 @08:24AM (#8915081) Homepage
    for most internet users there is no real value attached to their computer accounts. it is not the same as the pin for your ATM card where, if shared, it would mean an empty account. hence it is understandable that they are willing to share this information.

    this, i think, is a big problem and the onyl way to solve it is to re-educate people for them to understand that such a password is important and should not be shared. clearly an alternate solution would be to install fingerprint scanners on all computers (a viable option in the future), but that would not help overcome the erroneous attitute towards computer security. in fact, such scanners would work well as again people are used to the fact that their fingerprint makes them unique and should not be "shared".

    finally, this will be an important concern in the future: already we are able to shop online and the future where all transactions go via the internet is near. one account (a la .NET) will be enough to deal with fueling up a car or buying a bunch of roses. probably then the attitute will change, when some smart scammers burn some people's fingers...
  • Sad but true... (Score:4, Insightful)

    by mitchell_pgh (536538) on Tuesday April 20, 2004 @08:25AM (#8915089)
    Most likely, the people willing to give up their passwords have very little to protect. For many, it wouldn't be life altering if their email was read, their MP3 collection viewed and downloaded and their favorite version of solitaire copied as well. I would argue that the people with valuable data wouldn't give out such information (like many of us in this forum). Also, many people have the luxury that even if the system was maliciously accessed with their user/pass that there would be zero repercussions. They would shrug their shoulders and remember the delicious piece of chocolate they had the day before.
  • by Simon Lyngshede (623138) <simon@spiceweaTOKYOsel.dk minus city> on Tuesday April 20, 2004 @08:26AM (#8915094) Homepage
    Most system administrator would wish that they had a company policy which allowed them to break the fingers of users who share their passwords.

    But if users don't like using password, why force them. I think they would discover very quickly why it's needed. Nothing like a "You suck" email sent from a users account to the boss, to make them realise that may it's not such a bad idea.

    A better solution would of cause be wide spread use of Kerberos, then at least they only need to enter their password once.
    • by Maestro4k (707634)
      • But if users don't like using password, why force them.

      Because of all the extra vulnerabilities it exposes. If a malicious attacker gains access to their account the number of ways they can try to get root privledges grows. There are quite a few root exploits you have to have an account on the system to use. Besides, the passwords are for their protection too, from things such as the E-mail to the user's boss you mention to losing personal information. (I've seen users who stored their credit card

    • by panda (10044)
      Ha! As ignorant as most bosses and users are, I could easily send a "You suck" email from halfway around the world, that would pass for real in any examination that most users would put to it. Only one who would know it's fake is the mail admin., and with some of the admins that I've had to deal with at other sites lately, I'm not sure even the mail admin. would necessarily be able to tell it was forged.

  • by DarrylKegger (766904) on Tuesday April 20, 2004 @08:26AM (#8915095)
    in the growing body of evidence to support my thesis that most people
    really dont give a crap about anything past their next meal.

  • by Lispy (136512) on Tuesday April 20, 2004 @08:28AM (#8915113) Homepage
    And I thought it was because we dont go outside. ;-)
  • by adamofgreyskull (640712) on Tuesday April 20, 2004 @08:32AM (#8915139)
    PC.......$600
    DSL......$20/month
    nmap.....free.

    Being pipped to the post by a reporter with a snickers bar.....Priceless.

    There are some things even money can't buy, for everything else there's Masterfoods, Plc. [masterfoods.com]
  • by WebMasterJoe (253077) <joeNO@SPAMjoestoner.com> on Tuesday April 20, 2004 @08:34AM (#8915155) Homepage Journal
    This study brought to you by Klondike. What would you do for a Klondike bar?
  • by NetDanzr (619387) on Tuesday April 20, 2004 @08:34AM (#8915156)
    My boss has 67 different accounts with various financial Web sites. He's really dilligent, and always creates a different user name and password. Then he puts them all, along with the proper Web site address, into an Excel spreadsheet, prints them out and leaves them next to the computer.

    Kinda useless, if you ask me. I prefer to have 3-5 different passwords and use post-its attached to my monitor.

  • by bryanp (160522) on Tuesday April 20, 2004 @08:37AM (#8915171)
    Occasionally you may HAVE to tell someone your password. Keep that in mind selecting one. Consider this exchange I had with one of my users a while back:

    Bryan: "What's your password on this system?"

    Tammy: "Uh ..." *blush* "Do I have to?"

    Bryan: "No, you can always call the help desk like you're supposed to, but I can't reset your password on this system."

    Tammy: "Um ... it's ... TPBP6969. It's my initials followed by my husband's initials. Please don't tell anyone!"

    Bryan: "Considering your husband and I have the same initials I think I'll keep that one to myself. But in the future you might want to select a less ... personal password."

  • by anti-NAT (709310) on Tuesday April 20, 2004 @08:40AM (#8915202) Homepage

    "Workers are prepared to give away their passwords for a cheap pen, according to a somewhat unscientific - but still illuminating - survey published today."

    Office workers give away passwords for a cheap pen [theregister.co.uk]

  • by MrIrwin (761231) on Tuesday April 20, 2004 @08:42AM (#8915214) Journal
    a) A lead software architect at MS, b) The comptroller at Amex, c) George W.Bush, d) The webmaster of iTunes.com e) CmdrTaco

    Any help will be gratefully recieved and results will be shared with all. Oh boy will they be shared........

  • Password Security (Score:5, Interesting)

    by herwin (169154) <herwin@thewoERDOSrld.com minus math_god> on Tuesday April 20, 2004 @08:48AM (#8915268) Homepage Journal
    This has been a problem for a long time in the military world. Instead of 'password' read 'safe combination'. People who had to manage multiple safes wrote the excess combinations on a sheet that was labelled with the highest classification of any of the safes and was stored in the highest classification safe available. Likewise, I use a password cache on my most secure machine.

    By the way, it _is_ possible to come up with strong memorable passwords. Think of a phrase involving numbers and punctuation. Then translate it into a password by using the initials of the words (alternating capitalization), the numbers, and the punctuation. As an example, consider: "Don't forget 9/11/01!" That becomes dF91101! Research indicates the passwords generated by that algorithm are as strong as the randomly generated passwords some systems force unto users.

    I also use a network password here at school that Windows can't handle. Basically, the network login script parsing on the machines used by students can't handle imbedded punctuation, but my research machine is OK with it, so my network password is only usable from specific machines in secure areas. It's not perfect, but it reduces the exposure.
  • This is news? (Score:5, Insightful)

    by Trolling4Dollars (627073) on Tuesday April 20, 2004 @08:54AM (#8915310) Journal
    While password policies and the security that they provide are pretty much the recommended approach these days, they rely heavily on one resource that many people have a lot of trouble with: long term memory. Sorry, but it's 2004... where is voice print ID or fingerprint ID, or even dna sampling? MacOS was on the right track, but the technology was a little too early. Ahem!!! Time for the OSS/Free community to show the rest of the world where authentication is going. Voice Print ID should be a part of Gnome.
  • Those who would give up security for chocolate deserve neither.

  • A friend of mine is particularly anal when it comes to security. He's a network security geek for a major college in the Boston area, and security is his life. Unfortunately, he'll interact with you when he's just entered Level 1 REM sleep.

    About 7 years ago, he was crashed out on the floor of my apartment after a late night session. Since I was still coherent, I started saying random command prompts and command lines to him. He had just fallen asleep, and was finishing the prompts!

    Me: rm -rf
    Him: star

    Me: apachectl
    Him: restart

    Me: shutdown
    Him: -h now

    And then I upped the stakes.

    Me: username
    Him: blurted out his username

    Me: password
    Him: blurted out his password

    I left him an e-mail from himself that evening, and then went to bed. The next morning, he said "cute trick, but anyone can forge the From: header". I told him to go and double-check the received line, and he'd see that it was sent from localhost on a server that I didn't have an account on.

    He was rather annoyed and amused at the same time...

    Priceless.
  • by 0x0d0a (568518) on Tuesday April 20, 2004 @09:21AM (#8915585) Journal
    The "I hate passwords" attitude is not merely (or even primarily, IMHO) a function of users doing something wrong. It is a function of poorly designed security, or of security designed for a different environment being reused for current systems.

    Passwords came into popularity a long time ago. Things that have changed since the introduction of the password:

    * Many people have accounts on many, many systems (thanks to websites with accounts).

    * Users on such systems may not be primarily benevolent -- on a UNIX box used by a small bunch of researchers in the early 80s, a password may be an acceptable barrier to anyone poking around. A password on eBay, on the other hand, may be of interest to a number of less savory characters.

    * The ability to attack systems has significantly increased. Internet accessability means that remote, hard-to-trace attacks are more common. A brute force attack on a computing system physically isolated in a building may be simply infeasible, and choosing "cheese" as a password may be perfectly acceptable -- such a thing is no longer reasonable.

    * Computing power is much greater now. Attacks on password hashes (including those sent over the network) are much more feasible. The relative strength of passwords to CPUs has decreased logarithmically.

    * Many systems require passwords frequently. If you are a defense contracting employee, you might have only needed your password once when walking in the door in the morning and once after lunch. Now, corporate intranets have passwords, Yahoo has passwords, Slashdot has passwords, eBay has passwords, etc. Many of these require passwords multiple times a day (or, if they have an option to cache a password, do not have sufficient data about the client side to know how long it is safe to continue to cache the data).

    * The demographic of password users has changed. Almost everyone has many passwords now -- not just a couple of engineers or scientists, or the occasional person with an ATM PIN.

    What I Suspect Needs To Be Changed

    A couple of things that probably need to change:

    * It needs to be standard (and have a common interface for doing so) for users to be able to delegate a subset of their authority. Few systems currently have authorization systems smart enough to allow users to delegate chunks of their power to other users for a short term (and audit any moves). This needs to be simple, *easy*, and secure. If Sharon wants to let Bob purchase something online and charge it to her credit card account, she needs a quick and easy way to say "I authorize Bob to spend up to $500 in the next week and charge it to my credit card." That could be via her cell phone or on a computer. Most systems should have at least several forms of authorized actions that can be delegated to other users that require no more than entering a limit on the degree of the actions taken. A list of actions that other users have taken with that authorization should also be easily visible.

    * Where feasible, passwords should be replaced by smartcard/PIN combinations. It's easier to remember a four-digit PIN than a long, secure password, and for anyone that doesn't have physical access to a user's smartcard, the strength of the token on the card is much greater than that of a password. Currently, this is particularly disasterous in the form of credit card information. Currently, many vendors store full credit card information used in purchases in databases. If any such database is compromised, authentication data providing full access to money accounts is granted the compromiser -- this is, frankly, insane. Credit card providers have one effective line of defense against a compromised card -- they do statistical analysis against purchases, which isn't the most reliable method of dealing with such attacks, and requires intense monitoring of anything users do -- producing a strong disincentive to provide users with privacy. (I realize that there are a few attempts at improving t
  • by Fuzzums (250400) on Tuesday April 20, 2004 @09:23AM (#8915612) Homepage
    If it was just documents of my work? who cares? My co-workers NEED to see those documents anyway!

    What does my password protect? Private files? Am I supposed to have private files at work? I guess not. Secrit files then? Ok. possibly.

    To track possible abuse? They're allowed to use my phone too, do I have to password-protect that too?

    But hey, if it's about my admin password..
    That's a different story.
    Then I'd like to have some chocolate too!
  • This is old news... (Score:4, Informative)

    by lewko (195646) on Tuesday April 20, 2004 @09:27AM (#8915649) Homepage
    I suspect this was a journalist looking for a creative spin on an old story. The European Infosecurity 2003 conference came to the same conclusion when it discovered workers were prepared to give away their passwords for a cheap pen [theregister.co.uk].

    It's still interesting to see that in two years of cybercrime and media frenzies that nothing has really changed...

  • by 10Ghz (453478) on Tuesday April 20, 2004 @09:39AM (#8915786)
    Are the people who will not give their password, no matter what. As "the IT-guy" I require access to just about all computers here. And yes, that includes the end-user desktops/laptops. And there are some people here who simply refuse to give me the passwords to their system! Noooo, they have to type the password themselves. And that means I have to drag them from their meetings and such just so they can log in to their machine so I could work on it!

    Hell, I have received maybe 200 passwords while working here, and I don't remember any of them. I don't keep them stored anywhere, and I don't have eidetic memory, so there's no risk. And still I hear the "I use the same password in several places, and I don't want to change all those passwords if I gave you my password!". If you are so careful when it comes to security, you shouldn't use the same password everywhere! And yes, you CAN give your password to the IT-department if they walk up to you and ask you for it. If you don't... well, we can always reset your password!

    Sheesh, some people....
  • by cgrant (167910) on Tuesday April 20, 2004 @09:46AM (#8915888) Homepage
    Ed Skoudis (of http://www.CounterHack.net and other fame) had recently proposed at a SANS conference I went to that everyone should go with passphrases, rather than passwords. I have to agree. Why not remember "MyGoldenRetrieverIsUberCool" rather than "AB12CD!@%asd3asd"?

    Either one requires you to know how to type, and a passphrase will more likely be albe to be typed without being a contortionist.
  • Unfair survey... (Score:5, Insightful)

    by aksansai (56788) <aksansai@gLAPLACEmail.com minus math_god> on Tuesday April 20, 2004 @10:08AM (#8916137)
    The survey is focused on their computer passwords. The responses from the people are typical considering the average person does not know how much is tied to that password. "I don't have anything special in my email that someone can read..." or "What can someone do with my password...?"

    The survey should have also asked the following questions:

    1) Please specify your major credit card number and expiration date.
    2) Please specify your address, bank account number, and SSN (if it applied to citizens of the United States - otherwise insert THEIR form of special identification).

    Would the numbers have coincided as to who revealed that particular bit of information? Absolutely not. The average person would see the risk in giving those pieces of information to a complete stranger.

    If a direct association could be made between their Internet password and their money, those people would have guarded their password under lock and key. Why? Because the loss of money is readily understood, versus having to call an ISP and say "Someone hijacked my account."

    Although people may be tired of using passwords (or PIN numbers), they are still a somewhat effective means of preventing improper access to their assets, be it Internet access, money, or personal information. The quality of the password is directly related to the importance of the stuff being protected.

    The article cites that birthdates, pet names, etc. are common passwords. However, if someone applied the same level of protection on say...

    Instead of asking that 16-digit number (an abstract version of a password), one were to ask "What is your credit card phrase?" Answer: "Buddy."

    Instead of asking that expiration date, one were to ask "What is your age?" Answer: 30. These easy "passwords" would make is easier to make fraudulant charges on someone's account.

    Public awareness of the importance of securing their own personal information is a key issue that needs to be resolved. Using an easy to understand analogy would be a good first step for those who are being surveyed.

  • Password Rules (Score:5, Insightful)

    by Baby Duck (176251) on Tuesday April 20, 2004 @10:11AM (#8916163) Homepage
    My biggest gripe about website password is the lack of consistency in password rules.
    • Some let you use special characters.
    • Some don't.
    • The set of allowed special characters differs for those who do
    • Some are case sensitive
    • Some are smashcase
    • Some allow just numbers
    • Character length range is wildly variable
    • Some make you change your password and won't let you use your last X passwords
    • Some force you to do weird stuff like "at least one uppercase, at least one lowercase, at least one number"

    It irks me, because even if I wanted to use a completly different password for every login, there is no pattern or strategy I can follow to appease all of them.

  • by HarveyBirdman (627248) on Tuesday April 20, 2004 @10:21AM (#8916299) Journal
    If someone offered a candy bar for my password, I'd take the candy bar and give them a fake password. Unless these guys tested each and every one, we have no idea how many people actually give real passwords.

    And "I'm tired of passwords, so I'm going to give it to a stranger" doesn't really parse.

  • SecurID! (Score:4, Insightful)

    by mjh (57755) <mark@NOSPAM.hornclan.com> on Tuesday April 20, 2004 @10:33AM (#8916449) Homepage Journal
    I have a securid card that I use for logging into a number of different things at work. I wish it was used for *EVERYTHING*. I'd never have to remember another password in my life (unless you count my PIN as my password). I'd never have to deal with varying password changing schemes on multiple systems. Which result in having multiplying passwords which I have to remember, which require me to enter them into STRIP [zetetic.net].

    I wish I could use SecurID (or something like it) for everything. It would dramatically simplify my life.

  • How do they know this doesn't just show people are dirty lying bastards. I'd give up a random string of charachters I made up on the spot for a bar of chocolate!
  • by Netsnipe (112692) <(moc.liamg) (ta) (epinsten)> on Tuesday April 20, 2004 @11:33AM (#8917295) Homepage
    and not chocolates when I enter my root password to login on websites such as Slashdot?
  • by illuminatedwax (537131) <stdrange AT alumni DOT uchicago DOT edu> on Tuesday April 20, 2004 @11:58AM (#8917639) Journal
    This is a bit off-topic, but a friend of mine had an account at a bank that would only allow you to access your information if you could answer a particular question. You could set the question and answer to whatever you wanted. His question was:
    "What are you wearing?"

    His response?

    "I don't think that's an appropriate question."

    --Stephen
  • by Lulu of the Lotus-Ea (3441) <mertz@gnosis.cx> on Tuesday April 20, 2004 @12:34PM (#8918144) Homepage
    I'd gladly give up my password to many sites for a bar of chocolate. I'd be getting a great deal. Heck, I'll tell you all now: it's "password"... or sometimes if the sites use a dictionary check, I'll go for "password1".

    A whole lot of the places I visit protect absolutely nothing of significance to me with their password. As in, maybe I can select a color scheme for a site, or similar. And for a lot of those, I know perfectly well I'll never go back to a site; I just have to do a one-time transaction. Exactly how concerned am I supposed to be that "hackers" might change my color scheme on a news website. Actually, a lot are even worse than that--like commercial newspapers (NYT and friends): I can't even change a color scheme, they just insist on me giving them demographic info. But it's a one way thing, you can't see or change it after "registration." Even if crackers -could- change how old the NYT thinks I am, why do I care about that exacty?

    Opinions of security are probably harmed by the overuse of security measures where there is self-evidently no reason to have them. Casual users get in the habit of thinking passwords are just a nuisance... even when the -do- something significant.
  • by maxpublic (450413) on Tuesday April 20, 2004 @03:18PM (#8920433) Homepage
    At my wife's place of work (she's a research scientist for a major university) IT will delete the old passwords, then send out an email informing the employees that their passwords are no longer good and that they need to be changed.

    Of course, to read your email, much less change your password, you need to log in. And you can no longer log in because your password has been deleted. Therefore, no one ever receives the email that their passwords need to be changed, nor could they do anything about it even if informed. Eventually enough people call up IT to ask them what the hell is going on, prompting them to restore the old passwords long enough for everyone to get on, read their mail, and change their password.

    The IT department at her university has pulled this idiocy more than once. In fact, one time they restored the old passwords, everyone dutifully changed them, and then IT deleted the new passwords!

    If ever there was an IT department where it was a requirement to have the word "LOSER" stenciled on one's forehead, this one takes the cake.

    Max

HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)

Working...