Giving Up Passwords For Chocolate

Posted by CmdrTaco
from the my-password-is-hershey dept.
RonnyJ writes "The BBC is reporting that, according to a recent survey, more than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate. Over a third of the people surveyed even gave out their password without having to be bribed, and most indicated that they were fed up with having to use passwords."
  • Passwords and memory (Score:5, Interesting)

    by Space cowboy (13680) * on Tuesday April 20, 2004 @08:19AM (#8915040) Journal
    I use one password for anything I don't really care about (/. login, LWN login, etc.) and different ones for systems I do care about (webservers, mx machines, client machines etc). I couldn't have told them my care-about passwords anyway though - I don't remember them, I just remember how to type them in. If I have to tell someone, I have to go through the process of mentally "typing" the word - complete with shift keys etc...

    It takes less than 5 minutes to remember a new sequence, just by typing it lots of times, and I find that if I *do* forget one from (say) 6 months ago, if I put my fingers through the first 1 or 2 chars, I get the whole sequence back... Holographic memory at its best :-)

    I've found this works much better for me than what I used to do (take 2 words, reverse them, catenate them, and take the central 8 chars) - the recovery of "forgotten" passwords is much easier when I let my fingers "remember" what to do... It also allows me to give clients obviously hard-to-forge passwords and easily use them :-)

    Simon
  • by troc (3606) <troc@ m a c . com> on Tuesday April 20, 2004 @08:19AM (#8915042) Homepage Journal
    And apparently over 30% of those asked would just reveal their passwords without any bribery!

    Troc
  • by r6an (710555) on Tuesday April 20, 2004 @08:20AM (#8915056)
    and most indicated that they were fed up with having to use passwords
    Maybe if your admin required something like a 16 character alphanumeric cyber with alt codes, but wow... I thought I was lazy. Maybe it's time for security card (prox)/eye scanner/voice recognition systems (not just one, combination of them)
  • by JoScherl (228091) on Tuesday April 20, 2004 @08:24AM (#8915080) Homepage
    For important things, like Login to a remote system or something I use the first letters of the first sentence that comes to my mind - but in the end I only type the sequences without remembering what it meant - that's quite funny - finding the sentence after some months with only having the letters ;-)
    At unimportant systems I use something like qwerty 'cause it's quite easy to type fast....
  • by fdiskne1 (219834) on Tuesday April 20, 2004 @08:29AM (#8915120)

    Even back in the days I did call support for an ISP, sometimes I'd just ask their login name and they'd just blurt out...

    My ISP always asks me what my password is. I've explained to them many times that it gets people into a bad habit and that I have to repeatedly tell my end users to NEVER give out passwords to anyone, even me. After several times, they finally said, "I'll make a note in your account to not ask for your password."

    Idiots.

  • by Domini (103836) <lailoken@gmail.com> on Tuesday April 20, 2004 @08:29AM (#8915124) Journal
    I have to agree to this.

    I have a 6 alpha char, but not-so-secret (public), password I use for all my low-risk passwords. Then I have another simple 8 alpha-num, but secret, password for all my secure sites (like Slashdot).

    For high-security (Banking/root/PGP) I use a 13 character randomly generated password or two.

    I would give out my not-so secret one to anyone who dares ask, and my 8 char one for an Aero milk bar... ;)
  • by bobbis.u (703273) on Tuesday April 20, 2004 @08:31AM (#8915131)
    But what use is a user id and password if you don't know where the computer is that it accesses?

    They should have tried doing the survey by knocking on people's front doors and asking them. I bet significantly fewer people would tell them then, because they would realise there was a much greater chance that the divulged information could actually be used.

    I am sure that somewhere in my town, there is a computer with the Windows login "Administrator", with password set to "password". Now in order for that information to be useful I still need to find that computer. (The only likely way is brute force scanning, which, by extension could be applied to the password cracking anyway.)

    Clearly, if the attacker was more malicious and started following you, etc they could get this information. However, most people will assume that no one else actually has a major reason to be interested in their PC or indeed downloading their pr0n collection. This is part of the reason why Joe Public does have such strong feelings about spyware as the average slashdotter.

  • by Lumpy (12016) on Tuesday April 20, 2004 @08:36AM (#8915166) Homepage
    you have it easy!

    here they added the restriction that your password can not contain any characters that can be typed at the keyboard... oh and you can't use any of your last 50 passwords.

    Ok, so I'm kind-of joking... but their stupidity at corporate to make passwords insanely complex has weakened computer security as most users now have their password (and the last 20 or so) written down under their desk blotter, in the drawer or even on a post-it on the monitor...

    Oh and corporate's extreme wisdom has the last four of your SSN in your user ID, and they use that same 4 digits to verify who you are to tech support lines...

    so basically they, through extremely stupid decisions have significantly weakened the network and computer security here to the point that it is a gigantic joke.

    yay for MIS directors that have no clue!
  • Re:Username (Score:3, Interesting)

    by W2k (540424) <.moc.liamg. .ta. .suilesnevs.mlehliw.> on Tuesday April 20, 2004 @08:39AM (#8915190) Homepage Journal
    That's assuming you don't use Sneakemail [sneakemail.com] and have thousands of disposable addresses to hand out. Or, assuming you meant the password to the e-mail account itself, you would need the addresses to the mail servers (POP3 or whatever); and of course, the sender's private key (who doesn't sign their mail nowadays?).
  • by anti-NAT (709310) on Tuesday April 20, 2004 @08:40AM (#8915202) Homepage

    "Workers are prepared to give away their passwords for a cheap pen, according to a somewhat unscientific - but still illuminating - survey published today."

    Office workers give away passwords for a cheap pen [theregister.co.uk]

  • by brinkster (523812) on Tuesday April 20, 2004 @08:41AM (#8915213)
    I started in a non IT related position 8 months ago. In that time I have managed to find the admin passwords to two domains, admin access to the company database, local admin access to all the PCs at my site, VNC passwords as well as discovered the company RedHat server runs a vulnerable version of SSH.
    All this by showing half an interest and sounding like you know what you're talking about. But then, maybe the IT department here is useless.
  • by Anonymous Coward on Tuesday April 20, 2004 @08:43AM (#8915224)
    I had a job that required me to handle on occasion things like people's SSN or credit card numbers, what have you. If the transaction was complicated enough and if it was on a day where I found myself doing more than a couple, I found I would remember people's info. Whole credit card numbers, their signature, SSN, address, the works. People would find it disconcerting, to say the least, that I would just fill redundant paper work out from memory after having returned their id and plastic. On one occasion I had to remind them they were letting me write it all down.
  • Password Security (Score:5, Interesting)

    by herwin (169154) <herwin@thewo r l d.com> on Tuesday April 20, 2004 @08:48AM (#8915268) Homepage Journal
    This has been a problem for a long time in the military world. Instead of 'password' read 'safe combination'. People who had to manage multiple safes wrote the excess combinations on a sheet that was labelled with the highest classification of any of the safes and was stored in the highest classification safe available. Likewise, I use a password cache on my most secure machine.

    By the way, it _is_ possible to come up with strong memorable passwords. Think of a phrase involving numbers and punctuation. Then translate it into a password by using the initials of the words (alternating capitalization), the numbers, and the punctuation. As an example, consider: "Don't forget 9/11/01!" That becomes dF91101! Research indicates the passwords generated by that algorithm are as strong as the randomly generated passwords some systems force onto users.

    I also use a network password here at school that Windows can't handle. Basically, the network login script parsing on the machines used by students can't handle embedded punctuation, but my research machine is OK with it, so my network password is only usable from specific machines in secure areas. It's not perfect, but it reduces the exposure.
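    The phrase-to-password rule from the post above, implemented as an added example (not the poster's own code). It assumes, from the "Don't forget 9/11/01!" example, that only trailing punctuation of a word is kept and internal punctuation (the apostrophe, the slashes) is dropped; letters alternate lower/upper case in the order the words appear.

```python
import string


def phrase_to_password(phrase: str) -> str:
    """Derive a password from a memorable phrase.

    Rule (as described in the post): take the initial of each word with
    alternating capitalization, keep digits, keep punctuation.
    Assumption made here: punctuation inside a word or number is dropped
    and only trailing punctuation is kept, which is what reproduces the
    post's example "Don't forget 9/11/01!" -> "dF91101!".
    """
    parts = []
    letter_words = 0  # counts word initials so far, drives the alternation
    for token in phrase.split():
        core = token.rstrip(string.punctuation)   # word or number body
        trailing = token[len(core):]              # e.g. "!" or ","
        digits = "".join(ch for ch in core if ch.isdigit())
        if digits:
            # a number token contributes its digits only (slashes dropped)
            parts.append(digits)
        elif core:
            initial = core[0]
            parts.append(initial.lower() if letter_words % 2 == 0
                         else initial.upper())
            letter_words += 1
        parts.append(trailing)
    return "".join(parts)


def derive_checked(phrase: str, min_len: int = 8) -> str:
    """Derive the password and refuse phrases that are too short to give
    at least min_len characters (a short phrase yields a short password)."""
    pw = phrase_to_password(phrase)
    if len(pw) < min_len:
        raise ValueError(f"phrase yields only {len(pw)} characters; "
                         f"use a longer phrase (need {min_len})")
    return pw


if __name__ == "__main__":
    # constructed sample phrases
    for p in ["Don't forget 9/11/01!", "Four score and seven years ago, 1863!"]:
        print(repr(p), "->", derive_checked(p))
```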
  • by goranb (209371) on Tuesday April 20, 2004 @08:49AM (#8915275)
    I don't remember them, I just remember how to type them in. If I have to tell someone, I have to go through the process of mentally "typing" the word

    Ok, this is not related to the topic, but still...

    Here in Slovenia various stores are switching to a "PIN code" based use of credit cards (instead of my signature on the receipt)...
    I personally think that's great and all, as I've been using my cards and PIN code on ATM machines for quite some time now...

    Of course, I don't "know" my PIN code, I know how to type it...
    Guess what? The keyboards stores are using are "up-side-down" compared to the ones used on ATM machines...
  • by Anonymous Coward on Tuesday April 20, 2004 @08:53AM (#8915301)
    My users do not have any access from outside of the company, so I do not fear hacks from outside. They do not have shell accounts either (only samba and pop3), so hacks from inside are limited, too.
    They can use one another's samba accounts from inside of the company, though, and in fact they do quite a lot. Many accidents (like 'I lost all my mail' or 'where are my internet bookmarks') are clearly a result of that practice and every time I have to solve such an accident I suggest they change their password and keep it secret.

    It never works though... people are lazy and/or dumb.
  • by MightyYar (622222) on Tuesday April 20, 2004 @08:55AM (#8915316)
    Not all of you, I'm sure, but I can't believe how many of you are blaming the user. This is not a social problem, this is a technical problem.

    There are lots of things you can't do with humans because of human nature. Communism is one, speed limits are another, and expecting people to remember the sheer number of passwords they have to today is another. I have to keep them all in my Palm. Most of the people at work keep them on a Post-It. The password-mania of IT at work has become a joke among the employees. Get a grip!

    What to do? You're the IT people, you tell me! Fingerprint readers? Retinal scanners? How about you just read the little badge that I wear around my neck all day anyway? The building security guys figured out that passwords don't work for building security, when will you guys learn the same lesson?

  • by Ralph Wiggam (22354) on Tuesday April 20, 2004 @08:56AM (#8915325) Homepage
    Frats have retarded secrets like hand shakes and secret mottos. Some Ivy League frats have a secret president. Everyone tells their girlfriend all the stuff because nobody really cares.

    -B
  • by Xugumad (39311) on Tuesday April 20, 2004 @09:05AM (#8915402)

    I go a little further than this:

    1. Two separate "critical" passwords, one for financial (bank, credit card, etc.), one for system access.
    2. One password for anything I need to make reasonably sure no-one gets access to (typically anything that stores my credit card details, even if they aren't viewable).
    3. One password for anything it would be annoying if people access (LiveJournal, online retailers who don't store my credit card, etc.)
    4. One password for sites I don't really care if anyone gets into.
    5. One password for sites I only plan on using once (which you can have for a bar of chocolate)

    Additionally, every 6 months or so I create (using a random password generator) a new password, which becomes my systems password. My systems password becomes my financial password, my financial password becomes my need-to-keep secure, and so on down...

    Works for me...

  • by HD Webdev (247266) on Tuesday April 20, 2004 @09:09AM (#8915453) Homepage Journal
    And apparently over 30% of those asked would just reveal their passwords without any bribery!

    Yes, that was interesting, and I'm not surprised. But, this quote from the article (emphasis mine) bothered me.

    The RSA survey found that maintaining online identities is becoming a burden for many people who, on average, use 20 sites that require them to register and then log on afterwards.

    Good Lord! These are 'random' commuters. I find it quite hard to believe that a significant portion of them have 20 logins let alone an AVERAGE of 20 online logins to keep track of. Especially considering that only one respondent (allegedly) had a total of 40 logins.

    So, it's Lies, Damn Lies, and Statistics. I don't take the article as anything resembling reality.
  • by Cypherus (675743) on Tuesday April 20, 2004 @09:20AM (#8915573)
    I like to use the first letters from a certain phrase and add the year at the end, that way I just remember the phrase and after typing it in several times I can type it really fast. My friends call me wacko that I have 13-15 alpha-numeric passwords. They can hardly remember their AOL password let alone a 13-15 alpha-numeric password. Noobs.
  • by Lord_Slepnir (585350) on Tuesday April 20, 2004 @09:21AM (#8915583) Journal
    In a corporate environment, there's an easy solution. If the user gives out his password, you should probably lock down their account for a few days while you investigate their account. If it's a repeat offender, you should format their drive to be on the safe side. And erase all backups because you never know what an attacker might have put on the system.

    Same goes for people who open virus e-mails. For some reason, after I help people, they tend to stop doing stupid crap like that on my network. I guess they finally realized the error in their ways (And making them re-do 5 months worth of work seems to be a good enough incentive)

  • by omnirealm (244599) on Tuesday April 20, 2004 @09:21AM (#8915594) Homepage

    I couldn't have told them my care-about passwords anyway though - I don't remember them, I just remember how to type them in.

    I do the same thing. I base my passwords on a pattern of keys on the keyboard. I was haplessly surprised earlier this year while I was on vacation in Europe, when I realized that the keyboard on the hotel terminal had a different key mapping than the one I based my password on! :-( It took me several minutes just to remember what all the keys would have been on a US keyboard and then alter my pattern just to be able to type in my password...

    Yes, I know I probably could have changed the key mapping in the operating system, but it was a Windows machine, and I only know how to use xmodmap.

  • by Kyaphas (30519) on Tuesday April 20, 2004 @09:25AM (#8915640)
    Like "Password Manager" :-)

    WARNING WARNING DANGER WILL ROBINSON!!! BLATANT PRODUCT PLUG AHEAD!!! :-)

    I use Password Manager myself, because it's written in Java, and I can put the program along with it's datafile on a USB drive, then use it at work (WinXP), at home on my Linux workstation, or with my Powerbook. Check it out.

    http://www.geocities.com/ramix_info/passwordmanager.html
  • Frat Secrets (Score:2, Interesting)

    by jardun (666893) on Tuesday April 20, 2004 @09:26AM (#8915643)
    When I was in school, one of the secrets was that the fraternities actually had a nicely put together book of tests for various classes. Foreign language, histories, etc. Pretty much all of the core classes' tests were in that book. One of my friends borrowed it for a laugh from a fraternity friend of his.
  • Re:Wait a minute (Score:5, Interesting)

    by the_mad_poster (640772) <shattoc@adelphia.com> on Tuesday April 20, 2004 @09:37AM (#8915758) Homepage Journal

    There's a difference between having a sysadmin that's insane and having one that understands reasonable protections based on the content being protected and the overall position of the system in question. If a single compromise could result in a $200 million dollar loss of sensitive information, maybe forcing people who access that info to use a 12 character password that's not vulnerable to a dictionary attack isn't such a bad idea, hmm?

    Yet, I see it all the time: some stupid suit thinks they know better and wants to be exempt from the policy. Dysfunction exists at every level, but when it runs rampant in people with authority, you have a real problem. What amazes me is that the excuse from these boneheads is always the same when something goes wrong: "well, I'm a MANAGER, I handle BUSINESS DECISIONS. You don't expect me to understand your technical mumbo jumbo, do you!?"

    Uh, no dumbass.... I expect you to sit back, STFU, and let me do my job. You HIRED me to do this so you didn't HAVE to understand the technical mumbo jumbo... remember?

    I'm sure not all management is like this, but from my vantage point, most of it is. It's so much easier for them to point fingers after the shit hits the fan than it is to sit down and work with the technical people from the start, I suppose. This whole story is probably a good example of that. I tried to get these bozos to pay for some of our front line people to take classes on preventing social engineering attacks. Something like 90 people would have been enrolled to the tune of $25K. They refused. So, to make my point, I told my buddy to get into the veeps office. Sure as all hell, he did it without raising any eyebrows... they thought it was a "cute trick" and still didn't sign anyone onto the class because they don't think anyone would ever try it with us. I then tried to point out that while WE might not have anything particularly valuable, we do act as interface to a much larger International that DOES have a lot of valuable assets that competitors and crooks would love.. no dice. Idiots, says I. Idiots. They hire people to do things they don't understand, then tell them how to do it anyway. That's like hiring a builder to build your house, then hanging over them all the time and telling them they're doing it wrong.

  • Re:A big problem... (Score:3, Interesting)

    by Anonymous Coward on Tuesday April 20, 2004 @09:41AM (#8915833)
    Wow, what government do you work for? I'm also working a government job (the reason for anonymity) and not only does our security suck, but our IT department is worse. Their average response time to any problem is measured in weeks. (No, I am not kidding. It took me over a month to get a login after I started working here.)

    And passwords, they have to be changed every month, however I know at least 4 other people's logins (by necessity, because I didn't have an account) and since you can't reuse any of your previous 24 passwords, they recommend that you just use your old password and add a counter to the end of it. (i.e. password1, password2, password3, etc).
  • Re:A big problem... (Score:3, Interesting)

    by whovian (107062) on Tuesday April 20, 2004 @09:43AM (#8915849)
    the different password systems for email, LAN logon, timesheets, billing, contracts, grants, etc., to be tedious at best and bewildering at worst. Since they are not allowed to have the same universal password, for obvious security reasons, nor is that password allowed to be a recognizable English phrase, they have a great deal of difficulty memorizing each one.

    which is why I think a standalone program that stores all these different passwords would be helpful. A program that uses tough encryption that does exactly what mozilla|firefox does in that there is a Master Password to unlock all your usernames and passphrases for web forms. The only points of failure I can think of are 1) your box, 2) poor encryption protocol, 3) D'oh! you forgot your master password.
  • by cgrant (167910) on Tuesday April 20, 2004 @09:46AM (#8915888) Homepage
    Ed Skoudis (of http://www.CounterHack.net and other fame) had recently proposed at a SANS conference I went to that everyone should go with passphrases, rather than passwords. I have to agree. Why not remember "MyGoldenRetrieverIsUberCool" rather than "AB12CD!@%asd3asd"?

    Either one requires you to know how to type, and a passphrase will more likely be able to be typed without being a contortionist.
  • Re:Wait a minute (Score:5, Interesting)

    by Andy_R (114137) on Tuesday April 20, 2004 @09:49AM (#8915925) Homepage Journal
    I'm living proof of this. I was waiting for a train at Liverpool St Station in London, and took part in the survey once I realised there was a freebie involved. Every single question they asked I made up a false reply to, partly to get the free chocolate but mostly because I hate intrusive market researchers and people trying to profile me.

    Sadly, I doubt they will ever realise how worthless their surveys are, after all the NYT still hasn't got the message after about a billion fake login names.
  • by sindarin2001 (583716) on Tuesday April 20, 2004 @09:52AM (#8915969)
    I do agree that it is hard to remember gobs of passwords, but at the university that I work at most people can't remember their passwords when I switch out their old computer for a new one. It makes my life a real joy because they don't know how the heck to get into their email/other application. Thank goodness for whatever little utility I've got that looks behind the asterisks...makes my life just a little easier. I could get the help desk to reset it, but that means that I have to have the client do it because they require a social security number.
  • by HarveyBirdman (627248) on Tuesday April 20, 2004 @10:21AM (#8916299) Journal
    If someone offered a candy bar for my password, I'd take the candy bar and give them a fake password. Unless these guys tested each and every one, we have no idea how many people actually give real passwords.

    And "I'm tired of passwords, so I'm going to give it to a stranger" doesn't really parse.

  • by drudd (43032) on Tuesday April 20, 2004 @10:22AM (#8916309)
    Same thing happened to me when I got an ergonomic keyboard... the pattern crossed the split in the keys and didn't match up right for my muscle memory.

    Now I use the split as an extra piece of information in the pattern, makes it a nonsense pattern on a normal keyboard.

    Doug
  • by E_elven (600520) on Tuesday April 20, 2004 @11:14AM (#8917008) Journal
    I tell my friends to, instead of remembering the word itself, either remember the pattern of finger movements or -this has been popular lately- simply writing the first letter of their name with the keys on the keyboard. For example for 'A', you could have zSe4RfV (on a qwerty.) An additional good trick is to set the computer to be able to switch between two input locales (without the little sign in system tray) -for example, if you switch (alt+lshift) to Dvorak just before typing the password, it's hard to get right even if someone sees it (I switch to Qwerty myself:)
  • by Tony-A (29931) on Tuesday April 20, 2004 @11:41AM (#8917410)
    When I worked at a Fortune 70, we found that no employee over Sr Manager level could remember a password, even if written down where they could see it.

    That's what they have secretaries for. Seriously, you don't really think that senior management will let IT dictate hoops for them to jump through. With a very few exceptions, senior management does not need high security. I suspect in (almost) all cases, physical security is much more important than computer system security.
  • Re:A big problem... (Score:3, Interesting)

    by IncohereD (513627) <mmacleod&ieee,org> on Tuesday April 20, 2004 @11:50AM (#8917522) Homepage
    What I've heard is the general advice to people who get keys to secure government areas when they ask how they should secure the key is this - secure it like you do your own house/car/etc (i.e., keep it on your keyring). You obviously have quite a vested interest in not getting your keys stolen, and it doesn't happen very often at all, so that's generally a good solution. Especially if it's unlabeled and combined with say, site access control.

    So I see the password thing as similar. Keep them in your wallet. I for one always have my wallet on my person, or right next to my bed. Because I really, really badly don't want it stolen. So it should be safe for passwords.

    Personally I use mnemonic aids to remember apparently random passwords, though. If you can touch type you can always just shift your fingers one space to the left/right/up/down and type a recognizable phrase, combined with use of the shift key, and have a secure password.
  • by rabidcow (209019) on Tuesday April 20, 2004 @12:02PM (#8917679) Homepage
    I know you mean this as a joke, but I want to take a second to remind people why biometric authentication is stupid:

    * Your biometrics are not secret
    * Your biometrics are not changeable

    It sounds like biometrics could work well as a replacement for your username rather than your password.

    The only problem I see is that they're a bit more private than a username. This will tend to lull users into considering the secrecy of their passwords less important. "Who cares if they know my password, they can't use it without my fingerprint." And that's true, but then your fingerprints are everywhere.
  • by James_G (71902) <james@globalBALD ... org minus author> on Tuesday April 20, 2004 @02:13PM (#8919545)
    I actually created a secure database which I can access from anywhere on the net to hold my passwords. They're all encrypted for security, and you access the site over SSL. You can download the code for it here [globalmegacorp.org].

    No guarantees as to how secure it is. So far I haven't found any problems with it.
  • by jhoffoss (73895) on Tuesday April 20, 2004 @04:36PM (#8921596) Journal
    I'm sorry, but if you're the person responsible for cleaning up a system after it's been ripped to shreds by an attacker, you're going to do what you can to prevent that from happening in the first place.

    Try this: Pick a *good* password. For example: Take "Oh Captain! My Captain! Our fearful trip is done;" (A line from Whitman's "Oh Captain! My Captain!")

    Now, your password is

    OC!Mc!0ftid;
    (you switch the second "O" and the second "C" to avoid repeating characters) Now, say you have four systems: Unix, Mail, Login, Finance. Add one more character at the front/back/middle/somewhere. So you have one password with one extra character somewhere. For instance:

    OC!Mc!u0ftid;
    OC!Mc!m0ftid;
    OC!Mc!l0ftid;
    OC!Mc!f0ftid;

    Next time you switch passwords, pick a different line or a different poem, and maybe move where you put your extra character. Now I can't walk in to one system if I compromise another one (the point of SEPARATE passwords...) minimizing the impact of an intruder.
