Survey Shows How Stupid People Are With Passwords

wiredmikey writes "Another study was released today that once again shows how careless people really are online. When it comes to safeguarding personal information online, many people don't seem to care very much, or don't think enough about it. In the survey of more than 2,500 people, some interesting and scary trends were revealed in how users handle their online passwords..."
  • by Anonymous Coward on Tuesday October 12, 2010 @02:27PM (#33873978)

    On the Mac and iPhone, we have 1Password. They sync up either locally, or via Dropbox. Makes it super convenient to carry around my keychain.

  • by Tridus (79566) on Tuesday October 12, 2010 @02:53PM (#33874384) Homepage

    Young people feel invincible. This has been true for a long time. Most people don't get cautious until they get torched.

  • Just Microsoft (Score:1, Informative)

    by Anonymous Coward on Tuesday October 12, 2010 @02:54PM (#33874394)

    The way password systems were designed was stupid to begin with. Programmers designed password systems for people like themselves. The real issue is, programmers did not foresee the internet and the need for easy authentication at multiple sites with strong keys.

    I still don't know why Microsoft and other OS makers have not bought out roboform to integrate it into their OS and change the culture over time.

    http://www.roboform.com/ [roboform.com]

    Roboform generates unique passwords and makes "click button" authentication easy, and you can back up your encrypted passwords on USB sticks, etc.

    That's just Microsoft. Apple has had such a system for years (Keychain) that generates random passwords and stores them in an encrypted, systemwide database.

  • by betterunixthanunix (980855) on Tuesday October 12, 2010 @03:03PM (#33874508)

    "Utt(001010&i!B" is a fine password that has this date in it.

    Cracklib begs to differ:

    Utt(001010&i!B: it is too simplistic/systematic

  • by egamma (572162) <egamma@[ ]il.com ['gma' in gap]> on Tuesday October 12, 2010 @03:21PM (#33874730)

    I still don't know why Microsoft and other OS makers have not bought out roboform to integrate it into their OS and change the culture over time

    That was the original idea behind "Microsoft Wallet", which turned into "Microsoft Passport", currently known as "Windows Live ID". See also: Windows Cardspace.

  • by Dogtanian (588974) on Tuesday October 12, 2010 @03:38PM (#33874986) Homepage

    More like the (+1 "it's a trap!") mod, you mean.

    Obligatory bash.org quote [bash.org] (^_^)

  • by nine-times (778537) <nine.times@gmail.com> on Tuesday October 12, 2010 @04:02PM (#33875342) Homepage

    Virtually nothing will protect you from people who have access to your desk.

    Security is never about absolutes. Absolutely nothing will protect you 100% of the time from all possible eventualities, yet we still employ security measures. The general purpose to security is to increase the difficulty of an attack, decrease the possibility of meaningful success, and increase the possibility of catching the attacker.

    So for example, simply putting a screensaver password on my computer might improve my security substantially. It gives casual attackers with limited technical knowledge and limited availability to my computer a relatively small window of attack: they must get access to my computer in the period of time between when I leave my desk and when the screensaver kicks on. They must then install a trojan (or whatever you would suggest) in the short amount of time before I return to my desk and leave the area without being detected. But then there are other issues too: they have to make sure the trojan won't be detected by my security package; they need to make sure the computer is more or less in the state that I left it, so as not to arouse suspicion; they may need to trigger the screensaver so that I don't come back and think, "why isn't my screensaver active?"

    Yes, if they get access to my CPU while I'm out sick, they could try to get access in a few different ways, but that all assumes that there aren't other people around the office, there's no security, and there are no cameras which would catch them in the act. It also assumes the attackers are substantially sophisticated to get past a simple password.

    So there's a lot to consider. However, I can tell you right now that a simple screensaver password would be plenty of protection to keep my wife from reading my email. My wife isn't very technical, and even if you gave her physical access to my CPU and as much time as she wanted, she wouldn't know what to do.

    And that's what I meant by "security depends on context". You have to ask things like:

    • What kind of information am I protecting?
    • What's more dangerous, the prospect of someone else having access to the information, or the prospect of the information being lost to me?
    • How important is security in this case?
    • How important is easy accessibility in this case?
    • Who am I protecting the data from?
    • Who are the people likely to try to bypass this security?
    • Regarding the potential attackers, what kinds of attacks are they likely to try?
    • Regarding the potential attackers, how motivated will they be?

    Without knowing the context of what the information is, who the authorized personnel will be, and who the potential attackers will be, you can't begin to evaluate the effectiveness of a security scheme.

  • by Anonymous Coward on Tuesday October 12, 2010 @04:14PM (#33875508)

    Turns out that a lot of SSH passwords aren't very secure. [dragonresearchgroup.org] Like, who is really surprised by that...

    Found on bruce schneier's blog. [schneier.com]

  • Alternatives (Score:1, Informative)

    by Anonymous Coward on Wednesday October 13, 2010 @12:07AM (#33879366)

    SuperGetPass / SuperChromePass FTW. You pick one password. It gets hashed against the domain name in your browser to generate secure non-reversible passwords for each website. You only have to remember one, and you don't have to keep any dubious encrypted "password vault" on your computers or "in the cloud."