Forgot your password?
typodupeerror
Security IT

Survey Shows How Stupid People Are With Passwords 427

Posted by CmdrTaco
from the your-password-is-trustno1 dept.
wiredmikey writes "Another study was released to today that once again shows how careless people really are online. When it comes to safeguarding personal information online, many people don't seem to care very much, or don't think enough about it. In the survey of more than 2,500 people, some interesting and scary trends were revealed in how users handle their online passwords..."
This discussion has been archived. No new comments can be posted.

Survey Shows How Stupid People Are With Passwords

Comments Filter:
  • by odies (1869886) * on Tuesday October 12, 2010 @02:06PM (#33873572)

    In addition to securing web and database servers and only storing the passwords as hashes with salt added, websites should do more to protect the user passwords. This for example is why Slashdot hides your password as ******** if you accidentally happen to write or paste it to a comment - a practice every website should do.

  • by Superken7 (893292) on Tuesday October 12, 2010 @02:08PM (#33873604) Journal

    was the "with passwords" part actually needed in the title? ;)

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Was a survey actually needed either?

    • Re: (Score:3, Insightful)

      by Rob the Bold (788862)

      was the "with passwords" part actually needed in the title? ;)

      If a majority or a large minority of the users of a system are using it "wrong," then perhaps we ought to consider if our definition of "right" is right. And if we are right about how it should be used, we ought to consider if the system really is that well designed in the first place. If a system is hard to use in the way considered "proper" to the designer, there may be a design flaw . . .

  • by Superken7 (893292) on Tuesday October 12, 2010 @02:12PM (#33873666) Journal

    From TFA:
    " 30 percent logged into a site requiring a password over public WiFi (vs. 21 percent overall)"

    So what? thats what SSL and Certificates are for. Entering your password in a public computer - well, thats another story.

    • Re: (Score:3, Insightful)

      by nine-times (778537)
      There are still a lot of services that use passwords but don't use (or at least don't force you to use) HTTPS.
    • by interkin3tic (1469267) on Tuesday October 12, 2010 @02:36PM (#33874118)

      Also seems like he's making a fuss over nothing when it comes to 41% sharing passwords. Sharing passwords with strangers online is one thing. Sharing a password with your wife, assuming you trust her, not that big of a deal.

      • Re: (Score:3, Insightful)

        by DrgnDancer (137700)

        Especially for say.. our shared bank account. I think my wife might be a bit annoyed if I locked her out of the money she earned half of. "It's all in the name of password security dear, no worries"

        • Re: (Score:3, Insightful)

          by interkin3tic (1469267)

          I think my wife might be a bit annoyed if I locked her out of the money she earned half of.

          Exactly. I'm in far more danger if I don't share my password than if I do.

        • by cdrudge (68377) on Tuesday October 12, 2010 @03:23PM (#33874746) Homepage

          My wife locks me out every time she accesses our bank account. Our credit union has implemented a new "security" feature where the account number and password remembers the cadence that you enter the information. If the cadence doesn't match, it rejects it. I type a lot faster then she does, so my cadence is never even close to what her's is.

        • by Sancho (17056) * on Tuesday October 12, 2010 @03:43PM (#33875052) Homepage

          Came here to say this. The article talks about how stupid these practices are, but there are reasonable reasons for doing most of them.

          Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised. (A separate recent study revealed that 75% of people use the same password for Social Networking Sites and their email accounts)

          I reuse passwords because it's simply not possible for me to remember more than about 20 password/username/site tuples. I have a password "scheme" that I use to make memorable passwords, but I have to deal with sites which:
          - Have restrictions on the username that means I can't use my normal one
          - Already has my usual username taken
          - Have restrictions on the characters/length of the password
          etc.

          So I have a few throwaway passwords that I don't care about, and I use those most places where I don't care if the account gets compromised. Why do I care if someone gets access to my deepdiscountdvd account?

          Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords.

          Password complexity is complex. What's better, an 6 character password with special characters or a 13 word phrase? Using a special symbol is not a panacea of password security.

          12 percent have shared a password in a text message (vs. 4 percent overall)

          It depends upon how important that password is, but in general, I'm not worried about people sniffing my SMS messages. If I'm going to share a password with someone, I generally consider that password to be useless anyway.

          Passwords are forgotten occasionally, often or always by over half of consumers (51 percent).

          No kidding? I thought it would be higher. I guess the main reason it's not higher is because people re-use passwords.

          I use "access to my e-mail address" as my credential for a lot of sites, when I can't be bothered to remember the password or store it in my keepass database (which, itself, has about 50 passwords in it.)

          86 percent do not check for a secure connection when accessing sensitive information when using unfamiliar computers

          Ever, or sometimes? I mean, some sites don't even use SSL for authentication (*coughcough*)

          14 percent never change their banking password.

          If you use a good password, and you assume that the bank itself hasn't been compromised, why change it?

          Overall, the article seems fairly useless.

          • by ukyoCE (106879)

            I used to use symbols in all of my passwords - or at least try to. A lot of sites block special characters (and spaces) in passwords.

            I even had a site, I'm pretty sure it was a bank, that required the password be exactly 8 characters, and only alphanumeric. I suspect that brings the total number of passwords possible down to "laughably easy to brute force".

  • by blahplusplus (757119) on Tuesday October 12, 2010 @02:12PM (#33873670)

    The way the password systems were designed to were stupid to begin with. Programmers designed password systems for people like themselves. The real issue is, programmers did not forsee the internet and the need for easy authentication at multiple sites with strong keys.

    I still don't know why Microsoft and other OS makers have not bought out roboform to integrate it into their OS and change the culture over time.

    http://www.roboform.com/ [roboform.com]

    Roboform generates unique passwords and makes "click button" authentication easy, and you can back up your encrypted passwords on USB sticks, etc.

    • by h4rr4r (612664)

      It also means roboform has your IP and the password they gave you. Which seems like valuable information.

    • by BarryJacobsen (526926) on Tuesday October 12, 2010 @02:25PM (#33873922) Homepage

      The way the password systems were designed to were stupid to begin with. Programmers designed password systems for people like themselves. The real issue is, programmers did not forsee the internet and the need for easy authentication at multiple sites with strong keys.

      I still don't know why Microsoft and other OS makers have not bought out roboform to integrate it into their OS and change the culture over time.

      http://www.roboform.com/ [roboform.com]

      Roboform generates unique passwords and makes "click button" authentication easy, and you can back up your encrypted passwords on USB sticks, etc.

      Because having unique passwords for every site makes it very different to use another computer at random. Storing on a USB stick is great, except when I want to log in from my iPhone and need to find some way to view that password. Or lose my USB stick and want to check my e-mail while in Russian on business. Simply put, it's terribly inconvenient for the average end user - the only way that they'd be willing to go along with it is if the passwords could be retrieved over the internet with a master password - which would give a single point of failure and be even less secure than the current system.

      • Did you read the article? Roboform is not a cureall but it would help in many instances of password stupidity, i.e. using one password for all sites that you have to *remember*. The reason people use the same password for multiple sites is the cost of remembering them, so if you offload the remembering part to a program like roboform that can automatically generate long random strings as passwords and store them locally in encrypted files, you go a long way to preventing some types of problems.

        • store them locally in encrypted files, you go a long way to preventing some types of problems.

          This is precisely the problem. I don't want my passwords only stored locally. If I wanted my data to be accessible from only one location in the world, I wouldn't have it be on the internet, I'd have it encrypted and stored locally.

      • and want to check my e-mail while in [a?] Russian on business

        That's some business!

        • and want to check my e-mail while in [a?] Russian on business

          That's some business!

          It pays the bills... :P

    • The password systems were stupid to begin with

      FTFY. Passwords are probably the least secure method of authentication; I don't know why we still rely on them, when there are so many better ways to do things.

    • by egamma (572162) <egamma@gm a i l . com> on Tuesday October 12, 2010 @03:21PM (#33874730)

      I still don't know why Microsoft and other OS makers have not bought out roboform to integrate it into their OS and change the culture over time

      That was the original idea behind "Microsoft Wallet", which turned into "Microsoft Passport", currently known as "Windows Live ID". See also: Windows Cardspace.

  • by JoshuaZ (1134087) on Tuesday October 12, 2010 @02:12PM (#33873678) Homepage
    For example, the article asserts that 4 out of 10 people have shared a password in the last year. I've done that. I shared the password to one of my email accounts with my twin who needed access. And after he was done I changed the password. Much of the data here is very hard to actually show is bad without more context for what exactly people were doing. Also, while we're discussing these issues, obligatory xkcd - http://xkcd.com/792/ [xkcd.com].
    • Re: (Score:3, Insightful)

      by master_kaos (1027308)
      exactly. I have "shared" my password to for different accounts. I change my password, give them the new changed password, after they are done with it change it back. And using the same password with multiple sites? So what? For shit I don't care about if my account gets comprimised I used my generic password. For my secure stuff I will use a different passwords.. but sometimes they are the same or close to it.
    • Re: (Score:3, Insightful)

      by mattdm (1931)

      Or "30 percent logged into a site requiring a password over public WiFi" -- which is perfectly fine if the site has the right SSL cert.

      • Re: (Score:3, Insightful)

        by BobMcD (601576)

        Or "30 percent logged into a site requiring a password over public WiFi" -- which is perfectly fine if the site has the right SSL cert.

        This! Further, if the site doesn't have such, do you really even care if it gets hacked?

        In short, your bank isn't going to allow you to be stupid with your password, and nobody reads your MySpace blog anymore anyway.

    • by Kjella (173770) on Tuesday October 12, 2010 @02:36PM (#33874132) Homepage

      Seriously, either you rely on password reuse, you have the world's greatest memory or your vitally dependend on some software to track your passwords and if you lost that, you've lost everything.

      In order of difficulty and importance I remember roughly four passwords:

      1. The full disk encryption, it's for everything I don't trust the intartubes with.
      2. My online bank password, you can pull a lot of BS but don't touch my money.
      3. My webmail password - both as it's personal and as it gives other logins.
      4. My "everything else" password - for most forums and shit.

      That does not count the PIN on my ATM card, my logins at work or any of the other of the many things I ought to remember. That also doesn't count that I regularly have to swap between three different user ids because "Kjella" is often taken. That's enough for one mind, and I've heard I'm fairly good at remembering things. For people that seem to have enough just remembering their PIN I just don't see it happening without help. And given the reliability of HDDs and most people's ability to take backups, I'd suggest a note in your wallet. And maybe a backup of that too, since I know several who have lost their wallet or had it stolen.

  • by suso (153703) * on Tuesday October 12, 2010 @02:13PM (#33873694) Homepage Journal

    Working in an enterprise, one of the biggest excuses I hear from people when I talk to them about password security is they will say "oh my account doesn't do much" or "its not a big deal if someone gets my stuff".

    They have no idea that its not so much about them having their stuff (which incidentally probably indeed doesn't matter much), but just people having access to accounts that they shouldn't. I usually tell them why its important after they give me an excuse like that. But most people just don't seem to care. But of course they care when something happens.

    • by maillemaker (924053) on Tuesday October 12, 2010 @02:30PM (#33874018)

      Users are careless with their workplace computers because it's not their data and they don't care what happens to it.

    • In most places security is on the honor system.

      I became distinctly aware of this in university and assumed it was just academic institutions which tend to be fairly open but then I went to work at a large multinational well known tech company and things were no better.

      Passwords on postits, weak and predictable passwords, hardcoding admin passwords into scripts, unprotected resources, security holes in apps you could drive a car through etc etc etc
      There was vastly more lip service given to security in the mu

  • Easy (Score:5, Funny)

    by zill (1690130) on Tuesday October 12, 2010 @02:15PM (#33873726)
    It's a bad idea to use the same password everywhere, so I just set the password as my username and pick a new username on every website.
  • What, you mean "password" isn't a good enough password? I figured the more obvious it was, the less likely someone would actually try to use it!

    • by Abstrackt (609015) on Tuesday October 12, 2010 @02:34PM (#33874096)
      What I find works best is taking the first letter of every word in an easy to remember phrase. For example, "poor aunt sally slipped while out racing dogs". Er, wait...
      • Re: (Score:3, Insightful)

        by eth1 (94901)

        What I find works best is taking the first letter of every word in an easy to remember phrase. For example, "poor aunt sally slipped while out racing dogs". Er, wait...

        Or just use the whole phrase? Much easier to remember, and suddenly your brute-forcing work goes from around 70^(avg. # chars) to like 600,000^(avg. # words) - and that doesn't count variations for punctuation/capitalization, etc. Little annoys me more than upper limits on password length.

  • by Superken7 (893292) on Tuesday October 12, 2010 @02:18PM (#33873764) Journal

    Also, regarding: "And 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer."

    I think writing down your password isn't that bad of a choice (especially for online passwords, not the one that logs you into your computer).
    I'm not the only one who thinks that way: http://www.schneier.com/blog/archives/2005/06/write_down_your.html [schneier.com]

    • by h4rr4r (612664)

      But a desk drawer is a terrible place to keep that paper, in your wallet is a much better place.

    • Yeah, it depends on what you're protecting against. If the purpose of online passwords is primarily to prevent other online users from accessing your account, then writing the password down in a notebook on your desk is safe. Insofar as the purpose is to protect your account from someone who has access to your desk, it's not safe.

      It's important to remember that security depends on context.

    • by Tridus (79566) on Tuesday October 12, 2010 @02:48PM (#33874290) Homepage

      Considering this "article" also rails on people for not using a different password on every website, I don't know what he expects people to do with them.

      When you throw 100 passwords at people and want to enforce "strong" passwords on all of them (which he also complains about), what option do people have but to store them somewhere? Paper is a useful media for this purpose.

      This article is bullshit, really. Some of the things he complains about are the direct cause of other things he complains about. Make up your fucking mind.

      • by medcalf (68293) on Tuesday October 12, 2010 @03:17PM (#33874672) Homepage
        Back in the 1980s, when the Bradley IFV was just coming out, I saw a 60 Minutes piece on the vehicle. It complained that the Bradley had too high of a profile, making it vulnerable. It claimed that the Bradley was too cramped internally. Thus, it was both too big and too small. In a similar vein, it was too well armed and not well armed enough, and too well armored while not being armored enough. The real stupidity that is usually revealed by these "people are stupid" pieces is generally that of the writer of the piece.
  • by dredwolff (978347) on Tuesday October 12, 2010 @02:18PM (#33873766)
    So, what, we're supposed to have a different password with special characters and nothing significant to us (like dates) for each of the 150 online accounts we have? Oh, and if we write down the passwords somewhere so we don't forget them we're dumb too? Whatever! Maybe if we all had photographic memories that would be a realistic options, but there's just no way it's going to happen like that.

    It's just a crappy system, we should be using public key encryption with our private keys stored on a USB key - or some other similar scheme, where we don't have to memorize a million randomized passwords in order to not have our identity stolen.
    • pwdhash FTW (Score:5, Interesting)

      by BlackPignouf (1017012) on Tuesday October 12, 2010 @02:25PM (#33873918)

      One very good solution is to use pwdhash:
      https://www.pwdhash.com/ [pwdhash.com]

      You can install it as a local plugin for Firefox or as bash/ruby scripts on your computer.
      You only need to remember one strong master password, and forget about the rest.

      You get something like this, depending on domains (no phishing!) & the length of your master password:
      +1xhTRy7T for ebay.com
      fRrL2nI7+ for amazon.com
      TYZyfI0u+ for facebook.com
      3yL+WQBF7 for skype.com
      +KwIr4FId for delicious.com

      Enjoy!

      • Re: (Score:3, Insightful)

        by Fumus (1258966)

        Unfortunately, on the rare occasion that the computer breaks and I'd want to log in on ebay from another computer I am kind of screwed since there is no way I can remember a random hashed password.

      • Re: (Score:3, Insightful)

        by arth1 (260657)

        The problem is that many if not most people don't use a single computer.

        Which means they have to deal with the inconvenience of storing the passwords in something like a PDA, as well as the high amount of login failures due to typos you get with long and complex passwords.

        Never mind that trusting Yet Another 3rd party program to handle password generations for you is introducing another possible vector of attack.

      • by 140Mandak262Jamuna (970587) on Tuesday October 12, 2010 @03:46PM (#33875104) Journal
        You forgot to post your usernames. I am not able to use your accounts using just your passwords. Please post the usernames too.
      • Re:pwdhash FTW (Score:4, Interesting)

        by martyros (588782) on Tuesday October 12, 2010 @04:06PM (#33875396)

        The thing I didn't like about this is that you have to be on a computer with pwdhash in order for this to work.

        What I did instead was generate 52 random passwords, and put them in a matrix on a business-card sized piece of paper. Then I invented a simple "hash" to map the website name onto the matrix. Same effect: instant, secure, mostly unique passwords with no memory required.

        Not quite as secure as pwdhash, because (1) there are collisions, so occasionally two sites end up with the same password, and (2) if someone took my little card, it's possible for a clever person to figure out my "hash" algorithm. But it's 95% of the way there, and has the additional property that I don't need to have pwdhash, or even a computer around. I just pull the card out of my wallet.

    • Re: (Score:3, Interesting)

      by h4rr4r (612664)

      So make them longer and less randomized.

      Pick a new sea shanty for each site and replace some of the letters with numbers or symbols. People easily remember songs, so a couple verses should be no big deal.

    • by Cthefuture (665326) on Tuesday October 12, 2010 @02:26PM (#33873948)

      It's just a crappy system, we should be using public key encryption with our private keys stored on a USB key - or some other similar scheme, where we don't have to memorize a million randomized passwords in order to not have our identity stolen.

      You can actually do that now with OpenID and a smartcard (actually, you don't need the smartcard but it's more secure than a USB/flash dongle).

      Problem is most places don't implement OpenID (yet?).

    • "We should be using public key encryption with our private keys stored on a USB key." Yeah, that, or get an American Express card and do business with a firm that does not make you pay for goods or services you don't get. When I lose my AmexCard they overnight me a new one and I'm good to go; what happens when you drop your USB key down the storm drain?
    • For most things, a decent, random password isn't that bad. You can combine a password manager program, like KeePass, with a file sync solution, like Dropbox, and gain several security benefits without sacrificing much (if anything).

      In my case, I've got 50-75 accounts on various websites, each one has a different strong password (i.e. 15 characters of mixed-case alpha, numeric, and special characters), but the only password I absolutely have to know is the passphrase for my KeePass database, which is signifi

    • by gad_zuki! (70830)

      Make a hash or unique identifier in your head. Say your password for amazon is "dogstar" and you use that password everywhere. Well, for amazon it can be "amdogstar" for slashdot "sldogstar" etc. If you feel thats too obvious for an attacker then instead of just appending sl for slashdot, use the keys above sl, so you get "wodogstar." Once you get a system going it'll be easy to do in your head. No need for any third-party utilities, keys, etc.

      I wouldn't do this for banking sites or anything especially sen

    • by houghi (78078)

      Full ack. If so many people have problems with the system, then perhaps it is not the people who are at fault, but the system.

    • Re: (Score:3, Insightful)

      by mdarksbane (587589)

      Or maybe we security experts can stop trying to tell everyone to treat their slashdot account the same as their bank account.

      It's entirely reasonable to have one password that you use for your random forums, your slashdot login, posting on si.com, your fantasy football team, etc. It doesn't even have to be a good password.

      Just make sure that your facebook, you email, and your bank account are all different, secure passwords.

      But to an end user, they all just say "password."

      And really, why do we still care ab

      • Re: (Score:3, Interesting)

        by arth1 (260657)

        But that won't work, because my bill payment login needs five different strange symbols and a capital, but still only requires an 8 character password...

        This is something that irritates me quite a bit -- don't the people who insist on at least one capital letter and at least one numeric know that they reduce the number of possible combinations that way?
        If you insist on at least one capital letter, one lower case letter, one digit and one symbol, you have reduced the number of combinations to 1/360th. Or, t

  • Anyone who has ever worked in any form of tech support can tell you that most people readily volunteer their password to anyone they think they need help from in the tech community, even though we didn't need it or ask for it.

    "Can you show me how to make the font bigger? My password is kitty123."

  • by AthanasiusKircher (1333179) on Tuesday October 12, 2010 @02:20PM (#33873814)

    Younger people are especially likely to take online security risks. Webroot found that among 18 to 29 year-olds...

    The bad practices don't surprise me. But it's disturbing that younger people are more lax about security, even though they are (by and large) more tech-savvy than older folks. I realize this is also the MySpace/Facebook generation that broadcasts personal information all over the internet, but these stats aren't just dumb teenagers.

    If anything, I would hope that people who are more familiar with technology would understand the risks better, but that's not the case here... and that's perhaps a more worrying trend than the overall disregard of safe practices.

    • by Anonymous Coward on Tuesday October 12, 2010 @02:27PM (#33873968)

      perhaps young people do understand online security better. Most of the supposed sins highlighted in the article are junk. Perhaps young people better understand the much more well thought out: http://news.slashdot.org/story/10/03/16/1931214/Users-Rejecting-Security-Advice-Considered-Rational

      • by AthanasiusKircher (1333179) on Tuesday October 12, 2010 @02:49PM (#33874318)

        perhaps young people do understand online security better. . . http://news.slashdot.org/story/10/03/16/1931214/Users-Rejecting-Security-Advice-Considered-Rational [slashdot.org]

        Thanks for the link. The article is interesting. However...

        Most of the supposed sins highlighted in the article are junk.

        That's not what the article from your link says. I quote from it:

        While we argue that it is rational for users to ignore security advice this does not mean that the advice is bad. In fact much, or even most of it is beneficial. It's better for users to have strong passwords than weak ones, to change them often, and to have a different one for each account. That there is benefit is not in question. However, there is also cost, in the form of user effort.

        In other words, the linked article is about why users may be acting in a rational manner (in economic terms) by ignoring security advice, not that the advice is "junk." Getting fire insurance is also a waste of time and money for most people (and perhaps not getting it could be considered a "rational" decision according to some economic logic), but if your house burns down, you might have some real problems.

        The reality is that people who better understand online security find that there are plenty of solutions out there to make their lives as easy (if not easier) than those who engage in bad security practices. Just because you don't reuse passwords doesn't mean you have to have them all memorized, for example. There are effective ways to manage such things without a high user cost in time and effort.

        If people understood online security better, they'd make use of such technological solutions to be both safe and efficient. That's not what TFA says, though.

    • Re: (Score:3, Informative)

      by Tridus (79566)

      Young people feel invincible. This has been true for a long time. Most people don't get cautious until they get torched.

  • FTA: "Smarten up, folks. It's really not so hard to setup some solid password practices. Again, since most of our readers don't really fall in this category, at least try to open the eyes of those around you."

    Are we talking 'A Clockwork Orange' style? [pbs.org]
    Otherwise, I don't think anything can help.
  • Among the findings (Score:4, Insightful)

    by janeuner (815461) on Tuesday October 12, 2010 @02:22PM (#33873866)

    4 in 10 respondents shared passwords with at least one person in the past year.
    > 4 in 10 are married?

      Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised. (A separate recent study revealed that 75% of people use the same password for Social Networking Sites and their email accounts)
    > If I have a hotmail account and a twitter account, which I never use, should I create strong, unique passwords for both? Why?

      Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords.
    > Examples of weak passwords: Pingeico4 due7Johh Eexee9ot Soobanah6 Ja3sahte

      2 in 10 have used a significant date, such as a birth date, or a pet's name as a password – information that's often publicly visible on social networks.
    > Some people have disposable passwords for useless login credentials. A New York Times account doesn't require a strong password.

    Most of these conclusions are neither scary nor stupid.

  • Two words: (Score:2, Interesting)

    by pigiron (104729)
    retinal scan
  • Password (Score:3, Insightful)

    by kellyb9 (954229) on Tuesday October 12, 2010 @02:26PM (#33873936)
    I've been using a variation of the same password for years. It was secure when I first started using it, its not so secure anymore. Although, if it were any more secure, not even I would know what my password was. Password security is getting nearly impossible considering many sites and resources expect you to update your password every few months.
  • "86 percent do not check for a secure connection when accessing sensitive information when using unfamiliar computers"

    Seriously, now. A website with "security" in the title really ought to at least try to present credible security analysis!

    *facepalm*

  • Yes, we all have a gay old time making fun of those stupid users. But to be fair, we're talking about systems that should have been designed with the expectation that they would be used by stupid people. Yet these systems do not take that in to account. There must be a lot of stupid developers and admins.

    4 in 10 respondents shared passwords with at least one person in the past year

    Sure. I have accounts with information I share with my wife. For example, our joint bank account. [Do not feel free to add

    • by 0123456 (636235)

      One bank account = one set of sign in credentials. So how do we work this situation without sharing passwords?

      We have a joint account and two different logins.

  • Using the same password for most of the sites I visit isn't a security risk because those sites themselves aren't that important. If someone hacks my NY Times login, does it matter? What would they do with my message board accounts anyway? Post spam? Hasn't that already happened to a few people you know already? It's not a big deal.

    Now if you use the same password for your bank, ebay, or paypal, it's a different story. But it's pointless to try to remember dozens of passwords for inconsequential sites.

    T

  • Why are we still choosing and typing in passwords? Replace the password repo with a key repo. The site should generate a large random password for each user. We could do it with the password fields now. Simply automatically generate a big (100 character), secure password when someone applies for an account and get them to cut/paste it into the password field, the browser will automatically cache it. The user never has to see it again. Hell, I bet javascript could even do it automatically.

    keypass safes/passw

    • by Todd Knarr (15451)

      HTTP and the browsers already allow for that. It's just that sites don't want to use the built-in HTTP authentication mechanism, they want to roll their own based on form submissions.

  • So what do people think of Lastpass and the like? It gives a single point of failure and you have to trust them (which I do for everything apart from my bank stuff). It does allow you to use impossible to guess (nor remember!) passwords though with a different one for each account.

  • by gurps_npc (621217) on Tuesday October 12, 2010 @02:36PM (#33874134) Homepage
    The problems with variable password rules makes it harder to create password systems. More importantly, usually we don't really need one. Really, is there any need for a site like moviefone to have a password? I mean really, it's a freaking movie website list. Let them track you with a cookie, not a login and a password. I don't agree to give my credit card number to my grocery store permanently just to get "one click" payout, what possibly reason would I do it for a freakin movie ticket. Honestly, even slashdot could work almost as well without a real password. Just set it up so that it has a username that does not show the last 4 letters, and the only way to change the password is by asking them to send a reset to the email account you signed up in. A 4 letter password plus an email reset would work fine for something as unimportant as tech news site with commenting. I mean really, would it be that horrible if someone stole your slashdot identity? It's not a bank account for god's sake. Or set it up with a camera ID system.
  • Posthumous passwords (Score:5, Interesting)

    by scrib (1277042) on Tuesday October 12, 2010 @02:59PM (#33874462)

    Having passwords accessible in some fashion for family in the event of death is good, but not considered very often.
    Write them down, or put them on a thumb drive in a safe... I knew most of my Dad's passwords when he died quite unexpectedly. It simplified a lot of the financial issues.

    Maybe it is a general security problem, but banks will let you do things online with a password that you'd need certified court documents and a death certificate to do in person: transfer money between accounts, pay utilities from the account. Anything that has online, recurring payments needs to be dealt with (eg NetFlix).

    My plan, as yet unimplemented, is to put all that stuff in an encrypted TrueCrypt file (on a thumb drive or unprotected PC) and give my family the password to that file.

  • by zbobet2012 (1025836) on Tuesday October 12, 2010 @03:48PM (#33875128)
    For example most of the people I know (I fit in the younger generation category) have four to five passwords. They have a common trash password for sites they don't really care about being compromised (say slashdot). Than a different one for ones with personal data, but nothing critical. And than separate ones for email and financial stuff. Yes they share passwords between sites, yes they share passwords with loved ones (duh). But this is all done in a "smart" manner, not a dumb one.
  • by Toe, The (545098) on Tuesday October 12, 2010 @04:17PM (#33875540)

    I have seen websites which:
    - require more than 8 characters
    - require 8 or fewer characters (great security there!)
    - require special characters
    - disallow special characters (!)
    - require mixed case
    - are not case-sensitive
    - require numbers and letters
    - require that password not start with a number
    - other stupid rules I can't remember

    So many of those are so stupid, and the result of horrid programming. I want all my passwords to be a minimum of 9 characters, have plenty of symbols, and (and no sites ever require this) have no dictionary words in them.

    Now it is possible for me to come up with a personal algorithm I can use and remember which would allow me to create a unique password for every site and still not be decipherable by someone who collected three of my passwords. (Sure, if you somehow got a dozen, maybe, just maybe you could figure it out; but that's unlikely since it uses weird associations from my personal past experiences for some of the characters and sometimes even for the number and kind of characters.) But there is no way I can implement a good algorithm given all the variances noted above.

    I can't tell you how many times I've been locked out of accounts for getting my password wrong; only to find out when I'm resetting it that this particular system has some weird (and fundamentally stupid) combination of the above rules.

    And you gotta love the spinoff of that. Typing in numerous variations of what I think is the right password. Seems insecure all by itself.

    And as an aside... Who ever came up with the stupid idea that substituting numbers for letters is somehow secure? Do they honestly think that a hacker could never think of that, even though every idiot with fingers already has tried it? Really? If your company makes "trinkets" you think "tr1nk3ts" is a good password? WTF?

I don't want to achieve immortality through my work. I want to achieve immortality through not dying. -- Woody Allen

Working...