Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Security Stats

51% of Computer Users Share Passwords 117

Posted by Unknown Lamer
from the rm-rf-/-of-shame dept.
An anonymous reader writes Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic log on to mobile apps and services, according to new research by Intercede. While 52% of respondents stated that security was a top priority when choosing a mobile device, 51% are putting their personal data at risk by sharing usernames and passwords with friends, family and colleagues. The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.
This discussion has been archived. No new comments can be posted.

51% of Computer Users Share Passwords

Comments Filter:
  • Logged in to email? (Score:5, Informative)

    by NoImNotNineVolt (832851) on Wednesday August 20, 2014 @09:57AM (#47712351) Homepage

    The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.

    Yes, god forbid people "leave themselves logged in" to their email accounts on their mobile device. I guess we're not supposed to use push email but instead enter our email passwords into our phones every few seconds to get timely email alerts?

    It's too bad that the cell network itself lacks any meaningful security mechanisms. I mean, if someone gets a hold of your phone, they can just start texting and calling without having to "log in" on the network at all. It's amazing that the world hasn't collapsed as a result.

    • by tverbeek (457094) on Wednesday August 20, 2014 @10:19AM (#47712501) Homepage

      Of course I leave the apps on my phone "logged in"; that's how they're supposed to work. Obviously this only makes sense if there's a password to access my phone (or on my account if the device supports them), but if not, it's the lack of password on my phone that marks me as a security-oblivious idiot, not the fact that I'm using the apps as they were designed to work.

      • by Ravaldy (2621787)

        Phones today are as important as your wallet. Losing it can result in identity theft. It's not a new issue, it's just that it's taken a new form.

        As tverbeek stated, putting a password on the phone is the most logical thing to do and probably the only thing one can do.

        Sharing passwords is the result of people being miss informed or not understanding what can happen. There's also a laziness component to it. At home it's one thing but at work I explain to users that sharing their password is like trusting the

    • Our main problem is that our cell phones are our only phones. We don't have a land line. So if we need to call 911, we need to be able to access our phones. More than that, though, we have 2 young kids and if they need to dial 911, they need to be able to pick up our phones and call 911. As it is, teaching them to swipe to open the phone, click on the phone icon, and then dial 911 can be tricky. (Compared with "pick up the land-line phone and press 911".)

      If anyone knows of any app that keeps the phone

      • by tinytim (25110)

        ??? Have you tried pressing the "Emergency Call" text on the lock screen?

        • There isn't any "Emergency Call" text on my lock screen. (Android 4.4.2 on a Verizon Wireless Droid RAZR HD.)

          • My Android 4.1.2 on a Verizon DROID 4 certainly has it. It's required to be there. Look at the bottom of your lock screen (It *is* a lock screen, right? Requiring a code to unlock the phone? It's not there if your phone's not locked and you can just swipe to select the function you want).

            • Ah. I could have sworn that when I set up proper locking mechanisms on the phone that there wasn't any option to call. I just tried it again, though, and there is an "Emergency Call" text. For a test, I tried using my cell phone to call my work number and it said that this number wasn't an emergency number. My next question would be how would I specify certain emergency numbers? (This way, if my child has my phone and needs to call a relative that they know the number of, they can without having to kno

              • by tlhIngan (30335) <slashdot@wor[ ]et ['f.n' in gap]> on Wednesday August 20, 2014 @02:43PM (#47714771)

                Ah. I could have sworn that when I set up proper locking mechanisms on the phone that there wasn't any option to call. I just tried it again, though, and there is an "Emergency Call" text. For a test, I tried using my cell phone to call my work number and it said that this number wasn't an emergency number. My next question would be how would I specify certain emergency numbers? (This way, if my child has my phone and needs to call a relative that they know the number of, they can without having to know my unlock code and thus having full access to the phone.)

                You can't.

                The emergency call is for calling emergency numbers. It's a small list - 911, 999, 111, 122, etc. In fact, I think on modern cellphones, you can call ANY emergency number and it'll connect you to emergency services. So in North America, if you dial 999 (Europe emergency) you will connect with 911 automatically - the phone interprets the number as emergency and basically does a emergency dial (it's a special control code so the tower will kick someone off if it needs to in order to connect you).

                It's not a huge list of numbers, and it's coded into the software as it has to recognize if you're calling emergency services and to place it as a high-priority call on the network.

                And no, it doesn't include your relatives number - that's not the intent. The intent is to be able to make a call to emergency services regardless of lock screen status, service status, etc. (It's how those used cellphone charities work - they collect deactivated cellphones for people so they have a way to get to emergency services).

                • You can't.

                  This isn't necessarily universal, as it's not required like 911 access, but you can certainly do it on my phone. Go into "People", select "In case of emergency" (it's big and bold at top) and you can select contacts from your contact list to be emergency contacts. These can then be called from the lock screen with the "Emergency contacts" button.

      • If anyone knows of any app that keeps the phone locked out (so you need to enter a password to get into your apps) but which enables easy dialing of 911 (or selected people on your contact list). I'd be more than happy to hear what they are. That would be the perfect balance between securing your phone and keeping it easy for my kids to use to call 911 or relatives who live close by. (Not that those lock-screen passwords are perfectly secure, but they're better than swipe-to-unlock.)

        yes. it's called iPhone. there is an option to make an emergency call from the lock screen. I'm pretty sure the same thing exists on most android and windows phones.

        • by jandrese (485) <kensama@vt.edu> on Wednesday August 20, 2014 @11:00AM (#47712783) Homepage Journal
          It is actually required by law to be there. All phones must be capable of making an emergency call without being unlocked.
          • It would really surprise me if the phone was required by law to be able to make emergency calls while locked since my Android phone doesn't seem to have this feature.

            • It would really surprise me if your Android phone *doesn't* have this feature, because it *is* required by law. Mine certainly has it.

              • It would really surprise me if your Android phone *doesn't* have this feature, because it *is* required by law. Mine certainly has it.

                This is one of those funny cases were people accidentally out themselves as not securing their phone.

                The phones legally must display it in most countries, but only if the phone is locked or password protected. If there is no password required to get in, just a "swipe to unlock" rather than a security system, the button does not appear.

                Lack of emergency call button == unsecured smart phone.

                (Or a fairly old phone, or a hacked phone that breaks the law in many nations.)

              • I just tried setting up an actual lock screen (with a password) and sure enough there is an "Emergency Call" item now. (I could have sworn I had tried this in the past and hadn't seen one, but it's possible I overlooked it somehow.) For a test, I tried using my cell phone to call my work number and it said that this number wasn't an emergency number. My next question would be how would I specify certain allowed emergency numbers? (Beyond 911, obviously.) This way, if my child has my phone and needs to ca

      • by nedlohs (1335013)

        Don't they all do that already - at least the 911 part. Every cell phone I've ever owned of the dumb and smart variety have all allowed calling 911 while locked. I'm pretty sure it's a legal requirement that they call 911 when they are locked and when they have no sim card.

        On my samsung you can add numbers to the emergency contact group and they'll be callable from the emergency call button that shows up on the lock screen as well as 911. Given it's a samsung there is a 0% chance that they didn't copy that

        • I've been checking on my phone (Motorola Droid RAZR HD with Android 4.4.2 on Verizon Wireless) and can't find any Emergency Contacts feature. There's an "Owner Info" section where I can put text on the home screen, but that's limited in function. Would be best as a "If found, please call 555-1212" text, not as a "Click this to call 911 or selected contacts."

      • I know this is all retro and stuff, but land lines aren't dangerous or particularly expensive. Mine comes with my Internet connection, YMMV.

        And, although emergencies are fortunately rather rare, I would prefer to depend on my land line than my AT&T-we-might-complete-this-call-if-we're-having-a-good-day cell phone.

        • We ditched our landline years ago to save money. It was costing us way too much a month for the landline when we were almost never using it. We first switched our landline number to a dedicated mobile phone since it was cheaper than an actual landline. Then, we moved that to a Google Voice account ($40 one time fee). The first week of our going cell-only, my youngest son had a febrile seizure (one of many he's had) and we called 911 with our cell phones. The 911 call went flawlessly and they arrived ju

        • Reputation aside, I seldom have any trouble with non-emergency calls from my AT&T iPhone, and the landline is only useful if you're at home, preferably in the same room as the phone.

  • by mccalli (323026) on Wednesday August 20, 2014 @09:59AM (#47712363) Homepage
    Specifically, with my wife. If I'm ever in the proverbial hit-by-a-bus scenario, there are accounts she will definitely need to know and access.

    Whilst technically correct that this increases risk of the password being revealed, it is an absolute necessary of an overall risk reduction strategy for online accounts (cancelling bills etc.).

    • The *right* way to cover the "hit-by-a-bus" scenario is to put all your passwords into an encrypted repository, and only give your wife the password to the repository. Ideally, the repository should then be placed in a safety deposit box that can't be accessed outside of the hit-by-a-bus scenario, but that would admittedly be an extra expense and arguably overkill.

      • by makq (3730933) on Wednesday August 20, 2014 @10:15AM (#47712477)
        I assume your wife is not a bus driver, right? If so, your password repo might give her extra incentive.
      • It's better than the messy divorce scenario, I guess.

        I guess I've found that there aren't any accounts anyone needs access to(by means of password) other than netflix. So... my girlfriend has my netflix password.

      • by DERoss (1919496)

        I did the same. My Web user IDs and passwords are in an envelope in my bank's safe deposit box as well as in a strongly encrypted file on my PC. The encryption key exists only in my head and in that envelope.

        But for some non-Internet files (e.g., complete PC backups, tax returns from prior years), the files are encrypted via PGP. Decrypting them requires a passphrase (longer than a password, with embedded blanks and punctuation); some require my PGP private key. The envelope in the safe deposit box cont

      • by nbauman (624611)

        Ideally, the repository should then be placed in a safety deposit box that can't be accessed outside of the hit-by-a-bus scenario, but that would admittedly be an extra expense and arguably overkill.

        The problem with a safe deposit box is:

        (1) The survivor needs to be authorized to access the safe deposit box after death, and then needs a death certificate. http://www.ehow.com/how_579095... [ehow.com] You're letting the bank decide who gets access to your passwords.

        (2) Anybody with a judge's order can also access the safe deposit box, even if the owner isn't dead. So a safe deposit box isn't a good place to keep your Swiss bank account passbook, or anything else you don't want the government or the adverse party in

        • by DERoss (1919496)

          Problem #1 is NOT a problem in California. A safe deposit box at a bank is not sealed when one of the owners dies. Those who are on the signature card to open a safe deposit box retain full access after one of them dies.

          In my case, the box is part of a bank account that is owned by a living trust that is part of my wife's and my estate plan. For continuity, our trust requires that there always be two trustees; and our heirs are excluded from being trustees to prevent conflict among them. Nevertheless, o

    • I used to use the hit-by-a-bus scenario, but now I use the slightly modified but more favorable hit-by-a-beer-truck scenario. ;-)
  • the overwhelming amount of real danger is from database compromises, which this has almost (almost!) nothing to do with.

    smells like fud to keep people from sharing their paid services with friends and family. fuck that.

  • Android's especially annoying how a single tablet is linked tightly to a single google account. To have a table that's shared among all people living together, you practically have to set up a shared google acccount.
  • NEWS FLASH!!! (Score:3, Insightful)

    by jddeluxe (965655) on Wednesday August 20, 2014 @10:16AM (#47712483)
    51% of people on the internet are stupid, details at 11....
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Or... and this may sound zany but hear me out. Maybe 51% of people did a risk/benefit analysis and decided that giving someone there password was actually beneficial for them.

      • by gmhowell (26755)

        Or... and this may sound zany but hear me out. Maybe 51% of people did a risk/benefit analysis and decided that giving someone there password was actually beneficial for them.

        Not possible. Only people who use devices in exactly the same manner as that proscribed by a /. nerd can be beneficial. (No wireless, less space than a Nomad...)

    • by EmagGeek (574360)

      That may be a true statistic, but the subset of 51% of people who are stupid are not necessarily the same as the subset of 51% that share their passwords.

  • Not Insecure (Score:5, Insightful)

    by pavon (30274) on Wednesday August 20, 2014 @10:19AM (#47712509)

    The purpose of security is to prevent unauthorized people from accessing the account. There are tons of accounts that are legitimately shared, and there is nothing wrong with sharing passwords in those situations, if the account doesn't have any technical mechanism to allow for multiple users/profiles on a single account. For example bank accounts, utilities, Netflix, Hulu, wireless router administration, all have been shared accounts with my wife (some have since added profiles, but not all).

    Furthermore, even with accounts that we keep separate, like email, there are useful reasons to share the password, like when my wife is away from internet at work and wants me to print a boarding pass that was emailed to her. Sure I could snoop through her email, but I don't just like I could snoop through her purse or journal, but I don't.

    • by Anonymous Coward

      I do sometimes wonder about the security extremist point of view.

      "I trust you enough to sleep next to you while you have access to many long knives, but I'll be damned if I let you know my Netflix login!" ...
      yeah, I think I have it nailed.

  • by Anonymous Coward

    Let us imagine for a moment, that we do everything exactly the way, security advisors are telling us:
    * have a different password for every website and every account we got
    * never write down a password
    * log out (from every social site) whenever we stop using a mobile or desktop device
    * change all of our passwords every 30 days (to unique new and complex ones (at least 11 characters with different rules (letters, cases, numbers, punctuation symbols) for every system)
    * never share a password with anyone

    Now, fo

  • by Joe Gillian (3683399) on Wednesday August 20, 2014 @10:22AM (#47712533)

    A lot of the bigger, more frequently-used services actually encourage this. The best example I can think of is Netflix, which allows you to have separate profiles for family members but requires that everyone use the same user/pass to log in. I don't know why they couldn't just have individual passwords for the same account - at least that way I could avoid my mom trying to get everyone in the family to watch Sherlock ("Oh, I didn't see it on your watched list! You should try it!").

    Amazon's Kindle app does pretty much the same thing, though it's not directly encouraged - you can log into your Kindle account from several different devices at once, effectively allowing people to share their books with anyone they trust enough. I think this is actually worse than Netflix, because most of the time you're using the Kindle app on a mobile device that can easily be lost or stolen.

    The only company I've seen do sharing well is Valve, which has Steam Family Sharing that allows you to "lend" people your account without actually needing to tell them your password.

  • and... (Score:2, Insightful)

    by Anonymous Coward

    and 49% of people lie about sharing their passwords

  • 51% of Computer Users Share Passwords

    In other words, "49% of Computer Users Aren't Stupid." (I suspect that's grossly overoptimistic, however.)

    • by Skidborg (1585365)

      The flaw here is that they don't say which passwords to what, or with whom.

      There's no good reason not to share the password to a shared computer, and yet this poll puts anyone who does so in the same box as anyone who graffitis their bank login information on a bridge.

  • And the average person is not very smart in the first place. This news item just describes one of the consequences.

  • by bigmike_f (546576) <bigmike...f@@@gmail...com> on Wednesday August 20, 2014 @11:13AM (#47712883) Homepage Journal
    Sometimes sharing the passwords of those less technically savvy with those with better skills is necessary and would skew these numbers. Knowing Grandpa's gmail password has helped a lot.
  • "Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic log on to mobile apps and services" - You mean like automatically logging on to GMail on their phones? Ummm...isn't that the way it's supposed to work? I can't see anyone logging in and out of email every time they want to use it. Totally impractical, especially if you have a long and complex password. Like you would if you were concerned about, um, security.

    "51% are putting their personal

  • This article is hysterical in tone. What percentage of husbands and wives (or other people in relationships) share keys? I mean physical keys to your house and how about actual kitchen knives. I guess it is risky but in the real world people will do it. We do have to trust each other. pavon's (30274) comment above expresses the situation well. On the other hand not putting a PIN or better still a password on your phone, tablet, or laptop is just moronic. And you may as well use full disk encryption whi
  • just because family members share passwords doesn't mean its insecure. I know the password to most of my parents email and accounts. But so what... I won't do anything they wouldn't approve of and know them well enough to know what they would and would not approve of... so who cares.

    And as to companies... most of them are small and medium sized businesses that have overlapping responsibilities. In those cases, SOME people know some passwords. But rarely does everyone in the office know all the passwords.

    Its

  • People are good at evaluating the risks of sharing personal info with other people.

    The real problem is people sharing the same password between multiple sites. People are really bad at evaluating the risks of any given website being hacked and thus making all other sites that use that password hacked as well.

    The best thing we can do for security is encourage to write their site-unique passwords on sticky notes and post them clearly and legibly on their monitors. We'd go from millions of people being comprom

  • Passwords/security inherently get in the way of ease of use. Having to enter your password every time is a risk too: easier for people to look over your shoulder and figure out what you are typing, easier to hit max attempts and accidentally lock yourself out etc.

    Not an easy thing but it shouldn't just be password but context. We need a way of saying: "my wife can check my email for that important piece of info I need while driving now, but not later". A one time use code. Germany (and probably others) have

  • How else am I supposed to watch HBO?

  • In other news, 95% of people surveyed are putting their identities at risk by sharing their house and car keys with friends, family and colleagues. "As we lead more and more of our lives in houses and cars, our identities need to be effectively protected – worryingly, it appears that this is not the case at the moment", he continued. "It's not surprising consumers are taking shortcuts such as putting all of their identity cards into a single "wallet" or "purse" that is easily lost, stolen or hacked.

  • There are two people who have access to all of my passwords: My wife and my lawyer.

    These are the only two people on this planet with whom my communications are protected by legal privilege.

    Should the thinkable happen (let's face it, calling untimely death unthinkable is stupid, as it is entirely thinkable), there should be someone left who can access everything to put my affairs in order.

  • This is an example of a good password at my company "m7Rx2NqU" -- that's an unrecognizable jumble of characters that only a computer could love, but never a human.

    I'd prefer to use "correcthorsebatterystaple" (ala XKCD), but my company's password policies do not let me use a pass phrase, but a jumble of numbers, letters and uppercase.

    • by Kittenman (971447)

      This is an example of a good password at my company "m7Rx2NqU" -- that's an unrecognizable jumble of characters that only a computer could love, but never a human.

      I'd prefer to use "correcthorsebatterystaple" (ala XKCD), but my company's password policies do not let me use a pass phrase, but a jumble of numbers, letters and uppercase.

      Tut now. I have a couple of dozen passwords, and literally have no idea what they are. But I do know what the password to my Password storage file is. I don't think I've actually known what my bank websites password is for about 5 years. But I know I can use it and change it.

      And BTW, my daughter's router password in "CorrectHorseBatteryStaple" in her student flat. I'd wager that's a common one these days, along with MonkeySlut.

  • Which means it's rock solid secure!

    1-2-3-4 nobody will ever guess it!

  • Mine is 1d10t. ;)

"No job too big; no fee too big!" -- Dr. Peter Venkman, "Ghost-busters"

Working...