Giving Up Passwords For Chocolate
RonnyJ writes "The BBC is reporting that, according to a recent survey, more than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate. Over a third of the people surveyed even gave out their password without having to be bribed, and most indicated that they were fed up with having to use passwords."
Passwords and memory (Score:5, Interesting)
It takes less than 5 minutes to remember a new sequence, just by typing it lots of times, and I find that if I *do* forget one from (say) 6 months ago, if I put my fingers through the first 1 or 2 chars, I get the whole sequence back... Holographic memory at its best
I've found this works much better for me than what I used to do (take 2 words, reverse them, catenate them, and take the central 8 chars) - the recovery of "forgotten" passwords is much easier when I let my fingers "remember" what to do... It also allows me to give clients obviously hard-to-forge passwords and easily use them
Simon
Also over 30% will just tell you..... (Score:3, Interesting)
Troc
Wow... I mean... wow... (Score:2, Interesting)
Re:Passwords and memory (Score:2, Interesting)
At unimportant systems I use something like qwerty 'cause it's quite easy to type fast....
Re:This doesn't surprise me at all... (Score:5, Interesting)
Even back in the days I did call support for an ISP, sometimes I'd just ask their login name and they'd just blurt out...
My ISP always asks me what my password is. I've explained to them many times that it gets people into a bad habit and that I have to repeatedly tell my end users to NEVER give out passwords to anyone, even me. After several times, they finally said, "I'll make a note in your account to not ask for your password."
Idiots.
Re:Passwords and memory (Score:5, Interesting)
I have a 6 alpha char, but not-so-secret (public), password I use for all my low-risk passwords. Then I have another simple 8 alpha-num, but secret, password for all my secure sites (like Slashdot).
For high-security (Banking/root/PGP) I use a 13 character randomly generated password or two.
I would give out my not-so secret one to anyone who dares ask, and my 8 char one for an Aero milk bar...
Re:Also over 30% will just tell you..... (Score:5, Interesting)
They should have tried doing the survey by knocking on people's front doors and asking them. I bet significantly less people would tell them then, because they would realise there was a much greater chance that the divulged information could actually be used.
I am sure that somewhere in my town, there is a computer with the Windows login "Administrator", with password set to "password". Now in order for that information to be useful I still need to find that computer. (The only likely way is brute force scanning, which, by extension could be applied to the password cracking anyway.)
Clearly, if the attacker was more malicious and started following you, etc they could get this information. However, most people will assume that no one else actually has a major reason to be interested in their PC or indeed downloading their pr0n collection. This is part of the reason why Joe Public does have such strong feelings about spyware as the average slashdotter.
Re:Wow... I mean... wow... (Score:5, Interesting)
here they added the restriction that your password can not contain any characters that can be typed at the keyboard... oh and you can't use any of your last 50 passwords.
Ok, so I'm kind-of joking... but their stupidity at corporate to make passwords insanely complex has weakened computer security as most users now have their password (and the last 20 or so) written down under their desk blotter, in the drawer or even on a post-it on the monitor...
Oh and corporate's extreme wisdom has the last four of your SSN in your user ID, and they use that same 4 digits to verify who you are to tech support lines...
so basically they, through extremely stupid decisions have significantly weakened the network and computer security here to the point that it is a gigantic joke.
yay for MIS directors that have no clue!
Re:Username (Score:3, Interesting)
Price has gone up, it used to be a cheap pen. (Score:3, Interesting)
"Workers are prepared to give away their passwords for a cheap pen, according to a somewhat unscientific - but still illuminating - survey published today."
Office workers give away passwords for a cheap pen [theregister.co.uk]
Re:Passwords and memory (Score:2, Interesting)
All this by showing half an interest and sounding like you know what you're talking about. But then, maybe the IT department here is useless.
Re:This doesn't surprise me at all... (Score:1, Interesting)
Password Security (Score:5, Interesting)
By the way, it _is_ possible to come up with strong memorable passwords. Think of a phrase involving numbers and punctuation. Then translate it into a password by using the initials of the words (alternating capitalization), the numbers, and the punctuation. As an example, consider: "Don't forget 9/11/01!" That becomes dF91101! Research indicates the passwords generated by that algorithm are as strong as the randomly generated passwords some systems force onto users.
I also use a network password here at school that Windows can't handle. Basically, the network login script parsing on the machines used by students can't handle embedded punctuation, but my research machine is OK with it, so my network password is only usable from specific machines in secure areas. It's not perfect, but it reduces the exposure.
Re:Passwords and memory (Score:2, Interesting)
Ok, this is not related to the topic, but still...
Here in Slovenia various stores are switching to a "PIN code" based use of credit cards (instead of my signature on the receipt)...
I personally think that's great and all, as I've been using my cards and PIN code on ATM machines for quite some time now...
Of course, I don't "know" my PIN code, I know how to type it...
Guess what? The keyboards stores are using are "up-side-down" compared to the ones used on ATM machines...
Re:Break their fingers (Score:2, Interesting)
They can use one another's samba accounts from inside of the company, though, and in fact they do quite a lot. Many accidents (like 'I lost all my mail' or 'where are my internet bookmarks') are clearly a result of that practice and every time I have to solve such an accident I suggest they change their password and keep it secret.
It never works though... people are lazy and/or dumb.
You IT Folks Sure Are Snotty (Score:2, Interesting)
There are lots of things you can't do with humans because of human nature. Communism is one, speed limits are another, and expecting people to remember the sheer number of passwords they have to today is another. I have to keep them all in my Palm. Most of the people at work keep them on a Post-It. The password-mania of IT at work has become a joke among the employees. Get a grip!
What to do? You're the IT people, you tell me! Fingerprint readers? Retinal scanners? How about you just read the little badge that I wear around my neck all day anyway? The building security guys figured out that passwords don't work for building security, when will you guys learn the same lesson?
Re:I'd give up mine for sex! (Score:5, Interesting)
-B
Re:Passwords and memory (Score:5, Interesting)
I go a little further than this:
Additionally, every 6 months or so I create (using a random password generator) a new password, which becomes my systems password. My systems password becomes my financial password, my financial password becomes my need-to-keep secure, and so on down...
Works for me...
Re:Also over 30% will just tell you..... (Score:2, Interesting)
Yes, that was interesting, and I'm not surprised. But, this quote from the article (emphasis mine) bothered me.
The RSA survey found that maintaining online identities is becoming a burden for many people who, on average, use 20 sites that require them to register and then log on afterwards.
Good Lord! These are 'random' commuters. I find it quite hard to believe that a significant portion of them have 20 logins let alone an AVERAGE of 20 online logins to keep track of. Especially considering that only one respondent (allegedly) had a total of 40 logins.
So, it's Lies, Damn Lies, and Statistics. I don't take the article as anything resembling reality.
Re:Passwords and memory (Score:2, Interesting)
Re:This doesn't surprise me at all... (Score:3, Interesting)
Same goes for people who open virus e-mails. For some reason, after I help people, they tend to stop doing stupid crap like that on my network. I guess they finally realized the error in their ways (And making them re-do 5 months worth of work seems to be a good enough incentive)
Re:Passwords and memory (Score:5, Interesting)
I couldn't have told them my care-about passwords anyway though - I don't remember them, I just remember how to type them in.
I do the same thing. I base my passwords on a pattern of keys on the keyboard. I was haplessly surprised earlier this year while I was on vacation in Europe, when I realized that the keyboard on the hotel terminal had a different key mapping than the one I based my password on! :-( It took me several minutes just to remember what all the keys would have been on a US keyboard and then alter my pattern just to be able to type in my password...
Yes, I know I probably could have changed the key mapping in the operating system, but it was a Windows machine, and I only know how to use xmodmap.
Use a password manager (a bit OT) (Score:2, Interesting)
WARNING WARNING DANGER WILL ROBINSON!!! BLATANT PRODUCT PLUG AHEAD!!!
I use Password Manager myself, because it's written in Java, and I can put the program along with its datafile on a USB drive, then use it at work (WinXP), at home on my Linux workstation, or with my Powerbook. Check it out.
http://www.geocities.com/ramix_info/passwordman
Frat Secrets (Score:2, Interesting)
Re:Wait a minute (Score:5, Interesting)
There's a difference between having a sysadmin that's insane and having one that understands reasonable protections based on the content being protected and the overall position of the system in question. If a single compromise could result in a $200 million dollar loss of sensitive information, maybe forcing people who access that info to use a 12 character password that's not vulnerable to a dictionary attack isn't such a bad idea, hmm?
Yet, I see it all the time: some stupid suit thinks they know better and wants to be exempt from the policy. Dysfunction exists at every level, but when it runs rampant in people with authority, you have a real problem. What amazes me is that the excuse from these boneheads is always the same when something goes wrong: "well, I'm a MANAGER, I handle BUSINESS DECISIONS. You don't expect me to understand your technical mumbo jumbo, do you!?"
Uh, no dumbass.... I expect you to sit back, STFU, and let me do my job. You HIRED me to do this so you didn't HAVE to understand the technical mumbo jumbo... remember?
I'm sure not all management is like this, but from my vantage point, most of it is. It's so much easier for them to point fingers after the shit hits the fan than it is to sit down and work with the technical people from the start, I suppose. This whole story is probably a good example of that. I tried to get these bozos to pay for some of our front line people to take classes on preventing social engineering attacks. Something like 90 people would have been enrolled to the tune of $25K. They refused. So, to make my point, I told my buddy to get into the veeps office. Sure as all hell, he did it without raising any eyebrows... they thought it was a "cute trick" and still didn't sign anyone onto the class because they don't think anyone would ever try it with us. I then tried to point out that while WE might not have anything particularly valuable, we do act as interface to a much larger International that DOES have a lot of valuable assets that competitors and crooks would love.. no dice. Idiots, says I. Idiots. They hire people to do things they don't understand, then tell them how to do it anyway. That's like hiring a builder to build your house, then hanging over them all the time and telling them they're doing it wrong.
Re:A big problem... (Score:3, Interesting)
And passwords, they have to be changed every month, however I know at least 4 other people's logins (by necessity, because I didn't have an account) and since you can't reuse any of your previous 24 passwords, they recommend that you just use your old password and add a counter to the end of it. (i.e. password1, password2, password3, etc).
Re:A big problem... (Score:3, Interesting)
which is why I think a standalone program that stores all these different passwords would be helpful. A program that uses tough encryption that does exactly what mozilla|firefox does in that there is a Master Password to unlock all your usernames and passphrases for web forms. The only points of failure I can think of are 1) your box, 2) poor encryption protocol, 3) D'oh! you forgot your master password.
What about *passphrases* INSTEAD of passwords (Score:3, Interesting)
Either one requires you to know how to type, and a passphrase will more likely be able to be typed without being a contortionist.
Re:Wait a minute (Score:5, Interesting)
Sadly, I doubt they will ever realise how worthless their surveys are, after all the NYT still hasn't got the message after about a billion fake login names.
What I hate is password remember options (Score:2, Interesting)
How do we know they got the real passwords? (Score:3, Interesting)
And "I'm tired of passwords, so I'm going to give it to a stranger" doesn't really parse.
Re:Passwords and memory (Score:3, Interesting)
Now I use the split as an extra piece of information in the pattern, makes it a nonsense pattern on a normal keyboard.
Doug
Re:Passwords and memory (Score:3, Interesting)
Re:I'd give up mine for sex! (Score:2, Interesting)
That's what they have secretaries for. Seriously, you don't really think that senior management will let IT dictate hoops for them to jump through. With a very few exceptions, senior management does not need high security. I suspect in (almost) all cases, physical security is much more important than computer system security.
Re:A big problem... (Score:3, Interesting)
So I see the password thing as similar. Keep them in your wallet. I for one always have my wallet on my person, or right next to my bed. Because I really, really badly don't want it stolen. So it should be safe for passwords.
Personally I use mnemonic aids to remember apparently random passwords, though. If you can touch type you can always just shift your fingers one space to the left/right/up/down and type a recognizable phrase, combined with use of the shift key, and have a secure password.
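The shifted-fingers trick from this comment and the hotel-terminal key-mapping problem from the "Passwords and memory" comment above, as an added Python example that is not code from any poster on this page. The three letter-only layout tables are constructed here, and wrapping around at the end of a row is an assumption.

```python
# Added example, not from any poster on this page.
# Physical key rows of three layouts, letters only (constructed tables).
LAYOUTS = {
    "qwerty": ["qwertyuiop", "asdfghjkl", "zxcvbnm"],
    "qwertz": ["qwertzuiop", "asdfghjkl", "yxcvbnm"],
    "azerty": ["azertyuiop", "qsdfghjklm", "wxcvbn"],
}


def _positions(layout: str) -> dict:
    """Map each letter of a layout to its (row, column) physical position."""
    return {ch: (r, c)
            for r, row in enumerate(LAYOUTS[layout])
            for c, ch in enumerate(row)}


def shift_keys(text: str, dx: int = 1, layout: str = "qwerty") -> str:
    """Type a memorable phrase with every finger moved dx keys along its row.
    Case is preserved; non-letters pass through; a row end wraps (assumption)."""
    pos = _positions(layout)
    out = []
    for ch in text:
        low = ch.lower()
        if low in pos:
            r, c = pos[low]
            row = LAYOUTS[layout][r]
            new = row[(c + dx) % len(row)]
            out.append(new.upper() if ch.isupper() else new)
        else:
            out.append(ch)
    return "".join(out)


def retype(text: str, src: str, dst: str) -> str:
    """What the same physical key presses produce on another layout: the
    failure mode of a position-based password on a foreign keyboard.
    A position that does not exist on the target row becomes '?'."""
    pos = _positions(src)
    out = []
    for ch in text:
        low = ch.lower()
        if low in pos:
            r, c = pos[low]
            row = LAYOUTS[dst][r]
            new = row[c] if c < len(row) else "?"
            out.append(new.upper() if ch.isupper() else new)
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    pw = shift_keys("Secret")          # the phrase you remember, shifted right
    print(pw, retype(pw, "qwerty", "azerty"))
```

Because the pattern lives in finger positions, retype() shows exactly what a QWERTY-based pattern turns into on an AZERTY or QWERTZ terminal, which is the few-minutes-of-puzzling the poster above describes.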
Re:I weep for the future. (Score:3, Interesting)
* Your biometrics are not secret
* Your biometrics are not changeable
It sounds like biometrics could work well as a replacement for your username rather than your password.
The only problem I see is that they're a bit more private than a username. This will tend to lull users into considering the secrecy of their passwords less important. "Who cares if they know my password, they can't use it without my fingerprint." And that's true, but then your fingerprints are everywhere.
Re:Passwords and memory (Score:4, Interesting)
No guarantees as to how secure it is. So far I haven't found any problems with it.
Re:I'm going in the other direction (Score:3, Interesting)
Try this: Pick a *good* password. For example: Take "Oh Captain! My Captain! Our fearful trip is done;" (A line from Whitman's "Oh Captain! My Captain!")
Now, your password is
(you switch the second "O" and the second "C" to avoid repeating characters) Now, say you have four systems: Unix, Mail, Login, Finance. Add one more character at the front/back/middle/somewhere. So you have one password with one extra character somewhere. For instance:
OC!Mc!u0ftid;f tid;
OC!Mc!m0ftid;
OC!Mc!l0
OC!Mc!f0ftid;
Next time you switch passwords, pick a different line or a different poem, and maybe move where you put your extra character. Now I can't walk in to one system if I compromise another one (the point of SEPARATE passwords...) minimizing the impact of an intruder.
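The initials-plus-numbers-plus-punctuation scheme from the "Password Security" comment above and the one-extra-character-per-system idea from this comment, as an added Python example that is not code from any poster on this page. The set of punctuation kept, and the rule that separators inside a number and apostrophes inside a word are dropped, are assumptions chosen so that the thread's own "Don't forget 9/11/01!" gives dF91101!; the policy check is a typical login-script rule, not one quoted on the page.

```python
import string

# Added example, not from any poster on this page.
PUNCT_KEEP = "!?.,;:"   # trailing punctuation that survives (assumed set)


def phrase_to_password(phrase: str) -> str:
    """Initials of the words with alternating case (starting lowercase), the
    digits of numeric tokens, and trailing punctuation. Assumed to match the
    thread's "Don't forget 9/11/01!" -> "dF91101!": separators inside a number
    and apostrophes inside a word are dropped."""
    parts = []
    upper = False
    for token in phrase.split():
        core = token.rstrip(PUNCT_KEEP)
        tail = token[len(core):]
        if core and core[0].isdigit():
            parts.append("".join(ch for ch in core if ch.isdigit()))
        else:
            first = next((ch for ch in core if ch.isalpha()), "")
            if first:
                parts.append(first.upper() if upper else first.lower())
                upper = not upper
        parts.append(tail)
    return "".join(parts)


def per_system_variant(base: str, tag: str, position: int) -> str:
    """One extra character per system at a chosen offset (front, back, middle)."""
    if not 0 <= position <= len(base):
        raise ValueError("position outside the password")
    return base[:position] + tag + base[position:]


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """Typical login-script rule: minimum length and three of four classes."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw))
    return len(pw) >= min_len and sum(classes) >= 3


if __name__ == "__main__":
    base = phrase_to_password("Don't forget 9/11/01!")
    for system, tag in (("unix", "u"), ("mail", "m"), ("finance", "f")):
        print(system, per_system_variant(base, tag, 2), meets_policy(base))
```

All of the strength comes from the phrase, and a single-character tag means one leaked system password reveals the base for the others, which is the trade-off a password manager removes.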