51% of Computer Users Share Passwords
An anonymous reader writes: Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic log on to mobile apps and services, according to new research by Intercede. While 52% of respondents stated that security was a top priority when choosing a mobile device, 51% are putting their personal data at risk by sharing usernames and passwords with friends, family and colleagues. The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.
Re:I do not (Score:4, Informative)
49percent
That's my password...
Re: (Score:1)
49percent
That's my password...
That's not your password. I tried logging in. You lied.
Re: (Score:2)
I am one of the 51%. I don't see things changing, the computer is a convenience device for most of the world. It needs to be convenient. As per usual, attention must be called to the fact that stolen and misused passwords constitute a crime and examples should be made. I would recommend cutting off the arms of computer criminals at the elbow, so they still have something to scratch their ass with. Enforcement is the answer, failing that, vigilance. Too much money has been spent for personal computers/device
Re: I do not (Score:1)
Sharing passwords in itself is not so much of an issue. People have trust relations with one another; this is only normal and natural. We should not advise against this.
There are however a few things we can do to make this sharing match our expectations better.
1. Use different passwords for everything. Sharing your netflix account with your friend is a big issue when that same password will let him into your paypal.
2. Use opaque passwords. Passwords should not reveal anything and be truly random. Non-opaque
Re: (Score:1)
Convenience is a subjective quantity. It is much handier to just leave your keys in your ignition switch than to have to keep track of them or fish around in your pockets every time you want to do something as routine as open your car door or start the engine. (Don't we all just love car-computer analogies?)
Full disclosure has been shown to be the most reliable way to get companies to fix security problems in their software.
Bugs will be found and exploited privately whether public disclosure takes place or
Re: (Score:2)
Yes, I want to live in a world where I can leave my keys in the car. Amputee ex-car thieves are a good idea.
I'm willing to let competitiveness between companies decide the quality of any product. Amputee criminal hackers are a good idea.
Bugs ARE found and exploited privately with/without disclosure. These zero day groups could easily be providing support for each other in an amputee support group.
Security exists to protect the interests of the customer, who is always right. No sacrifice except the offendin
Re: (Score:2)
That explains those odd posts with my U.I.D.....
I thought it meant I had blacked out and one of the others took over...
Logged in to email? (Score:5, Informative)
The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.
Yes, god forbid people "leave themselves logged in" to their email accounts on their mobile device. I guess we're not supposed to use push email but instead enter our email passwords into our phones every few seconds to get timely email alerts?
It's too bad that the cell network itself lacks any meaningful security mechanisms. I mean, if someone gets a hold of your phone, they can just start texting and calling without having to "log in" on the network at all. It's amazing that the world hasn't collapsed as a result.
Re: (Score:2, Insightful)
No, the "thief" will just remove your SIM card and put it into their phone before calling all sorts of nefarious 1-900 numbers or otherwise charge money onto your phone-place. The GP assertion is correct that "It's too bad that the cell network itself lacks any meaningful security mechanisms."
Re: (Score:2)
Because you haven't been able to set a SIM PIN since, say, SIM cards were invented, right? Just because no one uses the security mechanisms available doesn't automatically make it the cell network's fault when someone rips you off. Set a device PIN and a SIM PIN and you're all set. Takes about 10 seconds.
passwords on the device/session level, not app (Score:5, Insightful)
Of course I leave the apps on my phone "logged in"; that's how they're supposed to work. Obviously this only makes sense if there's a password to access my phone (or on my account if the device supports them), but if not, it's the lack of password on my phone that marks me as a security-oblivious idiot, not the fact that I'm using the apps as they were designed to work.
Re: (Score:2)
Phones today are as important as your wallet. Losing it can result in identity theft. It's not a new issue, it's just that it's taken a new form.
As tverbeek stated, putting a password on the phone is the most logical thing to do and probably the only thing one can do.
Sharing passwords is the result of people being misinformed or not understanding what can happen. There's also a laziness component to it. At home it's one thing but at work I explain to users that sharing their password is like trusting the
Re: (Score:2)
Our main problem is that our cell phones are our only phones. We don't have a land line. So if we need to call 911, we need to be able to access our phones. More than that, though, we have 2 young kids and if they need to dial 911, they need to be able to pick up our phones and call 911. As it is, teaching them to swipe to open the phone, click on the phone icon, and then dial 911 can be tricky. (Compared with "pick up the land-line phone and press 911".)
If anyone knows of any app that keeps the phone
Re: (Score:1)
??? Have you tried pressing the "Emergency Call" text on the lock screen?
Re: (Score:2)
There isn't any "Emergency Call" text on my lock screen. (Android 4.4.2 on a Verizon Wireless Droid RAZR HD.)
Re: (Score:2)
My Android 4.1.2 on a Verizon DROID 4 certainly has it. It's required to be there. Look at the bottom of your lock screen (It *is* a lock screen, right? Requiring a code to unlock the phone? It's not there if your phone's not locked and you can just swipe to select the function you want).
Re: (Score:2)
Ah. I could have sworn that when I set up proper locking mechanisms on the phone that there wasn't any option to call. I just tried it again, though, and there is an "Emergency Call" text. For a test, I tried using my cell phone to call my work number and it said that this number wasn't an emergency number. My next question would be how would I specify certain emergency numbers? (This way, if my child has my phone and needs to call a relative that they know the number of, they can without having to kno
Re:Logged in to email? (Score:4, Informative)
You can't.
The emergency call is for calling emergency numbers. It's a small list - 911, 999, 111, 122, etc. In fact, I think on modern cellphones, you can call ANY emergency number and it'll connect you to emergency services. So in North America, if you dial 999 (Europe emergency) you will connect with 911 automatically - the phone interprets the number as emergency and basically does an emergency dial (it's a special control code so the tower will kick someone off if it needs to in order to connect you).
It's not a huge list of numbers, and it's coded into the software as it has to recognize if you're calling emergency services and to place it as a high-priority call on the network.
And no, it doesn't include your relatives' number - that's not the intent. The intent is to be able to make a call to emergency services regardless of lock screen status, service status, etc. (It's how those used cellphone charities work - they collect deactivated cellphones for people so they have a way to get to emergency services).
Re: (Score:2)
This isn't necessarily universal, as it's not required like 911 access, but you can certainly do it on my phone. Go into "People", select "In case of emergency" (it's big and bold at top) and you can select contacts from your contact list to be emergency contacts. These can then be called from the lock screen with the "Emergency contacts" button.
Re: (Score:2)
If anyone knows of any app that keeps the phone locked out (so you need to enter a password to get into your apps) but which enables easy dialing of 911 (or selected people on your contact list). I'd be more than happy to hear what they are. That would be the perfect balance between securing your phone and keeping it easy for my kids to use to call 911 or relatives who live close by. (Not that those lock-screen passwords are perfectly secure, but they're better than swipe-to-unlock.)
yes. it's called iPhone. there is an option to make an emergency call from the lock screen. I'm pretty sure the same thing exists on most android and windows phones.
Re:Logged in to email? (Score:4, Informative)
Re: (Score:2)
It would really surprise me if the phone was required by law to be able to make emergency calls while locked since my Android phone doesn't seem to have this feature.
Re: (Score:3)
It would really surprise me if your Android phone *doesn't* have this feature, because it *is* required by law. Mine certainly has it.
Re: (Score:3)
It would really surprise me if your Android phone *doesn't* have this feature, because it *is* required by law. Mine certainly has it.
This is one of those funny cases where people accidentally out themselves as not securing their phone.
The phones legally must display it in most countries, but only if the phone is locked or password protected. If there is no password required to get in, just a "swipe to unlock" rather than a security system, the button does not appear.
Lack of emergency call button == unsecured smart phone.
(Or a fairly old phone, or a hacked phone that breaks the law in many nations.)
Re: (Score:2)
I just tried setting up an actual lock screen (with a password) and sure enough there is an "Emergency Call" item now. (I could have sworn I had tried this in the past and hadn't seen one, but it's possible I overlooked it somehow.) For a test, I tried using my cell phone to call my work number and it said that this number wasn't an emergency number. My next question would be how would I specify certain allowed emergency numbers? (Beyond 911, obviously.) This way, if my child has my phone and needs to ca
Re: (Score:2)
Don't they all do that already - at least the 911 part. Every cell phone I've ever owned of the dumb and smart variety have all allowed calling 911 while locked. I'm pretty sure it's a legal requirement that they call 911 when they are locked and when they have no sim card.
On my samsung you can add numbers to the emergency contact group and they'll be callable from the emergency call button that shows up on the lock screen as well as 911. Given it's a samsung there is a 0% chance that they didn't copy that
Re: (Score:2)
I've been checking on my phone (Motorola Droid RAZR HD with Android 4.4.2 on Verizon Wireless) and can't find any Emergency Contacts feature. There's an "Owner Info" section where I can put text on the home screen, but that's limited in function. Would be best as a "If found, please call 555-1212" text, not as a "Click this to call 911 or selected contacts."
Re: (Score:2)
I know this is all retro and stuff, but land lines aren't dangerous or particularly expensive. Mine comes with my Internet connection, YMMV.
And, although emergencies are fortunately rather rare, I would prefer to depend on my land line than my AT&T-we-might-complete-this-call-if-we're-having-a-good-day cell phone.
Re: (Score:2)
We ditched our landline years ago to save money. It was costing us way too much a month for the landline when we were almost never using it. We first switched our landline number to a dedicated mobile phone since it was cheaper than an actual landline. Then, we moved that to a Google Voice account ($40 one time fee). The first week of our going cell-only, my youngest son had a febrile seizure (one of many he's had) and we called 911 with our cell phones. The 911 call went flawlessly and they arrived ju
Re: (Score:2)
Reputation aside, I seldom have any trouble with non-emergency calls from my AT&T iPhone, and the landline is only useful if you're at home, preferably in the same room as the phone.
I definitely share password with family (Score:5, Insightful)
Whilst technically correct that this increases risk of the password being revealed, it is an absolute necessity of an overall risk reduction strategy for online accounts (cancelling bills etc.).
Re: (Score:3)
The *right* way to cover the "hit-by-a-bus" scenario is to put all your passwords into an encrypted repository, and only give your wife the password to the repository. Ideally, the repository should then be placed in a safety deposit box that can't be accessed outside of the hit-by-a-bus scenario, but that would admittedly be an extra expense and arguably overkill.
Re:I definitely share password with family (Score:5, Funny)
Re: (Score:2)
It's better than the messy divorce scenario, I guess.
I guess I've found that there aren't any accounts anyone needs access to (by means of password) other than netflix. So... my girlfriend has my netflix password.
Re: (Score:2)
I did the same. My Web user IDs and passwords are in an envelope in my bank's safe deposit box as well as in a strongly encrypted file on my PC. The encryption key exists only in my head and in that envelope.
But for some non-Internet files (e.g., complete PC backups, tax returns from prior years), the files are encrypted via PGP. Decrypting them requires a passphrase (longer than a password, with embedded blanks and punctuation); some require my PGP private key. The envelope in the safe deposit box cont
Re: (Score:3)
Ideally, the repository should then be placed in a safety deposit box that can't be accessed outside of the hit-by-a-bus scenario, but that would admittedly be an extra expense and arguably overkill.
The problem with a safe deposit box is:
(1) The survivor needs to be authorized to access the safe deposit box after death, and then needs a death certificate. http://www.ehow.com/how_579095... [ehow.com] You're letting the bank decide who gets access to your passwords.
(2) Anybody with a judge's order can also access the safe deposit box, even if the owner isn't dead. So a safe deposit box isn't a good place to keep your Swiss bank account passbook, or anything else you don't want the government or the adverse party in
Re: (Score:2)
Problem #1 is NOT a problem in California. A safe deposit box at a bank is not sealed when one of the owners dies. Those who are on the signature card to open a safe deposit box retain full access after one of them dies.
In my case, the box is part of a bank account that is owned by a living trust that is part of my wife's and my estate plan. For continuity, our trust requires that there always be two trustees; and our heirs are excluded from being trustees to prevent conflict among them. Nevertheless, o
Re: (Score:1)
Re: (Score:2)
No and No again.
Even if you trust someone to fix a problem, why would you trust them with your password? Set a temporary password so they can fix something, then change it back when they are done fixing. I have no idea why you would give someone the temptation, especially when there are simple safe alternatives.
No, it's not the same thing as just driving a car or having risks while driving a car.
If you want a "proper" car analogy...
Your friend needs to borrow your car. Would you make your friend a copy o
Re: (Score:2)
Even if you trust someone to fix a problem, why would you trust them with your password? Set a temporary password so they can fix something, then change it back when they are done fixing.
These days, common as not, you aren't allowed to set it back to what it was before. I think gmail, for example, now enforces password history for example. Pretty infuriating, because I DO generally change passwords before giving someone temporary access.
If you want a "proper" car analogy...
You would talk about those cars wi
Re: (Score:2)
Re: (Score:2)
Are you seriously attempting to imply that the rare exception should justify the rule for normal behavior? I really hope not, but that's how I read what you wrote.
Not at all. When you can change to a temporary and back you should. But the exceptions where that isn't simple aren't all that rare. (And in the case of systems that won't let you change back, you often don't find out until after you've gone down the rabbit hole; so it's especially annoying.)
Wifi pre-shared keys for example are a prime common-as-di
Re: (Score:2)
I would certainly agree that exceptions are both possible and possible, and would not argue that exceptions don't exist. Very little in the world is purely black or purely white. GP at least implied that the only option was to share, and my point was that there are better alternatives.
With no qualification of your point, like "Hey, what about exceptions?" it seems like you are in agreement with the GP that the only answer is to give away your password.
Re: (Score:2)
Not really sure which post is "GP" at this point.
I agree that there are better alternatives to sharing passwords in many cases.
I just think that the scenarios where "sharing" is so far-and-away the easier (perhaps even "better") solution that they shouldn't be classified as a 'rare exception'. It's pretty common.
For example, my wife and I both need the passwords to all of our utility accounts. The teenaged kids have the login to netflix. We all share the login to the HTPC in the living room rather than havin
sigh (Score:2)
the overwhelming amount of real danger is from database compromises, which this has almost (almost!) nothing to do with.
smells like fud to keep people from sharing their paid services with friends and family. fuck that.
Android makes this worse. (Score:2)
Re:Android makes this worse. (Score:4, Informative)
Don't know what version you're running but android does support multiple accounts since 4.2 [androidpolice.com].
I've been enjoying it for a while now.
AFAIK it's the only mobile OS doing so.
Re: (Score:2)
AFAIK it's the only mobile OS doing so.
That seems to be true. Here's additional proof that Windows Phone [windowsphone.com] and iOS [zdnet.com] do not currently support such a feature.
Re: (Score:2)
Only on tablets, though. Phones are still single-user.
Re: (Score:1)
Both of our Android phones both have multi-user capability.
Re: (Score:2)
Huh. Multi-user as in you can switch accounts at the lock screen?
Re: (Score:2)
AFAIK it's the only mobile OS doing so.
Windows RT allows for multiple accounts.
Re: (Score:3)
I'm also surprised it's not higher but not because people are stupid but because there are a bunch of different use cases.
Even if the bank allows it, what advantage does a husband/wife have to create separate logins for a joint account?
There are plenty of people that share accounts. There might be a sales email address that multiple people in an office take turns checking.
I know quite a few husband/wife pairs that share a single facebook account and I even know a few that share a single email address.
It's
Re: 90% of people are retarded (Score:1)
Re: (Score:3)
If a divorce happens, then having a joint login isn't really a problem as you already both have access to the money. So you both can log in and see that the other person already emptied the account. No need to worry about changing the password.
Same with mortgage accounts. The fact that the login/password is shared is less important than the fact that you own a house together. The login/password is usually only useful for paying the bill and not much else anyways.
It seems pointless to have 2 separate login/pa
Re: 90% of people are retarded (Score:4, Insightful)
What an idiotic statement. First, if something has a 50% chance of happening then it is certainly not 'inevitable'. Second, divorce is not a random event, so comparing it to a coin toss is exceedingly stupid. Passwords aside, we already 'share accounts'. We have joint checking and savings accounts, a joint mortgage, joint ownership of the house, joint ownership of a timeshare, file joint tax returns, etc. What is so different about joint online accounts? Nothing.
Re: (Score:1)
Re: (Score:2)
The rate increases when looking only at the subset of the population who post as AC.
NEWS FLASH!!! (Score:3, Insightful)
Re: (Score:2, Insightful)
Or... and this may sound zany but hear me out. Maybe 51% of people did a risk/benefit analysis and decided that giving someone their password was actually beneficial for them.
Re: (Score:3)
Or... and this may sound zany but hear me out. Maybe 51% of people did a risk/benefit analysis and decided that giving someone their password was actually beneficial for them.
Not possible. Only people who use devices in exactly the same manner as that proscribed by a /. nerd can be beneficial. (No wireless, less space than a Nomad...)
Re: (Score:1)
That may be a true statistic, but the subset of 51% of people who are stupid are not necessarily the same as the subset of 51% that share their passwords.
Not Insecure (Score:5, Insightful)
The purpose of security is to prevent unauthorized people from accessing the account. There are tons of accounts that are legitimately shared, and there is nothing wrong with sharing passwords in those situations, if the account doesn't have any technical mechanism to allow for multiple users/profiles on a single account. For example bank accounts, utilities, Netflix, Hulu, wireless router administration, all have been shared accounts with my wife (some have since added profiles, but not all).
Furthermore, even with accounts that we keep separate, like email, there are useful reasons to share the password, like when my wife is away from internet at work and wants me to print a boarding pass that was emailed to her. Sure I could snoop through her email, but I don't just like I could snoop through her purse or journal, but I don't.
Re: (Score:1)
I do sometimes wonder about the security extremist point of view.
"I trust you enough to sleep next to you while you have access to many long knives, but I'll be damned if I let you know my Netflix login!" ...
yeah, I think I have it nailed.
Imagine (Score:1)
Let us imagine for a moment that we do everything exactly the way security advisors are telling us:
* have a different password for every website and every account we got
* never write down a password
* log out (from every social site) whenever we stop using a mobile or desktop device
* change all of our passwords every 30 days (to unique new and complex ones (at least 11 characters with different rules (letters, cases, numbers, punctuation symbols) for every system))
* never share a password with anyone
Now, fo
Encouraged by a lot of places. (Score:4, Interesting)
A lot of the bigger, more frequently-used services actually encourage this. The best example I can think of is Netflix, which allows you to have separate profiles for family members but requires that everyone use the same user/pass to log in. I don't know why they couldn't just have individual passwords for the same account - at least that way I could avoid my mom trying to get everyone in the family to watch Sherlock ("Oh, I didn't see it on your watched list! You should try it!").
Amazon's Kindle app does pretty much the same thing, though it's not directly encouraged - you can log into your Kindle account from several different devices at once, effectively allowing people to share their books with anyone they trust enough. I think this is actually worse than Netflix, because most of the time you're using the Kindle app on a mobile device that can easily be lost or stolen.
The only company I've seen do sharing well is Valve, which has Steam Family Sharing that allows you to "lend" people your account without actually needing to tell them your password.
Re: (Score:1)
and... (Score:2, Insightful)
and 49% of people lie about sharing their passwords
Re: (Score:2)
I share my passwords with nobody but the NSA.
In other words... (Score:2)
51% of Computer Users Share Passwords
In other words, "49% of Computer Users Aren't Stupid." (I suspect that's grossly overoptimistic, however.)
Re: (Score:2)
The flaw here is that they don't say which passwords to what, or with whom.
There's no good reason not to share the password to a shared computer, and yet this poll puts anyone who does so in the same box as anyone who graffitis their bank login information on a bridge.
50% are less smart than average (Score:2)
And the average person is not very smart in the first place. This news item just describes one of the consequences.
Re: (Score:2)
With a good Gaussian distribution (which we have here), it matters little. Some people of course do not have the smarts to deal with things like context or problem parameters.
Elderly family members passwords (Score:3, Insightful)
Ok so let's break this down... (Score:2)
"Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic log on to mobile apps and services" - You mean like automatically logging on to GMail on their phones? Ummm...isn't that the way it's supposed to work? I can't see anyone logging in and out of email every time they want to use it. Totally impractical, especially if you have a long and complex password. Like you would if you were concerned about, um, security.
"51% are putting their personal
What percentage of husbands and wives share keys? (Score:1)
meaningless stat... (Score:2)
just because family members share passwords doesn't mean it's insecure. I know the password to most of my parents email and accounts. But so what... I won't do anything they wouldn't approve of and know them well enough to know what they would and would not approve of... so who cares.
And as to companies... most of them are small and medium sized businesses that have overlapping responsibilities. In those cases, SOME people know some passwords. But rarely does everyone in the office know all the passwords.
Its
Sharing with other people is not the problem (Score:2)
People are good at evaluating the risks of sharing personal info with other people.
The real problem is people sharing the same password between multiple sites. People are really bad at evaluating the risks of any given website being hacked and thus making all other sites that use that password hacked as well.
The best thing we can do for security is encourage people to write their site-unique passwords on sticky notes and post them clearly and legibly on their monitors. We'd go from millions of people being comprom
problem without an easy solution (Score:2)
Passwords/security inherently get in the way of ease of use. Having to enter your password every time is a risk too: easier for people to look over your shoulder and figure out what you are typing, easier to hit max attempts and accidentally lock yourself out etc.
Not an easy thing but it shouldn't just be password but context. We need a way of saying: "my wife can check my email for that important piece of info I need while driving now, but not later". A one time use code. Germany (and probably others) have
of course we share passwords (Score:2)
How else am I supposed to watch HBO?
In other news... (Score:1)
In other news, 95% of people surveyed are putting their identities at risk by sharing their house and car keys with friends, family and colleagues. "As we lead more and more of our lives in houses and cars, our identities need to be effectively protected – worryingly, it appears that this is not the case at the moment", he continued. "It's not surprising consumers are taking shortcuts such as putting all of their identity cards into a single "wallet" or "purse" that is easily lost, stolen or hacked.
Re: (Score:2)
Two people have access to my passwords (Score:1)
There are two people who have access to all of my passwords: My wife and my lawyer.
These are the only two people on this planet with whom my communications are protected by legal privilege.
Should the thinkable happen (let's face it, calling untimely death unthinkable is stupid, as it is entirely thinkable), there should be someone left who can access everything to put my affairs in order.
Because password policy is BORKED. (Score:2)
This is an example of a good password at my company "m7Rx2NqU" -- that's an unrecognizable jumble of characters that only a computer could love, but never a human.
I'd prefer to use "correcthorsebatterystaple" (ala XKCD), but my company's password policies do not let me use a pass phrase, but a jumble of numbers, letters and uppercase.
Re: (Score:2)
This is an example of a good password at my company "m7Rx2NqU" -- that's an unrecognizable jumble of characters that only a computer could love, but never a human.
I'd prefer to use "correcthorsebatterystaple" (ala XKCD), but my company's password policies do not let me use a pass phrase, but a jumble of numbers, letters and uppercase.
Tut now. I have a couple of dozen passwords, and literally have no idea what they are. But I do know what the password to my Password storage file is. I don't think I've actually known what my bank website's password is for about 5 years. But I know I can use it and change it.
And BTW, my daughter's router password is "CorrectHorseBatteryStaple" in her student flat. I'd wager that's a common one these days, along with MonkeySlut.
I never share mine (Score:1)
Which means it's rock solid secure!
1-2-3-4 nobody will ever guess it!
Let's share our passwords on /.! (Score:2)
Mine is 1d10t. ;)