Passwords Aren't Just a Problem For Adults (cnet.com)
Though you might assume children are the most tech-savvy generation out there, it turns out there's an area where they're just as behind as adults: passwords. From a report: National Institute of Standards and Technology released research on Wednesday showing that even though kids are taught best practices for creating passwords, they're not following them. NIST surveyed more than 1,500 children, ages 8 to 18, and found that, for example, 87% of high schoolers use the same password for everything. Depending on age group (45% of high schoolers versus 23% of elementary school kids), many share passwords with friends. Researchers suggested that those surveyed don't see password sharing as risky behavior, but rather a matter of building friendships and trust. "The end goal of this research is to better support children and provide recommendations that can be used to provide guidance to them, parents and educators," NIST researcher Yee-Yin Choong said in a statement.
Context (Score:4, Insightful)
What is the context of "sharing passwords"? Is that sharing your personal account for school used to submit homework, or is it just sharing your Netflix password? It sounds like a generic question where either context could apply, one being significantly more dangerous than the other.
Re:Context (Score:5, Insightful)
Well if 87% of them are using the same password for everything, it doesn't really matter, does it?
Re: (Score:2)
" Is that sharing your personal account for school used to submit homework, or is it just sharing your Netflix password?"
There isn't a difference. As the article says, "87% of high schoolers use the same password for everything."
Re: (Score:2)
Furthermore, even the best student is going to have a bad, become rebellious or reluctant if they are not succeeding as expected, or otherwise become a control issue. In the old days this was breaking a pencil
Passwords..... (Score:2)
https://www.youtube.com/watch?... [youtube.com]
Ya, no. (Score:5, Insightful)
Though you might assume children are the most tech-savvy generation out there, ...
I don't assume that -- at all. Proficiency with *using* things like Instagram, TikTok and/or texting doesn't make one "tech-savvy" ...
Re: (Score:3)
Yeah, people think that because a child/teen is fearless (they don't know any better, so why be afraid) means they literally aren't afraid to try stuff and see what works. This means they break shit as well and if they are actually nerdy, it stays broken.
Since most people will never be tech-savvy, regardless of the ability to use specific programs, I would definitely have to agree that kids are no better off with tech than adults, they just don't know better.
Re: (Score:2)
Yeah, people think that because a child/teen is fearless (they don't know any better, so why be afraid) means they literally aren't afraid to try stuff and see what works. This means they break shit as well and if they are actually nerdy, it stays broken.
And... they tend to experiment with and/or break things they didn't pay for themselves, probably their parents did.
Simple solution (Score:2)
1. Use pass phrases, not some random characters that make it look like you are swearing.
2. Use a password manager.
This way you memorize ONE pass phrase to get into your pass phrases, and literally copy/paste usernames and passwords when needed.
This isn't fucking rocket science.
Re: (Score:2)
> And if that one entry point for your password manager should ever get compromised, you are effed.
It is stored encrypted, right?
And you are NOT storing it in the cloud, right?
You have backups, right?
Re: (Score:2)
As I said, the vector to compromise it is different. That doesn't mean it isn't there. Your best bet is to invent a mnemonic that you can use to generate a different pass phrase for each individual place that a password is needed,
Ultimately having a single passphrase that unlocks your password manager makes you similarly vulnerable as having the same password everywhere.
Re: (Score:2)
> Ultimately having a single passphrase that unlocks your password manager makes you similarly vulnerable as having the same password everywhere.
No it doesn't. You generate random passwords.
That way you have both:
* convenience to access your passwords
* security with strong passwords
Re: (Score:2)
The problem, as I said, is that you are still using a single password to access your other passwords.
That means there is a *SINGLE* compromise vector to get at all of your passwords, and if a compromise should occur, the effect is exactly the same as if you had been using the same password everywhere
Whether you have this single password stored in any kind of encrypted format or not is entirely irrelevant. The fact that a single password on a password manager might theoretically be harder to compromis
No simple solution (was Re:Simple solution) (Score:5, Insightful)
Simple solution. 1. Use pass phrases, not some random characters that make it look like you are swearing. 2. Use a password manager.
That's not simple at all. Let me walk you through:
1. Install an app and open it. It asks to sign up with a username and password.
2. Click to open your home screen, click to open LastPass
3. Click Security
4. Click GeneratePassword
5. Click the Copy button
6. Swipe up to switch back to the app.
7. Click in the password field and click Paste, and you're into the app
8. Swipe up to switch back to LastPass
9. Click Add > Password > AddNewPassword
10. Type in a name, folder. Leave URL blank because what even is it?
11. Click on Password and click paste. (and hope that you didn't lose your clipboard between step 5 and 11 else you're screwed)
12. Click Save
13. Swipe back up to switch to the app
Now, EVERY SINGLE TIME you want to use the app and it asks for a password,
14. Go to your homescreen and launch LastPass. Do the facial recognition.
15. type the name of the app into the search screen and hope you remembered it.
16. Click the copy button
17. Swipe up to go back to the app, click in the password field, and click Paste.
If LastPass manages to associate the password with the app, then steps 14..17 are much easier -- you can just click the "use lastpass" button when you're filling out the form. But I've never managed to learn how that association is made. I'm assuming it's between the URL and the publisher-domain-metadata of the app?
Compare this to the actual simple solution:
1. When signing up, click in the password field and type the same password you use for everything, from muscle memory
2. When logging in, click in the password field and type the same password you use for everything, from muscle memory
You might object that it's so difficult because I, like most people, interact with the internet primarily through phone and apps rather than desktop. Sure, but that's not going to change, and it's not simple to change.
Don't get me wrong. I fully understand that a password manager is best practice, and I use one for everything. But you don't get to claim that it's "simpler". It's actually vastly more complicated.
I'm sure that if I used Apple's keychain then there'd be a slicker UX. But I'm not prepared to bind myself to the Apple ecosystem.
Re: (Score:2)
Simple solution. 1. Use pass phrases, not some random characters that make it look like you are swearing. 2. Use a password manager.
That's not simple at all. Let me walk you through:
I dearly hope that you are trying to Poe us.
Re: (Score:2)
Does LastPass not auto-fill passwords in apps?
I have been using Roboform for many years and it can auto-fill passwords in apps on Android and Windows (not sure about iOS).
I don't seem to have the problems that you describe.
Re: (Score:2)
Does LastPass not auto-fill passwords in apps? I have been using Roboform for many years and it can auto-fill passwords in apps on Android and Windows (not sure about iOS).
Like I said, "If LastPass manages to associate the password with the app, then steps 14..17 are much easier -- you can just click the "use lastpass" button when you're filling out the form. But I've never managed to learn how that association is made. I'm assuming it's between the URL and the publisher-domain-metadata of the app?"
Re: (Score:2)
> It's actually vastly more complicated.
Not nearly as complicated as trying to recover your accounts WHEN you get hacked because you were dumb enough to use the same stupid password on ALL your sites.
What's that Benjamin Franklin quote?
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
Let's update it for 2000:
"Those who would give up Security, to have a little temporary Convenience, deserve neither Security nor Convenience."
Bosco (Score:2)
George thought it secure, but Kramer was close to guessing it?
Passwords are a problem. (Score:2)
While a lot of people who read too much Science Fiction often get scared when they hear about bio-metrics, and then they point to stories where someone spends money and time in order to find a way to cheat the systems. In short biometrics are still superior to passwords, because you can hack a password without a targeted attack, while if you want to cheat someone's bio-metrics, it will often mean you will have to know who you are trying to attack.
Alternatively Multi-factor authentication is good too, as i
Re: Passwords are a problem. (Score:2)
If I have 2FA then why do I need a password at all? Enter user name, click logon, MFA system generates a one user code to log me in. Now I'm in my system with no password. Today it usually goes enter user name, enter password, click login, prove your human by solving this puzzle, now do 2FA to prove it's really you, then you get emails and text messages saying a login occurred. Irritating!
Re: (Score:2)
"If I have 2FA then why do I need a password at all? Enter user name, click logon, MFA system generates a one user code to log me in. Now Im in my system with no password."
Well, for one thing, that's not "2FA". You don't have two factors. It's still single-factor authentication, you're just using a different factor. The whole point behind 2FA is an attacker has to replicate two ways to authenticate, greatly increasing the difficulty of his task.
Re: (Score:2)
Well technically it's not 2FA if you don't use 2 methods of authentication. But I agree in principle with what you are saying, it's just a hassle, also usually all the factors are on your phone, so if someone has access to your phone they can check your email, read your texts as well so I don't quite get it. Also if you lose your phone/computer how do you access anything, if everything has 2FA.
Re: (Score:2)
Prove my human? Which of my many humans should I prove?
Re: (Score:2)
Often biometrics do not fully scan your entire fingerprint, or face or eyeball, but pick up a set of data points. If you were to change which datapoints are involved then you can in essence reset your password.
Re: (Score:2)
...In short biometrics are still superior to passwords, because you can hack a password without a targeted attack, while if you want to cheat someone bio-metrics, it will often mean you will have to know who you are trying to attack.
Biometrics are vastly worse than passwords. Because if your password is compromised, you can change it. If your fingerprints are forged, you can't delete your fingers and get new ones.
Re: (Score:2)
In addition, you can be compelled by the government to provide biometric access to a device, but you cannot be compelled to reveal a password (Fifth Amendment).
Unfortunately, that may be changing. There was a recent case where the court ruled a password could be compelled.
Re: (Score:2)
The protections are there for when society isn't functioning well.
Re: (Score:2)
I absolutely believe in the 4th and 5th Amendments, but I'm never going to need to invoke them.
Until you get arrested.
Remember the Richelieu Doctrine.
Re: (Score:2)
In my opinion bio-metrics are much worse than passwords, well for anything that needs to validate remotely. The main reason is you CANNOT change them, you would be effectively forced to share your password for everything.
There are 2 ways I can think this can work:
1. server checks the full bio metric, well then when you log on to the server you have to send that bio-metric, they now have it and can send it to log into any other account you have, yes bio-metrics can check for minor changes but that could be sim
Re: (Score:2)
While a lot of people who read too much Science Fiction often get scared when they hear about bio-metrics, and then they point to stories where someone spends money and time in order to find a way to cheat the systems. In short biometrics are still superior to passwords,
Easy for you to say. I don't have any thumbs now that hackers wanted to get into my Facebook.
half right (Score:2)
passwords are a problem, and so are auth tickets that make it as if I typed in password. We need something better.
No Great Solutions (Score:2)
The proliferation of password-based logins in our lives is extreme, and will be even worse for kids. There are literally hundreds of websites and systems that I use that utilize passwords (many must be changed on a regular basis). No human alive could remember a unique and secure password for each. And I've only been accumulating login accounts for the last 20 years.
A partial solution is a password manager, but that isn't perfect. You are either tied to a service (you are screwed if it shuts down or is com
Re: (Score:2)
In my case, my password database is on dropbox and onedrive and synced to a few devices. I still have that master password, but I'm unlikely to forget that and my family can access it in case.
But still the problem of entering the password can sometimes be obnoxious, in a scenario where copy/paste isn't really available due to various reasons (e.g. a streaming service that forces you to log in using a crappy remote interface).
Researchers shocked to discover kids are people (Score:2)
Better headline: "Researchers shocked to discover kids are people too"
Children simply need the wisdom of experience. (Score:2)
Yeah, but what are they protecting? (Score:4, Insightful)
Yeah, I'm a network administrator; I have 50+ passwords in my head, and a reasonable percentage of them are 30+ characters long, but I use one rather weak password for 90% of the things I use a password for, i.e., everything that fundamentally doesn't matter.
Every website you ever look at these days, makes you create an account. Most of these, you're never going to use again, and you're also never going to give them any information that you really need to protect. There is NO POINT in using secure passwords for that stuff. "Oh, noes, if the bad guys get into my account on this site, they could, umm, edit that comment I left that one time." I think I'll live through that.
So the question is, how many teenagers have any accounts that *are* worth protecting with a unique and secure password? They don't have bank accounts. They don't have work accounts. They don't have medical accounts, or insurance, or any of that. They don't *care* about their school accounts. What super-important thing are they inadequately protecting? Random idle chit-chat?
Re: (Score:2)
Agreed. Advice to "use a different password for everything" is idiotic. Kids and adults would do better if given more realistic advice.
IMO most people need about 3-5 passwords.
1) primary email
2) cell phone
3) bank account
4) things that sort of matter (credit card account, utilities)
5) things that don't matter at all (most shopping sites, throwaway email, and others)
In the end, I think the only credentials that truly matter are 1-3. In this era of forced 2-factor authentication using SMS, I'm not sure anyt
My kid's school wanted them written down for every (Score:2)
My kid's school wanted each kid's password written down where others could see it, plus they had a master list of all the kids' passwords.
On the form I wrote "dad is a security professional. I make a living telling people not to write down passwords. She knows her password."
Of course mom went ahead and added the password to the form, because she doesn't like to say no.
She's seven years old now. I teach her that *I* really don't want to know her passwords. I can get in to her phone and computer, I tell
Re: (Score:2)
I think you've identified the main issue there - the security of the email account. I'd much prefer such links have a 10-minute expiration.
They need to be cryptographically secure, so that someone can't look at their link and guess yours. Most of the time the vendors TRY to do that, but fail. Such as trying to secure it with an md5 hash. Those, and password resets, should be secured with a MAC, probably a SHA-256 based HMAC (not a sha256 hash).
If the crypto is right, it's as secure as your email. The crypto
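The reset-link construction the reply above argues for (a keyed HMAC-SHA256 over the token contents with a short expiry, rather than an unkeyed md5), as an added worked example; it is my code, not the commenter's or any vendor's. Assumptions: `SERVER_KEY` stands in for a per-deployment secret from a secrets store, `USERS` is a constructed table mapping user ids to their current password hash, and the token format `<user>.<expiry>.<mac>` is my own choice. Binding the current password hash into the MAC is what makes a link single-use: once the password changes, the old link no longer verifies.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed for the example: a per-deployment secret. In production load it
# from a secrets store; it must never be derivable from anything a user sees.
SERVER_KEY = os.urandom(32)

TOKEN_TTL_SECONDS = 600  # the 10-minute expiry suggested in the thread

# Constructed user table: user id -> current password hash (opaque string here).
USERS = {"alice": "scrypt$constructed-hash-of-alices-current-password"}


def current_password_hash(user_id: str) -> str:
    return USERS.get(user_id, "")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def weak_reset_token(user_id: str, expiry: int) -> str:
    """The anti-pattern the thread describes: an unkeyed hash. Anyone who
    knows the user id and can guess the expiry can compute this themselves."""
    return hashlib.md5(f"{user_id}|{expiry}".encode()).hexdigest()


def make_reset_token(user_id: str, key: bytes = SERVER_KEY,
                     now: Optional[float] = None) -> str:
    """Keyed token: <user>.<expiry>.<HMAC-SHA256(key, user|expiry|pwhash)>."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    msg = f"{user_id}|{expiry}|{current_password_hash(user_id)}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{_b64(user_id.encode())}.{expiry}.{_b64(mac)}"


def verify_reset_token(token: str, key: bytes = SERVER_KEY,
                       now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        uid_b64, expiry_str, mac_b64 = token.split(".")
        user_id = _unb64(uid_b64).decode()
        expiry = int(expiry_str)
        mac = _unb64(mac_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if now > expiry:
        return None
    # Recompute the MAC from the parsed fields and the user's *current* hash.
    msg = f"{user_id}|{expiry}|{current_password_hash(user_id)}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    # Constant-time comparison: a plain '==' leaks where the first mismatch is.
    if not hmac.compare_digest(mac, expected):
        return None
    return user_id


if __name__ == "__main__":
    tok = make_reset_token("alice")
    print(tok)
    print("verifies as:", verify_reset_token(tok))
```

Because the verifier recomputes the MAC from the fields it parsed, tampering with the expiry or the user id in the link fails verification, and because the key never leaves the server, one user cannot derive another user's link from their own.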
Passwords are terrible security (Score:2)
Too weak means they are easy to crack through primitive means. Too complex means people write them on sticky notes so what's the point? My company uses smart card ID badges. Stick it in the slot on the computer = login. Pull the card out = log off. When you're logged in, you can access whatever apps emails etc without entering passwords. That's the type of thing that will work for most. Why don't we use it?
Oldy-But-Goody: Evolution of Passwords (Score:3)
http://wiki.c2.com/?EvolutionO... [c2.com]
(I tried to paste it here, but the Lameness Filter balked)
The problem is that the password file itself is too easy to get to. If it were in a special locked box* with throttling and an API that did only one thing well (passwords), then it would be very rare for hackers to be able to try a billion combinations against it.
The password file doesn't belong on regular servers. With hardware-enforced retry throttling in place, the escalation of password complexity would end. It's the Vulcan thing to do.
* Probably a mirrored pair of boxes to have a spare.
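An in-process stand-in for the "locked box" the post above describes, as an added example and not the poster's design: a verifier that exposes one operation, `verify`, stores only salted scrypt hashes, and enforces per-account retry throttling with exponential back-off so that a billion guesses cannot be tried against it. The class name, the delay parameters and the caller-supplied `now` clock are my assumptions; in the poster's hardware version the throttling would be enforced by the box rather than by application code, but the interface contract is the same.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


class ThrottledVerifier:
    """Single-purpose password checker with per-account retry throttling.

    The caller passes the current time so that the logic is testable; a real
    deployment would read a monotonic clock inside the box."""

    _DUMMY_SALT = bytes(16)
    _DUMMY_HASH = bytes(32)

    def __init__(self, base_delay: float = 1.0, max_delay: float = 3600.0):
        self._store: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, hash)
        self._fail: Dict[str, Tuple[int, float]] = {}      # user -> (failures, not_before)
        self.base_delay = base_delay
        self.max_delay = max_delay

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # scrypt: memory-hard, so each guess costs the attacker time and RAM.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._store[user] = (salt, self._hash(password, salt))

    def verify(self, user: str, password: str, now: float) -> Tuple[bool, float]:
        """Return (accepted, seconds_to_wait). While an account is throttled the
        box refuses to even compute the hash, so brute force is rate-limited."""
        count, not_before = self._fail.get(user, (0, 0.0))
        if now < not_before:
            return False, not_before - now
        # Unknown users get a dummy hash computed so timing does not reveal
        # whether the account exists.
        salt, stored = self._store.get(user, (self._DUMMY_SALT, self._DUMMY_HASH))
        ok = hmac.compare_digest(self._hash(password, salt), stored) and user in self._store
        if ok:
            self._fail.pop(user, None)
            return True, 0.0
        count += 1
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self._fail[user] = (count, now + delay)
        return False, delay


if __name__ == "__main__":
    box = ThrottledVerifier()
    box.register("alice", "correct horse battery staple")
    print(box.verify("alice", "wrong", now=0.0))
    print(box.verify("alice", "correct horse battery staple", now=0.5))   # still throttled
    print(box.verify("alice", "correct horse battery staple", now=1.0))   # accepted
```

The escalation point the post makes follows directly: with a hard retry budget enforced at the only place the hashes can be checked, the marginal value of a longer user password drops, because the attacker's guess rate is capped by the box rather than by their GPU count.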
Outdated thinking... (Score:3)
"Though you might assume children are the most tech-savvy generation out there"
This no longer holds true for most people. People under 50 had to deal with technology at least from the moment their professional lives started, and people 40 and under grew up with it. That thinking held for the mid 80s through mid 2000s, where a lot of the adults got technology sprung upon them and had children that acclimated.
If anything, technology has become simpler to use. Like always parents may not keep up with popular platforms as fads move interest around, but it's not because those platforms are difficult, it's just because adults have less interest.
Re: (Score:2)
"Though you might assume children are the most tech-savvy generation out there"
This no longer holds true for most people. People under 50 had to deal with technology at least from the moment their professional lives started, and people 40 and under grew up with it. That thinking held for the mid 80s through mid 2000s, where a lot of the adults got technology sprung upon them and had children that acclimated.
If anything, technology has become simpler to use. Like always parents may not keep up with popular platforms as fads move interest around, but it's not because those platforms are difficult, it's just because adults have less interest.
This.
Cars are a good example, my parents generation learned to drive with manual transmissions, no ABS, chokes, unreliable engines... My generation still had manual transmissions, no ABS although chokes were largely a thing of the past and engines were a bit more reliable. Current generations barely know what a car is doing as everything is hidden from them behind computer controls, automatic transmissions, squishy suspension and if anything goes wrong they just ring roadside assistance. They don't know
Re: (Score:2)
Obligatory Car analogy probably works very well here.
I wager that someone born around 1880 probably never got comfy with cars. Meanwhile someone born in 1910 was probably very comfortable with the ins and outs of cars and cars were probably perceived at the time as a young man's realm and wouldn't be surprised if young people being better with cars was still trotted out in the 40s despite probably not being the case anymore.
And like you say, progressing to today where thanks to advancements that have mitigat
Problem is the NIST. (Score:2)
Their standard for passwords is 8 characters for a human-chosen one, 6-64 for a machine generated one.
From my experience, the best password is:
Three words with a symbol besides space separating them, with some rule for capitalized letter (such as first, last, every first, every last)
Example:
Forget(Paris(John
This is far easier to remember, practically impossible for a machine to guess, and your estranged wife will not automatically be able to guess.
Random letters are guaranteed to be forgotten unless they are used a lot.
Unfused skulls (Score:2)
Re: (Score:2)
I don't assume that children are tech savvy. I figure they are juvenile and uneducated. Also, kids are dumb.
More precisely, they think they're smarter and/or more experienced than (currently) they are -- or they simply want something and actual knowledge gets in the way.
For example... I'm a systems programmer and systems administrator with 30+ years experience working on everything from PCs to Cray supercomputers at NASA Langley, the NYT and various defense contractors and I've had numerous arguments with my 14yo niece about how things like WiFi, networking and the Internet work and she thinks I'm wrong -- whi
Re: (Score:2)
Substitute middle/higher management for kids throughout and your point still stands.
Sad but true.
You can only remember so many passwords (Score:1)
But use a password manager! they say.
Yeah. Ok. Except now if the company that has all your passwords stored on their servers goes belly up or gets DoS'd then you're hosed.
A part of the solution is to have less valuable shit hidden behind your passwords. Then who the fuck cares if it gets hacked or cracked or stolen off your sticky note under your keyboard.
2fa has its place but again makes for something more fragile than a password if you're relying on 3rd party infrastructure to make it work.
Re: (Score:2)
"Except now if the company that has all your passwords stored on their servers goes belly up or gets dosd then you're hosed."
There's this exciting new concept that helps you deal with this called "backups". If you're not keeping a copy of your password manager's data file someplace completely independent of its primary location, you're being criminally negligent. If your password manager doesn't allow you to easily make and access copies of its data file, you're using the wrong password manager.
Re: You can only remember so many passwords (Score:2)
I can do that. I can try to find one that works across machines and lets me use it on public terminals and doesn't do stupid shit like pass clear text or low security encrypted passwords around the cloud and everything else.
Or I can refrain from giving my credit card and identifying information out to every facespace wannabe out there and keep posting under a pseudonym instead of my real name and just use a few passwords I can keep between my ears.
Re: (Score:2)
I would recommend against having a third party run your password manager program; just have them store the data file. I like Password Gorilla; runs on Linux, Windows, and MacOS. Android as well, but you'll have to sideload it. You could keep it on a USB key for running on a public terminal.
Well Most Web Sites and Techs Don't Follow NIST (Score:2)
So how are people supposed to learn how to do it themselves. Average folks won't be reading NIST tech bulletins.
We keep seeing applications, web sites, and computer "professionals" telling us to create goofy passwords that NIST nixed years ago. Capital, lower case, symbol, number, fuckoff. I put "professional" in quotes since actual professionals would know that phrases are better and easier to remember, so you don't have to write them down, and people won't be tempted to share as much because they will ha
Protip. (Score:2)
Pick a "default" password, something fairly complex involving letters, numbers, symbols etc. Use this as-is on sites you don't give a holy shit about and could not care less about if hacked but which you will always remember. Of course, if it's a _really_ dumb site just use e.g. abc123 or something, who gives a shit.
For sites more important where you will want to be able to login from memory, use the default password you chose but prefix/mod with something unique about the site. Could be e.g. first few lett
I just use ... (Score:3)
My dog is named %8Nk=14hD
Too many passwords. (Score:2)
You can't expect somebody to remember 200+ passwords for 200+ different sites. Either people must use a password manager to remember their passwords, and the issues of synchronising between machines (Chrome seems to do a good job here), or find a way to generate a strong password for each site which doesn't require remembering 200+ passwords, yet is repeatable, and not easily guessable even to someone who knows the method.
My password manager (Score:2)
$ echo PinkFluffyBunnyAmazon | sha256sum | cut -c1-64 | xxd -r -p | base64 | cut -c1-16
Then just pick a suitable passphrase for the PinkFluffyBunny part, and use the website name as the Amazon part, and you're done. Look Mummy, no storage required.
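The stateless scheme in the post above (and the earlier reply's idea of a mnemonic that yields a different pass phrase per site) as an added worked example; this is my code, not the commenter's one-liner. The caveat a practitioner would want: with plain `sha256sum`, a single derived password leaked in a site breach lets an attacker test master-phrase guesses at billions per second on a GPU, and a hit unlocks every site. The example therefore swaps in scrypt, a deliberately slow, memory-hard key derivation function. Assumptions of my own: site names are normalised to lower case so "Amazon" and "amazon" agree, a `counter` allows rotating one site's password without changing the master phrase, and a digit and a symbol are appended deterministically so the output passes common password policies.

```python
import base64
import hashlib

SYMBOLS = "!@#$%^&*"


def derive_site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """One memorised passphrase + site name -> per-site password, nothing stored.

    scrypt replaces a bare SHA-256 so that a leaked derived password does not let
    an attacker test guesses at the master phrase at raw hash speed."""
    if length < 8:
        raise ValueError("length too short for a useful password")
    site_norm = site.strip().lower()                    # "Amazon" == "amazon"
    # The counter is part of the salt: bump it to rotate one site's password.
    salt = f"site-pw-v1|{site_norm}|{counter}".encode()
    # n=2**14, r=8 keeps memory at 16 MiB, under hashlib's default maxmem.
    key = hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    body = base64.b64encode(key).decode()[: length - 2]
    # Deterministic policy padding: always end with one digit and one symbol.
    digit = str(key[-1] % 10)
    symbol = SYMBOLS[key[-2] % len(SYMBOLS)]
    return body + digit + symbol


if __name__ == "__main__":
    master = "PinkFluffyBunny"     # the part you memorise
    for site in ("Amazon", "eBay", "bank"):
        print(site, derive_site_password(master, site))
```

Two properties still do not change: the master phrase must be long (three or four random words at least), because all per-site passwords fall with it, and the scheme cannot rotate a password without you remembering that the site's counter is now 2, which is the bit of state a vault would otherwise hold for you.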
So easy even a child can use it! (Score:2)
We can eliminate all passwords (Score:2)
If we let go of this nonsense of having personal property then we don't need accounts or passwords to protect it. We've already taught children that there is no personal privacy, not much further to go before we reach utopia.
Re: (Score:2)
I like your enthusiasm for communism but you're forgetting the down-side: If no-one owns it, no-one cares for it. Plus, there's no-one to nag the government "I don't have enough USP/profit/slaves/fascism" while pretending "you can be rich like me". That sounds like a good thing but the wealthy, lacking guns and soldiers, are more sensitive to civil disobedience and ensure the unwashed masses have just-enough (YMMV, see: boiling a frog) breathing room.
The strangest problem with 'no property' is reproduct
Re: (Score:2)
If no-one owns it, no-one cares for it.
Make a law. Let's say an offence, such as not filling a car back up with fuel after you've used it, is treason.
Plus, there's no-one to nag the government "I don't have enough USP/profit/slaves/fascism" while pretending "you can be rich like me".
That's why most failed communist states have a special leader class that does own things and gets to make decisions. The best of the best would be the leaders. Of course this ground was already covered in Plato's Ship of State.
Lenin had a dim view of an electorate with Bourgeoisie fantasies. But of course that's exactly how it played out.
Does that 'personal' mean it's no longer her vagina
That's the most logical next step. No personal property, no i
This again (Score:3)
The "password woes" issue keeps getting trotted out from time to time, but we are still using passwords for one simple reason: Nothing better has been thought up to replace it.
Biometrics - this comes with a host of its own problems when it comes to reliability/security and with ever increasing privacy concerns people are becoming more squeamish in using it.
Dongles - people are only willing to use these for high security applications, and of course there is the issue of loss/theft
Voice recognition? - big security hole right there.
We are going to continue to use passwords, and this is not going to change any time in the foreseeable future.
Re: (Score:1)
"Nothing better has been thought up to replace it."
Wrong.
Passwords are still in use because the only thing worse than passwords is no passwords at all.
On the other hand, passwords + 2FA exists and is far better, should be mandatory for any serious thing. (Whatever the second factor. The OTP standard for instance offers plenty of nifty solutions).
LOL ! assume children are the most tech-savvy (Score:1)
Working in IT for more than 20 years, having kids, I can tell you one thing : newer generations have mostly NO IDEA what tech is about.
Bring them tik tok and emojis, fast reward for clicking on a bright color, THEY will assume they know.
But they know even less than John Snow.