
Survey Shows How Stupid People Are With Passwords

CmdrTaco posted more than 3 years ago | from the your-password-is-trustno1 dept.

Security 427

wiredmikey writes "Another study was released to today that once again shows how careless people really are online. When it comes to safeguarding personal information online, many people don't seem to care very much, or don't think enough about it. In the survey of more than 2,500 people, some interesting and scary trends were revealed in how users handle their online passwords..."


427 comments


Websites are responsible too (3, Funny)

odies (1869886) | more than 3 years ago | (#33873572)

In addition to securing web and database servers and only storing the passwords as hashes with salt added, websites should do more to protect the user passwords. This for example is why Slashdot hides your password as ******** if you accidentally happen to write or paste it to a comment - a practice every website should do.
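The parent's first sentence mentions storing passwords only as salted hashes. As an added illustration of that server-side practice (example code written for this page, not Slashdot's own), the following uses PBKDF2-HMAC-SHA256 from Python's standard library with a fresh random salt per record, a constant-time comparison on verification, and a check for records that fall behind the current iteration policy. The record layout and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed example for this page, not Slashdot's code.
# Record layout (an assumption): algorithm$iterations$salt_hex$hash_hex
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # deliberately slow; tune to the server's hardware
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh random salt and return a self-describing record."""
    salt = os.urandom(SALT_BYTES)   # unique per record: equal passwords get different hashes
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the salt and parameters stored in the record.

    The comparison is constant-time so that timing does not reveal how many
    leading bytes of the stored hash the candidate matched.
    """
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:          # malformed record: wrong field count, bad hex or bad int
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record uses fewer iterations than the current policy (or an
    unknown format), so it can be upgraded on the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print(verify_password(record, "hunter2"), verify_password(record, "hunter3"))
```

Because the salt lives inside the record, two users with the same password produce unrelated hashes and a leaked table cannot be attacked with one precomputed lookup; the iteration count is stored as well so that the policy can be raised later without invalidating existing accounts.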

Re:Websites are responsible too (1)

jeffmeden (135043) | more than 3 years ago | (#33873610)

Where is the (-1 "it's a trap!") mod when you need it...

Re:Websites are responsible too (0)

Anonymous Coward | more than 3 years ago | (#33874058)

More like the (+1 "it's a trap!") mod, you mean.

Re:Websites are responsible too (1)

Kvasio (127200) | more than 3 years ago | (#33874306)

rate parent "-1, hunter2"

Re:Websites are responsible too (2, Funny)

Anonymous Coward | more than 3 years ago | (#33873688)

********

Holy crap, it actually worked.

Re:Websites are responsible too (0)

Anonymous Coward | more than 3 years ago | (#33873712)

Really? hmm.. guylover85

Re:Websites are responsible too (1)

0100010001010011 (652467) | more than 3 years ago | (#33873772)

Yep. All I saw was.

Really? hmm.. **********

Re:Websites are responsible too (0, Redundant)

Timmmm (636430) | more than 3 years ago | (#33873920)

-10, really really unoriginal.

Re:Websites are responsible too (1)

WrongSizeGlass (838941) | more than 3 years ago | (#33873940)

My password is: 'slashtard'

It doesn't seem to hide it the 'preview' mode. I guess the only way to find out is to trust 'submit'.

Re:Websites are responsible too (1)

WrongSizeGlass (838941) | more than 3 years ago | (#33873972)

Hey! It doesn't work!

I guess I don't need to change it because everyone will think I did ... I mean, how stupid could I be?

Re:Websites are responsible too (4, Funny)

Abstrackt (609015) | more than 3 years ago | (#33874056)

My password is ********, you insensitive clod!

Re:Websites are responsible too (1, Funny)

Anonymous Coward | more than 3 years ago | (#33874072)

You're right! Every time I type in hunter2 it shows up as *******.

Re:Websites are responsible too (5, Funny)

VGPowerlord (621254) | more than 3 years ago | (#33874216)

You're right! Every time I type in ******* it shows up as *******.

Well, DUH.

I have auto-login turned on and now I can't remember what I set my ******** to. I think I made it something easy for me to remember, though.

Re:Websites are responsible too (1)

tgatliff (311583) | more than 3 years ago | (#33874154)

In my opinion, the real issue is the current technology on passwords. Everything should be implemented with a smart card command / challenge implementation. Passwords are by their very nature insecure.

Re:Websites are responsible too (1)

mcgrew (92797) | more than 3 years ago | (#33874222)

Well, the strength of your password depends on what you're guarding. My house doesn't need a bank vault door, and I don't keep any sensitive information in my home computers. That said, I do use strong passwords for them; stronger than my work password, which is stronger than my yahoo email password.

And if I'm in my living room by myself, there's little need for the password to display "************". Of course, in the case of slashdot, if I'm in the library that "************" is pretty handy.

Re:Websites are responsible too (1)

rockNme2349 (1414329) | more than 3 years ago | (#33874282)

you can go hunter2 my hunter2-ing hunter2

Survey Shows How Stupid People Are (5, Funny)

Superken7 (893292) | more than 3 years ago | (#33873604)

was the "with passwords" part actually needed in the title? ;)

Re:Survey Shows How Stupid People Are (3, Funny)

Anonymous Coward | more than 3 years ago | (#33873654)

Was a survey actually needed either?

Re:Survey Shows How Stupid People Are (1)

sortadan (786274) | more than 3 years ago | (#33873744)

I like how they list both that "2 in 10 have used a significant date..." and later list it again as "20 percent have used a significant date in a password." (it's for the stupid people who can't work out what 20% of 10 is I guess).

Re:Survey Shows How Stupid People Are (1)

h4rr4r (612664) | more than 3 years ago | (#33873826)

In a password could be ok though, as a password not.

"10-10-10" is a bad password

"Utt(001010&i!B" is a fine password that has this date in it.

What about logging in over public WiFi? (4, Insightful)

Superken7 (893292) | more than 3 years ago | (#33873666)

From TFA:
" 30 percent logged into a site requiring a password over public WiFi (vs. 21 percent overall)"

So what? That's what SSL and certificates are for. Entering your password in a public computer - well, that's another story.

Re:What about logging in over public WiFi? (2, Insightful)

nine-times (778537) | more than 3 years ago | (#33873864)

There are still a lot of services that use passwords but don't use (or at least don't force you to use) HTTPS.

Re:What about logging in over public WiFi? (3, Insightful)

janeuner (815461) | more than 3 years ago | (#33873988)

Which has nothing to do with "How Stupid People Are With Passwords"

Re:What about logging in over public WiFi? (4, Insightful)

interkin3tic (1469267) | more than 3 years ago | (#33874118)

Also seems like he's making a fuss over nothing when it comes to 41% sharing passwords. Sharing passwords with strangers online is one thing. Sharing a password with your wife, assuming you trust her, not that big of a deal.

Re:What about logging in over public WiFi? (2, Insightful)

DrgnDancer (137700) | more than 3 years ago | (#33874240)

Especially for say.. our shared bank account. I think my wife might be a bit annoyed if I locked her out of the money she earned half of. "It's all in the name of password security dear, no worries"

Re:What about logging in over public WiFi? (2, Insightful)

interkin3tic (1469267) | more than 3 years ago | (#33874254)

I think my wife might be a bit annoyed if I locked her out of the money she earned half of.

Exactly. I'm in far more danger if I don't share my password than if I do.

Myth of stupid people... (2, Insightful)

blahplusplus (757119) | more than 3 years ago | (#33873670)

The way the password systems were designed was stupid to begin with. Programmers designed password systems for people like themselves. The real issue is, programmers did not foresee the internet and the need for easy authentication at multiple sites with strong keys.

I still don't know why Microsoft and other OS makers have not bought out roboform to integrate it into their OS and change the culture over time.

http://www.roboform.com/ [roboform.com]

Roboform generates unique passwords and makes "click button" authentication easy, and you can back up your encrypted passwords on USB sticks, etc.

Re:Myth of stupid people... (1)

h4rr4r (612664) | more than 3 years ago | (#33873868)

It also means roboform has your IP and the password they gave you. Which seems like valuable information.

Re:Myth of stupid people... (3, Interesting)

BarryJacobsen (526926) | more than 3 years ago | (#33873922)

The way the password systems were designed was stupid to begin with. Programmers designed password systems for people like themselves. The real issue is, programmers did not foresee the internet and the need for easy authentication at multiple sites with strong keys.

I still don't know why Microsoft and other OS makers have not bought out roboform to integrate it into their OS and change the culture over time.

http://www.roboform.com/ [roboform.com]

Roboform generates unique passwords and makes "click button" authentication easy, and you can back up your encrypted passwords on USB sticks, etc.

Because having unique passwords for every site makes it very difficult to use another computer at random. Storing on a USB stick is great, except when I want to log in from my iPhone and need to find some way to view that password. Or lose my USB stick and want to check my e-mail while in Russian on business. Simply put, it's terribly inconvenient for the average end user - the only way that they'd be willing to go along with it is if the passwords could be retrieved over the internet with a master password - which would give a single point of failure and be even less secure than the current system.

Re:Myth of stupid people... (1, Informative)

Anonymous Coward | more than 3 years ago | (#33873978)

On the Mac and iPhone, we have 1Password. They sync up either locally, or via Dropbox. Makes it super convenient to carry around my keychain.

Re:Myth of stupid people... (1)

blahplusplus (757119) | more than 3 years ago | (#33874066)

Did you read the article? Roboform is not a cureall but it would help in many instances of password stupidity, i.e. using one password for all sites that you have to *remember*. The reason people use the same password for multiple sites is the cost of remembering them, so if you offload the remembering part to a program like roboform that can automatically generate long random strings as passwords and store them locally in encrypted files, you go a long way to preventing some types of problems.

Re:Myth of stupid people... (1)

BarryJacobsen (526926) | more than 3 years ago | (#33874170)

store them locally in encrypted files, you go a long way to preventing some types of problems.

This is precisely the problem. I don't want my passwords only stored locally. If I wanted my data to be accessible from only one location in the world, I wouldn't have it be on the internet, I'd have it encrypted and stored locally.

Re:Myth of stupid people... (4, Funny)

thePowerOfGrayskull (905905) | more than 3 years ago | (#33874142)

and want to check my e-mail while in [a?] Russian on business

That's some business!

Re:Myth of stupid people... (1)

BarryJacobsen (526926) | more than 3 years ago | (#33874204)

and want to check my e-mail while in [a?] Russian on business

That's some business!

It pays the bills... :P

Re:Myth of stupid people... (1)

betterunixthanunix (980855) | more than 3 years ago | (#33874238)

The password systems were stupid to begin with

FTFY. Passwords are probably the least secure method of authentication; I don't know why we still rely on them, when there are so many better ways to do things.

I'm not convinced this is as bad as described. (4, Insightful)

JoshuaZ (1134087) | more than 3 years ago | (#33873678)

For example, the article asserts that 4 out of 10 people have shared a password in the last year. I've done that. I shared the password to one of my email accounts with my twin who needed access. And after he was done I changed the password. Much of the data here is very hard to actually show is bad without more context for what exactly people were doing. Also, while we're discussing these issues, obligatory xkcd - http://xkcd.com/792/ [xkcd.com] .

Re:I'm not convinced this is as bad as described. (3, Insightful)

master_kaos (1027308) | more than 3 years ago | (#33873768)

Exactly. I have "shared" my password to for different accounts. I change my password, give them the new changed password, after they are done with it change it back. And using the same password with multiple sites? So what? For shit I don't care about, if my account gets compromised I used my generic password. For my secure stuff I will use different passwords.. but sometimes they are the same or close to it.

Re:I'm not convinced this is as bad as described. (2, Insightful)

mattdm (1931) | more than 3 years ago | (#33873806)

Or "30 percent logged into a site requiring a password over public WiFi" -- which is perfectly fine if the site has the right SSL cert.

Re:I'm not convinced this is as bad as described. (0)

Anonymous Coward | more than 3 years ago | (#33873840)

Not only that but the numbers are actually much better than I would have expected. Not bad at all. It seems MOST people are actually doing the right thing which is a big deal considering that most people have not been online all that long.

Re:I'm not convinced this is as bad as described. (0)

Anonymous Coward | more than 3 years ago | (#33873952)

Agreed. And I use the same password at multiple sites - for example Slashdot and Ars Technica. I don't use that password for email, bank sites, etc., where it matters if someone got my info. But if someone got my Slashdot password, what are they going to do? Wreck my karma with trolls?

Re:I'm not convinced this is as bad as described. (4, Interesting)

Kjella (173770) | more than 3 years ago | (#33874132)

Seriously, either you rely on password reuse, you have the world's greatest memory, or you're vitally dependent on some software to track your passwords and if you lost that, you've lost everything.

In order of difficulty and importance I remember roughly four passwords:

1. The full disk encryption, it's for everything I don't trust the intartubes with.
2. My online bank password, you can pull a lot of BS but don't touch my money.
3. My webmail password - both as it's personal and as it gives other logins.
4. My "everything else" password - for most forums and shit.

That does not count the PIN on my ATM card, my logins at work or any of the other of the many things I ought to remember. That also doesn't count that I regularly have to swap between three different user ids because "Kjella" is often taken. That's enough for one mind, and I've heard I'm fairly good at remembering things. For people that seem to have enough just remembering their PIN I just don't see it happening without help. And given the reliability of HDDs and most people's ability to take backups, I'd suggest a note in your wallet. And maybe a backup of that too, since I know several who have lost their wallet or had it stolen.

Working in an enterprise (3, Interesting)

suso (153703) | more than 3 years ago | (#33873694)

Working in an enterprise, one of the biggest excuses I hear from people when I talk to them about password security is they will say "oh my account doesn't do much" or "it's not a big deal if someone gets my stuff".

They have no idea that it's not so much about them having their stuff (which incidentally probably indeed doesn't matter much), but just people having access to accounts that they shouldn't. I usually tell them why it's important after they give me an excuse like that. But most people just don't seem to care. But of course they care when something happens.

Simple: It's not their problem. (4, Insightful)

maillemaker (924053) | more than 3 years ago | (#33874018)

Users are careless with their workplace computers because it's not their data and they don't care what happens to it.

Re:Working in an enterprise (1)

HungryHobo (1314109) | more than 3 years ago | (#33874036)

In most places security is on the honor system.

I became distinctly aware of this in university and assumed it was just academic institutions which tend to be fairly open but then I went to work at a large multinational well known tech company and things were no better.

Passwords on postits, weak and predictable passwords, hardcoding admin passwords into scripts, unprotected resources, security holes in apps you could drive a car through etc etc etc
There was vastly more lip service given to security in the multinational but if anything the uni systems were more secure.

Hell even game theory comes into it a little.
I knew security was shocking in my entire department but if you made a big deal about it the main outcome would be to create a load of work for your teammates and piss them all off with no reward and it would be like patching holes in a sieve anyway.

Uhm... (0, Redundant)

ihatejobs (1765190) | more than 3 years ago | (#33873706)

People are stupid. News at 11.

LastPass (0)

Anonymous Coward | more than 3 years ago | (#33873708)

Best password solution available.

hunter2 (0, Redundant)

hansamurai (907719) | more than 3 years ago | (#33873714)

What? ******* isn't good enough for you? I love how the new Slashdot converts your password into asterisks! So convenient!

Re:hunter2 (1)

The MAZZTer (911996) | more than 3 years ago | (#33873804)

Really? I'll try it.

hunter2.

You sure? I don't see asterisks...

Re:hunter2 (0)

Anonymous Coward | more than 3 years ago | (#33873836)

It's cool, I see them.

They are so hott I printed them out and put them in my butt.

Re:hunter2 (0)

Anonymous Coward | more than 3 years ago | (#33874184)

parishilton "Thats Hawwwt" /parishilton

Re:hunter2 (1)

mcmonkey (96054) | more than 3 years ago | (#33874090)

No, it works!

What everyone else sees is:

Really? I'll try it.

*******.

You sure? I don't see asterisks...

Re:hunter2 (1)

Anne Thwacks (531696) | more than 3 years ago | (#33873984)

I hate how my mobile phone converts the password to ******, cos when you have to press a key multiple times for a letter within a fixed time, it's hard to get it right if you can't see what you are doing - especially if the phone is so **** you are not sure how long it takes to respond to a key press, and you are interrupted while entering it.

With Skype you can't tell whether it failed to recognise your password, or just crashed. I can't see what concealing passwords is the solution to on a phone, apart from an effective way of annoying users. You can easily hide the phone or not enter the password while it's visible.

Easy (5, Funny)

zill (1690130) | more than 3 years ago | (#33873726)

It's a bad idea to use the same password everywhere, so I just set the password as my username and pick a new username on every website.

Re:Easy (0)

Anonymous Coward | more than 3 years ago | (#33874246)

I remember back when Easynews used to let you pick your own username and had no check that your password was different or even a good password. Fire up a proxied brute force tester and you'd get a list of valid u:p like "cathrine:cathrine" "daniel:daniel" etc. as people really are that careless. Good times, but no wonder they came to an end.

Re:Easy (5, Funny)

zill (1690130) | more than 3 years ago | (#33874248)

Hahahaha disregard that, I suck cocks.

But I thought... (1)

jbarr (2233) | more than 3 years ago | (#33873742)

What, you mean "password" isn't a good enough password? I figured the more obvious it was, the less likely someone would actually try to use it!

Re:But I thought... (5, Funny)

Abstrackt (609015) | more than 3 years ago | (#33874096)

What I find works best is taking the first letter of every word in an easy to remember phrase. For example, "poor aunt sally slipped while out racing dogs". Er, wait...

30% remember their passwords by writing them down (4, Insightful)

Superken7 (893292) | more than 3 years ago | (#33873764)

Also, regarding: "And 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer."

I think writing down your password isn't that bad of a choice (especially for online passwords, not the one that logs you into your computer).
I'm not the only one who thinks that way: http://www.schneier.com/blog/archives/2005/06/write_down_your.html [schneier.com]

Re:30% remember their passwords by writing them do (1)

h4rr4r (612664) | more than 3 years ago | (#33873900)

But a desk drawer is a terrible place to keep that paper, in your wallet is a much better place.

Re:30% remember their passwords by writing them do (4, Insightful)

nine-times (778537) | more than 3 years ago | (#33873916)

Yeah, it depends on what you're protecting against. If the purpose of online passwords is primarily to prevent other online users from accessing your account, then writing the password down in a notebook on your desk is safe. Insofar as the purpose is to protect your account from someone who has access to your desk, it's not safe.

It's important to remember that security depends on context.

Re:30% remember their passwords by writing them do (3, Insightful)

Tridus (79566) | more than 3 years ago | (#33874290)

Considering this "article" also rails on people for not using a different password on every website, I don't know what he expects people to do with them.

When you throw 100 passwords at people and want to enforce "strong" passwords on all of them (which he also complains about), what option do people have but to store them somewhere? Paper is a useful media for this purpose.

This article is bullshit, really. Some of the things he complains about are the direct cause of other things he complains about. Make up your fucking mind.

Password authentication is dumb (5, Insightful)

dredwolff (978347) | more than 3 years ago | (#33873766)

So, what, we're supposed to have a different password with special characters and nothing significant to us (like dates) for each of the 150 online accounts we have? Oh, and if we write down the passwords somewhere so we don't forget them we're dumb too? Whatever! Maybe if we all had photographic memories that would be a realistic option, but there's just no way it's going to happen like that.

It's just a crappy system, we should be using public key encryption with our private keys stored on a USB key - or some other similar scheme, where we don't have to memorize a million randomized passwords in order to not have our identity stolen.

pwdhash FTW (5, Interesting)

BlackPignouf (1017012) | more than 3 years ago | (#33873918)

One very good solution is to use pwdhash:
https://www.pwdhash.com/ [pwdhash.com]

You can install it as a local plugin for Firefox or as bash/ruby scripts on your computer.
You only need to remember one strong master password, and forget about the rest.

You get something like this, depending on domains (no phishing!) & the length of your master password:
+1xhTRy7T for ebay.com
fRrL2nI7+ for amazon.com
TYZyfI0u+ for facebook.com
3yL+WQBF7 for skype.com
+KwIr4FId for delicious.com

Enjoy!

Re:pwdhash FTW (2, Insightful)

Fumus (1258966) | more than 3 years ago | (#33874294)

Unfortunately, on the rare occasion that the computer breaks and I'd want to log in on ebay from another computer I am kind of screwed since there is no way I can remember a random hashed password.

Re:Password authentication is dumb (2, Interesting)

h4rr4r (612664) | more than 3 years ago | (#33873926)

So make them longer and less randomized.

Pick a new sea shanty for each site and replace some of the letters with numbers or symbols. People easily remember songs, so a couple verses should be no big deal.

Re:Password authentication is dumb (0)

Anonymous Coward | more than 3 years ago | (#33873934)

COMPUTER CHIPS in our EYES that TRANSMIT KEY SIGNALS!!!

Re:Password authentication is dumb (3, Interesting)

Cthefuture (665326) | more than 3 years ago | (#33873948)

It's just a crappy system, we should be using public key encryption with our private keys stored on a USB key - or some other similar scheme, where we don't have to memorize a million randomized passwords in order to not have our identity stolen.

You can actually do that now with OpenID and a smartcard (actually, you don't need the smartcard but it's more secure than a USB/flash dongle).

Problem is most places don't implement OpenID (yet?).

Re:Password authentication is dumb (2)

Tom_Yardley (587588) | more than 3 years ago | (#33874040)

"We should be using public key encryption with our private keys stored on a USB key." Yeah, that, or get an American Express card and do business with a firm that does not make you pay for goods or services you don't get. When I lose my AmexCard they overnight me a new one and I'm good to go; what happens when you drop your USB key down the storm drain?

Re:Password authentication is dumb (1)

bitslinger_42 (598584) | more than 3 years ago | (#33874052)

For most things, a decent, random password isn't that bad. You can combine a password manager program, like KeePass, with a file sync solution, like Dropbox, and gain several security benefits without sacrificing much (if anything).

In my case, I've got 50-75 accounts on various websites, each one has a different strong password (i.e. 15 characters of mixed-case alpha, numeric, and special characters), but the only password I absolutely have to know is the passphrase for my KeePass database, which is significantly stronger. KeePass handles filling in the login credentials, I don't have to even try typing the passwords, it clears the clipboard when it's done, so it's fairly tough for malware to grab them out of memory, and Dropbox ensures that I've got a cached copy on nearly every device I use, including my phone.

Compare that with the problems of PKI: if I lose my USB, I've lost access to site accessed with those keys; certificates are only really useful if you've done some form of vetting to confirm that I am who I said I am, which means either costly, time-consuming processes for registering or the use of large, "trusted" 3rd parties, which have been subject to a variety of attacks over the years (think: virus writers getting a legitimate certificate from a major vendor with a hostname in the microsoft.com domain).

Why go through the expense, complexity, and risks posed by all keys on a single USB drive when there are perfectly useful password-based solutions already available that don't involve me trusting parties I don't know?

Re:Password authentication is dumb (1)

gad_zuki! (70830) | more than 3 years ago | (#33874220)

Make a hash or unique identifier in your head. Say your password for amazon is "dogstar" and you use that password everywhere. Well, for amazon it can be "amdogstar" for slashdot "sldogstar" etc. If you feel that's too obvious for an attacker then instead of just appending sl for slashdot, use the keys above sl, so you get "wodogstar." Once you get a system going it'll be easy to do in your head. No need for any third-party utilities, keys, etc.

I wouldn't do this for banking sites or anything especially sensitive. I have memorized a unique password for my bank and for paypal on top of my day to day scheme.

I also use a junk gmail address for registering for forums and such. It saves me spam and also doesn't let an attacker know my real address, so they have a hard time correlating the two.
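Both the pwdhash post above and this "hash in your head" scheme derive a per-site password from one secret plus the site's name. The following is an added illustration of the mechanical version of that idea, written for this page; it is not pwdhash's actual algorithm and not code from either poster. It assumes HMAC-SHA256 keyed with the master password over a normalised hostname, base64-encoded and truncated; the hostname normalisation (lowercase, drop a leading "www.") is a simplification that does not handle multi-part public suffixes such as co.uk.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed illustration for this page, not the pwdhash algorithm.


def site_key(url: str) -> str:
    """Reduce a URL or bare hostname to the name the derivation is bound to.

    'https://www.Example.com/login', 'http://example.com' and 'example.com'
    all map to 'example.com'. A lookalike host such as 'example-login.com'
    maps to a different key, so it gets a different derived password.
    """
    if "://" not in url:
        url = "https://" + url          # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_password(master: str, url: str, length: int = 12) -> str:
    """Derive a site-specific password from the master secret and the site key.

    HMAC keeps the master password out of the output: knowing the derived
    password for one site does not reveal the master or another site's value,
    unlike a visible prefix/suffix scheme such as 'amdogstar' / 'sldogstar'.
    """
    mac = hmac.new(master.encode("utf-8"), site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample, not a real secret
    for site in ("ebay.com", "https://www.amazon.com/", "facebook.com", "ebay-secure-login.com"):
        print(f"{derive_password(master, site)} for {site_key(site)}")
```

The trade-off Fumus raises still applies: the derived passwords are not memorable, but because the derivation is deterministic, any machine running the same algorithm with the same master password regenerates them, so nothing needs to be stored or synchronised.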

Re:Password authentication is dumb (1)

houghi (78078) | more than 3 years ago | (#33874264)

Full ack. If so many people have problems with the system, then perhaps it is not the people who are at fault, but the system.

Re:Password authentication is dumb (1)

Lumpy (12016) | more than 3 years ago | (#33874288)

Out of 150 online accounts only 5 of mine matter. So those 5 have their own secure passwords. All the rest have a really easy to remember password that honestly has not changed for 10 years now. It's 12 characters in length and very easy for me to remember and type.

It's utterly foolish to do Fort Knox level passwords on your icanhazcheezburger.com account.

Re:Password authentication is dumb (0)

Anonymous Coward | more than 3 years ago | (#33874296)

So, what, we're supposed to have a different password with special characters and nothing significant to us (like dates) for each of the 150 online accounts we have? Oh, and if we write down the passwords somewhere so we don't forget them we're dumb too? Whatever! Maybe if we all had photographic memories that would be a realistic option, but there's just no way it's going to happen like that.

It's just a crappy system, we should be using public key encryption with our private keys stored on a USB key - or some other similar scheme, where we don't have to memorize a million randomized passwords in order to not have our identity stolen.

Exactly! I like where you went with this!

Share? More like volunteer. (1)

boristdog (133725) | more than 3 years ago | (#33873810)

Anyone who has ever worked in any form of tech support can tell you that most people readily volunteer their password to anyone they think they need help from in the tech community, even though we didn't need it or ask for it.

"Can you show me how to make the font bigger? My password is kitty123."

The really distressing thing... (2, Interesting)

AthanasiusKircher (1333179) | more than 3 years ago | (#33873814)

Younger people are especially likely to take online security risks. Webroot found that among 18 to 29 year-olds...

The bad practices don't surprise me. But it's disturbing that younger people are more lax about security, even though they are (by and large) more tech-savvy than older folks. I realize this is also the MySpace/Facebook generation that broadcasts personal information all over the internet, but these stats aren't just dumb teenagers.

If anything, I would hope that people who are more familiar with technology would understand the risks better, but that's not the case here... and that's perhaps a more worrying trend than the overall disregard of safe practices.

Re:The really distressing thing... (4, Interesting)

Anonymous Coward | more than 3 years ago | (#33873968)

perhaps young people do understand online security better. Most of the supposed sins highlighted in the article are junk. Perhaps young people better understand the much more well thought out: http://news.slashdot.org/story/10/03/16/1931214/Users-Rejecting-Security-Advice-Considered-Rational

Re:The really distressing thing... (3, Insightful)

AthanasiusKircher (1333179) | more than 3 years ago | (#33874318)

perhaps young people do understand online security better. . . http://news.slashdot.org/story/10/03/16/1931214/Users-Rejecting-Security-Advice-Considered-Rational [slashdot.org]

Thanks for the link. The article is interesting. However...

Most of the supposed sins highlighted in the article are junk.

That's not what the article from your link says. I quote from it:

While we argue that it is rational for users to ignore security advice this does not mean that the advice is bad. In fact much, or even most of it is beneficial. It's better for users to have strong passwords than weak ones, to change them often, and to have a different one for each account. That there is benefit is not in question. However, there is also cost, in the form of user effort.

In other words, the linked article is about why users may be acting in a rational manner (in economic terms) by ignoring security advice, not that the advice is "junk." Getting fire insurance is also a waste of time and money for most people (and perhaps not getting it could be considered a "rational" decision according to some economic logic), but if your house burns down, you might have some real problems.

The reality is that people who better understand online security find that there are plenty of solutions out there to make their lives as easy (if not easier) than those who engage in bad security practices. Just because you don't reuse passwords doesn't mean you have to have them all memorized, for example. There are effective ways to manage such things without a high user cost in time and effort.

If people understood online security better, they'd make use of such technological solutions to be both safe and efficient. That's not what TFA says, though.

Re:The really distressing thing... (0)

Anonymous Coward | more than 3 years ago | (#33874242)

Actually, studies have shown they aren't more tech savvy. They just waste more of their time with electronic devices. Ask them how it works and they have no answer or interest in learning it. Just using it. AKA a borg drone.

Re:The really distressing thing... (1)

deapbluesea (1842210) | more than 3 years ago | (#33874256)

they are (by and large) more tech-savvy than older folks

No, they are not. Younger generations by and large use technology to a greater extent than older folks. They also generally have no clue how any of it works.

I teach introductory computer science at the college level. You would be amazed at how little current college freshmen know about their computers. To them, it should just work (no, that's not a Mac plug). They want Facebook, email, etc. and they just want to use it as a tool. Much like electricity, the food supply, bulk distribution, etc., few people know how it works, they just know how to use it when needed.

I was cured all right... (1)

digitaldc (879047) | more than 3 years ago | (#33873838)

FTA: "Smarten up, folks. It's really not so hard to setup some solid password practices. Again, since most of our readers don't really fall in this category, at least try to open the eyes of those around you."

Are we talking 'A Clockwork Orange' style? [pbs.org]
Otherwise, I don't think anything can help.

Among the findings (3, Insightful)

janeuner (815461) | more than 3 years ago | (#33873866)

4 in 10 respondents shared passwords with at least one person in the past year.
> 4 in 10 are married?

  Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised. (A separate recent study revealed that 75% of people use the same password for Social Networking Sites and their email accounts)
> If I have a hotmail account and a twitter account, which I never use, should I create strong, unique passwords for both? Why?

  Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords.
> Examples of weak passwords: Pingeico4 due7Johh Eexee9ot Soobanah6 Ja3sahte

  2 in 10 have used a significant date, such as a birth date, or a pet's name as a password – information that's often publicly visible on social networks.
> Some people have disposable passwords for useless login credentials. A New York Times account doesn't require a strong password.

Most of these conclusions are neither scary nor stupid.

Two words: (2, Interesting)

pigiron (104729) | more than 3 years ago | (#33873888)

retinal scan

Re:Two words: (1)

wiredog (43288) | more than 3 years ago | (#33874342)

And what do you do when someone steals your eye?

Webmasters should already assume this. (0)

Anonymous Coward | more than 3 years ago | (#33873890)

If you want to keep your users safe you should issue them a secure random password by default and make them log in with it at least once before giving them the option of changing it. That way many of them will just store the password in their browser and not bother changing it to something that they use elsewhere. Weak passwords shouldn't be allowed at all.

Ideally you wouldn't want them saving it in the browser to begin with and can prevent that if you wish, but if you make them remember the password they are probably going to use a password that is also used on other sites.

Password (2, Insightful)

kellyb9 (954229) | more than 3 years ago | (#33873936)

I've been using a variation of the same password for years. It was secure when I first started using it; it's not so secure anymore. Although, if it were any more secure, not even I would know what my password was. Password security is getting nearly impossible considering many sites and resources expect you to update your password every few months.

Pot, meet kettle (2, Funny)

Astatine (179864) | more than 3 years ago | (#33873956)

"86 percent do not check for a secure connection when accessing sensitive information when using unfamiliar computers"

Seriously, now. A website with "security" in the title really ought to at least try to present credible security analysis!

*facepalm*

Users aren't the only stupid people (1)

mcmonkey (96054) | more than 3 years ago | (#33873974)

Yes, we all have a gay old time making fun of those stupid users. But to be fair, we're talking about systems that should have been designed with the expectation that they would be used by stupid people. Yet these systems do not take that into account. There must be a lot of stupid developers and admins.

4 in 10 respondents shared passwords with at least one person in the past year

Sure. I have accounts with information I share with my wife. For example, our joint bank account. [Do not feel free to add rant about online banking here.] One bank account = one set of sign in credentials. So how do we work this situation without sharing passwords?

Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised. (A separate recent study revealed that 75% of people use the same password for Social Networking Sites and their email accounts)

I have a dozen different systems with separate sign-ons at work. No, this is not exaggeration. I am actually rounding down to a dozen. Should I remember a dozen different passwords? Because of course it's a no-no to write them down.

And that's just at work. Add to that the dozen or so social sites (/., fb, support boards for my tv, car, universal remote, NAS, DVR, etc.)

Is there anyone who doesn't reuse passwords? I bet it's just the folks using some password manager app. For those folks: did you write that app yourself? No? And yet you trust it with all your passwords?

Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords.

Why is this on a list of stupid things users do? I've seen plenty of systems that did not allow special characters in passwords. Admins can be stupid as well.

And this is actually not a good point at all. Allowing (or requiring) more characters in the password is better than adding special characters to a shorter password.

And see the previous point about reusing passwords. When I change my passwords at work, I choose a password that conforms to the least secure system (lowest max character limit, fewest allowed character classes, etc.) so that I can have a single password for all those systems.

2 in 10 have used a significant date, such as a birth date, or a pet's name as a password - information that's often publicly visible on social networks.

Okay. This is stupid.
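The claim in the comment above that a longer password beats a shorter one padded with special characters is easy to check with numbers. The following is an added example, not code from the thread or from any of the commenters: it computes the entropy of a uniformly random password for a few alphabet sizes and compares an 8-character all-printable policy with a 12-character lowercase-only one. The guess rate used for the brute-force estimate is an assumption for illustration; real user-chosen passwords are far below these ceilings, so treat the bit counts as upper bounds.

```python
import math

# Added example, not from the Slashdot thread: quantify "longer beats more
# character classes". Entropy assumes every character is drawn uniformly from
# the alphabet, which is the best case; user-chosen passwords are weaker.

LOWER = 26          # a-z
LOWER_DIGITS = 36   # a-z, 0-9
MIXED_DIGITS = 62   # a-z, A-Z, 0-9
PRINTABLE = 95      # ASCII 0x20-0x7E, i.e. with "special" characters


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of this length."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("need length >= 1 and alphabet_size >= 2")
    return length * math.log2(alphabet_size)


def min_length_for(target_bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches target_bits from the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def compare_policies(short_complex: int = 8, long_simple: int = 12) -> dict:
    """8 chars from all printable ASCII vs 12 chars from lowercase only."""
    return {
        "short_complex_bits": entropy_bits(short_complex, PRINTABLE),
        "long_simple_bits": entropy_bits(long_simple, LOWER),
    }


if __name__ == "__main__":
    r = compare_policies()
    print(f"8 printable chars:  {r['short_complex_bits']:.1f} bits")
    print(f"12 lowercase chars: {r['long_simple_bits']:.1f} bits")
    for bits in (64, 80):
        print(f"{bits} bits: lowercase needs {min_length_for(bits, LOWER)} chars, "
              f"printable needs {min_length_for(bits, PRINTABLE)}")
    # Assumed offline attack rate against a fast unsalted hash: 1e10 guesses/s.
    print(f"52.6 bits at 1e10 guesses/s: {years_to_exhaust(52.6, 1e10):.3f} years")
```

Run as a script it shows the 8-character "complex" policy at about 52.6 bits against 56.4 bits for 12 lowercase letters, and that at an assumed 10^10 guesses per second the whole 52.6-bit keyspace falls in days. The practical takeaway for a site operator is to raise the maximum length and allow all characters rather than mandate punctuation.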

Re:Users aren't the only stupid people (1)

0123456 (636235) | more than 3 years ago | (#33874174)

One bank account = one set of sign in credentials. So how do we work this situation without sharing passwords?

We have a joint account and two different logins.

Using the same password (1)

Posting=!Working (197779) | more than 3 years ago | (#33874004)

Using the same password for most of the sites I visit isn't a security risk because those sites themselves aren't that important. If someone hacks my NY Times login, does it matter? What would they do with my message board accounts anyway? Post spam? Hasn't that already happened to a few people you know? It's not a big deal.

Now if you use the same password for your bank, ebay, or paypal, it's a different story. But it's pointless to try to remember dozens of passwords for inconsequential sites.

Telling someone else your password is only a risk if they are untrustworthy. There are a few people who I trust with a lot more than my online information, these people can know my password. If they wanted to screw up my life that's the last thing they'd need or use.

Browser side key repository (1)

Colin Smith (2679) | more than 3 years ago | (#33874076)

Why are we still choosing and typing in passwords? Replace the password repo with a key repo. The site should generate a large random password for each user. We could do it with the password fields now. Simply automatically generate a big (100 character), secure password when someone applies for an account and get them to cut/paste it into the password field; the browser will automatically cache it. The user never has to see it again. Hell, I bet JavaScript could even do it automatically.

keypass safes/password wallets are far more secure than having the same username/password everywhere.
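Both the anonymous "Webmasters should already assume this" comment above and the comment just above this describe the same server-side idea: issue each new account a long random password and refuse weak replacements. The following is an added example of that, not code from the thread or from any commenter. The alphabet, the minimum length and the small common-password set are all assumptions; a real deployment would check candidates against a large breached-password corpus rather than the ten constructed entries here.

```python
import secrets
import string

# Added example, not from the thread: a site generates the initial password
# from a CSPRNG and only lets the user replace it with something that passes
# the weakness check. Storage of the password (salted, slow hash) is a
# separate concern not shown here.

ALPHABET = string.ascii_letters + string.digits + "!?&#-_"   # assumed charset
MIN_LENGTH = 12                                              # assumed policy

# Constructed stand-in for a breached-password list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "hunter2", "trustno1", "iloveyou", "welcome",
}


def issue_initial_password(length: int = 24) -> str:
    """Uniformly random password from the CSPRNG, never user-chosen."""
    if length < MIN_LENGTH:
        raise ValueError(f"initial password must be at least {MIN_LENGTH} chars")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weakness_reasons(password: str) -> list:
    """Policy violations for a user-chosen replacement; empty list == acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Catch the usual dodges: "Password1!" is still "password".
    lowered = password.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if len(set(password)) < 5:
        reasons.append("fewer than 5 distinct characters")
    return reasons


def accept_replacement(new_password: str) -> bool:
    """What the change-password handler calls after the user has authenticated."""
    return not weakness_reasons(new_password)


if __name__ == "__main__":
    pw = issue_initial_password()
    print("issued:", pw, "->", weakness_reasons(pw) or "ok")
    for candidate in ("Password1!", "hunter2", "aaaaaaaaaaaa",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {weakness_reasons(candidate) or 'ok'}")
```

The issued password is what lands in the browser's saved-password store; the user never has to remember it, which is the whole point of the two comments. Note that `secrets.choice` is used for every character: `random.choice` is seeded from a predictable source and must not be used for credentials.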

Re:Browser side key repository (1)

Todd Knarr (15451) | more than 3 years ago | (#33874224)

HTTP and the browsers already allow for that. It's just that sites don't want to use the built-in HTTP authentication mechanism, they want to roll their own based on form submissions.

Lastpass (1)

Maddog Batty (112434) | more than 3 years ago | (#33874080)

So what do people think of Lastpass and the like? It gives a single point of failure and you have to trust them (which I do for everything apart from my bank stuff). It does allow you to use impossible to guess (nor remember!) passwords though with a different one for each account.

Re:Lastpass (1)

Wonko the Sane (25252) | more than 3 years ago | (#33874304)

I think it's awesome. Besides the features you mentioned it has mobile apps to access your passwords from your phone and it will allow you to generate one time passwords so that you can access your passwords from an untrusted computer without worrying about keyloggers.

The password requesters are most of the problem (3, Insightful)

gurps_npc (621217) | more than 3 years ago | (#33874134)

The problems with variable password rules make it harder to create password systems. More importantly, usually we don't really need one. Really, is there any need for a site like moviefone to have a password? I mean really, it's a freaking movie website list. Let them track you with a cookie, not a login and a password. I don't agree to give my credit card number to my grocery store permanently just to get "one click" payout, what possible reason would I do it for a freakin movie ticket. Honestly, even slashdot could work almost as well without a real password. Just set it up so that it has a username that does not show the last 4 letters, and the only way to change the password is by asking them to send a reset to the email account you signed up in. A 4 letter password plus an email reset would work fine for something as unimportant as a tech news site with commenting. I mean really, would it be that horrible if someone stole your slashdot identity? It's not a bank account for god's sake. Or set it up with a camera ID system.
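The e-mailed reset that the comment above leans on, and the one-time passwords mentioned in the Lastpass reply further up, are the same mechanism underneath: a random secret that is stored only as a hash, bound to one account, and valid once and for a limited time. The following is an added example of that pattern, not code from the thread or from any commenter or product. Mail delivery is not shown (the raw token is simply returned), the lifetime is an assumption, and the in-memory dict stands in for a database table.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not from the thread: single-use, time-limited reset tokens.
# Only a hash of the token is stored, so a leaked table yields nothing usable.

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime

# username -> {"hash": sha256(token), "expires": unix time}; stands in for a DB.
_pending = {}


def _token_hash(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def start_reset(username: str, now: float = None) -> str:
    """Create a reset token for username and return the raw token to be e-mailed.

    The caller must not reveal to the requester whether the account exists;
    respond identically either way and only send mail if it does.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits, safe to put in a URL
    _pending[username] = {
        "hash": _token_hash(token),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def complete_reset(username: str, token: str, now: float = None) -> bool:
    """Consume the token: right account, not expired, matches, used at most once."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    if now > entry["expires"]:
        _pending.pop(username, None)    # expired: discard it
        return False
    if not hmac.compare_digest(_token_hash(token), entry["hash"]):
        return False                    # wrong token; rate-limit this upstream
    _pending.pop(username)              # single use: gone on first success
    return True


if __name__ == "__main__":
    t = start_reset("alice")
    print("mail to alice contains:", t)
    print("first use:", complete_reset("alice", t))
    print("replay:   ", complete_reset("alice", t))
```

After a successful `complete_reset` the handler would let the user set a new password and should also invalidate existing sessions for that account. The same store, keyed by a code identifier instead of a username, gives you a printed sheet of one-time passwords: each code is hashed at issue time and popped on first successful use.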

It's Not Carelessness (1)

rebmemeR (1056120) | more than 3 years ago | (#33874140)

Who can remember "aL8+4#ys!Gk=^" ? Should I write it down somewhere? And I should use a different password for each of the 50 services/sites I use? And I should change my password in each site every month? And never repeat a password?

The other end of the stupidity (1)

stefaanh (189270) | more than 3 years ago | (#33874152)

What percentage of online systems store their users' passwords one-way encrypted (let alone encrypted)?

Blame it on SAAS (1)

loom_weaver (527816) | more than 3 years ago | (#33874260)

For work it seems that various departments love to use solutions only available over the internet:

  • Travel booking
  • Expense reporting
  • Time tracking
  • Knowledge base for customer issues
  • SCM
  • Bug tracking
  • Wiki
  • HR info
  • HR health benefits
  • HR paystubs
  • HR retirement investment matching
  • MBO reports
  • Salesforce
  • WebEx

And this is just for work. None of these services have local clients that can run off-line. Only a handful are integrated with AD/LDAP. Finally, several have rotating passwords that need to be changed every month. @#$%#$

Give me a better option! (1)

odin84gk (1162545) | more than 3 years ago | (#33874284)

I hate the fact that I have well over 20 passwords. I also have at least 5 different machines that I need to use.

Give me a better option, please!!!!

What's the point really? (1)

Derekloffin (741455) | more than 3 years ago | (#33874302)

Seriously. Don't ever share, use unique passwords every time, don't write it down, and always make them strong, and thus unmemorable... All rather useless in the end. My 60-some-odd accounts online with weak as hell practices have yet to be hacked (not that I'd care all that much in most cases). The one account I cared about and put heavy protections on got keylogged rendering all that wonderful protection worthless. These security experts really need to clue in and realize that this system of password management for security is impractical, ineffective, and unrealistic.

You're tellin' me. (0)

Anonymous Coward | more than 3 years ago | (#33874320)

I regularly receive RSA tokens w/ PW & UID on them.

Some even take the time to label them w/ a labeling machine.

and they make it all the way back to ME. Unfortunately I have no authority to do anything about this but alert my boss.
