
Passwords Are the Weakest Link In Online Security

CmdrTaco posted more than 3 years ago | from the wish-i-spoke-british dept.

Security 277

Orome1 writes "It's not surprising to find that 79% of consumers use risky password construction practices, such as including personal information and words. The recent Gawker breach and a detailed analysis of breached passwords show undeniably that passwords continue to be the Achilles' heel of the average Internet user. This insecure trend sadly doesn't shift as 26% of users reuse the same password for important accounts such as email, banking or shopping and social networking sites while 29% had their own email or social network account hacked, and over half (52%) know someone who has had a similar problem."


277 comments


Bad Passwords Are the Weakest Link. (1)

John Hasler (414242) | more than 3 years ago | (#34640960)

n/t

maybe we should have some other method of authenti (0)

yincrash (854885) | more than 3 years ago | (#34640990)

cation rather than passwords. clearly human beings are not going to make sure they are secure.

Re:maybe we should have some other method of authe (1)

Anonymous Coward | more than 3 years ago | (#34641498)

cation rather than passwords. clearly human beings are not going to make sure they are secure.

Nothing is more annoying than someone who starts a sentence in the subject and finishes it in the body except maybe someone who starts a WORD in the subject and finishes it in the body.

Re:maybe we should have some other method of authe (1)

Ismellpoop (1949100) | more than 3 years ago | (#34641540)

"Genetic bum print accepted activating Poop-chute."
http://en.wikipedia.org/wiki/Zeroman [wikipedia.org]

You could just do what I do (1)

Pojut (1027544) | more than 3 years ago | (#34641032)

Use made-up words that come from your own brain. Let's see a brute-force script figure out a combination of seven to twelve letters and numbers that, other than as my passwords, don't exist anywhere besides in my head.

Of course, that's irrelevant in something like the Gawker breach, but still...

Re:You could just do what I do (1)

oldspewey (1303305) | more than 3 years ago | (#34641088)

There's a balance between what's secure (a bunch of random characters with no relationship to anything in the real world) and what can realistically be memorized by the average person ... times twenty or thirty variations to account for all the different sites you visit.

For most people, it seems that balance lies somewhere near "have 2 or 3 shitty, easily guessed passwords and reuse them across all my online accounts."

Re:You could just do what I do (1)

Pojut (1027544) | more than 3 years ago | (#34641130)

lol, my wife still uses her high school password for a couple of sensitive things (which is a jumble of random different case letters and numbers), even though she graduated back in 2003.

Re:You could just do what I do (2)

Chrisq (894406) | more than 3 years ago | (#34641332)

back in 2003.

Sigh .... back in 2003. It must be nice to be young.

Re:You could just do what I do (1)

formfeed (703859) | more than 3 years ago | (#34641926)

lol, my wife still uses her high school password for a couple of sensitive things

I know!

Re:You could just do what I do (1)

Low Ranked Craig (1327799) | more than 3 years ago | (#34642062)

Well, I still use the same random passwords I've been using since I graduated in 1986. Now get off my lawn.

Re:You could just do what I do (1)

Chrisq (894406) | more than 3 years ago | (#34641316)

There's a balance between what's secure (a bunch of random characters with no relationship to anything in the real world) and what can realistically be memorized by the average person ... times twenty or thirty variations to account for all the different sites you visit.

For most people, it seems that balance lies somewhere near "have 2 or 3 shitty, easily guessed passwords and reuse them across all my online accounts."

I use a variation on that. Just in case someone from one site has access to my password and guesses it's used on other sites, I append an "easy" password to the end ... meaning that they would go and try someone else's account. For example, a root of Guess24This76is76Hard would be:

Guess24This76is76Hard1FatCountry for Nationwide

Guess24This76is76Hard1Dogleys for barclays

Guess24This76is76Hard1SlaveCard for Master card

Re:You could just do what I do (1)

Cwix (1671282) | more than 3 years ago | (#34641386)

It really isn't that hard to memorize a good password... come up with a phrase or saying you're likely to remember. For our religious friends a Bible verse would work well. Then use the first letter of every word, salt it with something meaningful, and you have a password.

Now is the time for all good men to come to the aid of their country.

nittfagmtcttaotc

Now let's say your favorite number is 25:

nitt2fagm5tctt.aotc

I added a . in there so it's easy to remember that every 4 letters something has to be added.

Now you have a 19 character password that is memorable and secure. Even better if you mix up the case in that password too.
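
As an added illustration (not part of the comment above), here is the passphrase-to-password recipe just described written out in Python so that each step is explicit. The phrase, the number 25 and the `.` marker are the comment's own; the function names, the case-mixing rule (upper-case the first letter of each four-letter block) and the naive entropy estimate are my assumptions. The estimate is there to show what a policy checker would credit the result with, and the comment in the code says why the real guessability is lower than that figure.

```python
import math
import re
import string

# Constructed inputs, taken from the comment above (not code from the commenter).
PHRASE = "Now is the time for all good men to come to the aid of their country."
FAVOURITE_NUMBER = "25"
MARKER = "."   # the comment's reminder that "every 4 letters something has to be added"
EVERY = 4


def acrostic(phrase: str) -> str:
    """First letter of every word, lower-cased; punctuation is ignored."""
    words = re.findall(r"[A-Za-z]+", phrase)
    return "".join(w[0].lower() for w in words)


def mix_case(password: str, every: int) -> str:
    """Assumed rule for the comment's 'mix up the case' suggestion:
    upper-case the first character of every block of `every` characters."""
    chars = list(password)
    for i in range(0, len(chars), every):
        chars[i] = chars[i].upper()
    return "".join(chars)


def salt_every(base: str, every: int, fillers) -> str:
    """After each block of `every` characters (except the last), append the
    next filler: the digits of the favourite number, then the marker."""
    fillers = list(fillers)
    pieces = []
    for start in range(0, len(base), every):
        pieces.append(base[start:start + every])
        if start + every < len(base) and fillers:
            pieces.append(fillers.pop(0))
    return "".join(pieces)


def build_password(phrase: str, number: str, marker: str,
                   every: int = EVERY, mixed_case: bool = False) -> str:
    """Whole recipe: acrostic -> optional case mixing -> salting every N letters."""
    base = acrostic(phrase)
    if mixed_case:
        base = mix_case(base, every)
    return salt_every(base, every, list(number) + [marker])


def naive_entropy_bits(password: str) -> float:
    """What a policy checker credits: log2(alphabet size) per character, with the
    alphabet being the union of the character classes present. This is an upper
    bound: acrostic letters follow English first-letter frequencies and the
    fillers sit at predictable positions, so real guessability is lower."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    pw = build_password(PHRASE, FAVOURITE_NUMBER, MARKER)
    print(pw, len(pw), round(naive_entropy_bits(pw), 1))
    print(build_password(PHRASE, FAVOURITE_NUMBER, MARKER, mixed_case=True))
```

Running it reproduces the comment's `nitt2fagm5tctt.aotc` (19 characters) and the mixed-case variant `Nitt2Fagm5Tctt.Aotc`.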

Re:You could just do what I do (1)

edmicman (830206) | more than 3 years ago | (#34641524)

How the fuck is that memorable? Maybe after a while you'd get the muscle memory to type it in, but initially that is a PITA that would succumb to something easier. "Average" folk aren't going to come up with a phrase, salt it, then pepper it with numbers in their head.

Re:You could just do what I do (1)

oldspewey (1303305) | more than 3 years ago | (#34641852)

I'm sure it's memorable for somebody with Asperger's.

Re:You could just do what I do (2)

markdj (691222) | more than 3 years ago | (#34641568)

But what if one site only allows lower case letters and another requires a mix of lower and upper case and special characters? Are you really going to remember that if you visit the sites infrequently?

Re:You could just do what I do (1)

houghi (78078) | more than 3 years ago | (#34641836)

Or only 6-8 characters (or exactly 6, 7 or 8) are allowed, or no special characters are allowed.

Re:You could just do what I do (3, Interesting)

fwarren (579763) | more than 3 years ago | (#34641726)

Password Composer http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/ [xs4all.nl] is what I use.

For example, http://www.slashdot.org/ [slashdot.org] and my master password of buba yield right(md5sum("slashdot.org:buba"),8), which is fc56e979.

They have a static web form, a bash script, and a greasemonkey script. I have also written a Delphi app that runs on Linux, Windows and Mac that I keep on my memory stick. So all I have to do is remember one master password, for example "buba". And with that master password every site gets a unique password that is hard to crack. I decided about four years back that if anyone ever hacks one password of mine or can fool me into revealing a password to them, that is all they get: one password.

The ironic thing is the only site that I use a regular password that I came up with, that is related to me, that can be broken by a dictionary attack, is the one for my slashdot account. Still the same password I came up with in 1999 or 2000. I assume no one else would want to hijack my opinions.
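
The derivation the comment describes, as an added example that is not the Password Composer project's own code: the per-site password is the last 8 hex digits of the MD5 of `site:master`. The comment reports its digits from `md5sum`, which on a shell pipe would normally hash a trailing newline as well, so the exact digits depend on how the input was fed in; the test therefore checks the format and the one-password-per-site property rather than the literal `fc56e979`. The `hardened_password` function and its parameters are my assumptions, added for the caveat a practitioner would want: MD5 is fast, so a single leaked site password together with the site name lets anyone test master-password guesses offline at full hash speed, whereas an iterated KDF such as PBKDF2 makes every guess cost `iterations` hash calls.

```python
import base64
import hashlib

# Constructed inputs taken from the comment above.
SITE = "slashdot.org"
MASTER = "buba"


def composer_password(site: str, master: str, length: int = 8) -> str:
    """The comment's scheme: right(md5("site:master"), length) as lowercase hex.
    Assumption: no trailing newline is hashed (md5sum reading a pipe usually
    sees one, which changes every output digit)."""
    digest = hashlib.md5(f"{site}:{master}".encode("utf-8")).hexdigest()
    return digest[-length:]


def hardened_password(site: str, master: str,
                      length: int = 20, iterations: int = 200_000) -> str:
    """Added variant (not the tool's): PBKDF2-HMAC-SHA256 keyed with the master
    password and salted with the site name. Each guess at the master now costs
    `iterations` HMAC calls instead of one MD5. Base64 output gives upper case,
    lower case, digits and symbols for sites whose policy demands them."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site.encode("utf-8"), iterations, dklen=30)
    return base64.b64encode(key).decode("ascii")[:length]


def is_hex_of_length(value: str, length: int) -> bool:
    """True if `value` is exactly `length` lowercase hex digits."""
    return len(value) == length and all(c in "0123456789abcdef" for c in value)


if __name__ == "__main__":
    for site in (SITE, "example.com"):
        print(site, composer_password(site, MASTER), hardened_password(site, MASTER))
```

Both functions keep the property the comment values (a compromise of one site's password does not hand over any other site's), but only the PBKDF2 variant makes recovering the master password from a leaked derived password expensive.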

Re:You could just do what I do (2)

John Hasler (414242) | more than 3 years ago | (#34641770)

> ...what can realistically be memorized by the average person ...

And there is the real flaw: not the use of passwords, but the silly notion that average people should memorize them. WRITE THE DAMN THINGS DOWN!

Re:You could just do what I do (1)

mcgrew (92797) | more than 3 years ago | (#34642052)

I just write work passwords down and keep them in my wallet; home passwords are written down and secured by the lock on my front door. IMO "Never write your password down" is incredibly STUPID advice, especially for the root password on your home computer. If you forget your root password you're screwed, unless you're a better cracker than me.

Re:You could just do what I do (1)

Iphtashu Fitz (263795) | more than 3 years ago | (#34641172)

What I do is create passwords based on street addresses that I am familiar with. For example, one password is based on the address where I lived as a child. I seriously doubt anybody outside my family would even know what the address is so it's pretty secure.

Suppose you have an address like 123 Main Street, Jonesville, NY. Just take the key pieces along with some punctuation and a pattern of upper/lower case letters and you can quickly come up with a password like 123ms,J.NY

Change around the punctuation, capitalization, etc. and you've got a fairly easy to memorize mnemonic.

Re:You could just do what I do (1)

Culture20 (968837) | more than 3 years ago | (#34641550)

7 characters? Child's play. Start with a minimum of 15 characters, and increase by four to eight every time you change your password.

Re:You could just do what I do (0)

Anonymous Coward | more than 3 years ago | (#34642042)

...your password would take 160 seconds.

http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html

WRONG (5, Insightful)

binarylarry (1338699) | more than 3 years ago | (#34641078)

Users are the weakest link.

Re:WRONG (5, Insightful)

sco08y (615665) | more than 3 years ago | (#34641166)

Users are the weakest link.

Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?

People can be pretty responsible with secure tokens when they understand the protocol to use them.

Re:WRONG (1)

BagOBones (574735) | more than 3 years ago | (#34641220)

I know many people who misplace their keys frequently.

Re:WRONG (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34641294)

Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?

People can be pretty responsible with secure tokens when they understand the protocol to use them.

Most people leave them lying around for about 8 hours a day while they sleep. I've also seen keys "loaned to a friend" many a time before for a wide variety of reasons. Not that you should be paranoid of your friends, but essentially whatever happens to your keys while not in your possession is out of your control. Perhaps your friends have a habit of leaving keys lying around.

I think a lot of people "understand the protocol" with passwords... They just don't want to follow it.

Re:WRONG (1)

BobMcD (601576) | more than 3 years ago | (#34641820)

I think a lot of people "understand the protocol" with passwords... They just don't want to follow it.

Partly, but also I think a lot of people just don't care. This is the third, fourth, or even fifth time 'OMG GAWKER' has appeared on slashdot, so I'm sure you can find lots of discussion there, but suffice to say that most of these online accounts just aren't that important. Kind of like how I don't lock the doors on my Taurus.

Re:WRONG (1)

houghi (78078) | more than 3 years ago | (#34641942)

They just don't want to follow it.

If nobody wants to follow it, perhaps you should look at what you CAN fix.

Mostly this is focused at 'fixing' human behavior, but if the majority of people have an issue with it, then perhaps it is just a flaw you need to take into your solution.

Re:WRONG (1)

Himring (646324) | more than 3 years ago | (#34641684)

Concur, but not concur, not when it doesn't matter what your password is when you visit digg.com to look at Gran Torino screens, to find later your gmail has been accessed from China, because of a recent .php hack, and finally conclude that digg.com is an infestation due to its very nature of anyone being able to leverage a malicious page to a top site.... A hack where your very strong password was plainly attained on the other side of the globe, but thank god the email account you accessed at the time was your trash one....

When you have an em-effing strong password, and your only error was using Windows, because that's where you play wow, and thank god you're using the authenticator, and you setup separate linux boxes to do sensitive work on, and now you're doubling your spending in computing: one for fun one for work, and you realize your wife's ipad is more secure than anything for fun and leisure, and she beats the hell out of surfing on it and you have no fear, but it sucks and you hate it for yourself with a gd passion....

Yea, used to be users were the weakest link, not anymore....

Basically, wow is now the most secure thing I do bcs of the authenticator. I'm putting my entire family on it. I plan on having them bank there and email there, etc. I can see it now, calling my sister, "mom got killed on the way to the bank...." Sister: WHAT?!?!?!?

Re:WRONG (1)

stonewallred (1465497) | more than 3 years ago | (#34642074)

Eh, common sense and security are much easier than using an authenticator. Now Blizz's idea of using the same user name and password, along with using the user name (which is an email address) on three separate sites (forums, account management and game client), is fucking retarded.

gpg-authentication? (1)

muckracer (1204794) | more than 3 years ago | (#34641090)

Why not upon registration upload one's public GPG key to somesite and then, when logging in, have the server send a challenge (i.e. encrypted with the public key) to the browser/user, where you use your normal secret key and its passphrase to respond. Voila! One keyring to rule them all...

Re:gpg-authentication? (3, Informative)

MickyTheIdiot (1032226) | more than 3 years ago | (#34641158)

You obviously have not had to deal with the average user. I run a web site that has accounts and many non-tech users, and many people can't even understand the concept of a password, let alone asking them to upload a public key. I regularly get complaints that our site isn't "user friendly" because the person can't manage to even remember their username... so anything that is even slightly more complicated or involves something that they don't deal with in everyday life is right out.

Re:gpg-authentication? (1)

muckracer (1204794) | more than 3 years ago | (#34641248)

> anything that is even slightly more complicated
> or involves something that they don't deal with
> in every day life it's right out.

Well, I agree with you, that methods should be close to real life. And that's why passwords suck. But most people do know the concept of a key and if implemented correctly, I can see even average users being comfortable with sticking in a USB-stick, aka key to unlock their computer and remote account(s).

Re:gpg-authentication? (1)

betterunixthanunix (980855) | more than 3 years ago | (#34641422)

I can see even average users being comfortable with sticking in a USB-stick, aka key to unlock their computer and remote account(s).

I cannot see that, to be perfectly honest. Someone will forget to bring the USB stick with them, or lose it, or put it through a washing machine, etc. I am a big fan of cryptographic authentication, but requiring people to carry a physical token around is only going to work if they are committed to security -- which is not true of most people.

The biggest problem is that people want convenience. Passwords, simply put, are so convenient that we will never quite get rid of them. People want to be able to log in from random computers, regardless of what they are carrying with them or who actually owns the computer they are using. Most people do not take security seriously enough to sacrifice a little convenience, at least not until someone takes advantage of them.

Re:gpg-authentication? (1)

MickyTheIdiot (1032226) | more than 3 years ago | (#34641466)

Passwords THEMSELVES aren't considered convenient enough to many non-techs or people that have managed to dodge most of the Internet revolution that I see in my day to day working life... so you can see how changing to even something like a USB key (many not ever using anything USB related in their life) can be just as bad.

Re:gpg-authentication? (2)

markov_chain (202465) | more than 3 years ago | (#34641584)

The biggest problem is that people want convenience

This kind of thinking pisses me off. (Agent Smith voice) If only we didn't have this... problem... these... users... life would be so much easier!

In your honor I'm gonna go and change a bunch of my online account passwords to simple English words. What's that sound I hear? Ah, it must be hackers beating down the doors to read my email. Maybe they will also get into my bank account and pay my bills or something.

Re:gpg-authentication? (1)

muckracer (1204794) | more than 3 years ago | (#34641160)

Would free the server-side from having to store any passwords etc. and render brute-force-attacks (except RSA :-D) a thing of the past...

Re:gpg-authentication? (1)

omgwtfroflbbqwasd (916042) | more than 3 years ago | (#34641228)

That's fine, until someone wants to log in from a different computer where they don't have their private key available.

Re:gpg-authentication? (1)

mlts (1038732) | more than 3 years ago | (#34641388)

Or if the user wants to be anonymous, and have everything they post on their fetish sites be tied to their same userID as they use for everything else.

Of course, we could move to client certificates stored on smart cards which would make the need for passwords moot, but I don't want every single site to know exactly who I am, and allow third party ad trackers to have absolute knowledge of who is visiting, regardless of cookie stomping, adblocking, or other privacy functions.

Re:gpg-authentication? (1)

muckracer (1204794) | more than 3 years ago | (#34641516)

> if the user wants to be anonymous, and have
> everything they post on their fetish sites be
> tied to their same userID as they use for
> everything else.

Well, you can make the key say anything you want. User/KeyID "Furry Donald" is perfectly valid and for authentication purposes it doesn't matter at all. All that matters is that you've got the other half on your USB-stick.

Re:gpg-authentication? (1)

mlts (1038732) | more than 3 years ago | (#34641678)

That is true, but the current spec for client keys uses a CA that wants people's real names and other info. Some don't care if the E-mail address is unique though, so perhaps multiple keys can be used.

In any case, it makes it easier for cross-site advertisers to tie a single person together. Client certs are a boon to security, but a serious blow to anonymity.

Re:gpg-authentication? (1)

muckracer (1204794) | more than 3 years ago | (#34641724)

> That is true, but the current spec for client
> keys uses a CA that wants people's real names and
> other info.

I am not talking your NSA-CA-signed certificate, but GPG keys. You can create your own and it would do nicely for authentication.

Re:gpg-authentication? (1)

mlts (1038732) | more than 3 years ago | (#34641864)

Aha... very true. I was meaning client certs. However, for authentication, PGP/gpg keys just like you state work just as well (if not better, because a self-maintained WOT is more secure than trusting someone else's PKI anyway), and would definitely provide both security and anonymity. PGP keys also work in smart cards, so a key for bouncybunny101@mailinator.com could be easily used and if needed, deleted without having it be linked to one's work key or personal info.

Re:gpg-authentication? (1)

muckracer (1204794) | more than 3 years ago | (#34641978)

Exactly. And the WOT, as cool as it is, is irrelevant here (though it could optionally be used server-side for additional authentication). All you need is the key-pair... any key-pair with any name attached.

Was, btw., very nicely implemented with NYM-(email)-servers, where you can create a virtual persona simply based on your GPG-keys.

Re:gpg-authentication? (1)

muckracer (1204794) | more than 3 years ago | (#34641544)

> That's fine, until someone wants to log in from a
> different computer where they don't have their
> private key available..

Most people do not forget their house or car keys because they got used to needing them. The same could be done for cryptographic keys, if used widely. And that's the chicken/egg issue: it will only make sense to the average user, if all his sites (say 90+%) s/he uses can be opened with that key.

News at 11 (1)

magsol (1406749) | more than 3 years ago | (#34641094)

What will be truly newsworthy is the day when passwords / users aren't the weakest link in security. Until that happens, I'll stay in my underground bunker sipping on Ramen and playing tower defense.

Not ideal case for study (5, Insightful)

Anonymous Coward | more than 3 years ago | (#34641104)

There's lots of buzz going around about the Gawker breach and discussions on how good/bad the passwords were. I looked at the websites that Gawker owned and most of them are tech websites, frequented by people that have some knowledge of security and computer systems.

I would assume that much of the readership is like myself. They know that access to their Gawker account is the most sacred and guarded of personal intrusions, and would thus treat security as the utmost important thing. My Gawker password was the ultimate in high security. It was a 280 character alpha-numeric password containing my social security number, all of my credit card numbers, my date of birth, my address, every password to every other website I use, plus all of my wife's data. That way I know that anyone who tried to crack my Gawker password could never do it, and all my information would be safe.

Wait, no, I got that backwards. Sorry, I used "cock" as the password for Gawker... probably. You see, if I were to log into Gawker, I would assume that the password was about as secure as writing it on the bathroom wall. In addition, I know my browser would remember whatever stupid password I typed and I wouldn't have to remember it for more than 30 seconds. Furthermore, if someone hacked it, and posted a stupid comment as "bullcrapgawkeruser222" I would likely neither notice nor care. If I did care, I would create "bullcrapgawkeruser223" with a password like "cockk".

Even more likely, if I ever commented more than once on any Gawker owned site, I probably just created a new account because I forgot I had an old one.

So, can we stop doing ultra-security analysis on what is probably a bogus set? Next I'm going to see an analysis on how insecure Masterlock combination locks are because the users don't use uppercase letters and punctuation.

Re:Not ideal case for study (1)

Lije Baley (88936) | more than 3 years ago | (#34641390)

The most sensible post here. Please mod up.

really long passwords (2)

theshowmecanuck (703852) | more than 3 years ago | (#34641110)

Hang on, I have to look at my post-it note on the side of my monitor so I can remember all the 20 character complicated passwords for each web site I visit and secure application I use. Especially since I can't remember them as well since I started changing them every six weeks.

Passwords become pointless when you can't remember them and can no longer access the site/service/program that they were put there to protect. Passwords are pointless when you have to keep cheatsheets in order to 'remember' them (cheatsheets that can be stolen, copied, or lost; making it impossible for you to access what you need and possible for others to...).

Either some other method than passwords, like those time-based random PIN generator fob whatchamacallits we get to log into VPNs at some companies, or we just learn to deal with it.

Re:really long passwords (3, Interesting)

mlts (1038732) | more than 3 years ago | (#34641204)

Having the Web browser handle passwords is one way to address this. For a new site, I make a password in KeePass, store it in that database, as well as have my Web browser store it. This way, I don't have to bother typing it in, it will be of a decent character length (20 chars), and of random characters, and a blackhat that gets that password won't have access anywhere else I go.

Since my KeePass database syncs with my phone, if I'm using another computer somewhere else, I still have access to sites I go to.

This isn't the best of all worlds solution, but it does work.

Security Questions Are The Weakest Link (4, Interesting)

rolfwind (528248) | more than 3 years ago | (#34641124)

And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well. If I were to imagine trying to get this information on someone, I'd just call them or their family, pretend to be some High School Reunion Committee, and say "We are celebrating the class of 1987 at Shrub High" and they'd probably go "Oh no, I graduated in 1992 at Rose Garden High". Then reply "Oh really? I guess you're the wrong Joe Blow, I'm sorry for your trouble, thanks bye."

Multiple attack vectors over one secure password, ridiculous. I think GMail at least does the semi-sane thing and instead of security questions, uses a phone number to verify you if you would ever lose your password.

And that's what is needed, identity verification if the password fails. Not a cheap way to do that in an automated and very dumb way.

There was, also for years, really dumb advice such as to never write a password down. That is unrealistic given the number of passwords someone needs to know today and leads to using the same password again and again. Now, you don't have to write it unencrypted, you could use Rot13 or, even better, some other code of your devising -- but it's better than keeping all this in your head in this day and age.

Re:Security Questions Are The Weakest Link (1)

Speare (84249) | more than 3 years ago | (#34641446)

And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well.

While I expect there are many dunderheads out there who set up naively truthful answers to the canned security questions, there's no reason you should. If forced to set them up, I generally give untruthful answers. Don't go too far, as some sites give the challenges in "multiple choice" format. What's your hometown? (A) Peoria, (B) Detroit, (C) London, (D) The Fifth Inner Plane of Lord Zgothos' Realms.

Re:Security Questions Are The Weakest Link (1)

muckracer (1204794) | more than 3 years ago | (#34641756)

> some sites give the challenges in "multiple choice" format. What's your hometown?
> (A) Peoria, (B) Detroit, (C) London, (D) The Fifth Inner Plane of Lord Zgothos' Realms.

That's why I always pick: (E) None of the above.

Ha!

Re:Security Questions Are The Weakest Link (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34641986)

The problem is that I often have trouble remembering my ridiculous answer to security questions. If I ever need to use the password recovery tool and they ask where I grew up, I'll try 50 different ways to spell where I live and forget that I put "Earth" or something silly.

Re:Security Questions Are The Weakest Link (0)

Anonymous Coward | more than 3 years ago | (#34641494)

That's why I list my high school as dv6n)>L6-a}O],N and mother's maiden name as 10u{(-;Y%XB,!&If as the answers to "secret" questions. Store your answers in the Notes field in Password Safe (http://pwsafe.org/) database.

I have almost 200 web accounts, all with different passwords that even I can't remember, and it's all very easy to manage with Password Safe.

Re:Security Questions Are The Weakest Link (0)

Anonymous Coward | more than 3 years ago | (#34641752)

And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well. If I were to imagine trying to get this information on someone, I'd just call them or their family, pretend to be some High School Reunion Committee, and say "We are celebrating the class of 1987 at Shrub High" and they'd probably go "Oh no, I graduated in 1992 at Rose Garden High". Then reply "Oh really? I guess you're the wrong Joe Blow, I'm sorry for your trouble, thanks bye."

Multiple attack vectors over one secure password, ridiculous. I think GMail at least does the semi-sane thing and instead of security questions, uses a phone number to verify you if you would ever lose your password.

And that's what is needed, identity verification if the password fails. Not a cheap way to do that in an automated and very dumb way.

There was, also for years, really dumb advice such as to never write a password down. That is unrealistic given the number of passwords someone needs to know today and leads to using the same password again and again. Now, you don't have to write it unencrypted, you could use Rot13 or, even better, some other code of your devising -- but it's better than keeping all this in your head in this day and age.

Here is my solution for the security question problem..... I pick any question in the list, then I have my reply be a passphrase only I know for all password security questions. Like: What is your mother's maiden name? answer: are_you_too_stoned_2_remember_your_passsword

Re:Security Questions Are The Weakest Link (1)

irid77 (1539905) | more than 3 years ago | (#34641840)

And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well. If I were to imagine trying to get this information on someone, I'd just call them or their family, pretend to be some High School Reunion Committee, and say "We are celebrating the class of 1987 at Shrub High" and they'd probably go "Oh no, I graduated in 1992 at Rose Garden High". Then reply "Oh really? I guess you're the wrong Joe Blow, I'm sorry for your trouble, thanks bye."

Multiple attack vectors over one secure password, ridiculous. I think GMail at least does the semi-sane thing and instead of security questions, uses a phone number to verify you if you would ever lose your password.

And that's what is needed, identity verification if the password fails. Not a cheap way to do that in an automated and very dumb way.

There was, also for years, really dumb advice such as to never write a password down. That is unrealistic given the number of passwords someone needs to know today and leads to using the same password again and again. Now, you don't have to write it unencrypted, you could use Rot13 or, even better, some other code of your devising -- but it's better than keeping all this in your head in this day and age.

Ok, but most of these mechanisms using security questions don't just tell you the new password or allow you to reset it. They email you the new password. So unless the hacker has access to your email, guessing your security questions won't do much good. If a site is allowing you to reset your password directly, then that's obviously a security risk. But I don't think this is how it's usually done.

Sites sometimes limit passwords (1)

iamvego (785090) | more than 3 years ago | (#34641136)

It doesn't help that some sites restrict the character set and length of passwords.

Input 25 character password: "Error: password must be between 6-14 characters"

Input 8 character password with % and ] in: "Error: password can only contain alphanumeric characters"

__wHY&the&f**k]]can"t this l_i_n_e b3 m~y p45sw%rd?!__!?

Re:Sites sometimes limit passwords (1)

the_cosmocat (1009803) | more than 3 years ago | (#34641696)

Yep! Gmail for example. You can't use the character http://en.wikipedia.org/wiki/Section_sign [wikipedia.org] that we have on azerty keyboards :( And I just saw that Slashdot can't even display it (at least in the preview). You don't have it on qwerty keyboards?

Not me. I'm cheerfully paranoid. (1)

Whumpsnatz (451594) | more than 3 years ago | (#34641142)

Every time I need a password, I either beat out a spastic smattering of letters and numbers, or dream up a weird phrase, and use the first letters, with a few of them converted to numbers.

I'm fine, as long as no one gets to my written log of all those passwords. If that happens, I'm screwed.

I refuse to create any password that has the vaguest connection to anything. Which seems apt for today's disjointed world.

Re:Not me. I'm cheerfully paranoid. (1)

John Hasler (414242) | more than 3 years ago | (#34641882)

Every time I need a password, I either beat out a spastic smattering of letters and numbers, or dream up a weird phrase, and use the first letters, with a few of them converted to numbers.

I use pwgen. It is much better at generating truly random strings than I am.

I'm fine, as long as no one gets to my written log of all those passwords. If that happens, I'm screwed.

Keep it with your credit cards and cash.

Re:Not me. I'm cheerfully paranoid. (0)

Anonymous Coward | more than 3 years ago | (#34641904)

Me too, but I refuse to write them down, exactly for the reason you mention.

posting as AC, having a little logon problem at the moment.

paranoid253 (aka paranoid1 - 252)

3 factor authentication (1)

Iphtashu Fitz (263795) | more than 3 years ago | (#34641152)

When I've worked for companies whose equipment is housed in commercial datacenters, most of them required three factor authentication to gain access:
  • something you know (a password)
  • something you are (biometrics)
  • something you have (a key, security token, etc)

To gain entry into the last datacenter I worked at I needed a cardkey to get through the first door (something I have). I then had to have my hand scanned at the entrance to a man-trap (something I am). Once inside the man-trap with the door closed I again had to scan my hand and then enter a PIN onto a keypad (something I know). Only then did I have access to the datacenter floor.

Doing two of these on the web should be fairly easy. Companies like eBay & Paypal have tested RSA SecurID fobs as a security token, but in this day and age where so many people have smartphones then using it to generate security keys should be very easy. I already have a Verisign app on my iPhone that generates a random key every 60 seconds like SecurID does. Unfortunately not very many websites support it. I wish more would. And I have no idea how something like biometrics could be applied to the web...

Re:3 factor authentication (1)

Sponge Bath (413667) | more than 3 years ago | (#34641254)

I have no idea how something like biometrics could be applied to the web...

A phone or laptop camera could take naked pictures of you and send the images to a remote security worker for "analysis". Hey, if it's good enough for air travel, it's good enough for online shopping.

Re:3 factor authentication (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34641268)

Biometrics are pretty dubious for widespread use. They sure do add that "just like the movies" flavor to flashy secure facilities(and, as long as their use is rare, they are likely to be stolen only in the most targeted of attacks); but the majority of them are dangerously weak(and impossible to change).

Were they to be used widely, it would be a matter of months before huge numbers of people had their biometric data skimmed with enough resolution that fakes could be constructed with relative ease(imagine the problem of ATM card skimmer devices, already cheap and common, spreading to biometric verification systems: is that "broken" biometric verification setup on the door/atm/whatever actually broken, or transmitting high resolution scans of your fingerprints to some gang even now?) If you do get skimmed, what are you going to do about it?

As long as they are largely a novelty, confined to a few specific situations, you really have to be Somebody Important for your prints to be pulled off your glass at the bar and used to access your system; but, if you try to use it at a population level, the probability that attacks will become widespread rises enormously.

Re:3 factor authentication (1)

0123456 (636235) | more than 3 years ago | (#34641734)

Were they to be used widely, it would be a matter of months before huge numbers of people had their biometric data skimmed with enough resolution that fakes could be constructed with relative ease(imagine the problem of ATM card skimmer devices, already cheap and common, spreading to biometric verification systems: is that "broken" biometric verification setup on the door/atm/whatever actually broken, or transmitting high resolution scans of your fingerprints to some gang even now?) If you do get skimmed, what are you going to do about it?

Don't forget that the US government now has a database of millions of travellers' fingerprints, so they can trivially break online fingerprint biometrics for those people.

As you say, the rush to 'biometric ID' is making 'biometric ID' useless.

Ridiculous password requirements (0)

Anonymous Coward | more than 3 years ago | (#34641192)

Oftentimes the ridiculous password requirements that are imposed on some networks only force users to have to write the password down and keep it someplace close by. If all I have to do is lift up the keyboard to find a sticky note, your 12+ character alphanumeric with special characters password that changes every month becomes no more secure than "12345".

Expecting a user to use 100s of passwords idiotic (1)

syousef (465911) | more than 3 years ago | (#34641216)

I don't have the best memory in the world, but I'm no moron either. I've resorted to using a password safe program because between work and personal life I'm expected to remember literally hundreds of passwords (now they're in a password manager I can count them). Guess what? Even with the safe I continue to use a couple of "low security" passwords for certain activities. That means most things at home I can work out remembering only about a dozen passwords. Work's a different story...

Important accounts? (1)

Bogtha (906264) | more than 3 years ago | (#34641226)

important accounts such as email, banking or shopping and social networking sites

Okay, a vulnerable email account can lead to compromising other accounts, banking and shopping sites can cost you money... since when is Twitter or Facebook an "important" account in the same category as your bank account!?

Re:Important accounts? (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34641376)

Well for starters your Facebook will have almost all your personal info, possibly where you live, your phone number, and even if you adjusted privacy settings, some embarrassing pictures. Next thing you know you're on /b/ being asked hot or not.

Actually I've noticed a few people on 4chan who will hack Facebook accounts for you if you get them the victim's Hotmail Address. I wonder if it's just common to use your HM for FB or if they've found a vulnerability in hotmail that leads to compromising the facebook account (Like asking for a new password to be emailed to that email account).

Personal info (1)

jwietelmann (1220240) | more than 3 years ago | (#34641508)

You mean the Facebook info and pictures that I can get you to voluntarily give me by:
  1. Creating a fake Facebook account.
  2. Using a picture of an attractive female in your age range.
  3. Locating your friends.
  4. Carpet-bombing them with friend requests. (Surely someone will bite.)
  5. Sending you a friend request. (I'm a friend of a friend, so we've probably met, and you've just forgotten.)
  6. Reading everything about you.

It doesn't matter what your privacy settings are. I would bet money that you could get access to 99% of Facebook targets' info by following that pattern. Social networks are practically designed for social engineering hacks.

Re:Personal info (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34641650)

ummm. No.

You can get THAT Facebook info you described often by just GOOGLING the name.

I was talking about login credentials. To do some real damage.

HUMANS SUCK (0)

Anonymous Coward | more than 3 years ago | (#34641246)

Humans are the weakest link. Humans want to exploit dominate and win against other humans. That goes double for the ones that already have obtained power and control.

The "detailed analysis" needs to be ditched. (2)

dreemernj (859414) | more than 3 years ago | (#34641346)

That "detailed analysis" of the Gawker breach needs to be stricken from the web. The passwords that were decrypted were the easiest passwords in the set for the most part. That's why they were able to decrypt them. They were in dictionaries or their hashes were already on lookup tables. Then some joker takes those decrypted passwords and acts as if they are in any way representative of the rest of the passwords that could not be decrypted.

Idiotic.

Secure Sentence Based Passwords (1)

_16s (1963724) | more than 3 years ago | (#34641354)

I wrote SHA1 Pass and use it everywhere. Feel free to modify or implement it yourself: http://16s.us/sha1_pass/ [16s.us]

expiry (0)

Anonymous Coward | more than 3 years ago | (#34641356)

Password expiration is the biggest problem, people have to remember several passwords at work that change constantly because of some misguided policy.

I wish I could work in a land where I could keep my password as long as the admins hadn't cracked it. As soon as they crack it my password expires. They would get to try each person's account 1 time per minute, so they could get through a basic dictionary attack in a matter of days. The stronger the password, the longer it lasts.

No. (1)

arndawg (1468629) | more than 3 years ago | (#34641358)

YOU are the weakest link. Good bye.

4ny1K1n L34rn 2 Sp311 'L337' (1)

tunapez (1161697) | more than 3 years ago | (#34641362)

I give my clients a swap list(1=i, 3=E, 4=A, 5=S, etc...) and ask them to swap at least 2 alphas for numerals of their fav passwords, add a random cap and make it 9+ characters. We do a couple examples with words/phrases of their choosing. Most actually catch on quickly when they feel involved in the process...and a little L337. Changing passwords doesn't have to be like pulling teeth.

Goodbye '57 chevy', hello 'Ch3vy83l41R'.

I'm skeptical. (1)

jwietelmann (1220240) | more than 3 years ago | (#34641658)

If you're using real, common words and phrases and just transcribing them to 1337, I'm pretty sure there are password cracking tools out there to account for that.

KeePass/KeePassX (1)

mikewilsonuk (1676196) | more than 3 years ago | (#34641404)

I recommend using KeePass on Windows and KeePassX on Linux. I carry my passwords around on a USB stick. I use a password I can remember to access the password database. That wouldn't be too hard to crack, but first the cracker would need to steal the physical stick. KeePass generates nice long unmemorable strings of random characters, so attack without stealing the stick is tough.

One word of warning: one oafishly implemented site I registered with silently truncated the 20 character password I pasted from KeePass to 12 characters.

Do we really need secure passwords for Gawker? (1)

hermiquin (1588683) | more than 3 years ago | (#34641420)

Who cares about their password security on Gawker's sites and others like them. I personally use the crappiest password I can remember for stuff like that. Just keep that password away from your email and bank account. If you feel the need to have an ultra secure random 25 character password to protect your Paris Hilton article clippings, security is the least of your problems. On the other hand if you use your gawker password for your bank account also, security is the least of your problems.

Re:Do we really need secure passwords for Gawker? (1)

muckracer (1204794) | more than 3 years ago | (#34641844)

> Who cares about their password security on Gawker's sites and other like them.
> I personally use the crappiest password I can remember for stuff like that.

Please read the story of the guy using his neighbor's wireless who sent e-mails in 'his' name to threaten various high-profile people, sent child porn etc. While you might get cleared eventually, when somebody used YOUR oh so unimportant account for such purposes, good luck in the meantime until it gets to that point. And hopefully your boss is OK with you being in jail for the interim 3 months and will welcome you back with open arms, since he still trusts you to work for him after the USSS grilled him about you...

Re:Do we really need secure passwords for Gawker? (1)

John Hasler (414242) | more than 3 years ago | (#34641970)

> I personally use the crappiest password I can remember for stuff like that.

Thereby enabling comment spammers.

Most users consider passwords a hindrance (1)

petes_PoV (912422) | more than 3 years ago | (#34641426)

They get between a person and their goals, they are too easily forgotten and once you have to keep track of more than a few they become unreliable and burdensome. Add on to that, most of the "information" that these passwords protect is not really worth protecting, anyway.

So, since they are an annoyance and don't give users any tangible benefits, you shouldn't be surprised when users choose their passwords so they require the least amount of effort: either to remember or to enter. As for enforcing rules to require users to change them regularly - you might as well forget it. All they'll do is take their core password and add a number onto it - I know: that's all I do.

Passwords have been in effect since the beginning of multi-user systems: what? 50 years or so. Surely in all that time the world could have come up with something better, easier, more reliable and keyed to the user rather than the piece of paper all the passwords are undoubtedly written on.

Some SysAdmins too (1)

Fibe-Piper (1879824) | more than 3 years ago | (#34641560)

Yesterday our admins changed our wireless access from WEP to WPA in order to make our connections more secure - sadly the password we have been using for over a year stayed the same.

This has been discussed and nothing gets done (1)

markdj (691222) | more than 3 years ago | (#34641442)

We have discussed this ad nauseam - still nothing gets done. We have way too many passwords to remember. We have way too many different password policies to follow. What is a valid password on one site is not at another. It takes too much time to look up a password you have "written" down and you need a separate password to get into the list! That supposes you have the list with you when you need it. Today the internet is mobile and not just used at home or at the office. Additionally, there are sites whose compromise could ruin you financially or ruin your reputation and sites where compromise doesn't matter. So most resort to a few easy to remember passwords, phrases or algorithms and these are probably easy to crack.

It's not clear what could be done. An RSA key fob and biometrics need a reader. You have to remember to have the fob with you. The blind can't read it. All this costs extra.

So what? (1)

RKThoadan (89437) | more than 3 years ago | (#34641470)

Passwords may be the weakest link, but they are not the most common attack vector because what they are protecting is of minimal worth. The most common attack vector is exactly what we have seen here: someone uses CSS/default password/other vulnerability and grabs the whole database. It's certainly sensible to keep good passwords on e-mail and financial accounts, but even there I'm much more worried about the backend being hacked than someone trying to brute force my password.

Do passwords even matter? (0)

Anonymous Coward | more than 3 years ago | (#34641484)

If anything, situations like the Gawker security breakdown make me less likely to put effort into creating/maintaining passwords. It seems to me like accounts are more likely to be hacked by means where the hacker has your password, no matter what it is. For example I had my Warcraft account hacked, and the password I used was 10 characters and a mix of random symbols numbers and letters. The reason it was hacked was because a trojan found its way on to my system through a new, infected USB stick. I don't really see why any hacker would sit there and try and brute force their way into a single account without already knowing the login/password by some other means.

And, did you know that the sky is blue? (2)

sitarlo (792966) | more than 3 years ago | (#34641492)

This isn't news. It's common sense. Of course people and their passwords are the weakest link. Same thing in physical space. You can have the best lock in the world, but if you make copies of the key and are careless with them you'll get robbed.

Passwords are fine (1)

jdoug (1560951) | more than 3 years ago | (#34641532)

as long as they're used correctly, both by the user and the system, and that they correspond to the amount of security a particular system requires. That includes the usual refinements such as salting, proper storage, moderate to high strength, etc. Saying that passwords are weak is like saying that hammers are dangerous. Tools, when used properly, will do the job.

I've used an online banking system that required entering a password, selecting an image and answering a question before being able to log in. These three systems in themselves are not particularly foolproof, but used together (and correctly) make for good security. Other systems also include a hardware token.

Exploits exist for routers and firewalls. Put more than one layer and getting in gets more difficult. Passwords are only one of many security schemes that exist and not all systems require the same amount of security. I'm quite happy slashdot doesn't need as many security elements as my bank does to log in.

When articles about passwords come up, the usual rant is mostly against users choosing weak passwords or writing them down. In cases where the security of an account is compromised, the user, that is, the customer, should never be blamed. It is the responsibility of the system to pick a suitable security scheme, enforce it and take all possible measures to avoid leaking the data. Blaming a customer for choosing hunter2 as a password and getting hacked is ridiculous. It's like blaming the customer for "excessive bandwidth" while using their 100Mbit/s line. Users will take what you give them.

You want strong security? Implement it. You don't need it? Stick with passwords.

Stop blaming the users.

It is safe to say that (2)

gotpoetry (1185519) | more than 3 years ago | (#34641546)

combination codes are the weakest link in bank vaults.

Re:It is safe to say that (1)

DigiShaman (671371) | more than 3 years ago | (#34641886)

So what you're saying is that a safe is "safe", not secure. Right?

Lastpass (1)

defaria (741527) | more than 3 years ago | (#34641580)

Again, in a world - Lastpass!

The amount is the problem (4, Insightful)

houghi (78078) | more than 3 years ago | (#34641642)

How many places need a login? Websites, computers, programs, ...
If all websites used OpenID, that would already solve a lot. However many places give me my login and then ask me to change that every month. At work every first day of the month I change all my passwords. That takes me about 20 minutes.

So I have several passwords depending on level
1. Generic websites. Lowest security level (e.g. Pa55word)
2. Work related. These will change every month and will include some sort of year/month where only that part changes (e.g. 10Work12 for this month)
3. Provider related password for email and connection (Reused semi-random 8 character password)
4. Personal password for local system and OpenID and banking (Reused semi-random 8 character password. Different from 3)
5. Secure password for encryption, ssh and the like (Loooong semi-password of at least 16 characters.)

So the moment I am forced to change passwords where I used 3 or even 5, I will go back to the less secure 2.

The main problem is that each security person treats their security as if they are the only one and treats security with the standard error: solving a social problem with a technical solution. It is very hard to explain to people that changing passwords every month will LOWER the security.

It is the nature of people to find the way of least resistance and as long as security people do not understand that, nothing will change.

I sometimes feel that it is not about security, but about reliability. Reliability is moved from the IT department to people who do not understand security, because they 'did something' and now it is not their issue anymore. That is why they also look only to the security of 'their' system and not at security as a whole.

Re:The amount is the problem (1)

Chucky_M (1708842) | more than 3 years ago | (#34642016)

It is very hard to explain people that changing passwords every month will LOWER the security.

If I had a penny for every time I had to say that ....

So we force users to change passwords using complicated passwords; users, being human (mostly), make typos, and in coordination with mandatory locking after multiple password failures, there we have it: a whole new department servicing user password problems, and stability and functionality are thrown out of the window. Then came SOx, but after that things just became silly; I wonder how many campaign contributions auditing and high-tech security companies made.

Why should this be a concern? (0)

Anonymous Coward | more than 3 years ago | (#34641910)

People nowadays have on average 15 passwords they need to memorize. E-mail accounts (work and personal), ATM pin, bank web accts, shopping accts, etc. Chances are you can't memorize 15 different ones, so they are the same password or very close variations. More likely you use 10 of those accounts on a daily basis and the other 5 on an occasional basis, so those 10 you may get away with memorizing because you use them often. But those other 5, you probably forget what they are if they were totally unrelated passwords. This doesn't even give credit to all the people (which is the majority) that set their PCs/laptops/smart phones to memorize the password, so they shave the extra 10-15 secs of typing username and password. Then, when they need to change the password and need the current password, they won't remember it.

Now, you're telling us we are not secure because most of our passwords are similar or the same, but you give the same lecture about how dangerous it is if we write the information down anywhere (on a piece of paper/notepad file) because the majority of us do not have the memory of an elephant.

Need A Good Password? (0)

Anonymous Coward | more than 3 years ago | (#34641966)

Here is a quick and easy method for generating passwords on a Linux system. Just open a terminal and enter the following command:

openssl rand -base64 20 | tr -d '/' | cut -c1-X

Substitute the final "X" with the number of characters desired (e.g. 12, 16, etc.).

This will produce very strong passwords that can be pasted into any application. The only remaining problem is remembering the password, but most browsers provide a method for storing and retrieving the passwords that are used for on-line accounts. Otherwise, a simple text file can be used for storage and retrieval.

There is no excuse for using weak passwords.

Security that prevents use fails. (1)

rickb928 (945187) | more than 3 years ago | (#34642056)

I'm facing more restrictive password policies at work every day. Some expire every 14 days. Some require that they start AND end with an alphanumeric character, include a symbol from a short list of acceptable symbols, upper and lower case characters, and be 8-11 characters long. These restrictions broke my normal conventions. I'm pretty much forced to keep a cheat sheet of hints to my passwords. Today I have 11 unique passwords shared among 22 different systems comprising 32 different hosts and services. That's just work. I'm required to change at least one password 4 out of 5 days a week. Some of these require me to use unique passwords, not using any of the 5 to 8 previous passwords. Some deny using duplicate sequential characters, some any duplicate characters, some deny using specific words, one denies using any character that is in my master employee ID (8 chars, 1 alpha & 7 numeric), and some restrict using the same password as other systems that use the same authentication server - yes, our SSO server is no longer SSO, depending on the service it is supporting. They still call it SSO. Perhaps 5 of these systems permit me to recover my password by resetting it via a process or phone call. Two of them require management approval for a password reset. One, the magic one, requires me to get upper management approval for resetting a password, and this system will expire my password if I don't log in before the periodic change period expires. This password expires every 30 days, and I need to use it every 30 days. Yup, I make a note to log in mid-month to keep it alive. Most users only use it monthly, and it is designed that way. Several services delete my user account if I let a password expire, requiring a new user ID setup. I also have to watch for my access being denied due to any of various initiatives, Sarbanes-Oxley regulations, arbitrary system resets, etc., but that's just corporate policy. The weasels think they are winning.

No fix is in sight. This company is proud of their record of zero breaches ever. But I spend a noticeable amount of time managing passwords, and am delayed in work by failed authentication. Security for my position is becoming an impediment to work. I am in a relatively unique position, requiring a lot of access to several different systems, and combinations that bring me to the attention of our Corporate Lawyers occasionally, and I'm not even doing anything wrong, just my job. I'm not proud to say I've never looked up sensitive data out of curiosity. If I got caught, it would be my dismissal. And they watch specifically for that stuff.

For my personal business, I have only 7 specific payroll, banking, or healthcare sites I need to maintain passwords for. Some expire, some don't. Some require specific rules, some don't. Two of them show me their score for relative strength of the password I'm trying to use.

Then I have all the other stuff. I easily have 30+ logins to various technical and social sites, probably 50+. Some I don't use for years. I use a lot of conventions to manage them by role and relative importance to me. Don't get me started on usernames.

My only, ONE AND ONLY password breach was thanks to my lovely wife, who was too lazy to change the Facebook page to HER signon, and clicked away on a bunch of quizzes, tests, free stuff, and finally an auction link. eBay had me down to buy a bunch of stuff and I got the emails confirming it. I cancelled them all with eBay's help, they tracked down the offending user which was pointless as they don't exist, and I avoided bad feedback and PayPal problems. Looks like the seller was creating fake buys to get feedback and enhance their rep enough to attract more willing victims. My wife was shocked. Then she was angry with me. Then she started playing Farmville. I got her a computer of her own. Grrr...

Passwords are not enough. My home notebook has a fingerprint scanner I use, wish I could teach it some tricks. I use a couple of password keyrings online, but not for everything. I'm using OpenID more, but I can't yet see the value.

We need something better. Fingerprint scanners or camera-based something that isn't fooled by a photo.

Speak for yourself (0)

Anonymous Coward | more than 3 years ago | (#34642086)

My passwords are easy to remember when you know the trick, but look like a big, incomprehensible string of letters numbers and special characters. Good luck trying to bruteforce that!

Clearly the weakest link is website administrators without the common sense to use encryption, and those who do encryption wrong. Is it really so hard just to generate a random salt for every password and store it along with a salted hash? And I'm not even talking about the fact that you can't even know what the website's intentions are. For all you know, they could be storing it in plain text and harvesting it for id theft.

So the best plan is to have unique passwords for every little site/service/forum which requires registration you ever use. Another method is to have separate tiers of passwords for important and less important things. Both are a hassle.
Passwords: Convenience, Security. Pick one or suffer in both.

Maybe a better way is to have every user generate their own certificate (simplified compared to those currently in use in other areas) based on a passphrase. The user could easily generate it again if lost, or maybe even on the fly during authenticating, or generate a new one if he needs another identity. Others will not be able to authenticate as the intended victim without a matching certificate. But for this to work it would have to be able to be integrated into the OS and/or websites in a way that is easy to use.
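The "random salt for every password, stored alongside a salted hash" point in the post above is the right idea; in practice the hash should also be a deliberately slow key derivation rather than a single fast digest, so a leaked table (the Gawker scenario this thread is about) cannot be attacked with precomputed lookup tables or at raw hashing speed. Here is an added example of that pattern, not the poster's code and not any site's real scheme, using only the Python standard library. The `pbkdf2_sha256$iterations$salt$hash` record format and the iteration count are my own choices for the illustration.

```python
# Added example (not from the Slashdot thread): per-user random salt + slow KDF.
# Assumptions: the record format "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
# is invented for this illustration; ITERATIONS is a constructed default that should
# be tuned so one verification costs tens of milliseconds on the real server.
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a stored record for `password` with a fresh 16-byte random salt.
    `salt` may be supplied only for testing; production callers leave it None."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt/iterations and compare in
    constant time. Malformed records are treated as a failed login, not an error."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record predates the current iteration policy (or is malformed),
    so it can be transparently upgraded on the user's next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("hunter2")          # "hunter2" borrowed from the thread
    print(record)
    print("correct password:", verify_password("hunter2", record))
    print("wrong password:  ", verify_password("hunter3", record))
```

Two things the snippet makes visible: two users with the same password get different records (so the salt defeats shared lookup tables), and the iteration count travels with the record, which is what lets you raise the cost later without resetting every password.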

Irony (1)

Bandman (86149) | more than 3 years ago | (#34642088)

Does anyone else find it ironic that they're using information obtained from a cracked server to determine that the weakest security is the password? Anyway, I think the passwords are only weak because the users get to choose them, and *users* are the weakest link in the security chain.