
Why People Are So Bad At Picking Passwords

samzenpus posted about 5 months ago | from the 1-2-3-4-5 dept.

Security 299

mrspoonsi writes "Studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst. These studies also reveal that when it comes to passwords, women prefer length and men diversity. On the internet, the most popular colour is blue, at least when it comes to passwords. If you are wondering why, it is largely because so many popular websites and services (Facebook, Twitter and Google to name but three) use the colour in their logo. That has a subtle impact on the choices people make when signing up and picking a word or phrase to form a supposedly super-secret password. The number one conclusion from looking at that data — people are lousy at picking good passwords. 'You have to remember we are all human and we all make mistakes,' says Mr Thorsheim. In this sense, he says, a good password would be a phrase or combination of characters that has little or no connection to the person picking it. All too often, Mr Thorsheim adds, people use words or numbers intimately linked to them. They use birthdays, wedding days, the names of siblings or children or pets. They use their house number, street name or pick on a favourite pop star. This bias is most noticeable when it comes to the numbers people pick when told to choose a four-digit PIN. Analysis of their choices suggests that people drift towards a small subset of the 10,000 available. In some cases, up to 80% of choices come from just 100 different numbers."


299 comments

Huh? (5, Funny)

hduff (570443) | about 5 months ago | (#45574463)

These studies also reveal that when it comes to passwords, women prefer length and men diversity.

We are still talking about passwords, right?

Re:Huh? (5, Funny)

QQBoss (2527196) | about 5 months ago | (#45574895)

Is it too obvious to point out that it isn't so much the length of the password that is important, but how you use it? The luckiest, of course, are able to take advantage of both.

Re:Huh? (1)

KDN (3283) | about 5 months ago | (#45575027)

That is, ....interesting. Great way to wake everyone up monday morning :-).

Re:Huh? (4, Funny)

Anonymous Coward | about 5 months ago | (#45575227)

This is why women never use 'penis' as their password since it's never long enough.

women prefer length and men diversity. (1)

Anonymous Coward | about 5 months ago | (#45574465)

"women prefer length and men diversity"

Fnarr fnarr.

Women prefer length (0)

Anonymous Coward | about 5 months ago | (#45574471)

"These studies also reveal that when it comes to passwords, women prefer length and men diversity."

Fuck. We'll never win!

Except (0)

Anonymous Coward | about 5 months ago | (#45574481)

Actually it's not a good password if you can't remember it.

Re:Except (1)

Anonymous Coward | about 5 months ago | (#45574767)

Security researchers agree: It's OK to write down passwords for online accounts. The typical threat model is a remote attacker, so a password written on a piece of paper is as secure as a password can be. People forget passwords all the time, even really simple passwords. That's why we have stupid mechanisms like "three questions to reset your password - let's just hope nobody else knows your mother's maiden name, your favorite dish and your favorite color".

Takeaway (1)

Anonymous Coward | about 5 months ago | (#45574503)

So from this article I take it I'm supposed to track down a redhead and have her make my password for me?

She [guim.co.uk] looks like she has a trustworthy face.

writes eh? (0)

Anonymous Coward | about 5 months ago | (#45574507)

Nice cut and paste arsehole. I'll forward a link to Mark Ward of the BBC Technology unit.

Before choosing an important password (4, Funny)

LongearedBat (1665481) | about 5 months ago | (#45574561)

So, before choosing an important password make sure you have shaved, had a haircut and dyed your hair red.

(A sex change is asking too much though.)

Horse Battery Staple is common too (3, Informative)

Dave Whiteside (2055370) | about 5 months ago | (#45574579)

Re:Horse Battery Staple is common too (1)

gmack (197796) | about 5 months ago | (#45574835)

Not all of my passwords can be that long. My bank password (the one I care about the most) has a 5 char limit and I hate random passwords. I came across a good method a few years ago for generating passwords that need to be short: Take a song and choose a line, then take the first character of each word and you have an easy to remember but hard to guess password.

Re:Horse Battery Staple is common too (0)

Anonymous Coward | about 5 months ago | (#45574967)

A five character password? Which bank is this?

Re:Horse Battery Staple is common too (3, Funny)

BobNET (119675) | about 5 months ago | (#45575059)

Presumably the same one that designed the air shield for planet Druidia.

Re:Horse Battery Staple is common too (0)

Anonymous Coward | about 5 months ago | (#45575033)

My brokerage has an 8 character limit on passwords. I keep meaning to forward them a report that 8 characters is insufficient.

Serious question: What value is there in having a low limit on password lengths?

Re:Horse Battery Staple is common too (4, Funny)

14erCleaner (745600) | about 5 months ago | (#45575151)

What value is there in having a low limit on password lengths?

When they store it in clear text on a laptop, it takes up less disk space.

Re:Horse Battery Staple is common too (0)

Anonymous Coward | about 5 months ago | (#45575063)

My favorite way of achieving easy to remember and hard to guess is to use qwerty encoding. Simply move your hands from the f/j row to the r/u row and then type a memorable word or simple phrase. The password 'password' would become '0qww294e' and yet can be typed just as quickly and remembered just as easily. The only downside is that it's less effective for people who don't touch type.

because (0)

Anonymous Coward | about 5 months ago | (#45574583)

people are too lazy/stupid to remember a simple word or phrase critical for logging into essential accounts e.g. your bank, your email, or just your PC. My father had to write down his PC password. It was his dog's name. How can you not remember that?

Re:because (0)

Anonymous Coward | about 5 months ago | (#45574641)

My father had to write down his PC password. It was his dog's name. How can you not remember that?

I'm pretty sure he has no problem remembering his dog's name (assuming he is still mentally OK). However remembering that his password for the computer is the same as his dog's name is the problem. People sometimes have trouble associating one thing with another. Instead of writing the password down, put a picture of his dog as his account tile (if Windows), or a picture of his dog on the edge of the screen or somewhere visible on the computer. Presto - problem solved. He'll remember.

Re:because (1)

mlts (1038732) | about 5 months ago | (#45574697)

These days, I just use a decent password manager (KeePass or Password Safe.) Of course, that comes with its own risks, but with so many passwords one uses, all should be unique [1], might as well have a system that uses a known good cryptographically secure RNG and a decent password length [2] does the trick.

[1]: That way, a cracked password from site "A" won't be able to get access to site "B".

[2]: Even now, some sites will choke at a password length greater than 8-10 characters.

Re:because (1)

Anonymous Coward | about 5 months ago | (#45575095)

I started using the Readable Password plug-in for KeePass. For anything I need to remember, a random sentence is much more useful than random characters.

Re:because (2)

jonbryce (703250) | about 5 months ago | (#45574699)

A lot of these studies come from accounts where people do not care if someone else knows the password, because the password doesn't protect anything of use to the subscriber. For accounts like that, my password is the same as my username, and it is linked to a spamtrap email account that doesn't get used for anything else. I know it is insecure, but I don't care.

Re:because (4, Interesting)

master_kaos (1027308) | about 5 months ago | (#45574711)

Here is the problem: You constantly hear about don't use the same password on every site. Ok, makes sense, except that a lot of people have login information to 100+ websites. Sure there are tools like keepass or lastpass or whatever, but then you just need to break 1 password to have access to them all.
Then you get ridiculous requirements on some websites, like can't use special characters, can't be longer than 10 chars. Why? You should be using a hashing algo which means special characters or max length shouldn't matter (within reason)

I have about 4 passwords
My low security one where I do not give a shit if people hack my account eg slashdot/most forums
Medium security - Password for sites I care a little about and that contain some personal information eg, some forums, some online shopping sites that don't store cc info, etc
High security - Mostly used for sites that are used for purchasing things and that have linked CC info to it
Very High security - Used for financial institutions

This way I always know when I go to a site which password it uses.

However, I have been thinking about changing slightly how I do my passwords... the base password will always stay the same, but I may prepend or append the first 3 characters of the site's name or something (maybe not quite this obvious). This may increase security of the password a little, as well as the benefit of most passwords being unique.. but not sure how much it increases the security by

Re:because (1)

SuperCharlie (1068072) | about 5 months ago | (#45574919)

I've been doing the 4 tiered password thing for over 10 years now. There is NOTHING like hitting an old website you haven't been to in years and logging in first try.

Re:because (0)

Anonymous Coward | about 5 months ago | (#45575191)

There's NOTHING like hacking into an old abandoned website with half-decade-old security practices and unpatched software, then being able to log into a bunch of people's current accounts on the first try.

Re:because (2)

js3 (319268) | about 5 months ago | (#45574965)

I ended up using something similar. I just have a bunch of memorized passwords using a very simple 3 keyed format

like "AB#" "EF#" "I#K"

This way whenever I need a new password to add to my list I write anything that pops into my head on a note. for example..

J92bd3Yp4. "J92" "bd3" "Yp4". write it down, use it for a week until it's memorized and it's done. I have about 6 passwords in this format completely memorized and cycle them everywhere.

Re:because (2)

femtobyte (710429) | about 5 months ago | (#45575173)

Re-using the same "high security" or "very high security" password across financial institutions, etc., is a recipe for disaster. You may have very high security standards... but it turns out sometimes those tasked with taking care of the peons' data don't (and fail on simple precautions like salted hash password storage). Whichever institution has the crappiest security gets hacked (maybe even that old bank you moved your money out of years ago), and suddenly all your accounts are vulnerable.

The proper and secure way to do things is one high-security passphrase, that decrypts your (well-backed-up) encrypted store of thoroughly unmemorable random character passwords for each institution. It takes a couple extra seconds to look up the password for each site, and puts additional control over security in your own hands (which care more about you personally losing all your monies than some random bank contractor). And, for anything that you use moderately often, you'll end up remembering the random-jumble password just fine after the first several times typing it in.

Re:because (1)

HairOfTheBambit (1281718) | about 5 months ago | (#45575237)

Here is the problem: You constantly hear about don't use the same password on every site. Ok, makes sense, except that a lot of people have login information to 100+ websites. Sure there are tools like keepass or lastpass or whatever, but then you just need to break 1 password to have access to them all

The thing is, your password with KeepPass or what have you is up to your encryption level and password strength. The password you use on any given site is reliant on their password encryption. So if someone gets a hold of, say, LinkedIn's passwords and is able to decrypt your password there, they can hit every site with it and your email address. Getting access to your KeepPass file will grant them all access to all your accounts, but they are going to have a harder time getting the info out of it if you've done it correctly.

Re:because (4, Insightful)

xelah (176252) | about 5 months ago | (#45575145)

Given that it's widespread across huge numbers of people, presumably of all kinds and intelligence levels, I think that dismissing the problem as being because people are too lazy/stupid is...well....lazy and stupid.

Remember that people treat their computers like a social being - and a subordinate one at that. Every morning, someone will go and sit down at their office computer and find it's forgotten who he is, even though it sees him every day. He can walk away for an hour and it'll forget again. It'll fail to understand that he's him over and over again as he uses websites, servers, etc, stopping each time to refuse his instructions and demand that he perform some silly little task purely to help the computer out in functioning correctly: remember an irrelevant string of nonsense. And, very occasionally, the computer will fail and do something like send banking details to someone in Russia, or show his ex-wife his e-mails to his lawyer.....even though it's blatantly obvious to even an imbecile that these are the wrong things to do.

We all know that computers are unintelligent tools that are not capable of doing better than this - on slashdot, at least. But it still feels like talking to a forgetful, obstructive, naive, reckless, stupid and insubordinate little shit. Even the most stupid of assistants should be expected to do better most of the time.

People can certainly do better, but we have to accept that humans behave like humans and recognize that we're going to need to improve the technology as well as people's habits. In the short term that could mean things like providing ways to generate secure passphrases and asking them to write them down, using authentication devices and using UIs to promote better practices....and we need security researchers who stop looking a memory dumps for a while and look for more secure ways to interact with users.

Re:because (0)

Anonymous Coward | about 5 months ago | (#45575157)

It was his dog's name. How can you not remember that?

Perhaps, given some inane number/symbol requirements, it was because his dog had to be named cHu8#raf?

In other news... (0)

Anonymous Coward | about 5 months ago | (#45574615)

In other news: The sky is blue, bears shit in the woods, fish swim in water, and this story is a repost from 1995.

They lack knowledge and are lazy (0)

Anonymous Coward | about 5 months ago | (#45574651)

One of my relative's passwords was their pet's name, i.e. Chloe, Phoebe. I asked "don't you think that is easy to guess?" and they said "No, how would anyone know that was MY password?".

What people don't realise is that hackers aren't usually attacking them specifically but are attacking everyone, anyone with a lame password. I'm pretty sure simple names are high on the list of things to try first.

Basically, bad passwords are a lack of education in how their password is vulnerable, or are just lazy.

Pretty much the only good passwords are random (1)

tlhIngan (30335) | about 5 months ago | (#45574659)

A modern day password cracker (brute force) with a reasonably large dictionary can basically break all human generated passwords these days.

First - besides the dictionary, they also try variations - including l33t 5p34k variations, various capitalizations and putting numbers at the beginning or end of the word.

Second, the old trick of picking a phrase and using it? Also done - the dictionaries often pick phrases out of the Bible and other texts and run with those, too. You'd think this would be difficult, but surprisingly not. And there's the variations in the above as well.

A brute forcer that uses a dictionary often enlarges it through variations, which is still far less to check through than a full test-every-combination brute force.

About the only choices left are pure random passwords that the only way to break them is testing every combination.

Re:Pretty much the only good passwords are random (2)

east coast (590680) | about 5 months ago | (#45574723)

If a system is making it possible for you to do a brute force attack for "days" then your system is the problem more than your password.

Sorry, but brute force attacks should throw up a red flag in a way that any well designed system can automatically detect it and shut down the user account. Most already do this in more roundabout fashions such as locking the account after a number of invalid tries or by forcing the user to wait between failed attempts or a combination of both.

Re:Pretty much the only good passwords are random (2, Insightful)

Anonymous Coward | about 5 months ago | (#45574881)

A brute force attack is typically done on a stolen list of hashed passwords, not on the running system.

Re:Pretty much the only good passwords are random (2)

mlts (1038732) | about 5 months ago | (#45574995)

If an attacker were brute-forcing against an account, something like sshguard or a lockout mechanism [1]. However, since hashed password lists like /etc/shadow are the target, once those are snarfed, those can be cracked at the blackhat's leisure. Stuff like bcrypt helps, but there is a balance between having a number of rounds high enough to slow down an attacker, versus it interfering with legitimate uses.

I have a dedicated appliance that is in testing stages which just stores usernames and hashes, and does not allow the whole database to be dumped at once to a remote site (access is done per user, and the only thing returned is "yes" or "no", so a bad password gives the same result as not having a username.) It will help with this, but still awaits any real commercial use.

[1]: I set Windows's mechanism on an AD forest to be only 3-5 minutes for a lockout, not 20. That is enough to stop the people trying random stuff, but not paralyze a user too long, assuming the attack isn't still going on.
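The rounds-versus-latency balance mlts describes, as an added example that is not his code: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (cost is linear in the iteration count either way), the work factor is calibrated against the host, and old records are upgraded transparently at the next successful login. The policy floor, target latency and record format are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"
SALT_BYTES = 16
# Assumed policy floor: never store a hash with fewer iterations than this,
# even if calibration on a slow machine would suggest it.
MIN_ITERATIONS = 100_000


def calibrate_iterations(target_ms=250.0, probe_iterations=20_000):
    """Pick an iteration count that costs roughly target_ms on this host.

    One timed probe run is scaled linearly, since PBKDF2 cost is linear in
    iterations. Re-run when hardware changes; needs_rehash() upgrades old records.
    """
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH_NAME, b"calibration-probe", salt, probe_iterations)
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    if elapsed_ms <= 0.0:
        return MIN_ITERATIONS
    scaled = int(probe_iterations * (target_ms / elapsed_ms))
    return max(MIN_ITERATIONS, scaled)


def hash_password(password, iterations):
    """Store a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different hashes, so cracking one record says nothing about another.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != f"pbkdf2_{HASH_NAME}":
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(digest_hex)
    except ValueError:  # malformed record: treat as a failed check, never as a crash
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, current_iterations):
    """True if the record predates the current work factor."""
    parts = record.split("$")
    return len(parts) == 4 and int(parts[1]) < current_iterations


def login(password, record, current_iterations):
    """Verify; on success return an upgraded record if the work factor has risen.

    Returns (ok, record_to_store). The caller persists record_to_store when it
    differs from what it read, so the database catches up without a forced reset.
    """
    if not verify_password(password, record):
        return False, None
    if needs_rehash(record, current_iterations):
        return True, hash_password(password, current_iterations)
    return True, record
```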

Re:Pretty much the only good passwords are random (1)

silas_moeckel (234313) | about 5 months ago | (#45575037)

WTF brute force still? All password systems should enforce at least x failed attempts in y time lockouts if not requiring multiple things (time+seed based passwords are trivial with everybody having a smartphone). If they have the hashes and salts you're pretty much damned anyways.
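The "x failed attempts in y time" lockout this post asks for, together with the wait-between-attempts behaviour east coast describes above, as an added example that belongs to neither poster. Thresholds are assumed values, and the clock is injectable so the behaviour can be exercised without sleeping.

```python
import time
from collections import deque


class FailedLoginGuard:
    """Sliding-window lockout plus exponential back-off, keyed by account name."""

    def __init__(self, max_failures=5, window_s=300.0, lockout_s=240.0,
                 max_delay_s=30.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        # Four minutes: long enough to break an online guesser, short enough
        # that a user who fat-fingered the password is not stranded.
        self.lockout_s = lockout_s
        self.max_delay_s = max_delay_s
        self.clock = clock
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time the lock expires

    def _recent_failures(self, account, now):
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window_s:
            q.popleft()  # failures older than the window no longer count
        return q

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[account]
            return False
        return True

    def retry_delay_s(self, account):
        """Seconds the caller should make the client wait: 0 after a success,
        then 1, 2, 4, ... per recent failure, capped at max_delay_s."""
        n = len(self._recent_failures(account, self.clock()))
        if n == 0:
            return 0.0
        return float(min(self.max_delay_s, 2 ** (n - 1)))

    def record_failure(self, account):
        """Return True if this failure crossed the threshold and locked the account."""
        now = self.clock()
        q = self._recent_failures(account, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def check_login(guard, account, password, verify):
    """Gate a credential check with the guard.

    verify(account, password) -> bool is supplied by the application. The
    (ok, reason) result lets the caller log lockouts as a detection signal.
    """
    if guard.is_locked(account):
        return False, "locked"
    if verify(account, password):
        guard.record_success(account)
        return True, "ok"
    if guard.record_failure(account):
        return False, "locked"
    return False, "bad-password"
```

The lockout event is worth alerting on in its own right: a burst of lockouts across many accounts in a short window is the signature of an online guessing run rather than a population of forgetful users.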

Re:Pretty much the only good passwords are random (1)

melikamp (631205) | about 5 months ago | (#45575205)

This. But the problem, as I see it, is not with people designing poor passwords. The password authentication itself is the problem. One basic issue is that passwords, ostensibly, authenticate a person, but in practice they do not. It is the computer that gets the direct access, not a person, so we could as well be consistent and have a procedure designed to authenticate a person+computer pair. And that leads us to a much more secure way to authenticate: using the strong encryption, either symmetric or asymmetric. Arguably, this is also easier on the human user! Instead of remembering hundreds of weak passwords, many of which are identical, one can simply outsource this whole thing to a piece of trusted, secure hardware. Let the computer generate and remember the public/private key pairs (asymmetric) and the shared secrets (symmetric), and to use them automagically. Given a properly secured cyber-brain (a private, wearable computer with absolutely no remote control of any kind), stealing the keys remotely is impossible, even if they are kept unencrypted. The only practical way to get them is to steal the actual hardware, which is prohibitively expensive for most kinds of illegal activities.

The biggest benefit to the user, IMHO, is the simplicity of the security protocol. Keep your cyber-brain and its backups physically secure. End of story. Even the dumbest of people can do this much for their wallets today.

What about red headed women with beards? (3, Funny)

toonces33 (841696) | about 5 months ago | (#45574661)

What is the quality of the password then?

Re:What about red headed women with beards? (0)

Anonymous Coward | about 5 months ago | (#45574729)

Gingerchaps?

Re:What about red headed women with beards? (0)

Anonymous Coward | about 5 months ago | (#45574893)

I'll have you know that my mom picks great passwords.

Fixation on pass'words'. (2)

Junta (36770) | about 5 months ago | (#45574681)

As a very well known xkcd points out, a great deal of the problem could be averted if people were encouraged to use long passphrases with spaces and everything rather than a pass'word'. Password as a concept was good enough for the time of its popularity, to defend against people typing their way into someone else's account. When the model fell apart in a world with much more automation and network connectivity, the 'fix' was 'keep length about the same, but toss some numbers and maybe some punctuation in there'.

The madness comes in when a great deal of the sites I visit put a 12 character *maximum* on a password for their site.

My personal strategy: base64.b64encode(os.urandom(12)) for every site and store the values on a couple of my devices with a phrase that is about 32 characters long (but easy for me to remember and easy to type). Hashing a master key with the domain to generate passwords like some chrome and firefox plugins (password hasher) can do is similarly nice without having to worry that you won't have access to the copy of the database. Of course, the annoying thing is my 16 random numbers and letters frequently fail the 'complexity' check and I have to add some punctuation character to it.
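Both strategies from the post above, as an added example rather than Junta's own tooling: random_site_password() is the base64.b64encode(os.urandom(12)) approach, and derive_site_password() is the "hash a master key with the domain" approach, with a deterministic fix-up for the complexity checks the post complains about. The salt prefix, iteration count, symbol set and domain normalisation rules are assumptions of this example.

```python
import base64
import hashlib
import os
import string

SYMBOLS = "!@#$%^&*?"
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)


def random_site_password(n_bytes=12):
    """12 random bytes -> 16 base64 characters: roughly 96 bits of entropy per site."""
    return base64.b64encode(os.urandom(n_bytes)).decode("ascii")


def normalize_domain(domain):
    """Make 'https://www.Example.com:8443/login' and 'example.com' derive the same
    password; otherwise the user gets a different result depending on how they typed it."""
    d = domain.strip().lower()
    if "://" in d:
        d = d.split("://", 1)[1]
    d = d.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    if d.startswith("www."):
        d = d[4:]
    return d


def derive_site_password(master, domain, length=16, iterations=200_000,
                         enforce_classes=True):
    """Per-site password = base64(PBKDF2(master, salt=domain)).

    Nothing is stored, so there is no database to lose or to sync. The slow KDF
    matters: a leaked site password must not cheaply reveal the master phrase.
    """
    if not 4 <= length <= 43:  # 32-byte key -> 43 base64 characters without padding
        raise ValueError("length must be between 4 and 43")
    site = normalize_domain(domain)
    salt = b"site-password-v1:" + site.encode("utf-8")  # assumed version label
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    password = base64.b64encode(key).decode("ascii").rstrip("=")[:length]
    if enforce_classes:
        password = _ensure_classes(password, key)
    return password


def _ensure_classes(password, key):
    """Overwrite the first four positions with one character from each class,
    chosen from the derived key bytes so the result stays reproducible."""
    chars = list(password)
    for i, alphabet in enumerate(CLASSES):
        chars[i] = alphabet[key[-1 - i] % len(alphabet)]
    return "".join(chars)


def meets_policy(password):
    """The 'one upper, one lower, one digit, one symbol' check the post keeps failing."""
    return all(any(c in alphabet for c in password) for alphabet in CLASSES)
```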

Re:Fixation on pass'words'. (1)

sjwt (161428) | about 5 months ago | (#45574807)

I was somewhere the other day that needed at least one Upper Case, one Lowercase, one Number and a symbol. Not too bad, except they also limited you to 6 chr only.

Re:Fixation on pass'words'. (1)

bill_mcgonigle (4333) | about 5 months ago | (#45574851)

Not too bad, except they also limited you to 6 chr only.

How nice of them to completely reduce the complexity space of the 6-character search!

We needed a study for this?!? (4, Insightful)

tiberus (258517) | about 5 months ago | (#45574687)

Please tell me no one is surprised by the general conclusion (haven't we been here a time or ten before?) of these studies. Add to this the corporate or government attitude demonstrated so equivalently here [xkcd.com] , the lack of effective computer security training, including a complete failing of organizations to have or heaven forbid enforce policies about password practices and you've got a pretty pickle.

Sadly, it took the recent Adobe compromise to get me to finally start using a password wallet and use different passwords for each Internet service I use. Have to admit I was stunned by the number of accounts I had when I got through most of the sites I access.

After hearing a few disturbing stories from my wife, about how computer security and passwords are treated at her place of work, I stepped up my training for her and her co-workers that will listen. Based on what I've heard from her the choice of poor passwords is the least of our troubles.

  • Passwords on sticky notes on monitors.
  • Passwords shared with co-workers, that have not been granted access.
  • System does not require default password to be changed.
  • Default password is a known pattern.
  • Techs routinely ask users for passwords
  • Co-workers say, "Just give them your password".
  • And so on . . .

Unless the underlying problem of poor culture surrounding computer security is changed and an understanding of the associated risks is cultivated, it won't matter one whip whether users can choose "Good Passwords TM".

Re:We needed a study for this?!? (0)

Anonymous Coward | about 5 months ago | (#45574771)

Passwords on sticky notes on monitors.

While I wouldn't do this for a password at work, since you can't control the space, passwords on a sticky note are not a bad thing. By the time someone has physical access to your machine, they have access to your passwords, pure and simple.

Re:We needed a study for this?!? (3, Insightful)

ccguy (1116865) | about 5 months ago | (#45575223)

complete failing of organizations to have or heaven forbid enforce policies about password practices

Most of the time the problem is the opposite. Absurd policies and a delusion of the password being important to the user. And lately, the retarded concept of the security questions that the user cannot choose (or can choose from a set or around the same 10 in every site).

For like 95% of the sites I don't give a shit if my account if hacked. I use the same password for most of those sites (if they are too retarded with requirements I might add a few 0s or #s at the end). If you make me change the password even if once a year then I'm not going back to your site because I don't care much about it in the first place. So I'll forget the new password.

- Passwords on sticky notes on monitors.
- Passwords shared with co-workers, that have not been granted access.
- System does not require default password to be changed.

None of these are user problems. They are system design problems which I can translate to this:

- They make me change the password every 90 days, so I have to write it down.
- Danny needs to access credit card information because it's part of his job to do refunds but they won't give him access because for some reason that also means they have to give him access to XXX (they have one permission for two things) so I have to type my password at his terminal 10 a day. I cannot be interrupted that much, or I might not be around, etc, so I just let him use my password.
- My sysadmin uses the same default password for everyone.

up to 80% of choices... (1)

Anonymous Coward | about 5 months ago | (#45574715)

" up to 80% of choices come from just 100 different numbers."

It gets worse, as 100% of those are chosen from just 10 numerals.

Meaning (2)

gmuslera (3436) | about 5 months ago | (#45574717)

If we start with the assumption that passwords must be memorized somewhat, we are better at remembering things with an attached meaning than something random, and those meanings usually make bad passwords. But, we don't need to remember all passwords, there are password managers for making and storing a bunch of meaningless, secure passwords, and for the keys you must remember (the password manager one at the very least) there are some mnemonic tricks [xkcd.com] that can help to have safe enough passwords.

...really? (2)

Seta (934439) | about 5 months ago | (#45574727)

Must be an idle day at the BBC. A couple paragraphs of statistical wank about physical attributes seeming to correlate with password quality. Then a rehash of old news about bad passwords being easy to crack. My hair is unkempt and I have a 62 character password encompassing a good chunk of ASCII printable characters. Bring on the "compensating for something" jokes. ;)

Re:...really? (1)

camperdave (969942) | about 5 months ago | (#45575123)

My hair is unkempt and I have a 62 character password encompassing a good chunk of ASCII printable characters. Bring on the "compensating for something" jokes. ;)

Okay... 62 character password? Are you compensating for not being ginger [youtube.com] ?

I guess I should shave. (0, Funny)

Anonymous Coward | about 5 months ago | (#45574733)

I am going to shave, so my passwords get better.

PI-N? (0)

Anonymous Coward | about 5 months ago | (#45574743)

Okay, how many of you use the digits of pi when you have to pick your own PIN?

People are taught wrong (4, Interesting)

Archangel Michael (180766) | about 5 months ago | (#45574749)

On passwords, what was once thought to be good password security is no longer true. The length of a password matters more than diversity and given the right instructions, can be much easier to remember than complex passwords.

My current suggestion for passwords is this: Pick three (or more) random words. mongoose, screwdriver, automobile. Now you have a password you can remember, but is very hard for a computer to "crack" and you only have to remember three things, as opposed to memorizing eight (or more) things that don't make any sense.

And, to make it unique for each System you log in to, add in the name: Amazon Mongoose Screwdriver Automobile, or Ebay or whatever.

Posted password lists.. (1)

sjwt (161428) | about 5 months ago | (#45574765)

I love them.. I trawl through them laughing at the passwords on them, at least so far as mine have never shown or close variants of them.

We live in a post-password world (0)

Anonymous Coward | about 5 months ago | (#45574775)

It's long been known that using a password is insecure and dangerous. Public key authentication is the bare minimum I'd accept these days.

Make passwords visible (0)

Anonymous Coward | about 5 months ago | (#45574791)

My problem is being able to correctly type long character strings containing caps and special characters without visual feedback.
I could make my passwords much longer if I could see them as I type them.

weak, because they don't care (3)

jessepdx (1207628) | about 5 months ago | (#45574811)

there are a lot of sites, that require setting up an account, i could care less about. i use a junk email account and a simple junk password. those accounts, if they are hacked, won't give you any useful information to get into another site's account that i do care about. i think many people do the same. those junk sites also get hacked and the stolen lists get published. then the appalling headlines stating "OMG these passwords are so easy!!!" get published... so what...

Who works for whom? (5, Insightful)

mcmonkey (96054) | about 5 months ago | (#45574821)

"people are lousy at picking good passwords"

This begs the question. There is some reasonable expectation that people should learn to properly use the tools of modern society, but in the end, the tools should serve the people, not the other way around. If your car pulled to the left, would you say you were lousy at driving in a straight line? No, you'd say your car was out of alignment and get it fixed.

A password is something we're expected to remember, but we're wrong to pick words or numbers that might be easy to remember, such as familiar names or dates. Even if you say pick a system of choosing passwords to remember rather than an individual password, that's impossible. Every different system and site has different password requirements, so no single easy to remember system will work for all of them.

"You have to remember we are all human and we all make mistakes"

Yes, and Mr Thorsheim's mistake is assuming the issue is with the people who are using the system and not the people designing the system. The truth is,

"password systems are lousy at serving people."

(as an aside, WTF is up with systems that do not allow special characters in passwords? Are they worried about SQL injection? If that's possible from a password field, the system is FUBAR.)

10,000 pins? (1)

damn_registrars (1103043) | about 5 months ago | (#45574827)

I would hope the list of allowable PINs is shorter than that. The 10 possibilities with the same number repeated all the way through should be disallowed (and usually are), as well as 1234, 4321, and anything else with four consecutive digits. While taking those 24 possibilities out doesn't dramatically reduce the number of possible PINs (only 2.4% reduction) it is still a list of less than 10,000.
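The denylist described in this comment (all-same-digit PINs plus ascending and descending runs of adjacent digits), written out as an added example so the exact size of the reduced PIN space can be checked; this is constructed code, not from the commenter or any bank's policy, and it assumes "consecutive" means runs without wrap-around (so 7890 is not excluded).

```python
def consecutive_runs(length=4):
    """All ascending and descending runs of adjacent digits of the given
    length, e.g. 0123 ... 6789 and 3210 ... 9876 (no wrap-around)."""
    runs = set()
    for start in range(0, 10 - length + 1):
        ascending = "".join(str(start + i) for i in range(length))
        runs.add(ascending)
        runs.add(ascending[::-1])  # the descending counterpart
    return runs


def weak_pins(length=4):
    """The denylist: same digit repeated, plus every consecutive run."""
    repeated = {str(d) * length for d in range(10)}
    return repeated | consecutive_runs(length)


def is_allowed(pin, length=4):
    """Policy check: well-formed numeric PIN of the right length that is
    not on the denylist."""
    return pin.isdigit() and len(pin) == length and pin not in weak_pins(length)


def allowed_count(length=4):
    """How many PINs survive the denylist (10^length minus the list)."""
    return 10 ** length - len(weak_pins(length))


def reduction_percent(length=4):
    """Share of the full space removed by the denylist, in percent."""
    return 100.0 * len(weak_pins(length)) / 10 ** length


if __name__ == "__main__":
    print(sorted(weak_pins()))
    print(allowed_count(), "PINs allowed;", reduction_percent(), "% removed")
```

Running it shows the denylist holds exactly 24 four-digit PINs (10 repeated plus 7 ascending and 7 descending runs), leaving 9,976 of the 10,000.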

Re:10,000 pins? (2)

Qzukk (229616) | about 5 months ago | (#45574969)

The 10 possibilities with the same number repeated all the way through should be disallowed

If it's good enough for nuclear launch code, it's good enough for my bank card!

keepassx is the way to go (1)

Anonymous Coward | about 5 months ago | (#45574837)

Humans are no good at generating passwords. That is just a fact. The best option is to use a password generator and to change the passwords often. I started using keepassx a couple of years ago and I have never looked back.

Re:keepassx is the way to go (1)

aaarrrgggh (9205) | about 5 months ago | (#45575231)

It will always be easier for a computer to evaluate likely passwords that a human would create than for the human to come up with an algorithm that the computer would not anticipate. Password generators eliminate this break point, but create a new weak point in that the password must be stored somewhere other than memory.

My wife might do a great job of creating passwords, but if they are stored in an unencrypted and unobscured place then they aren't necessarily more secure.

Say what? (1)

BringsApples (3418089) | about 5 months ago | (#45574841)

I have a really really good password that I use to get into my server at home. All other passwords are for random sites (like slashdot) and I use a very simple password for them. Does this make me 'bad at picking passwords', or do I simply not care if someone hijacks my slashdot account, ruining my excellent karma?

A good password is one that you don't mentally consider a word or string of words, as much as it is a dance that you do with your hands and fingers, really really fast.

Re:Say what? (1)

mcmonkey (96054) | about 5 months ago | (#45574907)

A good password is one that you don't mentally consider a word or string of words, as much as it is a dance that you do with your hands and fingers, really really fast.

On that note, non-printing characters should be allowed as part of a password. E.g. "12345" is a bad password. But why shouldn't we be able to use "12356[backspace][backspace]45"?

Statistic studies also suggest... (0)

Anonymous Coward | about 5 months ago | (#45574887)

... That the average inhabitant of the galaxy has 2.4 legs and owns a hyena, right?

My Password solution (4, Funny)

OzPeter (195038) | about 5 months ago | (#45574905)

I use regexes related to the site name/function. (*)

Now the hackers have two problems when they want to break into my account!

* Actually, I do incorporate regex-like strings.

Re:My Password solution (0)

Anonymous Coward | about 5 months ago | (#45575019)

You've already reduced the search space. Your password always starts with a ^ and ends with a $. In fact, I am guessing it is
^.*$

Why isn't this taught in school? (0)

Anonymous Coward | about 5 months ago | (#45574949)

Any grade school education in a developed country ought to include at least a couple of hours on computer security, including how to pick a good passphrase. Everyone doesn't need to learn information theory and complexity theory, but teaching kids that passwords have different amounts of entropy depending on how they are chosen, and which level of entropy you need in order to be safe against various types of attacks, should definitely be possible. Roughly 10 bits for every word chosen at random from a list of 1000 different words. Roughly 80 bits needed for protection against most hackers. 8 words needed. Here's a card of printed words and a die. If they can learn history and biology they can learn this.
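The arithmetic in this comment, carried through as an added example (not the commenter's code): entropy per word is log2 of the list size, words needed for a target is the ceiling of the ratio, and word selection is done with dice-style rolls driven by the OS CSPRNG, rejecting out-of-range rolls so every word stays equally likely. The 1000-entry word list is a constructed placeholder, not a real Diceware list.

```python
import math
import secrets

# Constructed stand-in for a printed card of 1000 words (placeholder entries).
WORDLIST = [f"word{i:03d}" for i in range(1000)]


def entropy_bits(num_words, list_size):
    """Entropy of num_words words drawn uniformly and independently from a
    list of list_size entries: each word contributes log2(list_size) bits."""
    return num_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def pick_by_dice(wordlist, sides=6):
    """Choose one word by rolling enough dice to index the whole list.
    Rolls that land past the end are discarded and redone, which keeps the
    selection uniform instead of biasing toward low indices."""
    rolls = math.ceil(math.log(len(wordlist), sides))  # d6 rolls per word
    while True:
        index = 0
        for _ in range(rolls):
            index = index * sides + secrets.randbelow(sides)  # CSPRNG "die"
        if index < len(wordlist):
            return wordlist[index]


def generate_passphrase(target_bits, wordlist):
    """Return (passphrase, entropy_bits) meeting the target for this list."""
    n = words_needed(target_bits, len(wordlist))
    words = [pick_by_dice(wordlist) for _ in range(n)]
    return " ".join(words), entropy_bits(n, len(wordlist))


if __name__ == "__main__":
    phrase, bits = generate_passphrase(80, WORDLIST)
    print(phrase)
    print(f"{bits:.1f} bits from {len(phrase.split())} words")
```

With exactly 1000 words each word is worth about 9.97 bits, so 8 words give 79.7 bits and reaching a strict 80 takes 9; a 1024-word list makes the round figure of 10 bits per word and 8 words exact.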

Good passwords (0)

Anonymous Coward | about 5 months ago | (#45574955)

Are so good that they cannot be remembered, and need to be stored, and then they are not passwords but tokens (something you have, not something you know). And then they become like keys that they give you for your house or car or your workplace. I understand why passwords came to be used on computers when hardware and software were much more limited, but in 2013 and beyond it would seem like a more reasonable approach would be to use a simple hardware solution via USB and replicate the data. But then nobody would trust the replication people, so we end up with passwords that cannot be remembered which become keys which are not replicated.

I got a new job some time ago, and they don't believe in single sign-on or even using one password for common users (i.e., root), and it's a PITA to have to copy/paste from a password list all day long. I don't know my passwords anymore and don't even try to remember them.

Any password can be hacked... (0)

Anonymous Coward | about 5 months ago | (#45574989)

The only thing that is important is that your password cannot be guessed. Using highly complex cipher algorithms to create overly complex strings of letters/numbers/symbols is a waste of time. Just come up with something that isn't in a dictionary and is reasonable in length. Depending on how much I care about the security of an online account I use 1 of 6 different passwords, ranging from 5 characters (made-up/non-dictionary word) to a 12-character string of numbers/letters/symbols that is easy to remember (it's kind of a phrase but non-dictionary). Never been hacked in over 20 years of using the same passwords. The only passwords I ever bother to modify over time are the ones for my checking account and email account, since those are the only 2 that could have a direct impact on my life. If someone stole my credit card info I couldn't care less, but if someone drained my checking account, that would be a major nuisance.

Why do I need to remember passwords? (1)

ISoldat53 (977164) | about 5 months ago | (#45575155)

Why can't my home computer manage passwords? Seems like it's smart enough to generate a password, pass it to the secure site, then at log off generate another password, pass it to the site and then log off. Let the computers handle the task. Then have one master password or some other technique to log onto the computer that can only be used from the keyboard.

How are these studies made? (0)

flyingfisch (3406027) | about 5 months ago | (#45575161)

How do you get a bunch of people to give you their passwords? Sounds like someone has set up a scam site that doesn't hash passwords.... I wonder if we should trust people like that?

Re:How are these studies made? (0)

Anonymous Coward | about 5 months ago | (#45575199)

From TFA:

Adobe, LinkedIn and game website RockYou have all been hit in breaches that involved the theft of login names and passwords. Add to this the steady drip of security breaches at other firms and you have a vast corpus of data that can shed light on what passwords people pick.

1Password (2)

ilsaloving (1534307) | about 5 months ago | (#45575187)

Every time I see articles like this, I feel compelled to bring up the solution I'm using, which is (so far) the single best solution I have been able to find.

It's called 1Password. Runs on Mac, Windows, Linux (read only I think), iOS, Android, and has plugins for all major browsers.

It records your login details for you, has a password generator that you can customize in various ways, and stores an AES encrypted archive on dropbox so that all your devices can sync together.

Now I can safely create new logins everywhere with abandon, because I'm not afraid that if one service is compromised (*cough*Adobe*cough*) something else is at risk.
It can generate passwords up to 50 characters in length with your choice of number of digits and symbols. It can even make easily pronounceable passwords if you need, and avoid ambiguous characters (e.g. O (oh) and 0 (zero)).

It's a little pricey, but IMO it's worth every penny because there is no other product out there that is this easy to use, AND supports so many platforms all at once.

hmm (1)

nomadic (141991) | about 5 months ago | (#45575219)

I also blame sysadmins who frequently don't understand that security is contextual; you do not need the same level of password complexity for a gardening forum or slashdot that you need for your bank account. But you still see ridiculous requirements for low-security sites.