Giving Up Passwords For Chocolate 710
RonnyJ writes "The BBC is reporting that, according to a recent survey, more than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate. Over a third of the people surveyed even gave out their password without having to be bribed, and most indicated that they were fed up with having to use passwords."
I'd give up mine for sex! (Score:5, Funny)
Re:I'd give up mine for sex! (Score:3, Funny)
Hey! That's my password for my root account too. (Except I don't have spaces.)
No-one has cracked my computer yet, so I know it must be a good password.
I'm not sure whether (Score:5, Funny)
The second one might not be so pleasant.
Still, it's probably better than being an OpenBSD hacker and having never been rooted at all.
(and please don't mod up the karma whore who follows this going "don't stereotype geeks waa waa waa" it's a joke...laugh)
Re:I'm not sure whether (Score:5, Funny)
Re:I'd give up mine for sex! (Score:5, Funny)
Our new tablet PCs have card readers. When I worked at a Fortune 70, we found that no employee over Sr Manager level could remember a password, even if written down where they could see it. So what do you do? We just gave them a blank password. Now they could do emails and spreadsheets but not passwords.
Go figure.
Re:I'd give up mine for sex! (Score:4, Funny)
Re:I'd give up mine for sex! (Score:5, Interesting)
-B
Re:I'd give up mine for sex! (Score:5, Funny)
IANAFB (Fraternity Brother)
Re:I'd give up mine for sex! (Score:5, Funny)
Re:I'd give up mine for sex! (Score:5, Funny)
Re:I'd give up mine for sex! (Score:5, Funny)
Re:I'd give up mine for sex! (Score:5, Funny)
I worked for a small privately-held HR-and-Admin services firm, and the head honcho managed to lock himself out on a regular basis...despite the fact that his password was his flipping first name with a 1 at the end.
I never did have the guts to "hint" him with, "What's your first name, Sir? Then put your I.Q. at the end. No, not your shoe size. Your I.Q. It's gotta be one digit..."
Oh well. I had a great supervisor and I learned a lot.
GTRacer
- It's not me
Re:I'd give up mine for sex! (Score:3, Informative)
Fraternity secrets would involve the procedure of becoming a member, the rituals of the house, etc. Some houses are more secretive than others.
Watch Animal House or any other fraternity movie to get the general idea.
Re:I'd give up mine for sex! (Score:5, Funny)
just like the old commercials... (Score:3, Funny)
*shakes head in shame*
e.
Passwords and memory (Score:5, Interesting)
It takes less than 5 minutes to remember a new sequence, just by typing it lots of times, and I find that if I *do* forget one from (say) 6 months ago, if I put my fingers through the first 1 or 2 chars, I get the whole sequence back... Holographic memory at its best
I've found this works much better for me than what I used to do (take 2 words, reverse them, catenate them, and take the central 8 chars) - the recovery of "forgotten" passwords is much easier when I let my fingers "remember" what to do... It also allows me to give clients obviously hard-to-forge passwords and easily use them
Simon
Re:Passwords and memory (Score:5, Interesting)
I have a 6 alpha char, but not-so-secret (public), password I use for all my low-risk passwords. Then I have another simple 8 alpha-num, but secret, password for all my secure sites (like Slashdot).
For high-security (Banking/root/PGP) I use a 13 character randomly generated password or two.
I would give out my not-so-secret one to anyone who dares ask, and my 8 char one for an Aero milk bar...
Slashdot's a secure site? (Score:5, Funny)
Re:Passwords and memory (Score:5, Interesting)
I go a little further than this:
Additionally, every 6 months or so I create (using a random password generator) a new password, which becomes my systems password. My systems password becomes my financial password, my financial password becomes my need-to-keep secure, and so on down...
Works for me...
Re:Passwords and memory (Score:3, Interesting)
Re:Passwords and memory (Score:5, Funny)
Low security Internet (slashdot/monster/..etc..)
one for home (12 random key strokes)
one for finance (another 12 random key strokes)
and one for work....my one for work is "password"
any one care to guess how much I like my job?
Re:Passwords and memory (Score:5, Insightful)
The key is to make them memorable, pronounceable non-words. You can do this using passwdgen on linux. Just set it to the number of characters, add the "pronounceable" switch and - optionally - the "non alphanumeric characters" switch and you'll have something that is very secure yet easy for YOU to recall.
Further, what a bunch of whiny fucks. "Boo hoo, I have to use passwords. Boo hoo, I have to use a key to open my car door, house, bank deposit box, home safety, glove compartment, trunk. Boo hoo, I have to turn the knobs on doors and open them before walking into a building or home or car."
Come on people.
Re:Passwords and memory (Score:3, Informative)
Reading a lot of science-fiction and fantasy books also helps much - especially when you can read them in some non-Western language. "Rohan" or "Alderan" will be too obvious, but "BalduryiBadubiny" won't be that easy to crack by brute force - while it's very easy to memorize (and pronounce!) if you can read Stanislaw Lem in Polish.
Re:Passwords and memory (Score:5, Insightful)
As we learned in Econ 101, it probably comes down to value. Most people do not ascribe value to computer security; they see it as "something the IT guys make us do." Example: walk into any small shop and check out their security. It has been my experience that all passwords are taped to the monitor more times than not, or you can just ask the admin for them.
On the other hand, people ascribe much more value to the security of their home and/or car.
Re:Passwords and memory (Score:3, Funny)
yes for me too! for example - my name is Rick, so my password is rICK. or RiCk or rick.
it is very easy to remember, and, when someone asks me for my password, I just tell em what it is! I don't have to put it on a piece of paper or nothing.
Re:Passwords and memory (Score:5, Insightful)
True, but does turning a key force you to remember a complex stored memory? Nope.
Re:Passwords and memory (Score:5, Funny)
Finding my keys does...
Re:Passwords and memory (Score:5, Informative)
http://sourceforge.net/projects/passwordsafe/
Re:Passwords and memory (Score:5, Funny)
I just changed all my passwords to 'passwordsafe'. They seem to work just as well as all those hard-to-remember passwords I had before. That is what you meant, isn't it?
Re:Passwords and memory (Score:4, Interesting)
No guarantees as to how secure it is. So far I haven't found any problems with it.
Re:Passwords and memory (Score:5, Interesting)
I couldn't have told them my care-about passwords anyway though - I don't remember them, I just remember how to type them in.
I do the same thing. I base my passwords on a pattern of keys on the keyboard. I was haplessly surprised earlier this year while I was on vacation in Europe, when I realized that the keyboard on the hotel terminal had a different key mapping than the one I based my password on! :-( It took me several minutes just to remember what all the keys would have been on a US keyboard and then alter my pattern just to be able to type in my password...
Yes, I know I probably could have changed the key mapping in the operating system, but it was a Windows machine, and I only know how to use xmodmap.
Re:Passwords and memory (Score:3, Interesting)
Now I use the split as an extra piece of information in the pattern, makes it a nonsense pattern on a normal keyboard.
Doug
Re:Passwords and memory (Score:3, Funny)
All this by showing half an interest and sounding like you know what you're talking about. But then, maybe the IT department here is useless.
Dude, show competence like that and you'll be drafted into the IT department and then you'll really be sorry.
Also over 30% will just tell you..... (Score:3, Interesting)
Troc
Re:Also over 30% will just tell you..... (Score:5, Interesting)
They should have tried doing the survey by knocking on people's front doors and asking them. I bet significantly less people would tell them then, because they would realise there was a much greater chance that the divulged information could actually be used.
I am sure that somewhere in my town, there is a computer with the Windows login "Administrator", with password set to "password". Now in order for that information to be useful I still need to find that computer. (The only likely way is brute force scanning, which, by extension could be applied to the password cracking anyway.)
Clearly, if the attacker was more malicious and started following you, etc they could get this information. However, most people will assume that no one else actually has a major reason to be interested in their PC or indeed downloading their pr0n collection. This is part of the reason why Joe Public does have such strong feelings about spyware as the average slashdotter.
Wait a minute (Score:5, Insightful)
So people can just make it up.
Yes Mr "Researcher" if offered chocolate 79% of people can think of a random word.
Big deal,
John.
Re:Wait a minute (Score:5, Insightful)
Depends what type of password they're asking for. I can imagine my boss giving up some of his real passwords for a bribe because he thinks "big deal... that one's not protecting anything sensitive anyway". Except, that comes down to him not understanding that whole "weakest link in the defenses" problem. Yea, maybe THAT password isn't, but what does that give a malicious user access to that could be abused elsewhere? What apps level attacks are we now vulnerable to? What databases could be stolen? Could the attacker now impersonate you to get more information from other people?
Management and business types, and of course home users, don't think security is a big complex model. They think "oh, we have a firewall... we're safe" and that's the end of it.
Re:Wait a minute (Score:3, Funny)
> don't think security is a big complex model. They think
> "oh, we have a firewall... we're safe" and that's the end of it.
I am a management type [electric-cloud.com], you insensitive clod
John.
Re:Wait a minute (Score:5, Interesting)
There's a difference between having a sysadmin that's insane and having one that understands reasonable protections based on the content being protected and the overall position of the system in question. If a single compromise could result in a $200 million dollar loss of sensitive information, maybe forcing people who access that info to use a 12 character password that's not vulnerable to a dictionary attack isn't such a bad idea, hmm?
Yet, I see it all the time: some stupid suit thinks they know better and wants to be exempt from the policy. Dysfunction exists at every level, but when it runs rampant in people with authority, you have a real problem. What amazes me is that the excuse from these boneheads is always the same when something goes wrong: "well, I'm a MANAGER, I handle BUSINESS DECISIONS. You don't expect me to understand your technical mumbo jumbo, do you!?"
Uh, no dumbass.... I expect you to sit back, STFU, and let me do my job. You HIRED me to do this so you didn't HAVE to understand the technical mumbo jumbo... remember?
I'm sure not all management is like this, but from my vantage point, most of it is. It's so much easier for them to point fingers after the shit hits the fan than it is to sit down and work with the technical people from the start, I suppose. This whole story is probably a good example of that. I tried to get these bozos to pay for some of our front line people to take classes on preventing social engineering attacks. Something like 90 people would have been enrolled to the tune of $25K. They refused. So, to make my point, I told my buddy to get into the veeps office. Sure as all hell, he did it without raising any eyebrows... they thought it was a "cute trick" and still didn't sign anyone onto the class because they don't think anyone would ever try it with us. I then tried to point out that while WE might not have anything particularly valuable, we do act as interface to a much larger International that DOES have a lot of valuable assets that competitors and crooks would love.. no dice. Idiots, says I. Idiots. They hire people to do things they don't understand, then tell them how to do it anyway. That's like hiring a builder to build your house, then hanging over them all the time and telling them they're doing it wrong.
Re:Wait a minute (Score:5, Interesting)
Sadly, I doubt they will ever realise how worthless their surveys are, after all the NYT still hasn't got the message after about a billion fake login names.
Pork Rinds! (Score:5, Funny)
This doesn't surprise me at all... (Score:5, Funny)
Punk: Okay, you say you can't get the NVidia card to work in Red Hat. Let's go to the NVidia site and download--
Dude: My root password is money45!
Punk: [dope smack] NEVER DO THAT AGAIN!
Even back in the days I did call support for an ISP, sometimes I'd just ask their login name and they'd just blurt out, "My login is sueray22 and my password is newyork!"
Re:This doesn't surprise me at all... (Score:5, Interesting)
Even back in the days I did call support for an ISP, sometimes I'd just ask their login name and they'd just blurt out...
My ISP always asks me what my password is. I've explained to them many times that it gets people into a bad habit and that I have to repeatedly tell my end users to NEVER give out passwords to anyone, even me. After several times, they finally said, "I'll make a note in your account to not ask for your password."
Idiots.
Re:This doesn't surprise me at all... (Score:4, Informative)
Re:This doesn't surprise me at all... (Score:3, Insightful)
Recently I've been asked by "tech support" for some stupid websites for my username AND password. Does someone here know a site that explains the CONs about this?
One holds my employee's salaries and such. I'm perfectly happy that the support people can access that if they need to. The system can then log "helpdesk-Tom" accessed XYZ's f
Re:This doesn't surprise me at all... (Score:3, Interesting)
Same goes for people who open virus e-mails. For some reason, after I help people, they tend to stop doing stupid crap like that on my network. I gu
Re:This doesn't surprise me at all... (Score:4, Insightful)
If you worked for me, you would not get an opportunity to do this a second time. Sanctioning the offender is fine, but costing the company 5 months worth of work is not.
Re:This doesn't surprise me at all... (Score:5, Funny)
Me: Now I need you to log in, please, using your account and password.
They: OK, that's M459465, uhh... k-e-v-i-n-2-1. There. I'm in!
Me: sigh.
Re:This doesn't surprise me at all... (Score:5, Funny)
First thing he did was accidentally posting his root-pw in an IRC channel with 2600 users. Damn fine password it was =)
Uh ... yeah I'll tell you my password. (Score:5, Funny)
Oh, wait. You wanted my REAL password? Well, that'll cost you another chocolate bar. Of course I'll give you my real password this time. Would I lie to you?
A big problem... (Score:5, Informative)
...at many of the places I've worked at is that the users have as many as a dozen passwords to remember for different systems, and each one expires at a different time and has different rules for how long and complex it has to be.
Most of them keep their passwords written down on a sheet of paper right on their desk.
Re:A big problem... (Score:5, Insightful)
The problem is, the vast majority of people who work here are either academic researchers, who are used to open collaborative discussion and find passwords inherently distasteful, or administrative workers, who, while they may be very dedicated civil servants, find the different password systems for email, LAN logon, timesheets, billing, contracts, grants, etc., to be tedious at best and bewildering at worst. Since they are not allowed to have the same universal password, for obvious security reasons, nor is that password allowed to be a recognizable English phrase, they have a great deal of difficulty memorizing each one.
Add in the fact that each password must be changed every six months at a minimum (monthly for some systems) and that passwords cannot be repeated for five cycles, and that's as many as fifty or so passwords over the course of a year for some administrative officers. That's a lot to ask, even for someone with a technically-oriented mindset.
Recognizing that writing them in a booklet next to the desk- or lap-top is a problem, many offices have taken to writing them down inside a lockbox.
Biometrics may help, but if our physical plant is any evidence, we'll be ten or so years behind the curve getting such systems installed.
Re:A big problem... (Score:3, Interesting)
And passwords, they have to be changed every month, however I know at least 4 other people's logins (by necessity, because I didn't have an account) and since you can't reuse any of your
Re:A big problem... (Score:3, Interesting)
which is why I think a standalone program that stores all these different passwords would be helpful. A program that uses tough encryption that d
Re:A big problem... (Score:3, Interesting)
So I see the password thing as similar. Keep them in your wallet
Re:A big problem... (Score:4, Insightful)
Re:A big problem... (Score:3, Insightful)
Usernames and passwords do nothing to authenticate someone. All they mean is that someone knows a username and password. Besides being a lousy way to authenticate somebody, passwords are a pain in the ass. Everybody has different rules for having a "good password", they expire at different times, and it seems as though every website now requires a username and password to buy something.
does this surprise anyone? it's not a fingerprint! (Score:5, Insightful)
this, i think, is a big problem and the only way to solve it is to re-educate people for them to understand that such a password is important and should not be shared. clearly an alternate solution would be to install fingerprint scanners on all computers (a viable option in the future), but that would not help overcome the erroneous attitude towards computer security. in fact, such scanners would work well as again people are used to the fact that their fingerprint makes them unique and should not be "shared".
finally, this will be an important concern in the future: already we are able to shop online and the future where all transactions go via the internet is near. one account (a la
Re:does this surprise anyone? it's not a fingerpri (Score:4, Insightful)
Passwords are used in part because of history, but mostly because they work and can be changed.
"Sir, your bio-passport is invalid due to it being compromised. No, I'm sorry, sir, you cannot get a new one. No, not ever."
Sad but true... (Score:4, Insightful)
Comment removed (Score:5, Insightful)
Re:Break their fingers (Score:3, Informative)
Because of all the extra vulnerabilities it exposes. If a malicious attacker gains access to their account the number of ways they can try to get root privileges grows. There are quite a few root exploits you have to have an account on the system to use. Besides, the passwords are for their protection too, from things such as the E-mail to the user's boss you mention to losing personal information. (I've seen users who stored their credit card
Re:Break their fingers (Score:3, Insightful)
Ah, yet another nugget (Score:4, Funny)
really don't give a crap about anything past their next meal.
So, that's why admins are fat! (Score:5, Funny)
Secret tools of the hacker toolbox... (Score:5, Funny)
DSL......$20/month
nmap.....free.
Being pipped to the post by a reporter with a snickers bar.....Priceless.
There are some things even money can't buy, for everything else there's Masterfoods, Plc. [masterfoods.com]
this study.... (Score:5, Funny)
67 passwords (Score:4, Funny)
Kinda useless, if you ask me. I prefer to have 3-5 different passwords and use post-its attached to my monitor.
Some password advice ... (Score:5, Funny)
Bryan: "What's your password on this system?"
Tammy: "Uh
Bryan: "No, you can always call the help desk like you're supposed to, but I can't reset your password on this system."
Tammy: "Um
Bryan: "Considering your husband and I have the same initials I think I'll keep that one to myself. But in the future you might want to select a less
Re:Some password advice ... (Score:5, Funny)
Price has gone up, it used to be a cheap pen. (Score:3, Interesting)
"Workers are prepared to give away their passwords for a cheap pen, according to a somewhat unscientific - but still illuminating - survey published today."
Office workers give away passwords for a cheap pen [theregister.co.uk]
Anybody know the favourite chocky bar of....... (Score:3, Funny)
Any help will be gratefully received and results will be shared with all. Oh boy will they be shared........
Password Security (Score:5, Interesting)
By the way, it _is_ possible to come up with strong memorable passwords. Think of a phrase involving numbers and punctuation. Then translate it into a password by using the initials of the words (alternating capitalization), the numbers, and the punctuation. As an example, consider: "Don't forget 9/11/01!" That becomes dF91101! Research indicates the passwords generated by that algorithm are as strong as the randomly generated passwords some systems force onto users.
I also use a network password here at school that Windows can't handle. Basically, the network login script parsing on the machines used by students can't handle embedded punctuation, but my research machine is OK with it, so my network password is only usable from specific machines in secure areas. It's not perfect, but it reduces the exposure.
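An added illustration of the phrase-to-initials scheme in the post above (my code, not the poster's). The rules for digit groups, dropped in-word punctuation, the lowercase first initial and the character-class strength estimate are my assumptions, chosen so that the post's own example reproduces as dF91101!.

```python
import math
import string

# Trailing punctuation that survives into the password (assumed rule).
SENTENCE_PUNCT = set("!?.,;:")


def phrase_to_password(phrase: str) -> str:
    """Turn a memorable phrase into a password the way the post describes.

    Alphabetic words contribute their initial with alternating case (first one
    lowercase, so "Don't forget" -> "dF"); tokens containing digits contribute
    only their digits ("9/11/01!" -> "91101"); a trailing sentence punctuation
    mark on any token is kept ("!" stays). Apostrophes and slashes inside a
    token are dropped. These token rules are assumptions for this example.
    """
    out = []
    upper = False  # alternate case starting with lowercase
    for token in phrase.split():
        digits = "".join(ch for ch in token if ch.isdigit())
        if digits:
            out.append(digits)
        else:
            first = next((ch for ch in token if ch.isalpha()), None)
            if first is not None:
                out.append(first.upper() if upper else first.lower())
                upper = not upper
        if token[-1] in SENTENCE_PUNCT:
            out.append(token[-1])
    return "".join(out)


def charset_bits(password: str) -> float:
    """Upper bound on the guess space in bits.

    This models an attacker who knows nothing about the phrase scheme and has
    to try every string over the character classes the password uses. It is an
    optimistic figure: the post's claim that such passwords match random ones
    holds only against that kind of attacker, not one who guesses phrases.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII punctuation characters
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for phrase in ("Don't forget 9/11/01!", "Meet me at 5 o'clock, OK?"):
        pw = phrase_to_password(phrase)
        print(f"{phrase!r} -> {pw!r} ({charset_bits(pw):.1f} bits, class-based bound)")
```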
This is news? (Score:5, Insightful)
As Ben Franklin would put it... (Score:5, Funny)
Extracting passwords from sleeping sysadmins... (Score:5, Funny)
About 7 years ago, he was crashed out on the floor of my apartment after a late night session. Since I was still coherent, I started saying random command prompts and command lines to him. He had just fallen asleep, and was finishing the prompts!
Me: rm -rf
Him: star
Me: apachectl
Him: restart
Me: shutdown
Him: -h now
And then I upped the stakes.
Me: username
Him: blurted out his username
Me: password
Him: blurted out his password
I left him an e-mail from himself that evening, and then went to bed. The next morning, he said "cute trick, but anyone can forge the From: header". I told him to go and double-check the received line, and he'd see that it was sent from localhost on a server that I didn't have an account on.
He was rather annoyed and amused at the same time...
Priceless.
He's not joking, I've seen this done before ... (Score:4, Informative)
I have seen it done on three occasions, each time someone who has just fallen asleep ( cat/power napped ) at their desk.
Re:Extracting passwords from sleeping sysadmins... (Score:3, Funny)
You started saying random command lines to a sleeping person, and you claim you were still coherent?
Great story, though.
Because people have been doing security wrong (Score:5, Insightful)
Passwords came into popularity a long time ago. Things that have changed since the introduction of the password:
* Many people have accounts on many, many systems (thanks to websites with accounts).
* Users on such systems may not be primarily benevolent -- on a UNIX box used by a small bunch of researchers in the early 80s, a password may be an acceptable barrier to anyone poking around. A password on eBay, on the other hand, may be of interest to a number of less savory characters.
* The ability to attack systems has significantly increased. Internet accessibility means that remote, hard-to-trace attacks are more common. A brute force attack on a computing system physically isolated in a building may be simply infeasible, and choosing "cheese" as a password may be perfectly acceptable -- such a thing is no longer reasonable.
* Computing power is much greater now. Attacks on password hashes (including those sent over the network) are much more feasible. The relative strength of passwords to CPUs has decreased logarithmically.
* Many systems require passwords frequently. If you are a defense contracting employee, you might have only needed your password once when walking in the door in the morning and once after lunch. Now, corporate intranets have passwords, Yahoo has passwords, Slashdot has passwords, eBay has passwords, etc. Many of these require passwords multiple times a day (or, if they have an option to cache a password, do not have sufficient data about the client side to know how long it is safe to continue to cache the data).
* The demographic of password users has changed. Almost everyone has many passwords now -- not just a couple of engineers or scientists, or the occasional person with an ATM PIN.
What I Suspect Needs To Be Changed
A couple of things that probably need to change:
* It needs to be standard (and have a common interface for doing so) for users to be able to delegate a subset of their authority. Few systems currently have authorization systems smart enough to allow users to delegate chunks of their power to other users for a short term (and audit any moves). This needs to be simple, *easy*, and secure. If Sharon wants to let Bob purchase something online and charge it to her credit card account, she needs a quick and easy way to say "I authorize Bob to spend up to $500 in the next week and charge it to my credit card." That could be via her cell phone or on a computer. Most systems should have at least several forms of authorized actions that can be delegated to other users that require no more than entering a limit on the degree of the actions taken. A list of actions that other users have taken with that authorization should also be easily visible.
* Where feasible, passwords should be replaced by smartcard/PIN combinations. It's easier to remember a four-digit PIN than a long, secure password, and for anyone that doesn't have physical access to a user's smartcard, the strength of the token on the card is much greater than that of a password. Currently, this is particularly disastrous in the form of credit card information. Currently, many vendors store full credit card information used in purchases in databases. If any such database is compromised, authentication data providing full access to money accounts is granted the compromiser -- this is, frankly, insane. Credit card providers have one effective line of defense against a compromised card -- they do statistical analysis against purchases, which isn't the most reliable method of dealing with such attacks, and requires intense monitoring of anything users do -- producing a strong disincentive to provide users with privacy. (I realize that there are a few attempts at improving t
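An added sketch (my code, not the poster's) of the first proposal above: an owner delegates a bounded, time-limited slice of spending authority and can see every use of it. The HMAC-signed grant format, the in-memory ledger, the server key and the names Sharon and Bob are assumptions for the example.

```python
import hashlib
import hmac
import json

# Constructed for the example; a real service keeps this in a KMS/HSM.
SERVER_KEY = b"demo-only-server-key"


def issue_grant(owner, delegate, limit_cents, ttl_seconds, now):
    """Owner signs a capability: delegate may spend up to limit_cents until now+ttl."""
    grant_id = hashlib.sha256(f"{owner}|{delegate}|{now}".encode()).hexdigest()[:12]
    body = {"id": grant_id, "owner": owner, "delegate": delegate,
            "limit": limit_cents, "exp": now + ttl_seconds}
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, payload, "sha256").hexdigest()
    return payload, mac


class Ledger:
    """Server-side enforcement of the grant plus the audit trail the post asks for."""

    def __init__(self):
        self.spent = {}   # grant id -> cents already charged against it
        self.audit = []   # every attempt, allowed or denied, visible to the owner

    def charge(self, payload, mac, delegate, amount_cents, now):
        """Return True if the charge is allowed; always records the attempt."""
        expected = hmac.new(SERVER_KEY, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, mac):
            return self._record(None, delegate, amount_cents, now, "denied: bad signature")
        g = json.loads(payload)
        if g["delegate"] != delegate:
            return self._record(g, delegate, amount_cents, now, "denied: wrong delegate")
        if now > g["exp"]:
            return self._record(g, delegate, amount_cents, now, "denied: expired")
        used = self.spent.get(g["id"], 0)
        if used + amount_cents > g["limit"]:
            return self._record(g, delegate, amount_cents, now, "denied: over limit")
        self.spent[g["id"]] = used + amount_cents
        return self._record(g, delegate, amount_cents, now, "ok")

    def _record(self, g, delegate, amount_cents, now, outcome):
        self.audit.append({"grant": g["id"] if g else None,
                           "owner": g["owner"] if g else None,
                           "who": delegate, "amount": amount_cents,
                           "at": now, "outcome": outcome})
        return outcome == "ok"

    def owner_view(self, owner):
        """What Sharon sees: every attempt made under grants she issued."""
        return [e for e in self.audit if e["owner"] == owner]


def demo():
    """Sharon lets Bob spend $500 over one week; returns (outcomes, Sharon's audit view)."""
    t0 = 1_000_000  # constructed epoch seconds
    payload, mac = issue_grant("sharon", "bob", 50_000, 7 * 86400, t0)
    ledger = Ledger()
    tampered = payload.replace(b'"limit": 50000', b'"limit": 90000')  # cap raised, MAC unchanged
    results = [
        ledger.charge(payload, mac, "bob", 30_000, t0 + 3600),        # within the cap
        ledger.charge(payload, mac, "bob", 30_000, t0 + 7200),        # would exceed $500
        ledger.charge(payload, mac, "mallory", 100, t0 + 7200),      # not the named delegate
        ledger.charge(tampered, mac, "bob", 40_000, t0 + 7200),      # signature no longer matches
        ledger.charge(payload, mac, "bob", 100, t0 + 8 * 86400),      # after the one-week expiry
    ]
    return results, ledger.owner_view("sharon")


if __name__ == "__main__":
    outcomes, view = demo()
    for entry in view:
        print(entry)
```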
What does it protect? (Score:3, Funny)
What does my password protect? Private files? Am I supposed to have private files at work? I guess not. Secrit files then? Ok. possibly.
To track possible abuse? They're allowed to use my phone too, do I have to password-protect that too?
But hey, if it's about my admin password..
That's a different story.
Then I'd like to have some chocolate too!
This is old news... (Score:4, Informative)
It's still interesting to see that in two years of cybercrime and media frenzies that nothing has really changed...
And the other side of the coin.... (Score:3, Informative)
Hell, I have received maybe 200 passwords while working here, and I don't remember any of them. I don't keep them stored anywhere, and I don't have eidetic memory, so there's no risk. And still I hear the "I use the same password in several places, and I don't want to change all those passwords if I gave you my password!". If you are so careful when it comes to security, you shouldn't use the same password everywhere! And yes, you CAN give your password to the IT-department if they walk up to you and ask you for it. If you don't... well, we can always reset your password!
Sheesh, some people....
What about *passphrases* INSTEAD of passwords (Score:3, Interesting)
Either one requires you to know how to type, and a passphrase will more likely be able to be typed without being a contortionist.
Unfair survey... (Score:5, Insightful)
The survey should have also asked the following questions:
1) Please specify your major credit card number and expiration date.
2) Please specify your address, bank account number, and SSN (if it applied to citizens of the United States - otherwise insert THEIR form of special identification).
Would the numbers have coincided as to who revealed that particular bit of information? Absolutely not. The average person would see the risk in giving those pieces of information to a complete stranger.
If a direct association could be made between their Internet password and their money, those people would have guarded their password under lock and key. Why? Because the loss of money is readily understood, versus having to call an ISP and say "Someone hijacked my account."
Although people may be tired of using passwords (or PIN numbers), they are still a somewhat effective means of preventing improper access to their assets, be it Internet access, money, or personal information. The quality of the password is directly related to the importance of the stuff being protected.
The article cites that birthdates, pet names, etc. are common passwords. However, if someone applied the same level of protection on say...
Instead of asking that 16-digit number (an abstract version of a password), one were to ask "What is your credit card phrase?" Answer: "Buddy."
Instead of asking that expiration date, one were to ask "What is your age?" Answer: 30. These easy "passwords" would make it easier to make fraudulent charges on someone's account.
Public awareness of the importance of securing their own personal information is a key issue that needs to be resolved. Using an easy to understand analogy would be a good first step for those who are being surveyed.
Password Rules (Score:5, Insightful)
It irks me, because even if I wanted to use a completely different password for every login, there is no pattern or strategy I can follow to appease all of them.
How do we know they got the real passwords? (Score:3, Interesting)
And "I'm tired of passwords, so I'm going to give it to a stranger" doesn't really parse.
SecurID! (Score:4, Insightful)
I wish I could use SecurID (or something like it) for everything. It would dramatically simplify my life.
Did they really give it up? (Score:3, Funny)
How come I only get cookies (Score:3, Funny)
Personal Info (Score:3, Funny)
"What are you wearing?"
His response?
"I don't think that's an appropriate question."
--Stephen
Most passwords don't protect anything (Score:3, Informative)
A whole lot of the places I visit protect absolutely nothing of significance to me with their password. As in, maybe I can select a color scheme for a site, or similar. And for a lot of those, I know perfectly well I'll never go back to a site; I just have to do a one-time transaction. Exactly how concerned am I supposed to be that "hackers" might change my color scheme on a news website. Actually, a lot are even worse than that--like commercial newspapers (NYT and friends): I can't even change a color scheme, they just insist on me giving them demographic info. But it's a one way thing, you can't see or change it after "registration." Even if crackers -could- change how old the NYT thinks I am, why do I care about that exactly?
Opinions of security are probably harmed by the overuse of security measures where there is self-evidently no reason to have them. Casual users get in the habit of thinking passwords are just a nuisance... even when they -do- something significant.
here's a typical IT move... (Score:4, Funny)
Of course, to read your email, much less change your password, you need to log in. And you can no longer log in because your password has been deleted. Therefore, no one ever receives the email that their passwords need to be changed, nor could they do anything about it even if informed. Eventually enough people call up IT to ask them what the hell is going on, prompting them to restore the old passwords long enough for everyone to get on, read their mail, and change their password.
The IT department at her university has pulled this idiocy more than once. In fact, one time they restored the old passwords, everyone dutifully changed them, and then IT deleted the new passwords!
If ever there was an IT department where it was a requirement to have the word "LOSER" stenciled on one's forehead, this one takes the cake.
Max
Re:Scope of article (Score:3, Insightful)
Back when I was a sysadmin I once ran a test: we had asked all users to use DIFFERENT passwords for the 2 NT machines we had and all the other Linux workstations. I started cracking passwords on the Linux box and found some after 48h (~5% of user passwords). Then I used L0phtcrack (awesome tool!) on the NT machine and had about 45% of the pas
Re:Wow... I mean... wow... (Score:5, Interesting)
Here they added the restriction that your password can not contain any characters that can be typed at the keyboard... oh and you can't use any of your last 50 passwords.
Ok, so I'm kind-of joking... but their stupidity at corporate to make passwords insanely complex has weakened computer security as most users now have their password (and the last 20 or so) written down under their desk blotter, in the drawer or even on a post-it on the monitor...
Oh and corporate's extreme wisdom has the last four of your SSN in your user ID, and they use that same 4 digits to verify who you are to tech support lines...
So basically they, through extremely stupid decisions, have significantly weakened the network and computer security here to the point that it is a gigantic joke.
yay for MIS directors that have no clue!
Re:Username (Score:3, Interesting)
Re:Use Password Functions (Score:4, Insightful)
It sounds funny to the geek, who prides himself on the security of his passwords and winces every time his wireless provider asks him to say his password over the phone. h-d-asterisk--
"Asterisk?"
Yeah, hit shift-8. h-d-asterisk-capital-l-capital-v-lowercase-b-clos
Re:I weep for the future. (Score:5, Insightful)
I know you mean this as a joke, but I want to take a second to remind people why biometric authentication is stupid:
When you're using some sort of key/password, you want it to meet the following criteria:
Many of the best security systems rely on "something you know and something you have". This means that there is a physical object, and some sort of password.
Biometrics are stupid because they rely on the secrecy of something like your fingerprints, which you leave on everything you touch. They're just not secret. And they're not changeable once the secret is out and the bad guys have your fingerprints.
It makes me cringe every time I hear about biometrics being used as a substitute for passwords, credit card numbers etc. [slashdot.org] What happens when I get a copy of your fingerprint (using only a piece of tape and some talc)? I can go around making purchases as you, and it's not exactly like you can cancel your fingerprints and get new ones.
The only place biometrics really shine are the times when the person doesn't WANT to be identified. You kinda have to carry your fingerprints around with you. For everything else, they suck.
I would much rather fork over my credit cards at gunpoint than be kidnapped or have my fingers chopped off.
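The "something you know and something you have" combination from the comment above, and the SecurID-style token wished for earlier in the thread, can be shown concretely. The following is an added example, not code from the thread or from any vendor: a password check (the thing you know) combined with a time-based one-time code computed from a token seed (the thing you have), following the public RFC 4226/6238 HOTP/TOTP construction rather than any proprietary token algorithm. The user record for "alice", her password and salt are constructed for the demo; the token seed is the RFC test-vector seed so the generated codes can be checked against the RFC tables.

```python
"""Two-factor login check: password (something you know) + TOTP code
(something you have). Added illustration; TOTP per RFC 6238 with
HMAC-SHA1 and a 30-second step, not a vendor's algorithm."""
import hashlib
import hmac
import struct

# Constructed demo data for one hypothetical user. The seed is the RFC 4226/6238
# test-vector seed; a real deployment generates a random seed per token and a
# random salt per user (e.g. os.urandom(16)).
TOKEN_SEED = b"12345678901234567890"
PASSWORD_SALT = b"constructed-demo-salt"
TIME_STEP = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the stored value never contains the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {
    "alice": {
        "salt": PASSWORD_SALT,
        "pw_hash": hash_password("correct horse battery staple", PASSWORD_SALT),
        "token_seed": TOKEN_SEED,
    }
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced modulo 10**digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


def verify_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(rec["pw_hash"], hash_password(password, rec["salt"]))


def verify_token(user: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps to tolerate clock drift."""
    rec = USERS.get(user)
    if rec is None:
        return False
    counter = unix_time // TIME_STEP
    submitted = code.encode()
    return any(
        hmac.compare_digest(hotp(rec["token_seed"], counter + d).encode(), submitted)
        for d in range(-window, window + 1)
    )


def login(user: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. Both are evaluated regardless of the outcome of
    the first so a failure does not reveal which factor was wrong."""
    ok_pw = verify_password(user, password)
    ok_token = verify_token(user, code, unix_time)
    return ok_pw and ok_token


if __name__ == "__main__":
    # At unix time 59 the RFC 6238 table gives code 287082 for this seed.
    print(totp(TOKEN_SEED, 59))
    print(login("alice", "correct horse battery staple", "287082", 59))
```

The point the comment makes falls out of the structure: the token seed stays on the device and is never typed or spoken, so a password copied from a post-it or given away for chocolate is not enough on its own, and if the seed is exposed the token can be reissued, which is exactly what a fingerprint cannot do. The drift window is the usual practical compromise; a deployment would also remember the last accepted counter so a code cannot be replayed within the window.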
Re:I weep for the future. (Score:3, Interesting)
* Your biometrics are not secret
* Your biometrics are not changeable
It sounds like biometrics could work well as a replacement for your username rather than your password.
The only problem I see is that they're a bit more private than a username. This will tend to lull users into considering the secrecy of their passwords less important. "Who cares if they know my password, they
Re:Solution (Score:3, Funny)
Corporate Security Password rules:
Re:Ugh (Score:3, Insightful)
Honestly, who do you know that bitches and moans about having to use a separate key for both their car and house/apartment?
Nobody, because people can easily see the reason for this. That doesn't mean it's a great thing. Lots of people hide keys, in case they misplace one--near the door to their house, in magnetic boxes under a fender, under a rock, etc. A system that relies on the memory and presence of mind of average (or, frequently, above-average) people to maintai