
Passwords Are the Weakest Link In Online Security 277

Orome1 writes "It's not surprising to find that 79% of consumers use risky password construction practices, such as including personal information and words. The recent Gawker breach and a detailed analysis of breached passwords show undeniably that passwords continue to be the Achilles' heel of the average Internet user. This insecure trend sadly doesn't shift as 26% of users reuse the same password for important accounts such as email, banking or shopping and social networking sites while 29% had their own email or social network account hacked, and over half (52%) know someone who has had a similar problem."

  • WRONG (Score:5, Insightful)

    by binarylarry ( 1338699 ) on Wednesday December 22, 2010 @10:58AM (#34641078)

    Users are the weakest link.

  • by Anonymous Coward on Wednesday December 22, 2010 @11:01AM (#34641104)
    There's lots of buzz going around about the Gawker breach and discussions on how good/bad the passwords were. I looked at the websites that Gawker owned and most of them are tech websites, frequented by people that have some knowledge of security and computer systems.

    I would assume that much of the readership is like myself. They know that access to their Gawker account is the most sacred and guarded of personal intrusions, and would thus treat security as the utmost important thing. My Gawker password was the ultimate in high security. It was a 280 character alpha-numeric password containing my social security number, all of my credit card numbers, my date of birth, my address, every password to every other website I use, plus all of my wife's data. That way I know that anyone who tried to crack my Gawker password could never do it, and all my information would be safe.

    Wait, no, I got that backwards. Sorry, I used "cock" as the password for Gawker... probably. You see, if I were to log into Gawker, I would assume that the password was about as secure as writing it on the bathroom wall. In addition, I know my browser would remember whatever stupid password I typed and I wouldn't have to remember it for more than 30 seconds. Furthermore, if someone hacked it, and posted a stupid comment as "bullcrapgawkeruser222" I would likely neither notice nor care. If I did care, I would create "bullcrapgawkeruser223" with a password like "cockk".

    Even more likely, if I ever commented more than once on any Gawker owned site, I probably just created a new account because I forgot I had an old one.

    So, can we stop doing ultra-security analysis on what is probably a bogus set? Next I'm going to see an analysis on how insecure Masterlock combination locks are because the users don't use uppercase letters and punctuation.
  • Re:WRONG (Score:5, Insightful)

    by sco08y ( 615665 ) on Wednesday December 22, 2010 @11:08AM (#34641166)

    Users are the weakest link.

    Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?

    People can be pretty responsible with secure tokens when they understand the protocol to use them.

  • by grumbel ( 592662 ) <grumbel+slashdot@gmail.com> on Wednesday December 22, 2010 @12:39PM (#34642326) Homepage

    No, the weakest link is the flawed authentication mechanics that require you to use passwords in the first place. Bad passwords are just the natural result of that. If you want to fix the problem, you have to fix the way users authenticate themselves, not just choose a better password.

  • by bitingduck ( 810730 ) on Wednesday December 22, 2010 @01:46PM (#34643138) Homepage

    I have a mobile phone (two, actually). I also live in a hole in the ground (not quite literally, but close) that's a cell shadow with intermittent coverage at best, and zero signal a lot of the time. Your authentication scheme won't work there, and will also be spotty in my office, which is smack in the center of a building.
