
Passwords Are the Weakest Link In Online Security

Orome1 writes "It's not surprising to find that 79% of consumers use risky password construction practices, such as including personal information and words. The recent Gawker breach and a detailed analysis of breached passwords show undeniably that passwords continue to be the Achilles' heel of the average Internet user. This insecure trend sadly doesn't shift as 26% of users reuse the same password for important accounts such as email, banking or shopping and social networking sites while 29% had their own email or social network account hacked, and over half (52%) know someone who has had a similar problem."
  • by rolfwind ( 528248 ) on Wednesday December 22, 2010 @11:03AM (#34641124)

    And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well. If I were to imagine trying to get this information on someone, I'd just call them or their family, pretend to be some High School Reunion Committee, and say "We are celebrating the class of 1987 at Shrub High" and they'd probably go "Oh no, I graduated in 1992 at Rose Garden High". Then reply "Oh really? I guess you're the wrong Joe Blow, I'm sorry for your trouble, thanks bye."

    Multiple attack vectors over one secure password, ridiculous. I think GMail at least does the semi-sane thing and instead of security questions, uses a phone number to verify you if you would ever lose your password.

    And that's what is needed, identity verification if the password fails. Not a cheap way to do that in an automated and very dumb way.

    There was, also for years, really dumb advice such as to never write a password down. That is unrealistic given the number of passwords someone needs to know today and leads to using the same password again and again. Now, you don't have to write it unencrypted, you could use Rot13 or, even better, some other code of your devising -- but it's better than keeping all this in your head in this day and age.

  • by mlts ( 1038732 ) * on Wednesday December 22, 2010 @11:11AM (#34641204)

    Having the Web browser handle passwords is one way to address this. For a new site, I make a password in KeePass, store it in that database, as well as have my Web browser store it. This way, I don't have to bother typing it in, it will be of a decent character length (20 chars), and of random characters, and a blackhat that gets that password won't have access anywhere else I go.

    Since my KeePass database syncs with my phone, if I'm using another computer somewhere else, I still have access to sites I go to.

    This isn't the best of all worlds solution, but it does work.

  • by fwarren ( 579763 ) on Wednesday December 22, 2010 @11:51AM (#34641726)

    Password Composer http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/ is what I use.

    For example, http://www.slashdot.org/ and my master password of buba yields right(md5sum("slashdot.org:buba"),8), which is fc56e979.

    They have a static web form, a bash script, and a Greasemonkey script. I have also written a Delphi app that runs on Linux, Windows and Mac, which I keep on my memory stick. So all I have to do is remember one master password, for example "buba". And with that master password every site gets a unique password that is hard to crack. I decided about four years back that if anyone ever hacks one password of mine or can fool me into revealing a password to them, that is all they get: one password.

    The ironic thing is that the only site where I use a regular password that I came up with, that is related to me, and that can be broken by a dictionary attack, is the one for my slashdot account. It's still the same password I came up with in 1999 or 2000. I assume no one else would want to hijack my opinions.
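The derivation fwarren describes (the rightmost eight hex digits of MD5 over "site:master") is easy to reproduce, and reproducing it makes the trade-off visible: an eight-hex-digit output is capped at 32 bits regardless of master length, and because MD5 is cheap, the scheme's real strength is whatever the master password supplies. The block below is an added example written for this page, not Password Composer's own code or fwarren's Delphi app. It implements the derivation as the comment states it, adds a hypothetical hardened variant (`kdf_password`, using PBKDF2-HMAC-SHA256 with the site name as salt, my assumption rather than anything the project offers), and checks the per-site uniqueness property the commenter relies on. The value fc56e979 the comment reports for `slashdot.org` and `buba` is the commenter's figure; the code does not hard-code it.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits.lower())


def composer_password(site: str, master: str, length: int = 8) -> str:
    """Per-site password as the comment describes Password Composer doing it:
    hex MD5 of "<site>:<master>", keeping the rightmost `length` hex digits.
    Eight hex digits carry at most 32 bits of entropy, and MD5 is fast, so
    the effective strength rests entirely on how hard `master` is to guess."""
    digest = hashlib.md5(f"{site}:{master}".encode("utf-8")).hexdigest()
    return digest[-length:]


def kdf_password(site: str, master: str, length: int = 16,
                 iterations: int = 200_000) -> str:
    """Hypothetical hardened variant (an assumption for this example, not a
    Password Composer feature): a deliberately slow PBKDF2-HMAC-SHA256 with
    the site name as salt, so each guess of the master costs the guesser
    `iterations` hash computations instead of one MD5 call."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site.encode("utf-8"), iterations)
    return key.hex()[:length]


def is_hex(pw: str) -> bool:
    """Derived passwords from the MD5 scheme only ever use the hex alphabet."""
    return all(c in HEX_DIGITS for c in pw)


def unique_per_site(master: str, sites) -> bool:
    """True when every site yields a different derived password: the
    'one leak exposes only one site' property the commenter counts on."""
    return len({composer_password(s, master) for s in sites}) == len(sites)


def entropy_bits(length: int = 8) -> int:
    # Each hex digit supplies 4 bits, so an 8-digit output is capped at
    # 32 bits no matter how long the master password is.
    return length * 4


if __name__ == "__main__":
    # Constructed sample input: the site and master password from the comment.
    print("composer:", composer_password("slashdot.org", "buba"))
    print("pbkdf2:  ", kdf_password("slashdot.org", "buba"))
    print("entropy cap (bits):", entropy_bits())
```

The PBKDF2 variant does not raise the 32-bit cap of a short hex output (that is why it emits 16 hex digits), it only makes each guess of the master expensive; a short master such as "buba" stays weak under either scheme, which is the caveat a practitioner would attach to the commenter's "one password is all they get".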
