
Passwords Are the Weakest Link In Online Security

Posted by CmdrTaco
from the wish-i-spoke-british dept.
Orome1 writes "It's not surprising to find that 79% of consumers use risky password construction practices, such as including personal information and words. The recent Gawker breach and a detailed analysis of breached passwords show undeniably that passwords continue to be the Achilles' heel of the average Internet user. This insecure trend sadly doesn't shift as 26% of users reuse the same password for important accounts such as email, banking or shopping and social networking sites while 29% had their own email or social network account hacked, and over half (52%) know someone who has had a similar problem."


    • by grumbel (592662) <grumbel@gmx.de> on Wednesday December 22, 2010 @12:39PM (#34642326) Homepage

      No, the weakest link is the flawed authentication mechanics that require you to use passwords in the first place. Bad passwords are just the natural result of that. If you want to fix the problem, you have to fix the way users authenticate themselves, not just choose a better password.

  • Use made-up words that come from your own brain. Let's see a brute-force script figure out a combination of seven to twelve letters and numbers that, other than as my passwords, don't exist anywhere besides in my head.

    Of course, that's irrelevant in something like the Gawker breach, but still...

    • What I do is create passwords based on street addresses that I am familiar with. For example, one password is based on the address where I lived as a child. I seriously doubt anybody outside my family would even know what the address is so it's pretty secure.

      Suppose you have an address like 123 Main Street, Jonesville, NY. Just take the key pieces along with some punctuation and a pattern of upper/lower case letters and you can quickly come up with a password like 123ms,J.NY

      Change around the punctuation,

      • by delinear (991444)
        Unless you use exactly the same formatting rules for each password, I don't see how that's particularly any more easy to remember than a random string. If you can come up with a formatting system that works with all of your address based passwords then I agree that's a pretty good method. I use a similar one for systems that require a password renewal every X days - I use a system based on town and village names near the place I grew up. That place is in the middle of nowhere and nobody's ever heard of it s
    • by Culture20 (968837)
      7 characters? Child's play. Start with a minimum of 15 characters, and increase by four to eight every time you change your password.
    • by N1AK (864906)
      I'm actually quite surprised that password quality is as good as this article makes out. For my own shame, I'm a CS graduate with plenty of experience and awareness of how poor password use can be a risk.... I still used the same password almost anywhere until around 2 weeks ago. I don't know why, beyond sheer laziness and prioritising convenience over security. The password I used is secure (no real words, includes numbers etc) but that's no protection if any site I use it at is compromised.
      I have now b
  • WRONG (Score:5, Insightful)

    by binarylarry (1338699) on Wednesday December 22, 2010 @10:58AM (#34641078)

    Users are the weakest link.

    • Re:WRONG (Score:5, Insightful)

      by sco08y (615665) on Wednesday December 22, 2010 @11:08AM (#34641166)

      Users are the weakest link.

      Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?

      People can be pretty responsible with secure tokens when they understand the protocol to use them.

      • by BagOBones (574735)

        I know many people who misplace their keys frequently.

      • Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?

        People can be pretty responsible with secure tokens when they understand the protocol to use them.

        Most people leave them lying around for about 8 hours of a day while they sleep. I've also seen keys "loaned to a friend" many a time before for a wide variety of reasons. Not that you should be paranoid of your friends, but essentially whatever happens to your keys while not in your possession is out of your control. Perhaps your friends have a habit of leaving keys lying around.

        I think a lot of people "understand the protocol" with passwords... They just don't want to follow it.

        • by BobMcD (601576)

          I think a lot of people "understand the protocol" with passwords... They just don't want to follow it.

          Partly, but also I think a lot of people just don't care. This is the third, fourth, or even fifth time 'OMG GAWKER' has appeared on slashdot, so I'm sure you can find lots of discussion there, but suffice to say that most of these online accounts just aren't that important. Kind of like how I don't lock the doors on my Taurus.

        • by houghi (78078)

          They just don't want to follow it.

          If nobody wants to follow it, perhaps you should look at what you CAN fix.

          Mostly this is focused at 'fixing' human behavior, but if the majority of people have an issue with it, then perhaps it is just a flaw you need to take into your solution.

      • by Rhaban (987410)

        Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?

        How often do they put their keys into their mailbox for someone else to get it in order to feed the cat while they're on vacation?

      • by delinear (991444)
        If only there was some government sponsored secure key system for passwords, enabling the average user to have a secure key with one strong password to access all their others and some education on how to properly use it (I know these things are trivial to find if you know what you're doing, but let's face it, users who know what they're doing aren't really the issue here), we might be able to overcome some of the problems. Having said that, the government hardly have a great reputation for looking after da
        • by Alrescha (50745)

          "If only there was some government sponsored secure key system for passwords"

          I don't know how to express my unhappiness that someone actually thinks like this.

          A.

      • I've got maybe 12 or 15 keys on my ring, all bound together to form one not too large of an object. It's easy to keep track of where it is and keep watch over it. But if my key ring had several dozen keys on it, and if I had to take keys off the ring and hand them to someone else to get various doors open, and oh by the way, I had to make the keys myself (with more secure keys being larger, heavier, and more difficult to make than less secure keys), then you'd see the same problems with physical keys as you

    • by Himring (646324)
      Concur, but not concur, not when it doesn't matter what your password is when you visit digg.com to look at Grand Torino screens, to find later your gmail has been accessed from China, because of a recent .php hack, and finally conclude that digg.com is an infestation due to its very nature of anyone being able to leverage a malicious page to a top site.... A hack where your very strong password was plainly attained on the other side of the globe, but thank god the email account you accessed at the time wa
      • Eh, common sense and security are much easier than using an authenticator. Now Blizz'es idea of using the same user name and password, along with using the user name (which is an email address) on three separate sites (forums, account management and game client) is fucking retarded.
    • Not at all.

      The current paradigm is inherently flawed. You cannot expect what is asked of the users: To remember 20-30 secure passwords. Sure, some of us are rain men, but the security design is out of touch with reality. We need something common, like signed certificates.

      Step 1: Create a solution. Like OpenID. Or maybe we already have a solution in OpenID.
      Step 2: Mandate it.
      Step 3: Make password authentication online illegal.

      Seriously. That's what it's going to take. The HUGE, HUGE downside is that this wi

    • Re:WRONG (Score:4, Informative)

      by blair1q (305137) on Wednesday December 22, 2010 @01:55PM (#34643238) Journal

      Close. Journalists are the weakest link.

      Most of the stuff that's password-protected isn't worth anything.

      A Gawker account? How much does having that hacked that cost me?

      A lot less than the time it takes to tell a journalist that it didn't cost me anything.

  • Why not upon registration upload one's public GPG key to somesite and then, when logging in, have the server send a challenge (i.e. encrypted with the public key) to the browser/user, where you use your normal secret key and its passphrase to respond. Voila! One keyring to rule them all...

    • by MickyTheIdiot (1032226) on Wednesday December 22, 2010 @11:07AM (#34641158) Homepage Journal

      You obviously have not had to deal with the average user. I run a web site that has accounts and many non-tech users, and many people can't even understand the concept of a password, let alone asking them to upload a public key. I regularly get complaints that our site isn't "user friendly" because the person can't manage to even remember their username... so anything that is even slightly more complicated or involves something that they don't deal with in every day life is right out.

      • > anything that is even slightly more complicated
        > or involves something that they don't deal with
        > in every day life it's right out.

        Well, I agree with you, that methods should be close to real life. And that's why passwords suck. But most people do know the concept of a key and if implemented correctly, I can see even average users being comfortable with sticking in a USB-stick, aka key to unlock their computer and remote account(s).

        • I can see even average users being comfortable with sticking in a USB-stick, aka key to unlock their computer and remote account(s).

          I cannot see that, to be perfectly honest. Someone will forget to bring the USB stick with them, or lose it, or put it through a washing machine, etc. I am a big fan of cryptographic authentication, but requiring people to carry a physical token around is only going to work if they are committed to security -- which is not true of most people.

          The biggest problem is that people want convenience. Passwords, simply put, are so convenient that we will never quite get rid of them. People want to be able

          • Passwords THEMSELVES aren't considered convenient enough to many non-techs or people that have managed to dodge most of the Internet revolution that I see in my day to day working life... so you can see how changing to even something like a USB key (many not ever using anything USB related in their life) can be just as bad.

          • The biggest problem is that people want convenience

            This kind of thinking pisses me off. (Agent Smith voice) If only we didn't have this... problem... these... users... life would be so much easier!

            In your honor I'm gonna go and change a bunch of my online account passwords to simple English words. What's that sound I hear? Ah, it must be hackers beating down the doors to read my email. Maybe they will also get into my bank account and pay my bills or something.

    • Would free the server-side from having to store any passwords etc. and render brute-force-attacks (except RSA :-D) a thing of the past...
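The public-key login flow sketched in the grandparent post (upload a public key at registration, get an encrypted challenge at login, decrypt it with your own private key) and the server-side consequence noted in this reply (no stored passwords to leak), written out as an added example. This is not code from the thread; it uses RSA-OAEP from Go's standard library as a stand-in for a GPG keypair, and the user name, TTL and OAEP label are constructed values. The server keeps only public keys, issues a fresh random nonce per login, expires it, and consumes it on the first verification attempt so a captured response cannot be replayed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
	"time"
)

// oaepLabel binds ciphertexts to this protocol so a login challenge cannot be
// confused with another OAEP message to the same key (constructed label).
var oaepLabel = []byte("login-challenge-v1")

// challengeTTL bounds how long an issued challenge stays answerable (assumed value).
const challengeTTL = 60 * time.Second

type challenge struct {
	nonce   []byte
	expires time.Time
}

// Server stores only public keys and outstanding challenges: no password database.
type Server struct {
	mu         sync.Mutex
	pubKeys    map[string]*rsa.PublicKey
	challenges map[string]challenge
	now        func() time.Time // injectable clock so expiry can be tested
}

func NewServer() *Server {
	return &Server{
		pubKeys:    make(map[string]*rsa.PublicKey),
		challenges: make(map[string]challenge),
		now:        time.Now,
	}
}

// GenerateClientKey stands in for the user's existing GPG keypair.
func GenerateClientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Register is the "upload your public key at signup" step.
func (s *Server) Register(user string, pub *rsa.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pubKeys[user] = pub
}

// IssueChallenge draws a fresh 256-bit nonce, remembers it with an expiry, and
// returns it encrypted to the user's public key; only the private key recovers it.
func (s *Server) IssueChallenge(user string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	pub, ok := s.pubKeys[user]
	if !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = challenge{nonce: nonce, expires: s.now().Add(challengeTTL)}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, oaepLabel)
}

// Respond is the client side: decrypt with the passphrase-unlocked private key
// and send the plaintext nonce back.
func Respond(priv *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encrypted, oaepLabel)
}

// Verify consumes the outstanding challenge whether or not the answer is right
// (no retries, no replay), rejects expired ones, and compares in constant time.
func (s *Server) Verify(user string, response []byte) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.challenges[user]
	delete(s.challenges, user)
	if !ok || s.now().After(c.expires) {
		return false
	}
	return subtle.ConstantTimeCompare(c.nonce, response) == 1
}

func main() {
	priv, err := GenerateClientKey()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Register("alice", &priv.PublicKey) // constructed user name
	enc, _ := srv.IssueChallenge("alice")
	resp, _ := Respond(priv, enc)
	fmt.Println("login ok:", srv.Verify("alice", resp))  // true
	fmt.Println("replay ok:", srv.Verify("alice", resp)) // false: nonce already consumed
}
```

Because the server never sees the private key or a passphrase, a dump of its database yields public keys only; the cost of a breach shifts from "every user's password" to "nothing reusable elsewhere". The remaining risks are on the client side (a lost or unlocked private key), which is the usability problem the rest of this thread argues about.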

  • What will be truly newsworthy is the day when passwords / users aren't the weakest link in security. Until that happens, I'll stay in my underground bunker sipping on Ramen and playing tower defense.
  • by Anonymous Coward on Wednesday December 22, 2010 @11:01AM (#34641104)
    There's lots of buzz going around about the Gawker breach and discussions on how good/bad the passwords were. I looked at the websites that Gawker owned and most of them are tech websites, frequented by people that have some knowledge of security and computer systems.

    I would assume that much of the readership is like myself. They know that access to their Gawker account is the most sacred and guarded of personal intrusions, and would thus treat security as the utmost important thing. My Gawker password was the ultimate in high security. It was a 280 character alpha-numeric password containing my social security number, all of my credit card numbers, my date of birth, my address, every password to every other website I use, plus all of my wife's data. That way I know that anyone who tried to crack my Gawker password could never do it, and all my information would be safe.

    Wait, no, I got that backwards. Sorry, I used "cock" as the password for Gawker... probably. You see, if I were to log into Gawker, I would assume that the password was about as secure as writing it on the bathroom wall. In addition, I know my browser would remember whatever stupid password I typed and I wouldn't have to remember it for more than 30 seconds. Furthermore, if someone hacked it, and posted a stupid comment as "bullcrapgawkeruser222" I would likely neither notice nor care. If I did care, I would create "bullcrapgawkeruser223" with a password like "cockk".

    Even more likely, if I ever commented more than once on any Gawker owned site, I probably just created a new account because I forgot I had an old one.

    So, can we stop doing ultra-security analysis on what is probably a bogus set? Next I'm going to see an analysis on how insecure Masterlock combination locks are because the users don't use uppercase letters and punctuation.
  • by theshowmecanuck (703852) on Wednesday December 22, 2010 @11:01AM (#34641110) Journal

    Hang on, I have to look at my post-it note on the side of my monitor so I can remember all the 20 character complicated passwords for each web site I visit and secure application I use. Especially since I can't remember them as well since I started changing them every six weeks.

    Passwords become pointless when you can't remember them and can no longer access the site/service/program that they were put there to protect. Passwords are pointless when you have to keep cheatsheets in order to 'remember' them (cheatsheets that can be stolen, copied, or lost; making it impossible for you to access what you need and possible for others to...).

    Either some other method than passwords like those time based random PIN generator fob watchama-call-its we get to log into VPNs at some companies, or we just learn to deal with it.

    • by mlts (1038732) * on Wednesday December 22, 2010 @11:11AM (#34641204)

      Having the Web browser handle passwords is one way to address this. For a new site, I make a password in KeePass, store it in that database, as well as have my Web browser store it. This way, I don't have to bother typing it in, it will be of a decent character length (20 chars), and of random characters, and a blackhat that gets that password won't have access anywhere else I go.

      Since my KeePass database syncs with my phone, if I'm using another computer somewhere else, I still have access to sites I go to.

      This isn't the best of all worlds solution, but it does work.

  • by rolfwind (528248) on Wednesday December 22, 2010 @11:03AM (#34641124)

    And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well. If I were to imagine trying to get this information on someone, I'd just call them or their family, pretend to be some High School Reunion Committee, and say "We are celebrating the class of 1987 at Shrub High" and they'd probably go "Oh no, I graduated in 1992 at Rose Garden High". Then reply "Oh really? I guess you're the wrong Joe Blow, I'm sorry for your trouble, thanks bye."

    Multiple attack vectors over one secure password, ridiculous. I think GMail at least does the semi-sane thing and instead of security questions, uses a phone number to verify you if you would ever lose your password.

    And that's what is needed, identity verification if the password fails. Not a cheap way to do that in an automated and very dumb way.

    There was, also for years, really dumb advice such as to never write a password down. That is unrealistic given the number of passwords someone needs to know today and leads to using the same password again and again. Now, you don't have to write it unencrypted, you could use Rot13 or, even better, some other code of your devising -- but it's better than keeping all this in your head in this day and age.

    • by Speare (84249)

      And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well.

      While I expect there are many dunderheads out there who set up naively truthful answers to the canned security questions, there's no reason you should. If forced to set them up, I generally give untruthful answers. Don't go too far, as some sites give the challenges in "multiple choice" format

      • > some sites give the challenges in "multiple choice" format. What's your hometown?
        > (A) Peoria, (B) Detroit, (C) London, (D) The Fifth Inner Plane of Lord Zgothos' Realms.

        That's why I always pick: (E) None of the above.

        Ha!

      • The problem is that I often have trouble remembering my ridiculous answer to security questions. If I ever need to use the password recovery tool and they ask where I grew up, I'll try 50 different ways to spell where I live and forget that I put "Earth" or something silly.

    • by DrXym (126579)
      It sounds like you're saying the person was the weakest link for telling a complete stranger the answer to their personal question.

      Most sites allow you to choose from more than one question or even write one yourself. If you must choose one, memorise an answer which is deliberately wrong. For example the site asks your mother's maiden name so choose McGonagall, Peshwari, Boondoggle or something memorable but not guessable even to those who know your personal history. If you are allowed to make up a questi

  • Every time I need a password, I either beat out a spastic smattering of letters and numbers, or dream up a weird phrase, and use the first letters, with a few of them converted to numbers.

    I'm fine, as long as no one gets to my written log of all those passwords. If that happens, I'm screwed.

    I refuse to create any password that has the vaguest connection to anything. Which seems apt for today's disjointed world.

    • Every time I need a password, I either beat out a spastic smattering of letters and numbers, or dream up a weird phrase, and use the first letters, with a few of them converted to numbers.

      I use pwgen. It is much better at generating truly random strings than I am.

      I'm fine, as long as no one gets to my written log of all those passwords. If that happens, I'm screwed.

      Keep it with your credit cards and cash.

  • When I've worked for companies whose equipment is housed in commercial datacenters, most of them required three factor authentication to gain access:
    • something you know (a password)
    • something you are (biometrics)
    • something you have (a key, security token, etc)

    To gain entry into the last datacenter I worked at I needed a cardkey to get through the first door (something I have). I then had to have my hand scanned at the entrance to a man-trap (something I am). Once inside the man-trap with the door clos

    • I have no idea how something like biometrics could be applied to the web...

      A phone or laptop camera could take naked pictures of you and send the images to a remote security worker for "analysis". Hey, if it's good enough for air travel, it's good enough for online shopping.

    • Biometrics are pretty dubious for widespread use. They sure do add that "just like the movies" flavor to flashy secure facilities(and, as long as their use is rare, they are likely to be stolen only in the most targeted of attacks); but the majority of them are dangerously weak(and impossible to change).

      Were they to be used widely, it would be a matter of months before huge numbers of people had their biometric data skimmed with enough resolution that fakes could be constructed with relative ease(imagine
      • by 0123456 (636235)

        Were they to be used widely, it would be a matter of months before huge numbers of people had their biometric data skimmed with enough resolution that fakes could be constructed with relative ease(imagine the problem of ATM card skimmer devices, already cheap and common, spreading to biometric verification systems: is that "broken" biometric verification setup on the door/atm/whatever actually broken, or transmitting high resolution scans of your fingerprints to some gang even now?) If you do get skimmed, what are you going to do about it?

        Don't forget that the US government now has a database of millions of travellers' fingerprints, so they can trivially break online fingerprint biometrics for those people.

        As you say, the rush to 'biometric ID' is making 'biometric ID' useless.

  • I don't have the best memory in the world, but I'm no moron either. I've resorted to using a password safe program because between work and personal life I'm expected to remember literally hundreds of passwords (now they're in a password manager i can count them). Guess what? Even with the safe I continue to use a couple of "low security" passwords for certain activities. That means most things at home I can work out remembering only about a dozen passwords. Work's a different story...

  • important accounts such as email, banking or shopping and social networking sites

    Okay, a vulnerable email account can lead to compromising other accounts, banking and shopping sites can cost you money... since when is Twitter or Facebook an "important" account in the same category as your bank account!?

    • Well for starters your Facebook will have almost all your personal info, possibly where you live, your phone number, and even if you adjusted privacy settings, some embarrassing pictures. Next thing you know you're on /b/ being asked hot or not.

      Actually I've noticed a few people on 4chan who will hack Facebook accounts for you if you get them the victim's Hotmail Address. I wonder if it's just common to use your HM for FB or if they've found a vulnerability in hotmail that leads to compromising the

      • You mean the Facebook info and pictures that I can get you to voluntarily give me by:
        1. Creating a fake Facebook account.
        2. Using a picture of an attractive female in your age range.
        3. Locating your friends.
        4. Carpet-bombing them with friend requests. (Surely someone will bite.)
        5. Sending you a friend request. (I'm a friend of a friend, so we've probably met, and you've just forgotten.)
        6. Reading everything about you.

        It doesn't matter what your privacy settings are. I would bet money that you could get access to 99% o

        • ummm. No.

          You can get THAT Facebook info you described often by just GOOGLING the name.

          I was talking about login credentials. To do some real damage.

  • by dreemernj (859414) on Wednesday December 22, 2010 @11:22AM (#34641346) Homepage Journal
    That "detailed analysis" of the Gawker breach needs to be stricken from the web. The passwords that were decrypted were the easiest passwords in the set for the most part. That's why they were able to decrypt them. They were in dictionaries or their hashes were already on lookup tables. Then some joker takes those decrypted passwords and acts as if they are in any way representative of the rest of the passwords that could not be decrypted.

    Idiotic.
    • That "detailed analysis" of the Gawker breach needs to be stricken from the web.

      You are absolutely right. It was gawker... While I did not have a gawker account, I use the same password among multiple sites on the web and I still feel secure. For blog, news aggregate, and log-in-just-to-view sites, I use a relatively weak password. For email accounts, I use a much stronger individual password. For my home banking site, I use another unique and strong password.

      Seriously, How will my life be affected if someone stole my slashdot account? Wow, I would need to post more to get excellent ka

  • I give my clients a swap list (1=i, 3=E, 4=A, 5=S, etc...) and ask them to swap at least 2 alphas for numerals of their fav passwords, add a random cap and make it 9+ characters. We do a couple examples with words/phrases of their choosing. Most actually catch on quickly when they feel involved in the process...and a little L337. Changing passwords doesn't have to be like pulling teeth.
     
      Goodbye '57 chevy', hello 'Ch3vy83l41R'.

  • They get between a person and their goals, they are too easily forgotten and once you have to keep track of more than a few they become unreliable and burdensome. Add on to that, most of the "information" that these passwords protect is not really worth protecting, anyway.

    So, since they are an annoyance and don't give users any tangible benefits, you shouldn't be surprised when users choose their passwords so they require the least amount of effort: either to remember or to enter. As for enforcing rules t

  • We have discussed this ad nauseum - still nothing gets done. We have way too many passwords to remember. We have way too many different password policies to follow. What is a valid password on one site is not at another. It takes too much time to look up a password you have "written" down and you need a separate password to get into the list! That supposes you have the list with you when you need it. Today the internet is mobile and not just used at home or at the office. Additionally, there are sites whose
  • Passwords may be the weakest link, but they are not the most common attack vector because what they are protecting is of minimal worth. The most common attack vector is exactly what we have seen here: someone uses CSS/default password/other vulnerability and grabs the whole database. It's certainly sensible to keep good passwords on e-mail and financial accounts, but even there I'm much more worried about the backend being hacked than someone trying to brute force my password.

  • This isn't news. It's common sense. Of course people and their passwords are the weakest link. Same thing in physical space. You can have the best lock in the world, but if you make copies of the key and are careless with them you'll get robbed.
  • combination codes are the weakest link in bank vaults.
  • by houghi (78078) on Wednesday December 22, 2010 @11:44AM (#34641642)

    How many places need a login? Websites, computers, programs, ...
    If all websites would use openID, that would already solve a lot. However many places give me my login and then ask me to change that every month. At work every first day of the month I change all my passwords. That takes me about 20 minutes.

    So I have several passwords depending on level
    1. Generic websites. Lowest security level (e.g. Pa55word)
    2. Work related. These will change every month and will include some sort of year/month where only that part changes (e.g. 10Work12 for this month)
    3. Provider related password for email and connection (Reused semi-random 8 character password)
    4. Personal password for local system and openID and banking (Reused semi-random 8 character password. Different from 3)
    5. Secure password for encryption, ssh and the like (Loooong semi-password of at least 16 characters.)

    So the moment I am forced to change passwords where I used first 3 or even 5, I will go back to less secure of 2.

    The main problem is that each security person treats their security as if they are the only one and treats security with the standard error: solving a social problem with a technical solution. It is very hard to explain to people that changing passwords every month will LOWER the security.

    It is the nature of people to find the way of least resistance and as long as security people do not understand that, nothing will change.

    I sometimes feel that it is not about security, but about reliability. Reliability is moved from the IT department to people who do not understand security, because they 'did something' and now it is not their issue anymore. That is why they also look only to the security of 'their' system and not at security as a whole.

  • I'm facing more restrictive password policies at work every day. Some expire every 14 days. Some require that they start AND end with an alphanumeric character, include a symbol from a short list of acceptable symbols, upper and lower case characters, and be 8-11 characters long. These restrictions broke my normal conventions. I'm pretty much forced to keep a cheat sheet of hints to my passwords. Today I have 11 unique passwords shared among 22 different systems comprising 32 different hosts and servic

  • How to be safe(r) online

    Here's an excerpt from an article I wrote for my law school's paper about online security w/ some suggestions about passwords. (I doubt there's any interest in the whole article but here's the link if you are for some reason: http://law.gsu.edu/thedocket/node/519 [gsu.edu] )
    -----

    1) Stop using the same password for everything. At a minimum come up with a base password and then append (or prepend) it with something unique for each application. If your base password is "fido" then for Twi

  • It was recently reported that the sky is BLUE and the Earth is NOT FLAT!!! File this under "DUH!"

  • Why not a universal authenticator? At the very least, I could see a common system setup by the banks here in North America allow the use of any debit card to work on almost every debit machine.

    I'm not sure why my video game character is the most secure bit of digital data I have.
  • My students using 300 nodes of a computing cluster were able to crack 57K DOD spec passwords (7 characters, upper, lower, symbol, number) in a few hours (Windows 2003 enterprise server). The goal was to crack 450K passwords in 24 hours but we had to call off the last run due to finals. Nothing about this project was hard. Using F/OSS and a lot of computing cycles cracking them was a piece of cake. Simple two-factor authentication is horrible. Especially when you give up the userid as an email address, or us
  • The right responsible thing for website and application developers/owners to do is NOT allow users to create their own passwords. Generate one for them.

    But that doesn't mean the passwords have to be hard to remember. Four randomly chosen 3-5 character words from the standard 25k word dictionary on Solaris is identical in strength to an 8 character purely random password that uses all possible keyboard characters (26 lower case, 26 upper case, 10 numbers, 12 special characters). Three of those is id
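The comparison in this post (four words from a 25,000-word dictionary versus eight characters from a 74-symbol keyboard alphabet) comes down to n·log2(alphabet size) for each scheme. As an added example that is not from the post, the block below computes the bits of entropy for both, so the reader can check the comparison, and generates a secret of each kind from the OS CSPRNG the way a site that issues passwords for its users (as the post proposes) would. The 25k-word Solaris dictionary is not on the page, so a small constructed word list stands in for it and the entropy function takes the dictionary size as a parameter; the post does not say which 12 special characters it counts, so the set here is a constructed choice.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Entropy returns the bits of entropy of a secret built from n independent,
// uniformly chosen symbols drawn from an alphabet of the given size.
func Entropy(alphabetSize, n int) float64 {
	return float64(n) * math.Log2(float64(alphabetSize))
}

// pick returns a uniformly random index in [0, n) from the OS CSPRNG; using
// math/rand here would make the "random" password predictable.
func pick(n int) int {
	i, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err)
	}
	return int(i.Int64())
}

// Passphrase draws n words from dict with replacement and joins them with
// spaces. Allowing repeats is what keeps the entropy at exactly n*log2(len(dict)).
func Passphrase(dict []string, n int) string {
	words := make([]string, n)
	for k := range words {
		words[k] = dict[pick(len(dict))]
	}
	return strings.Join(words, " ")
}

// RandomPassword draws n characters uniformly from alphabet.
func RandomPassword(alphabet string, n int) string {
	out := make([]byte, n)
	for k := range out {
		out[k] = alphabet[pick(len(alphabet))]
	}
	return string(out)
}

// The 74-symbol alphabet the post describes: 26 + 26 + 10 + 12. The 12 specials
// are a constructed choice since the post does not list them.
const keyboardAlphabet = "abcdefghijklmnopqrstuvwxyz" +
	"ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
	"0123456789" +
	"!@#$%^&*()-_"

// Constructed stand-in for the 25k-word system dictionary (3-5 letter words).
var sampleDict = []string{
	"apple", "brick", "cloud", "delta", "ember", "flint", "grape", "house",
	"ivory", "jolly", "knot", "lemon", "mango", "night", "ocean", "pearl",
	"quilt", "river", "stone", "tiger", "umber", "vivid", "wheat", "xenon",
	"yacht", "zebra", "arch", "bolt", "cape", "dune", "fern", "gulf",
}

func main() {
	fmt.Printf("4 words from a 25000-word dictionary: %.1f bits\n", Entropy(25000, 4))
	fmt.Printf("8 chars from a 74-symbol alphabet:   %.1f bits\n", Entropy(74, 8))
	fmt.Printf("4 words from the %d-word sample:      %.1f bits\n", len(sampleDict), Entropy(len(sampleDict), 4))
	fmt.Println("example passphrase:", Passphrase(sampleDict, 4))
	fmt.Println("example password:  ", RandomPassword(keyboardAlphabet, 8))
}
```

The entropy numbers only hold when the words or characters are chosen uniformly by a generator, which is the point of the post's proposal: a user-invented four-word phrase drawn from a much smaller mental vocabulary, or a "random" string typed by hand, does not reach them.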
