Passwords Are the Weakest Link In Online Security
Orome1 writes "It's not surprising to find that 79% of consumers use risky password construction practices, such as including personal information and words. The recent Gawker breach and a detailed analysis of breached passwords show undeniably that passwords continue to be the Achilles' heel of the average Internet user. This insecure trend sadly doesn't shift as 26% of users reuse the same password for important accounts such as email, banking or shopping and social networking sites while 29% had their own email or social network account hacked, and over half (52%) know someone who has had a similar problem."
Bad Passwords Are the Weakest Link. (Score:2)
n/t
Re:Bad Passwords Are the Weakest Link. (Score:5, Insightful)
No, the weakest link is the flawed authentication mechanics that require you to use passwords in the first place. Bad passwords are just the natural result of that. If you want to fix the problem, you have to fix the way users authenticate themselves, not just choose a better password.
Re:Bad Passwords Are the Weakest Link. (Score:4, Insightful)
I have a mobile phone (two, actually). I also live in a hole in the ground (not quite literally, but close) that's a cell shadow with intermittent coverage at best, and zero signal a lot of the time. Your authentication scheme won't work there, and will also be spotty in my office, which is smack in the center of a building.
Re: (Score:3)
Actually, OpenID still solves a big problem - people using one password for all sites so that if you compromise one of them you compromise all of them.
With OpenID you use your password for ONE site, and then you use strong crypto for all the other authentications. Sure, if you crack that one site you still get it all, but that one site is more readily secured, and as soon as you resecure the OpenID site all the others become secure again.
Coming up with one good password isn't nearly as hard as remembering
You could just do what I do (Score:2)
Use made-up words that come from your own brain. Let's see a brute-force script figure out a combination of seven to twelve letters and numbers that, other than as my passwords, don't exist anywhere besides in my head.
Of course, that's irrelevant in something like the Gawker breach, but still...
Re: (Score:2)
What I do is create passwords based on street addresses that I am familiar with. For example, one password is based on the address where I lived as a child. I seriously doubt anybody outside my family would even know what the address is so it's pretty secure.
Suppose you have an address like 123 Main Street, Jonesville, NY. Just take the key pieces along with some punctuation and a pattern of upper/lower case letters and you can quickly come up with a password like 123ms,J.NY
Change around the punctuation,
Re: (Score:2)
I have now b
Re: (Score:2)
lol, my wife still uses her high school password for a couple of sensitive things (which is a jumble of random different case letters and numbers), even though she graduated back in 2003.
Re: (Score:3)
back in 2003.
Sigh .... back in 2003. It must be nice to be young
Re: (Score:2)
Um, I'm not young, but a lot has changed since 2003. Hell, in 2003 my divorce had just been finalized, my life was completely different from what it is now, and I'm 58.
Re: (Score:2)
lol, my wife still uses her high school password for a couple of sensitive things
I know!
Re: (Score:3)
> Now get off my lawn.
You aren't old enough to have one.
Re: (Score:2)
There's a balance between what's secure (a bunch of random characters with no relationship to anything in the real world) and what can realistically be memorized by the average person ... times twenty or thirty variations to account for all the different sites you visit.
For most people, it seems that balance lies somewhere near "have 2 or 3 shitty, easily guessed passwords and reuse them across all my online accounts."
I use a variation on that. Just in case someone from one site has access to my password and guesses it's used in other sites, I append an "easy" password to the end ... meaning that they would go and try someone else's account. For example, a root Guess24This76is76Hard would be:
Guess24This76is76Hard1FatCountry for Nationwide
Guess24This76is76Hard1Dogleys for barclays
Guess24This76is76Hard1SlaveCard for Master card
Re: (Score:2)
It really isn't that hard to memorize a good password... come up with a phrase or saying you're likely to remember. For our religious friends a Bible verse would work well. Then use the first letter of every word, salt it with something meaningful, and you have a password.
Now is the time for all good men to come to the aid of their country.
nittfagmtcttaotc
Now let's say your favorite number is 25
nitt2fagm5tctt.aotc
I added a . in there so it's easy to remember that every 4 letters something has to be added.
Now y
Re: (Score:2)
How the fuck is that memorable? Maybe after awhile you'd get the muscle memory to type it in, but initially that is a PITA that would succumb to something easier. "Average" folk aren't going to come up with a phrase, salt it, then pepper it with numbers in their head.
Now think of 20, with their own different styles (Score:3)
OK, so that's password no. 1.
Most people need 20, maybe more by the time they have all their online utility bills, social media, work accounts, banking accounts, etc. Some of these have specific formats you have to follow (6-8 characters, 6-12 characters, at least one upper and one lower case letter and a number and a non alphanumeric, etc).
So now try and hold all 20 of these in your head with these different formats. And probably some of these have to be changed every three months or so (e.g. decent work p
Re:You could just do what I do (Score:4, Interesting)
Password Composer http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/ [xs4all.nl] is what I use.
For example, http://www.slashdot.org/ [slashdot.org] and my master password of buba gives right(md5sum("slashdot.org:buba"),8), which yields fc56e979
They have a static web form, a bash script, and a Greasemonkey script. I have also written a Delphi app that runs in Linux, Windows, Mac that I keep on my memory stick. So all I have to do is remember one master password, for example "buba". And with that master password every site gets a unique password that is hard to crack. I decided about four years back that if anyone ever hacks one password of mine or can fool me into revealing a password to them, that is all they get: one password.
The ironic thing is the only site that I use a regular password that I came up with, that is related to me, that can be broken by a dictionary attack, is the one for my slashdot account. Still the same password I came up with in 1999 or 2000. I assume no one else would want to hijack my opinions.
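The derivation described in the comment above, as an added example (not Password Composer's own code and not the commenter's): it follows the formula as the comment writes it, shows the ceiling an 8-hex-character output puts on strength, and sets a stretched variant beside it. `siteKey`, `stretchedPassword`, the scrypt parameters and the lookalike host name are assumptions made for illustration.

```javascript
// Added example: per-site passwords derived from one master password.
const crypto = require('crypto');

// Reduce a URL to the site name fed into the derivation, e.g.
// "http://www.slashdot.org/" -> "slashdot.org" (hypothetical helper).
// Deriving from the real host means a lookalike host gets a different password.
function siteKey(url) {
  return new URL(url).hostname.toLowerCase().replace(/^www\./, '');
}

// Formula as written in the comment: right(md5("domain:master"), 8).
// One unsalted MD5 call per guess, and at most 16^8 distinct outputs.
function composerPassword(domain, master) {
  const hex = crypto.createHash('md5').update(`${domain}:${master}`).digest('hex');
  return hex.slice(-8);
}

// Assumed hardened variant: scrypt makes every master-password guess expensive,
// the site name acts as the salt, and 20 base64url characters are kept.
// Neither scheme can be stronger than the master password itself.
function stretchedPassword(domain, master, length = 20) {
  const salt = `site-password:v1:${domain}`;
  const key = crypto.scryptSync(master, salt, 32, { N: 16384, r: 8, p: 1 });
  const b64url = key.toString('base64').replace(/\+/g, '-').replace(/\//g, '_');
  return b64url.slice(0, length);
}

// Upper bound, in bits, on the entropy of a generated password.
function outputBits(alphabetSize, length) {
  return Math.round(length * Math.log2(alphabetSize));
}

// Derive both forms for each URL so they can be compared side by side.
function report(master, urls) {
  return urls.map((url) => {
    const domain = siteKey(url);
    return {
      domain,
      composer: composerPassword(domain, master),
      stretched: stretchedPassword(domain, master),
    };
  });
}

// Constructed sample input: the site from the comment and a made-up lookalike.
const SAMPLE_URLS = ['http://www.slashdot.org/', 'https://slashdot.org.login.example/'];

console.log(report('buba', SAMPLE_URLS));
console.log('max bits:', { composer: outputBits(16, 8), stretched: outputBits(64, 20) });
```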
Re: (Score:3)
> ...what can realistically be memorized by the average person ...
And there is the real flaw: not the use of passwords, but the silly notion that average people should memorize them. WRITE THE DAMN THINGS DOWN!
Re: (Score:2)
I just write work passwords down and keep them in my wallet, home passwords are written down and secured by the lock on my front door. IMO "Never write your password down" is incredibly STUPID advice, especially for the root password on your home computer. If you forget your root password you're screwed, unless you're a better crhacker than me.
WRONG (Score:5, Insightful)
Users are the weakest link.
Re:WRONG (Score:5, Insightful)
Users are the weakest link.
Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?
People can be pretty responsible with secure tokens when they understand the protocol to use them.
Re: (Score:2)
I know many people who misplace their keys frequently.
Re: (Score:2)
Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?
People can be pretty responsible with secure tokens when they understand the protocol to use them.
Most people leave them lying around for about 8 hours of a day while they sleep. I've also seen keys "loaned to a friend" many a times before for a wide variety of reasons. Not that you should be paranoid of your friends, but essentially whatever happens to your keys while not in your possession is out of your control. Perhaps your friends have a habit of leaving keys lying around.
I think a lot of people "understand the protocol" with passwords... They just don't want to follow it.
Re: (Score:2)
I think a lot of people "understand the protocol" with passwords... They just don't want to follow it.
Partly, but also I think a lot of people just don't care. This is the third, fourth, or even fifth time 'OMG GAWKER' has appeared on Slashdot, so I'm sure you can find lots of discussion there, but suffice to say that most of these online accounts just aren't that important. Kind of like how I don't lock the doors on my Taurus.
Re: (Score:2)
Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?
How often do they put their keys into their mailbox for someone else to get it in order to feed the cat while they're on vacation?
Re: (Score:2)
"If only there was some government sponsored secure key system for passwords"
I don't know how to express my unhappiness that someone actually thinks like this.
A.
Yes, but how many keys does anyone have? (Score:2)
I've got maybe 12 or 15 keys on my ring, all bound together to form one not too large of an object. It's easy to keep track of where it is and keep watch over it. But if my key ring had several dozen keys on it, and if I had to take keys off the ring and hand them to someone else to get various doors open, and oh by the way, I had to make the keys myself (with more secure keys being larger, heavier, and more difficult to make than less secure keys), then you'd see the same problems with physical keys as you
Selection bias. (Score:3)
Most people never ask you any questions. Only the dumb ones ask dumb ones. You forget the sensible but boring ones. You are confounding the left tail of the distribution with the middle.
Re: (Score:2)
Not at all.
The current paradigm is inherently flawed. You cannot expect what is asked of the users: To remember 20-30 secure passwords. Sure, some of us are rain men, but the security design is out of touch with reality. We need something common, like signed certificates.
Step 1: Create a solution. Like OpenID. Or maybe we already have a solution in OpenID.
Step 2: Mandate it.
Step 3: Make password authentication online illegal.
Seriously. That's what it's going to take. The HUGE, HUGE downside is that this wi
Re:WRONG (Score:4, Informative)
Close. Journalists are the weakest link.
Most of the stuff that's password-protected isn't worth anything.
A Gawker account? How much does having that hacked cost me?
A lot less than the time it takes to tell a journalist that it didn't cost me anything.
gpg-authentication? (Score:2)
Why not upon registration upload one's public GPG key to somesite and then, when logging in, have the server send a challenge (i.e. encrypted with the public key) to the browser/user, where you use your normal secret key and its passphrase to respond? Voila! One keyring to rule them all...
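The exchange proposed in the comment above, as an added example that is not part of the original post: the server encrypts a random nonce to the registered public key and only the holder of the private key can answer. It uses RSA-OAEP from Node's built-in `crypto` in place of GPG, leaves out the passphrase protecting the private key, and every name in it (`AuthServer`, `proof`, the 60-second lifetime, `somesite.example`) is an assumption.

```javascript
// Added example: login by challenge-response against a registered public key.
// RSA-OAEP stands in for GPG; all names and parameters here are hypothetical.
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const CHALLENGE_TTL_MS = 60 * 1000; // assumed challenge lifetime

// Both sides hash the nonce together with the site name. The client therefore
// never returns raw decrypted plaintext, so a server cannot use the login
// exchange to get arbitrary ciphertexts decrypted for it.
function proof(origin, nonce) {
  return crypto.createHash('sha256').update(`login:${origin}:`).update(nonce).digest();
}

class AuthServer {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key PEM, stored at registration
    this.pending = new Map();    // challenge id -> { user, nonce, expires }
  }

  register(user, publicKeyPem) {
    this.publicKeys.set(user, publicKeyPem);
  }

  issueChallenge(user, now = Date.now()) {
    const key = this.publicKeys.get(user);
    if (!key) throw new Error('unknown user');
    const nonce = crypto.randomBytes(32);
    const id = crypto.randomBytes(16).toString('hex');
    this.pending.set(id, { user, nonce, expires: now + CHALLENGE_TTL_MS });
    return { id, ciphertext: crypto.publicEncrypt({ key, ...OAEP }, nonce) };
  }

  // Returns the authenticated user name, or null on any failure.
  verifyResponse(id, response, now = Date.now()) {
    const entry = this.pending.get(id);
    this.pending.delete(id); // single use: a replayed answer finds nothing
    if (!entry || now > entry.expires) return null;
    const expected = proof(this.origin, entry.nonce);
    if (!Buffer.isBuffer(response) || response.length !== expected.length) return null;
    return crypto.timingSafeEqual(response, expected) ? entry.user : null;
  }
}

// Client side: decrypt the nonce with the private key and return only its proof.
function answerChallenge(privateKeyPem, origin, ciphertext) {
  const nonce = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, ciphertext);
  return proof(origin, nonce);
}

function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Constructed run: a valid login, a replay, a wrong key and an expired challenge.
function demo() {
  const origin = 'somesite.example';
  const server = new AuthServer(origin);
  const alice = newKeyPair();
  const other = newKeyPair();
  server.register('alice', alice.publicKey);

  const c1 = server.issueChallenge('alice');
  const answer = answerChallenge(alice.privateKey, origin, c1.ciphertext);
  const ok = server.verifyResponse(c1.id, answer);
  const replay = server.verifyResponse(c1.id, answer);

  const c2 = server.issueChallenge('alice');
  let wrongKey;
  try {
    const forged = answerChallenge(other.privateKey, origin, c2.ciphertext);
    wrongKey = server.verifyResponse(c2.id, forged);
  } catch (err) {
    wrongKey = null; // OAEP decryption fails without the matching private key
  }

  const c3 = server.issueChallenge('alice', 0);
  const late = answerChallenge(alice.privateKey, origin, c3.ciphertext);
  const expired = server.verifyResponse(c3.id, late, CHALLENGE_TTL_MS + 1);
  return { ok, replay, wrongKey, expired };
}

console.log(demo());
```

The server stores only public keys, so a database leak exposes nothing a login can be replayed from.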
Re:gpg-authentication? (Score:4, Informative)
You obviously have not had to deal with the average user. I run a web site that has accounts and many non-tech users and many people can't even understand the concept of password let alone asking them to upload a public key. I regularly get complaints that our site isn't "user friendly" because the person can't manage to even remember their username... so anything that is even slightly more complicated or involves something that they don't deal with in every day life is right out.
Re: (Score:2)
> anything that is even slightly more complicated
> or involves something that they don't deal with
> in every day life it's right out.
Well, I agree with you, that methods should be close to real life. And that's why passwords suck. But most people do know the concept of a key and if implemented correctly, I can see even average users being comfortable with sticking in a USB-stick, aka key to unlock their computer and remote account(s).
Re: (Score:2)
I can see even average users being comfortable with sticking in a USB-stick, aka key to unlock their computer and remote account(s).
I cannot see that, to be perfectly honest. Someone will forget to bring the USB stick with them, or lose it, or put it through a washing machine, etc. I am a big fan of cryptographic authentication, but requiring people to carry a physical token around is only going to work if they are committed to security -- which is not true of most people.
The biggest problem is that people want convenience. Passwords, simply put, are so convenient that we will never quite get rid of them. People want to be able
Re: (Score:2)
Passwords THEMSELVES aren't considered convenient enough to many non-techs or people that have managed to dodge most of the Internet revolution that I see in my day to day working life... so you can see how changing to even something like a USB key (many not ever using anything USB related in their life) can be just as bad.
Re: (Score:3)
This kind of thinking pisses me off. (Agent Smith voice) If only we didn't have this... problem... these... users... life would be so much easier!
In your honor I'm gonna go and change a bunch of my online account passwords to simple English words. What's that sound I hear? Ah, it must be hackers beating down the doors to read my email. Maybe they will also get into my bank account and pay my bills or something.
Re: (Score:2)
Would free the server-side from having to store any passwords etc. and render brute-force-attacks (except RSA :-D) a thing of the past...
Re: (Score:2)
Or if the user wants to be anonymous, and have everything they post on their fetish sites be tied to their same userID as they use for everything else.
Of course, we could move to client certificates stored on smart cards which would make the need for passwords moot, but I don't want every single site to know exactly who I am, and allow third party ad trackers to have absolute knowledge of who is visiting, regardless of cookie stomping, adblocking, or other privacy functions.
Re: (Score:2)
> if the user wants to be anonymous, and have
> everything they post on their fetish sites be
> tied to their same userID as they use for
> everything else.
Well, you can make the key say anything you want. User/KeyID "Furry Donald" is perfectly valid and for authentication purposes it doesn't matter at all. All that matters is, that you got the other half on your USB-stick.
Re: (Score:2)
That is true, but the current spec for client keys uses a CA that wants people's real names and other info. Some don't care if the E-mail address is unique though, so perhaps multiple keys can be used.
In any case, it makes it easier for cross-site advertisers to tie a single person together. Client certs are a boon to security, but a serious blow to anonymity.
Re: (Score:2)
> That is true, but the current spec for client
> keys uses a CA that wants people's real names and
> other info.
I am not talking your NSA-CA-signed certificate, but GPG keys. You can create your own and it would do nicely for authentication.
Re: (Score:2)
Aha... very true. I was meaning client certs. However, for authentication, PGP/gpg keys just like you state work just as well (if not better because a self maintained WOT is more secure than trusting someone else's PKI any way), and would definitely provide both security and anonymity. PGP keys also work in smart cards, so a key for bouncybunny101@mailinator.com could be easily used and if needed, deleted without having it be linked to one's work key or personal info.
Re: (Score:2)
Exactly. And the WOT, as cool as it is, is irrelevant here (though it could optionally be used server-side for additional authentication). All you need is the key-pair...any key-pair with any name attached.
Was, btw., very nicely implemented with NYM-(email)-servers, where you can create a virtual persona simply based on your GPG-keys.
Re: (Score:2)
> That's fine, until someone wants to log in from a
> different computer where they don't have their
> private key available..
Most people do not forget their house or car keys because they got used to needing them. The same could be done for cryptographic keys, if used widely. And that's the chicken/egg issue: it will only make sense to the average user, if all his sites (say 90+%) s/he uses can be opened with that key.
News at 11 (Score:2)
Not ideal case for study (Score:5, Insightful)
I would assume that much of the readership is like myself. They know that access to their Gawker account is the most sacred and guarded of personal intrusions, and would thus treat security as the utmost important thing. My Gawker password was the ultimate in high security. It was a 280 character alpha-numeric password containing my social security number, all of my credit card numbers, my date of birth, my address, every password to every other website I use, plus all of my wife's data. That way I know that anyone who tried to crack my Gawker password could never do it, and all my information would be safe.
Wait, no, I got that backwards. Sorry, I used "cock" as the password for Gawker... probably. You see, if I were to log into Gawker, I would assume that the password was about as secure as writing it on the bathroom wall. In addition, I know my browser would remember whatever stupid password I typed and I wouldn't have to remember it for more than 30 seconds. Furthermore, if someone hacked it, and posted a stupid comment as "bullcrapgawkeruser222" I would likely neither notice nor care. If I did care, I would create "bullcrapgawkeruser223" with a password like "cockk".
Even more likely, if I ever commented more than once on any Gawker owned site, I probably just created a new account because I forgot I had an old one.
So, can we stop doing ultra-security analysis on what is probably a bogus set? Next I'm going to see an analysis on how insecure Masterlock combination locks are because the users don't use uppercase letters and punctuation.
Re: (Score:2)
The most sensible post here. Please mod up.
really long passwords (Score:3)
Hang on, I have to look at my post-it note on the side of my monitor so I can remember all the 20 character complicated passwords for each web site I visit and secure application I use. Especially since I can't remember them as well since I started changing them every six weeks.
Passwords become pointless when you can't remember them and can no longer access the site/service/program that they were put there to protect. Passwords are pointless when you have to keep cheatsheets in order to 'remember' them (cheatsheets that can be stolen, copied, or lost; making it impossible to access what you need and possible for others to...).
Either some other method than passwords like those time based random PIN generator fob watchama-call-its we get to log into VPNs at some companies, or we just learn to deal with it.
Re:really long passwords (Score:4, Interesting)
Having the Web browser handle passwords is one way to address this. For a new site, I make a password in KeePass, store it in that database, as well as have my Web browser store it. This way, I don't have to bother typing it in, it will be of a decent character length (20 chars), and of random characters, and a blackhat that gets that password won't have access anywhere else I go.
Since my KeePass database syncs with my phone, if I'm using another computer somewhere else, I still have access to sites I go to.
This isn't the best of all worlds solution, but it does work.
Security Questions Are The Weakest Link (Score:5, Interesting)
And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well. If I were to imagine trying to get this information on someone, I'd just call them or their family, pretend to be some High School Reunion Committee, and say "We are celebrating the class of 1987 at Shrub High" and they'd probably go "Oh no, I graduated in 1992 at Rose Garden High". Then reply "Oh really? I guess you're the wrong Joe Blow, I'm sorry for your trouble, thanks bye."
Multiple attack vectors over one secure password, ridiculous. I think GMail at least does the semi-sane thing and instead of security questions, uses a phone number to verify you if you would ever lose your password.
And that's what is needed, identity verification if the password fails. Not a cheap way to do that in an automated and very dumb way.
There was, also for years, really dumb advice such as to never write a password down. That is unrealistic given the number of passwords someone needs to know today and leads to using the same password again and again. Now, you don't have to write it unencrypted, you could use Rot13 or, even better, some other code of your devising -- but it's better than keeping all this in your head in this day and age.
Re: (Score:2)
While I expect there are many dunderheads out there who set up naively truthful answers to the canned security questions, there's no reason you should. If forced to set them up, I generally give untruthful answers. Don't go too far, as some sites give the challenges in "multiple choice" format
Re: (Score:2)
> some sites give the challenges in "multiple choice" format. What's your hometown?
> (A) Peoria, (B) Detroit, (C) London, (D) The Fifth Inner Plane of Lord Zgothos' Realms.
That's why I always pick: (E) None of the above.
Ha!
Re: (Score:2)
The problem is that I often have trouble remembering my ridiculous answer to security questions. If I ever need to use the password recovery tool and they ask where I grew up, I'll try 50 different ways to spell where I live and forget that I put "Earth" or something silly.
Re: (Score:2)
Most sites allow you to choose from more than one question or even write one yourself. If you must choose one, memorise an answer which is deliberately wrong. For example the site asks your mother's maiden name so choose McGonagall, Peshwari, Boondoggle or something memorable but not guessable even to those who know your personal history. If you are allowed to make up a questi
Not me. I'm cheerfully paranoid. (Score:2)
Every time I need a password, I either beat out a spastic smattering of letters and numbers, or dream up a weird phrase, and use the first letters, with a few of them converted to numbers.
I'm fine, as long as no one gets to my written log of all those passwords. If that happens, I'm screwed.
I refuse to create any password that has the vaguest connection to anything. Which seems apt for today's disjointed world.
Re: (Score:2)
I use pwgen. It is much better at generating truly random strings than I am.
Keep it with your credit cards and cash.
3 factor authentication (Score:2)
To gain entry into the last datacenter I worked at I needed a cardkey to get through the first door (something I have). I then had to have my hand scanned at the entrance to a man-trap (something I am). Once inside the man-trap with the door clos
Re: (Score:2)
I have no idea how something like biometrics could be applied to the web...
A phone or laptop camera could take naked pictures of you and send the images to a remote security worker for "analysis". Hey, if it's good enough for air travel, it's good enough for online shopping.
Re: (Score:3)
Were they to be used widely, it would be a matter of months before huge numbers of people had their biometric data skimmed with enough resolution that fakes could be constructed with relative ease (imagine
Re: (Score:2)
Were they to be used widely, it would be a matter of months before huge numbers of people had their biometric data skimmed with enough resolution that fakes could be constructed with relative ease (imagine the problem of ATM card skimmer devices, already cheap and common, spreading to biometric verification systems: is that "broken" biometric verification setup on the door/atm/whatever actually broken, or transmitting high resolution scans of your fingerprints to some gang even now?) If you do get skimmed, what are you going to do about it?
Don't forget that the US government now has a database of millions of travellers' fingerprints, so they can trivially break online fingerprint biometrics for those people.
As you say, the rush to 'biometric ID' is making 'biometric ID' useless.
Expecting a user to use 100s of passwords idiotic (Score:2)
I don't have the best memory in the world, but I'm no moron either. I've resorted to using a password safe program because between work and personal life I'm expected to remember literally hundreds of passwords (now they're in a password manager I can count them). Guess what? Even with the safe I continue to use a couple of "low security" passwords for certain activities. That means most things at home I can work out remembering only about a dozen passwords. Work's a different story...
Important accounts? (Score:2)
Okay, a vulnerable email account can lead to compromising other accounts, banking and shopping sites can cost you money... since when is Twitter or Facebook an "important" account in the same category as your bank account!?
Re: (Score:2)
Well for starters your Facebook will have almost all your personal info, possibly where you live, your phone number, and even if you adjusted privacy settings, some embarrassing pictures. Next thing you know you're on /b/ being asked hot or not.
Actually I've noticed a few people on 4chan who will hack Facebook accounts for you if you get them the victim's Hotmail Address. I wonder if it's just common to use your HM for FB or if they've found a vulnerability in hotmail that leads to compromising the
Personal info (Score:2)
It doesn't matter what your privacy settings are. I would bet money that you could get access to 99% o
Re: (Score:2)
ummm. No.
You can get THAT Facebook info you described often by just GOOGLING the name.
I was talking about login credentials. To do some real damage.
The "detailed analysis" needs to be ditched. (Score:3)
Idiotic.
Re: (Score:2)
That "detailed analysis" of the Gawker breach needs to be stricken from the web.
You are absolutely right. It was gawker... While I did not have a gawker account, I use the same password among multiple sites on the web and I still feel secure. For blog, news aggregate, and log-in-just-to-view sites, I use a relatively weak password. For email accounts, I use a much stronger individual password. For my home banking site, I use another unique and strong password.
Seriously, How will my life be affected if someone stole my slashdot account? Wow, I would need to post more to get excellent ka
4ny1K1n L34rn 2 Sp311 'L337' (Score:2)
I give my clients a swap list (1=i, 3=E, 4=A, 5=S, etc...) and ask them to swap at least 2 alphas for numerals of their fav passwords, add a random cap and make it 9+ characters. We do a couple examples with words/phrases of their choosing. Most actually catch on quickly when they feel involved in the process...and a little L337. Changing passwords doesn't have to be like pulling teeth.
Goodbye '57 chevy', hello 'Ch3vy83l41R'.
I'm skeptical. (Score:2)
Most users consider passwords a hindrance (Score:2)
So, since they are an annoyance and don't give users any tangible benefits, you shouldn't be surprised when users choose their passwords so they require the least amount of effort: either to remember or to enter. As for enforcing rules t
This has been discused and nothing gets done (Score:2)
So what? (Score:2)
Passwords may be the weakest link, but they are not the most common attack vector because what they are protecting is of minimal worth. The most common attack vector is exactly what we have seen here: someone uses CSS/default password/other vulnerability and grabs the whole database. It's certainly sensible to keep good passwords on e-mail and financial accounts, but even there I'm much more worried about the backend being hacked than someone trying to brute force my password.
And, did you know that the sky is blue? (Score:2)
It is safe to say that (Score:2)
Comment removed (Score:5, Insightful)
Security that prevents use fails. (Score:2)
I'm facing more restrictive password policies at work every day. Some expire every 14 days. Some require that they start AND end with an alphanumeric character, include a symbol from a short list of acceptable symbols, upper and lower case characters, and be 8-11 characters long. These restrictions broke my normal conventions. I'm pretty much forced to keep a cheat sheet of hints to my passwords. Today I have 11 unique passwords shared among 22 different systems comprising 32 different hosts and servic
how to be safe(r) online (Score:2)
Here's an excerpt from an article I wrote for my law school's paper about online security w/ some suggestions about passwords. (I doubt there's any interest in the whole article but here's the link if you are for some reason: http://law.gsu.edu/thedocket/node/519 [gsu.edu] )
-----
1) Stop using the same password for everything. At a minimum come up with a base password and then append (or prepend) it with something unique for each application. If your base password is "fido" then for Twi
And in OTHER ground breaking NEWS! (Score:2)
It was recently reported that the sky is BLUE and the Earth is NOT FLAT!!! File this under "DUH!"
WoW authenticator - But for everything. (Score:2)
I'm not sure why my video game character is the most secure bit of digital data I have.
It is possible where others fear to tread... (Score:2)
The right responsible thing to do (Score:2)
The right responsible thing for website and application developers/owners to do is NOT allow users to create their own passwords. Generate one for them.
But that doesn't mean the passwords have to be hard to remember. Four randomly chosen 3-5 character words from the standard 25k word dictionary on Solaris is identical in strength to an 8 character purely random password that uses all possible keyboard characters (26 lower case, 26 upper case, 10 numbers, 12 special characters). Three of those is id
Re: (Score:2)
> Who cares about their password security on Gawker's sites and other like them.
> I personally use the crappiest password I can remember for stuff like that.
Please read the story of the guy using his neighbor's wireless and sent e-mails in 'his' name to threaten various high-profile people, sent childporn etc. While you might get cleared eventually, when somebody used YOUR oh so unimportant account for such purposes, good luck in the meantime until it gets to that point. And hopefully your boss is OK
Re: (Score:2)
> I personally use the crappiest password I can remember for stuff like that.
Thereby enabling comment spammers.
Re: (Score:2)
This is why we should be having real discussions about standardizing on better authentication methods (OAuth, etc.) and multi-step auth instead of passwords. I personally think password + hardware (phone / SD / etc.) + retina scan would be a good base to run an auth server off of. I also think identity should be in the browser (see sig).