Passwords Are the Weakest Link In Online Security

Orome1 writes "It's not surprising to find that 79% of consumers use risky password construction practices, such as including personal information and words. The recent Gawker breach and a detailed analysis of breached passwords show undeniably that passwords continue to be the Achilles' heel of the average Internet user. This insecure trend sadly doesn't shift as 26% of users reuse the same password for important accounts such as email, banking or shopping and social networking sites while 29% had their own email or social network account hacked, and over half (52%) know someone who has had a similar problem."

Bad Passwords Are the Weakest Link.

[John Hasler]

n/t

Re:Bad Passwords Are the Weakest Link.

[grumbel]

No, the weakest link is the flawed authentication mechanics that requires you to use passwords in the first place. Bad password are just the natural result of that. If you want to fix the problem, you have to fix the way users authenticated themselves, not just chose a better password.

Re:Bad Passwords Are the Weakest Link.

[bitingduck]

I have a mobile phone (two, actually). I also live in a hole in the ground (not quite literally, but close) that's a cell shadow with intermittent coverage at best, and zero signal a lot of the time. Your authentication scheme won't work there, and will also be spotty in my office, which is smack in the center of a building.

Re:

[Rich0]

Actually, OpenID still solves a big problem - people using one password for all sites so that if you compromise one of them you compromise all of them.

With OpenID you use your password for ONE site, and then you use strong crypto for all the other authentications. Sure, if you crack that one site you still get it all, but that one site is more readily secured, and as soon as you resecure the OpenID site all the others become secure again.

Coming up with one good password isn't nearly as hard as remembering

You could just do what I do

[Pojut]

Use made-up words that come from your own brain. Let's see a brute-force script figure out a combination of seven to twelve letters and numbers that, other than as my passwords, don't exist anywhere besides in my head.

Of course, that's irrelevant in something like the Gawker breach, but still...

Re:

[Iphtashu Fitz]

What I do is create passwords based on street addresses that I am familiar with. For example, one password is based on the address where I lived as a child. I seriously doubt anybody outside my family would even know what the address is so it's pretty secure.

Suppose you have an address like 123 Main Street, Jonesville, NY. Just take the key pieces along with some punctuation and a pattern of upper/lower case letters and you can quickly come up with a password like 123ms,J.NY

Change around the punctuation,

Re:

[delinear]

Unless you use exactly the same formatting rules for each password, I don't see how that's particularly any more easy to remember than a random string. If you can come up with a formatting system that works with all of your address based passwords then I agree that's a pretty good method. I use a similar one for systems that require a password renewal every X days - I use a system based on town and village names near the place I grew up. That place is in the middle of nowhere and nobody's ever heard of it s

Re:

[Culture20]

7 characters? Child's play. Start with a minimum of 15 characters, and increase by four to eight every time you change your password.

Re:

[N1AK]

I'm actually quite surprised that password quality is as good as this article makes out. For my own shame, I'm a CS graduate with plenty of experience and awareness of how poor password use can be a risk.... I still used the same password almost anywhere until around 2 weeks ago. I don't know why, beyond sheer laziness and prioritising convenience over security. The password I used is secure (no real words, includes numbers etc) but that's no protection if any site I use it at is compromised.
I have now b

Re:

[Pojut]

lol, my wife still uses her high school password for a couple of sensitive things (which is a jumble of random different case letters and numbers), even though she graduated back in 2003.

Re:

[Chrisq]

lback in 2003.

Sigh .... back in 2003. It must be nice top be young

Re:

[mcgrew]

Um, I'm not young, but a lot has changed since 2003. Hell, in 2003 my divorce had just been finalized, my life was completely different from what it is now, and I'm 58.

Re:You could just do what I do

[oldspewey]

You people are determined to ruin my version of reality.

Re:

[formfeed]

lol, my wife still uses her high school password for a couple of sensitive things

I know!

Re:

[Low Ranked Craig]

Well, I still use the same random passwords I've been using since I graduated in 1986. Now get off my lawn.

Re:

[John Hasler]

> Now get off my lawn.

You aren't old enough to have one.

Re:

[Chrisq]

There's a balance between what's secure (a bunch of random characters with no relationship to anything in the real world) and what can realistically be memorized by the average person ... times twenty or thirty variations to account for all the different sites you visit.

For most people, it seems that balance lies somewhere near "have 2 or 3 shitty, easily guessed passwords and reuse them across all my online accounts."

I use a variation on that. Just in case someone from one site has access to my password and guesses its used in other sites I append an "easy" password to the end ... meaning that they would go and try someone else's account for example a root Guess24This76is76Hard : would be

Guess24This76is76Hard1FatCountry for Nationwide

Guess24This76is76Hard1Dogleys for barclays

Guess24This76is76Hard1SlaveCard for Master card

Re:

[Cwix]

It really isnt that hard to memorize a good password... come up with a phrase or saying your likely to remember. For our religious friends a bible verse would work well. Then use the first letter of every word, salt it with something meaningful, and you have a password.

Now is the time for all good men to come to the aid of their country.

nittfagmtcttaotc

now lets say your favorite number is 25

nitt2fagm5tctt.aotc

I added a . in there so its easy to remember that every 4 letters something has to be added.

Now y

Re:

[edmicman]

How the fuck is that memorable? Maybe after awhile you'd get the muscle memory to type it in, but initially that is a PITA that would succumb to something easier. "Average" folk aren't going to come up with a phrase, salt it, then pepper it with numbers in their head.

Re:

[markdj]

But what if one site only allows lower case letters and another requires a mix of lower and aupper case and special characters? Are you really going to remember that if you visit the sites infrequently?

Re:

[account_deleted]

Comment removed based on user account deletion

Now think of 20, with their own different styles

[fantomas]

ok, so that's password no.1 .

Most people need 20, maybe more by the time they have all their online utility bills, social media, work accounts, banking accounts, etc. Some of these have specific formats you have to follow (6-8 characters, 6-12 characters, at least one upper and one lower case letter and a number and a non alphanumeric, etc).

So now try and hold all 20 of these in your head with these different formats. And probably some of these have to be changed every three months or so (e.g. decent work p

Re:You could just do what I do

[fwarren]

Password Composer http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/ [xs4all.nl] is what I use.

For example http://www.slashdot.org/ [slashdot.org] and my master password of buba yields a right(md5sum("slashdot.org:buba"),8) yields fc56e979

They have a static web form, a bash script, and a greasemonkey script. I have also written a delphi app that runs in Linux, Windows, Mac that I keep on my memory stick. So all I have to do is remember one master password, for example "buba". And with that master password every site gets a unique password that is hard to crack. I decided about four years back that if anyone ever hacks one password of mine or can fool me into revealing a password to them, that is all they get one password.

The ironic thing is the only site that I use a regular password that I came up with, that is related to me, that can be broken by a dictionary attack, is the one for my slashdot account. Still the same password I came up with in 1999 or 2000. I assume no one else would want to hijack my opinions.

Re:

[John Hasler]

> ...what can realistically be memorized by the average person ...

And there is the real flaw: not the use of passwords, but the silly notion that average people should memorize them. WRITE THE DAMN THINGS DOWN!

Re:

[mcgrew]

I just write work passwords down and keep them in my wallet, home passwords are written down and secured by the lock on my front door. IMO "Never write your password down" is incredibly STUPID advice, especially for the root password on your home computer. If you forget your root password you're screwed, unless you're a better crhacker than me.

WRONG

[binarylarry]

Users are the weakest link.

Re:WRONG

[sco08y]

Users are the weakest link.

Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?

People can be pretty responsible with secure tokens when they understand the protocol to use them.

Re:

[BagOBones]

I know many people who misplace their keys frequently.

Re:

[Monkeedude1212]

Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?

People can be pretty responsible with secure tokens when they understand the protocol to use them.

Most people leave them lying around for about 8 hours of a day while they sleep. I've also seen keys "loaned to a friend" many a times before for a wide variety of reasons. Not that you should be paranoid of your friends, but essentially whatever happens to your keys while not in your possession is out of your control. Perhaps your friends have a habit of leaving keys lying around.

I think a lot of people "understand the protocol" with passwords... They just don't want to follow it.

Re:

[BobMcD]

I think a lot of people "understand the protocol" with passwords... They just don't want to follow it.

Partly, but also I think a lot of people just don't care. This is the third, fourth, or even fifth time 'OMG GAWKER" has appeared on slashdot, so I'm sure you can find lots of discussion there, but suffice to say that most of these online accounts just aren't that important. Kind of like how I don't lock the doors on my Taurus.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Rhaban]

Really? How often do people leave their keys lying around? Or blindly hand them to a stranger?

How often do they put their keys into their mailbox for someone else to get it in order to feed the cat while they're on vacation?

Re:

[delinear]

If only there was some government sponsored secure key system for passwords, enabling the average user to have a secure key with one strong password to access all their others and some education on how to properly use it (I know these things are trivial to find if you know what you're doing, but let's face it, users who know what they're doing aren't really the issue here), we might be able to overcome some of the problems. Having said that, the government hardly have a great reputation for looking after da

Re:

[Alrescha]

"If only there was some government sponsored secure key system for passwords"

I don't know how to express my unhappiness that someone actually thinks like this.

A.

Yes, but how many keys does anyone have?

[sean.peters]

I've got maybe 12 or 15 keys on my ring, all bound together to form one not too large of an object. It's easy to keep track of where it is and keep watch over it. But if my key ring had several dozen keys on it, and if I had to take keys off the ring and hand them to someone else to get various doors open, and oh by the way, I had to make the keys myself (with more secure keys being larger, heavier, and more difficult to make than less secure keys), then you'd see the same problems with physical keys as you

Selection bias.

[John Hasler]

Most people never ask you any questions. Only the dumb ones ask dumb ones. You forget the sensible but boring ones. You are confounding the left tail of the distribution with the middle.

Re:

[Himring]

Concur, but not concur, not when it doesn't matter what your password is when you visit digg.com to look at Grand Torino screens, to find later your gmail has been accessed from China, because of a recent .php hack, and finally conclude that digg.com is an infestation due to its very nature of anyone being able to leverage a malicious page to a top site.... A hack where your very strong password was plainly attained on the other side of the globe, but thank god the email account you accessed at the time wa

Re:

[stonewallred]

Eh, common sense and security are much easier than using an authenticator. Now Blizz'es idea of using the same user name and password, along with using the user name (which is an email address) on three separate sites (forums, account management and game client)is fucking retarded.

Re:

[Jeppe Salvesen]

Not at all.

The current paradigm is inherently flawed. You cannot expect what is asked of the users: To remember 20-30 secure passwords. Sure, some of use are rain men, but the security design is out of touch with reality. We need something common, like signed certificates.

Step 1: Create a solution. Like OpenID. Or maybe we already have a solution in OpenID.
Step 2: Mandate it.
Step 3: Make password authentication online illegal.

Seriously. That's what it's going to take. The HUGE, HUGE downside is that this wi

Re:WRONG

[blair1q]

Close. Journalists are the weakest link.

Most of the stuff that's password-protected isn't worth anything.

A Gawker account? How much does having that hacked that cost me?

A lot less than the time it takes to tell a journalist that it didn't cost me anything.

gpg-authentication?

[muckracer]

Why not upon registration upload one's public GPG key to somesite and then, when logging in, having the server send a challenge (i.e encrypted with the public key) to the browser/user, where you use your normal secret key and its passphrase to respond. Voila! One keyring to rule them all...

Re:gpg-authentication?

[MickyTheIdiot]

You obviously not had to deal with the average user. I run a web site that has accounts and many non-tech users and many people can't even understand the concept of password let alone asking them to upload a public key. I regularly get complaints that our site isn't "user friendly" because the person can't manage to even remember their username... so anything that is even slightly more complicated or involves something that they don't deal with in every day life it's right out.

Re:

[muckracer]

> anything that is even slightly more complicated
> or involves something that they don't deal with
> in every day life it's right out.

Well, I agree with you, that methods should be close to real life. And that's why passwords suck. But most people do know the concept of a key and if implemented correctly, I can see even average users being comfortable with sticking in a USB-stick, aka key to unlock their computer and remote account(s).

Re:

[betterunixthanunix]

I can see even average users being comfortable with sticking in a USB-stick, aka key to unlock their computer and remote account(s).

I cannot see that, to be perfectly honest. Someone will forget to bring the USB stick with them, or lose it, or put it through a washing machine, etc. I am a big fan of cryptographic authentication, but requiring people to carry a physical token around is only going to work if they are committed to security -- which is not true of most people.

The biggest problem is that people want convenience. Passwords, simply put, are so convenient that we will never quite get rid of them. People want to be able

Re:

[MickyTheIdiot]

Passwords THEMSELVES aren't considered convenient enough to many non-techs or people that have managed to dodge most of the Internet revolution that I see in my day to day working life... so you can see how changing to even something like a USB key (many not ever using anything USB related in their life) cam be just as bad.

Re:

[markov_chain]

The biggest problem is that people want convenience

This kind of thinking pisses me off. (Agent Smith voice) If only we didn't have this... problem... these... users... life would be so much easier!

In your honor I'm gonna go and change a bunch of my online account passwords to simple English words. What's that sound I hear? Ah, it must be hackers beating down the doors to read my email. Maybe they will also get into my bank account and pay my bills or something.

Re:

[muckracer]

Would free the server-side from having to store any passwords etc. and render brute-force-attacks (except RSA :-D) a thing of the past...

Re:

[mlts]

Or if the user wants to be anonymous, and have everything they post on their fetish sites be tied to their same userID as they use for everything else.

Of course, we could move to client certificates stored on smart cards which would make the need for passwords moot, but I don't want every single site to know exactly who I am, and allow third party ad trackers to have absolute knowledge of whom is visting, regardless of cookie stomping, adblocking, or other privacy functions.

Re:

[muckracer]

> if the user wants to be anonymous, and have
> everything they post on their fetish sites be
> tied to their same userID as they use for
> everything else.

Well, you can make the key say anything you want. User/KeyID "Furry Donald" is perfectly valid and for authentication purposes it doesn't matter at all. All that matters is, that you got the other half on your USB-stick.

Re:

[mlts]

That is true, but the current spec for client keys uses a CA that wants people's real names and other info. Some don't care if the E-mail address is unique though, so perhaps multiple keys can be used.

In any case, it makes it easier for cross-site advertisers to tie a single person together. Client certs are a boon to security, but a serious blow to anonymity.

Re:

[muckracer]

> That is true, but the current spec for client
> keys uses a CA that wants people's real names and
> other info.

I am not talking your NSA-CA-signed certificate, but GPG keys. You can create your own and it would do nicely for authentication.

Re:

[mlts]

Aha... very true. I was meaning client certs. However, for authentication, PGP/gpg keys just like you state work just as well (if not better because a self maintained WOT is more secure than trusting someone else's PKI any way), and would definitely provide both security and anonymity. PGP keys also work in smart cards, so a key for bouncybunny101@mailinator.com could be easily used and if needed, deleted without having it be linked to one's work key or personal info.

Re:

[muckracer]

Exactly. And the WOT, as cool as it is, is irrelevant here (though it could optionally be used server-side for additional authentication). All you need is the key-pair...any key-pair wih any name name attached.
Was, btw., very nicely implemented with NYM-(email)-servers, where you can create a virtual persona simply based on your GPG-keys.

Re:

[muckracer]

> That's fine, until someone wants to log in from a
> different computer where they don't have their
> private key available..

Most people do not forget their house or car keys because they got used to needing them. The same could be done for cryptographic keys, if used widely. And that's the chicken/egg issue: it will only make sense to the average user, if all his sites (say 90+%) s/he uses can be opened with that key.

News at 11

[magsol]

What will be truly newsworthy is the day when passwords / users aren't the weakest link in security. Until that happens, I'll stay in my underground bunker sipping on Ramen and playing tower defense.

Not ideal case for study

[Anonymous Coward]

There's lots of buzz going around about the Gawker breach and discussions on how good/bad the passwords were. I looked at the websites that Gawker owned and most of them are tech websites, frequented by people that have some knowledge of security and computer systems.

I would assume that much of the readership is like myself. They know that access to their Gawker account is the most sacred and guarded of personal intrusions, and would thus treat security as the utmost important thing. My Gawker password was the ultimate in high security. It was a 280 character alpha-numeric password containing my social security number, all of my credit card numbers, my date of birth, my address, every password to every other website I use, plus all of my wife's data. That way I know that anyone who tried to crack my Gawker password could never do it, and all my information would be safe.

Wait, no, I got that backwards. Sorry, I used "cock" as the password for Gawker... probably. You see, if I were to log into Gawker, I would assume that the password was about as secure as writing it on the bathroom wall. In addition, I know my browser would remember whatever stupid password I typed and I wouldn't have to remember it for more than 30 seconds. Furthermore, if someone hacked it, and posted a stupid comment as "bullcrapgawkeruser222" I would likely neither notice nor care. If I did care, I would create "bullcrapgawkeruser223" with a password like "cockk".

Even more likely, if I ever commented more than once on any Gawker owned site, I probably just created a new account because I forgot I had an old one.

So, can we stop doing ultra-security analysis on what is probably a bogus set? Next I'm going to see an analysis on how insecure Masterlock combination locks are because the users don't use uppercase letters and punctuation.

Re:

[Lije Baley]

The most sensible post here. Please mod up.

really long passwords

[theshowmecanuck]

Hang on, I have to look at my post-it note on the side of my monitor so I can remember all the 20 character complicated passwords for each web site I visit and secure application I use. Especially since I can't remember them as well since I started changing them every six weeks.

Passwords become pointless when you can't remember them and can no longer access the site/service/program that they were put there for to protect. Passwords are pointless when you have to keep cheatsheets in order to 'remember' them (cheatsheets that can be stolen, copied, or lost; making it impossible to for access what you need and possible for others to...).

Either some other method than passwords like those time based random PIN generator fob watchama-call-its we get to log into VPNs at some companies, or we just learn to deal with it.

Re:really long passwords

[mlts]

Having the Web browser handle passwords is one way to address this. For a new site, I make a password in KeePass, store it in that database, as well as have my Web browser store it. This way, I don't have to bother typing it in, it will be of a decent character length (20 chars), and of random characters, and a blackhat that gets that password won't have access anywhere else I go.

Since my KeePass database syncs with my phone, if I'm using another computer somewhere else, I still have access to sites I go to.

This isn't the best of all worlds solution, but it does work.

Security Questions Are The Weakest Link

[rolfwind]

And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well. If I were to imagine trying to get this information on someone, I'd just call them or their family, pretend to be some High School Reunion Committee, and say "We are celebrating the class of 1987 at Shrub High" and they'd probably go "Oh no, I'm graduated in 1992 at Rose Garden High". Then reply "Oh really? I guess you're the wrong Joe Blow, I'm sorry for your trouble, thanks bye."

Multiple attack vectors over one secure password, ridiculous. I think GMail at least does the semi-sane thing and instead of security questions, uses a phone number to verify you if you would ever lose your password.

And that's what is needed, identity verification if the password fails. Not a cheap way to do that in an automated and very dumb way.

There was, also for years, really dumb advice such as to never write a password down. That is unrealistic given the number of passwords someone needs to know today and leads to using the same password again and again. Now, you don't have to write it unencrypted, you could use Rot13 or, even better, some other code of your devising -- but it's better than keeping all this in your head in this day and age.

Re:

[Speare]

And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well.

While I expect there are many dunderheads out there who set up naively truthful answers to the canned security questions, there's no reason you should. If forced to set them up, I generally give untruthful answers. Don't go too far, as some sites give the challenges in "multiple choice" format

Re:

[muckracer]

> some sites give the challenges in "multiple choice" format. What's your hometown?
> (A) Peoria, (B) Detroit, (C) London, (D) The Fifth Inner Plane of Lord Zgothos' Realms.

That's why I always pick: (E) None of the above.

Ha!

Re:

[Monkeedude1212]

The problem is that I often have trouble remembering my ridiculous answer to security questions. If I ever need to use the password recovery tool and they ask where I grew up, I'll try 50 different ways to spell where I live and forget that I put "Earth" or something silly.

Re:

[DrXym]

It sounds like you're saying the person was the weakest link for telling a complete stranger the answer to their personal question.

Most sites allow you to choose from more than one question or even write one yourself. If you must choose one, memorise an answer which is deliberately wrong. For example the site asks your mother's maiden name so choose McGonagall, Peshwari, Boondoggle or something memorable but not guessable even to those who know your personal history. If you are allowed to make up a questi

Re:

[e4g4]

Agreed - a password manager like Password Safe, or my personal favorite 1Password [agilewebsolutions.com] is the answer to the password problem. Knowing only how to get a password, rather than the password itself, is also less vulnerable to a certain class of social engineering attacks (noticing that your password manager is suddenly unable to autofill the password on a site that looks just like your bank's site might clue in even the dullest people on the internet).

Not me. I'm cheerfully paranoid.

[Whumpsnatz]

Every time I need a password, I either beat out a spastic smattering of letters and numbers, or dream up a weird phrase, and use the first letters, with a few of them converted to numbers.

I'm fine, as long as no one gets to my written log of all those passwords. If that happens, I'm screwed.

I refuse to create any password that has the vaguest connection to anything. Which seems apt for today's disjointed world.

Re:

[John Hasler]

Every time I need a password, I either beat out a spastic smattering of letters and numbers, or dream up a weird phrase, and use the first letters, with a few of them converted to numbers.

I use pwgen. It is much better at generating truly random strings than I am.

I'm fine, as long as no one gets to my written log of all those passwords. If that happens, I'm screwed.

Keep it with your credit cards and cash.

3 factor authentication

[Iphtashu Fitz]

When I've worked in for companies whose equipment is housed in commercial datacenters, most of them required three factor authentication to gain access:

• something you know (a password)
• something you are (biometrics)
• something you have (a key, security token, etc)

To gain entry into the last datacenter I worked at I needed a cardkey to get through the first door (something I have). I then had to have my hand scanned at the entrance to a man-trap (something I am). Once inside the man-trap with the door clos

Re:

[Sponge Bath]

I have no idea how something like biometrics could be applied to the web...

A phone or laptop camera could take naked pictures of you and send the images to a remote security worker for "analysis". Hey, if it's good enough for air travel, it's good enough for online shopping.

Re:

[fuzzyfuzzyfungus]

Biometrics are pretty dubious for widespread use. They sure do add that "just like the movies" flavor to flashy secure facilities(and, as long as their use is rare, they are likely to be stolen only in the most targeted of attacks); but the majority of them are dangerously weak(and impossible to change).

Were they to be used widely, it would be a matter of months before huge numbers of people had their biometric data skimmed with enough resolution that fakes could be constructed with relative ease(imagine

Re:

[0123456]

Were they to be used widely, it would be a matter of months before huge numbers of people had their biometric data skimmed with enough resolution that fakes could be constructed with relative ease(imagine the problem of ATM card skimmer devices, already cheap and common, spreading to biometric verification systems: is that "broken" biometric verification setup on the door/atm/whatever actually broken, or transmitting high resolution scans of your fingerprints to some gang even now?) If you do get skimmed, what are you going to do about it?

Don't forget that the US government now has a database of millions of travellers' fingerprints, so they can trivially break online fingerprint biometrics for those people.

As you say, the rush to 'biometric ID' is making 'biometric ID' useless.

Expecting a user to use 100s of passwords idiotic

[syousef]

I don't have the best memory in the world, but I'm no moron either. I've resorted to using a password safe program because between work and personal life I'm expected to remember literally hundreds of passwords (now they're in a password manager i can count them). Guess what? Even with the safe I continue to use a couple of "low security" passwords for certain activities. That means most things at home I can work out remembering only about a dozen passwords. Work's a different story...

Important accounts?

[Bogtha]

important accounts such as email, banking or shopping and social networking sites

Okay, a vulnerable email account can lead to compromising other accounts, banking and shopping sites can cost you money... since when is Twitter or Facebook an "important" account in the same category as your bank account!?

Re:

[Monkeedude1212]

Well for starters your Facebook will have almost all your personal info, possibly where you live, your phone number, and even if you adjusted privacy settings, some embarassing pictures. Next thing you know you know you're on /b/ being asked hot or not.

Actually I've noticed a few people on 4chan who will hack Facebook accounts for you if you get them the victim's Hotmail Address. I wonder if it's just common to use your HM for FB or if they've found a vulnerability in hotmail that leads to compromising the

Personal info

[jwietelmann]

You mean the Facebook info and pictures that I can get you to voluntarily give me by:

1. Creating a fake Facebook account.
2. Using a picture of an attractive female in your age range.
3. Locating your friends.
4. Carpet-bombing them with friend requests. (Surely someone will bite.)
5. Sending you a friend request. (I'm a friend of a friend, so we've probably met, and you've just forgotten.)
6. Reading everything about you.

It doesn't matter what your privacy settings are. I would bet money that you could get access to 99% o

Re:

[Monkeedude1212]

ummm. No.

You can get THAT Facebook info you described often by just GOOGLING the name.

I was talking about login credentials. To do some real damage.

The "detailed analysis" needs to be ditched.

[dreemernj]

That "detailed analysis" of the Gawker breach needs to be stricken from the web. The passwords that were decrypted were the easiest passwords in the set for the most part. That's why they were able to decrypt them. They were in dictionaries or their hashes were already on lookup tables. Then some joker takes those decrypted passwords and acts as if they are in any way representative of the rest of the passwords that could not be decrypted.

Idiotic.

Re:

[stretch0611]

That "detailed analysis" of the Gawker breach needs to be stricken from the web.

You are absolutely right. It was gawker... While I did not have a gawker account, I use the same password among multiple sites on the web and I still feel secure. For blog, news aggregate, and log-in-just-to-view sites, I use a relatively weak password. For email accounts, I use a much stronger individual password. For my home banking site, I use another unique and strong password.

Seriously, How will my life be affected if someone stole my slashdot account? Wow, I would need to post more to get excellent ka

4ny1K1n L34rn 2 Sp311 'L337'

[tunapez]

I give my clients a swap list(1=i, 3=E, 4=A, 5=S, etc...) and ask them to swap at least 2 alphas for numerals of their fav passwords, add a random cap and make it 9+ characters. We do a couple examples with words/phrases of their choosing. Most actually catch on quickly when they feel involved in the process...and a little L337. Changing passwords doesn't have to be like pulling teeth.
 
  Goodbye '57 chevy', hello 'Ch3vy83l41R'.

I'm skeptical.

[jwietelmann]

If you're using real, common words and phrases and just transcribing them to 1337, I'm pretty sure there are password cracking tools out there to account for that.

Re:

[mackil]

I believe Sherlock Holmes already showed that a substitution cipher [wikipedia.org] isn't that secure.

Most users consider passwords a hindrance

[petes_PoV]

They get between a person and their goals, they are too easily forgotten and once you have to keep track of more than a few they become unreliable and burdensome. Add on to that, most of the "information" that these passwords protect is not really worth protecting, anyway.

So, since they are an annoyance and don't give users any tangible benefits, you shouldn't be surprised when users choose their passwords so they require the least amount of effort: either to remember or to enter. As for enforcing rules t

This has been discused and nothing gets done

[markdj]

We have discussed this ad nauseum - still nothing gets done. We have way to many passwords to remember. We have way too many different password policies to follow. What is a valid password on one site is not at another. It takes too much time to look up a password you have "written" down and you need a separate password to get into the list!. That supposes you have the list with you when you need it. Today the internet is mobile and not just used at home or at the office. Additionally, there are sites whose

So what?

[RKThoadan]

Passwords may be the weakest link, but they are not the most common attack vector because what they are protecting is of minimal worth. The most common attack vector is exactly what we have seen here: someone uses CSS/default password/other vulnerability and grabs the whole database. It's certainly sensible to keep good passwords on e-mail and financial accounts, but even there I'm much more worried about the backend being hacked than someone trying to brute force my password.

And, did you know that the sky is blue?

[sitarlo]

This isn't news. It's common sense. Of course people and their passwords are the weakest link. Same thing in physical space. You can have the best lock in the world, but if you make copies of the key and are careless with them you'll get robbed.

It is safe to say that

[gotpoetry]

combination codes are the weakest link in bank vaults.

Re:

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Security that prevents use fails.

[rickb928]

I'm facing more restrictive password policies at work every day. Some expire every 14 days. Some require that they start AND end with an alphanumeric character, include a symbol from a short list of acceptable symbols, upper and lower case characters, and be 8-11 characters long. These restrictions broke my normal conventions. I'm pretty much forced to keep a cheat sheet of hints to my passwords. Today I have 11 unique passwords shared among 22 different systems comprising 32 different hosts and servic

how to be safe(r) online

[drew30319]

How to be safe(r) online

Here's an excerpt from an article I wrote for my law school's paper about online security w/ some suggestions about passwords. (I doubt there's any interest in the whole article but here's the link if you are for some reason: http://law.gsu.edu/thedocket/node/519 [gsu.edu] )
-----

1) Stop using the same password for everything. At a minimum come up with a base password and then append (or prepend) it with something unique for each application. If your base password is "fido" then for Twi

And in OTHER ground breaking NEWS!

[mrnick]

It was recently reported that the sky is BLUE and the Earth is NOT FLAT!!! File this under "DUH!"

WoW authenticator - But for everything.

[Gorkamecha]

Why not a universal authenticator? At the very least, I could see a common system setup by the banks here in North America allow the use of any debit card to work on almost every debit machine.

I'm not sure why my video game character is the most secure bit of digital data I have.

It is possible where others fear to tread...

[selil]

My students using 300 nodes of a computing cluster were able to crack 57K DOD spec passwords (7 characters, upper, lower, symbol, number) in a few hours (Windows 2003 enterprise server). The goal was to crack 450K passwords in 24 hours but we had to call off the last run due to finals. Nothing about this project was hard. Using F/OSS and a lot of computing cycles cracking them was a piece of cake. Simple two-factor authentication is horrible. Especially when you give up the userid as an email address, or us

The right responsible thing to do

[CKW]

The right responsible thing for website and application developers/owners to do is NOT allow users to create their own passwords. Generate one for them.

But that doesn't mean the passwords have to be hard to remember. Four randomly chosen 3-5 character words from the standard 25k word dictionary on Solaris is identical in strength to an 8 character purely random password that that uses all possible keyboard characters (26 lower case, 26 uppper case, 10 numbers, 12 special characters). Three of those is id

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[muckracer]

> Who cares about their password security on Gawker's sites and other like them.
> I personally use the crappiest password I can remember for stuff like that.

Please read the story of the guy using his neighbor's wireless and sent e-mails in 'his' name to threaten various high-profile people, sent childporn etc.. While you might get cleared eventually, when somebody used YOUR oh so unimportant account for such purposes, good luck in the meantime until it gets to that point. And hopefully your boss is OK

Re:

[John Hasler]

> I personally use the crappiest password I can remember for stuff like that.

Thereby enabling comment spammers.

Re:

[stonewallred]

That is why I add a 6 and a 7 to my passwords to make them unbreakable.

Re:

[Daengbo]

This is why we should be having real discussions about standardizing on better authentication methods (OAuth, etc.) and multi-step auth instead passwords. I personally think password + hardware (phone / SD / etc.) + retina scan would be a good base to run an auth server off of. I also think identity should be in the browser (see sig).

Re:

[sean.peters]

It would help if Slashdot didn't limit the subject line to something ludicrously short. I've often had to result to continuing the subject line in the body, because I couldn't come up with something sufficiently pithy for Slashdot's subject line policies. I have to admit, though, that breaking a word between the subject line and body is a crime against nature.