The average Brit maintains 26 online accounts but only uses five different passwords to keep them secure. A poll of 2,000 by Experian found that one in four people uses a single password for the majority of profiles, and one in 25 stick with the same one for ALL their accounts. In addition to chronic password reuse, failing to …
"....other security experts argue that the survey illustrates the growing problems with using passwords as a security defence."
This is surely the core to the problem. Passwords are far too easy to harvest and, if they're short enough to be memorable, far too easy to crack. Essentially they're an obsolete authentication method. And, given umpteen sites requiring passwords, then of course the average person will re-use passwords. I don't think that there's a realistic expectation that they'd do anything else, is there?
We need a different solution for identity management on the net.
Unfortunately, I haven't the foggiest idea what it is.
How about letting punters maintain a single online identity with a chosen agency, and let other websites obtain authorisation via that agency? OpenID does that. See http://openid.net/
I honestly believe that online identity could be a solved problem, were it not for greed and ignorance. Most sites either don't realise they can do authentication via a third party such as OpenID, or else they have motives (usually financial/marketing/NIH) for insisting on maintaining their own user databases.
Can you say "Single Point of Failure"?
I can indeed say "single point of failure", and I can also maintain two, three, four or more OpenIDs, with different providers, to mitigate any failure of my primary authentication provider. It's still a far cry from having a separate ID on every site I'm registered with (and sharing passwords because it's too hard to keep them separate).
Hash your passwords, select a decent* base password and memorise that, then hash it with the domain of the web site. As long as you're consistent it'll be easy to remember.
* Yes, I know, "correct horse battery staple" has more entropy than "Tr0ub4dor", but a lot of sites whinge about not having a number.
** A decent password, don't do as a friend of mine did when I suggested this to her. I noticed that she selected a dictionary word as the base password, after specifically telling her not to. <sigh>
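One way to implement the scheme described above (a memorised base password hashed with the site's domain), as an added example that is not code from the original post or any product: the KDF, iteration count, output length, the alphanumeric-only alphabet and the tiny word list used for the "decent base password" check are all assumptions made here.

```python
import hashlib
import string

# Added example, not code from the original post: one way to implement the
# "base password hashed with the site's domain" scheme the comment describes.
# The KDF, iteration count, output length and character rules are assumptions
# made here; nothing about them comes from the post.

ITERATIONS = 200_000                              # slows down offline guessing of the base password
ALPHABET = string.ascii_letters + string.digits   # alphanumeric only, for fussy sites

# Constructed toy word list standing in for a real dictionary check.
COMMON_BASE_WORDS = {"password", "troubadour", "letmein", "dragon", "monkey"}


def base_password_ok(base_password: str) -> bool:
    """Reject base passwords that are short or a plain dictionary word.

    This is the check the footnote wishes had been applied: a weak base
    password weakens every derived password at once.
    """
    if len(base_password) < 12:
        return False
    letters_only = "".join(c for c in base_password.lower() if c.isalpha())
    return letters_only not in COMMON_BASE_WORDS


def derive_site_password(base_password: str, domain: str, length: int = 16) -> str:
    """Derive a deterministic per-site password from base_password and domain.

    PBKDF2-HMAC-SHA256 with the normalised domain as the salt gives a
    different, unrelated-looking password per site; the same inputs always
    reproduce the same output, so nothing needs to be stored anywhere.
    """
    if not base_password_ok(base_password):
        raise ValueError("base password is too short or a dictionary word")
    salt = domain.strip().lower().encode("utf-8")   # normalise so "Example.com " == "example.com"
    raw = hashlib.pbkdf2_hmac(
        "sha256", base_password.encode("utf-8"), salt, ITERATIONS, dklen=length
    )
    # Map each byte onto the alphabet. 256 % 62 != 0, so this is very slightly
    # biased; acceptable for a password but not for a cryptographic key.
    candidate = "".join(ALPHABET[b % len(ALPHABET)] for b in raw)
    # Some sites insist on a digit; guarantee one deterministically.
    if not any(c.isdigit() for c in candidate):
        candidate = candidate[:-1] + string.digits[raw[-1] % 10]
    return candidate


if __name__ == "__main__":
    base = "correct horse battery staple"   # constructed sample input
    for site in ("theregister.co.uk", "example.com"):
        print(site, derive_site_password(base, site))
```

The trade-off the thread goes on to discuss still applies: if the base password is ever recovered, every derived password falls with it, so the base password check matters more than the derivation.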
I far prefer indecent passwords.. which a lot of mine end up being.. things like "notanothernewbloodypassword" or "ohforfuckssake"
I'll bet I'm not unusual on here for having three different levels of password: stuff I don't care about all share the same password; stuff I do care about being hacked uses a similar algorithmically-derived password that is unique for each site but probably guessable by a human if one gets uncovered; and financial stuff that's unique, unguessable and fairly cryptic.
Good luck when you are forced to hand over your encryption password by the authority du jour and it turns out to be littlegirls or similar.
Use equations which are wrong. They have numbers letters and funny characters like > < = != ( )
@Yet Another Commentard
I have had to pass on a password over the phone to get something from my PC when working in a prison, and it was something like "ShitPancakes" - got some odd looks from the prison officers. They may be indecent and frequently scatological, but never incriminating. Passwords, I mean, not prison officers.
Having the same password is only a problem if:
1. You use the same username
2. A company doesn't adequately secure your username and password.
You can't have 26 different passwords without having some password manager (electronic or paper-based) which then itself becomes extremely valuable to hackers, but completely useless to you if you're using a different PC (or jacket). Or you use short passwords related to the site so they're memorable, but then that leaves it easy to crack.
The 'solution' is to have a single online provider where you store all your passwords and trust them to a) not peek and b) not lose your data. I wonder if any company would like to have that position, perhaps with a single browser product that could store all your info across multiple platforms and provide a single, seamless computing experience. Perhaps they could use that info to let their non-human bots check all your accounts to offer you more targeted information when browsing...
congratulations, you've just described LastPass
which is really too good to be free. Does all of what you said, plus it tends to detect when you are signing up and can fill out forms with your details. It can also generate secure passwords using a template (in fact it usually offers to do this, if it sees a password field). And the killer punch is you can set up payment card details, with additional security (needing a password every time it's accessed) with a notes field, for that sodding "verified by VISA" code (which I got LastPass to generate).
Plug ins for IE/FF/Chrome.
Re: Username - KeepassX
KeepassX (which I always read as keep-ass, xkcd style). Runs on everything - I use it on Linux, Windows, and Samsung Bada (Java version).
I have a password database which I store somewhere cloudy, with a very strong but memorable password. I can update it at work or at home, and then put the latest version on my online storage and my phone (Samsung Wave). It really is the answer to your points above, and it's 100% under your control.
Re: if you use the same username
In my experience, nearly all sites insist on using a valid email address as the username.
Re: Username - KeepassX
Wow, someone actually uses Bada?
Re: if you use the same username
10minutemail.com is your friend.
The problem is not that my ID has been stolen, but that Experian are running round telling lies about me - to wit, that I've taken credit when in fact it was given to someone else. So the bank's lousy system becomes my problem.
Conflict of Interest
Corporate entities enforce strict password policies, 3 level complexity, rapid expiration, non use of previous passwords etc..... This is obviously a step in the right direction.
On-line sites know that enforcing such policies would become catastrophic in terms of Development, Implementation and Service Desk ( helpline) calls. Here starts the conflict of interest, making the site safer for the public at the risk of losing them through complexity.
People also need to stop writing their life stories/histories/credit card details all over the bloody web. Limit the number of on-line sites they use and take responsibility for their actions. Ignorance is not an excuse.......
There are numerous little programs, Keepass being a very popular one, which help with the creation and storage of passwords. Might not be perfect but it is very simple to use and allows anyone to create and use complex passwords and thereby, hopefully, help alleviate potential risk..
Re: Conflict of Interest
> This is obviously a step in the right direction.
Not really - it protects against one risk while making writing down one's password inevitable. I've worked in a Cat-A prison where the head of security (who for physical security was verging on the psychotic side of paranoid) had his username and password on a post-it note on his monitor.
There isn't one strategy that is appropriate for all passwords - forcing people to have passwords so complicated & regularly-changed they need third-party software to remember them or use a pen and paper protects against one threat, yet may facilitate others.
Rapid expiration + no previous passwords = ...
... passwords are written on post-it notes stuck to the monitor.
Remove rapid expiration, previous passwords become irrelevant and people stand a chance of remembering a difficult password.
Give up and use a password manager
Stop pretending that you can remember dozens of website / username / password combinations. Use Keepass on your computer (or dropbox / your webserver) or Lastpass in the cloud and the headache will go away. The latter probably means that the US authorities might get hold of your password file if they really, really want to, but by then you'll sit in a Swedish prison and have other things to worry about.
Re: Give up and use a password manager
Pen and paper?
It probably still won't stop a suitably motivated government from stealing all your passwords, but at least you won't be at the mercy of some keylogger virus or cloud-based cockup.
Oh, and don't forget
*Not* to use mother's maiden name as the answer to that question. As that can be fairly easily harvested, in these days of Facebook. Use some other easily remembered name.
Re: Oh, and don't forget
My mother's maiden name was $5tnM3!#j@6k+e
Re: Oh, and don't forget
She was probably quite relieved to change it when she married, then.
Re: Oh, and don't forget
Yes - she became Mrs. !Zq5N%#~gJQ*o
1Password and DropBox works for me
1Password on the two different computers (and one smartphone) that I own, with the encrypted password repository stored on DropBox. Easy synchronisation of password info on all computers, and all of my web accounts have secure, random passwords.
Until there is low-cost, universal multi-factor authentication available, we are stuck with passwords :(
In other news...
...people found to keep house, car, office and shed keys on the same keyring.
Re: In other news...
I don't... Now, where the hell is that shed key?!?
Corporates typically have very weak password policies...
They don't check for dictionary words (Password1 and $COMPANYNAME1 are VERY common)...
They might not let you reuse the exact same password twice, but Password1 -> Password2 is allowed so that's exactly what a lot of people do.
They also tend to store passwords in a plain text equivalent form, so if you get the hash you can simply use it without having to crack the password, and the hash will typically be stored on the client for single sign on purposes.
As for passwords on websites, well every site you sign up to thinks it's so important, and yet don't provide any kind of guarantee that they store your password in a sensible way. Because of that I reuse a set of trivial passwords, and sign up under an alias on each site. If you want me to put any real information into your site you had better prove to me that you're taking sensible steps to protect it!
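What "storing your password in a sensible way" looks like on the server side, as an added example (not the code of any site or library mentioned in the thread): a per-user random salt, a slow iterated hash, and a constant-time comparison, so that the stored record is neither the password nor a plaintext-equivalent credential. The record format, iteration count and salt length are choices made here, not anything from the thread.

```python
import base64
import hashlib
import hmac
import os

# Added example, not a site's code or a library API: server-side password
# storage that is not "plaintext equivalent". The record format, iteration
# count and salt length are assumptions made here.

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def store_password(password: str) -> str:
    """Return a storable record: scheme$iterations$salt_b64$hash_b64.

    A fresh random salt per user means two users with the same password
    get different records, and a leaked table cannot be attacked with one
    precomputed lookup for everyone at once.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "{}${}${}${}".format(
        SCHEME,
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record.

    The stored hash alone is useless to whoever steals it: verification
    recomputes the hash from the submitted password, and compare_digest
    avoids leaking where the comparison stopped matching.
    """
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:
        return False            # malformed record: refuse rather than guess
    if scheme != SCHEME:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was made with fewer iterations than current policy.

    Call this after a successful login so old records get upgraded in place.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")   # constructed sample input
    print(rec)
    print(verify_password("correct horse battery staple", rec), verify_password("Password1", rec))
```

A site that stores records like this still cannot stop a user reusing the same password elsewhere, which is exactly why the commenters above treat the email account (the reset path for everything else) as the one that must be unique.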
None worse than Experian themselves. I did some work for them a while back and the password on some of their systems was.............
Others used the really hard to guess password, "password". I kid you not.
I advised them to select something a little more secure.
And a depressing number of sites still won't let you use a password with non-alphanumeric characters, or more than 8 or 16 or some low amount in between.
I use PasswordSafe with one long password to access it, and that password being in a text file in an encrypted zip accessed by a reasonably difficult password committed to memory. For those sites that let me I use as a password the 63 character phrase generated by WiFiGen in the WPA mode. I carry copies of the safe and the zip on write-protected thumb drives (and PasswordSafe in portable format). For only slightly extra effort so far it works great! But it pisses me off monumentally when sites say a password has to be 8 - 16 alphanumeric characters only (especially when the site is one holding credit card details!).
security via obscurity
That's what it boils down to - a numbers game for most people.
Thing is, everyone *knows* someone who has had their security compromised, or may have had it happen to them.
So it boils down to security via obscurity isn't secure - you will eventually get hit if you persist in poor security practices.
Heaven forbid a service like Gmail has a major security breach - their policy (not sure if it still stands) of "never delete an email again" is just wide open for identity theft, assuming you're using your gmail account to store account details.
A secure password is only worthwhile if the service itself is secure - and as we repeatedly see in the media, this is often not the case.
Your best bet is to practice obscurity WITH security. Don't use free email accounts to receive sensitive data.
Once you've received login details for an account, store them securely using a decent password protected account manager and *delete the email*.
ANY email which is any way useful for identity fraudsters should never be kept on a server for longer than it takes you to note the details and delete the email.
I only have different passwords for the important sites, i.e. email, paypal, amazon, ebay, basically anything that could house my card/payment details. Then for all the other junk I just use one or two other passwords. Is that intelligent or dumb, I can't decide.
I do the same, I have a trash password for stuff that does not matter that much (can't lose money or harm my employment / reputation). But it's really important to have a unique email password, once someone can login to your email they can reset all your other passwords that use that email account.
I think it is intelligent. You have a limited budget (in terms of effort and patience) for security and you've chosen to spend most of it on risks that could lose you money. But I'm rather biased, since I do the same.
I do the same.
I have a couple of trash passwords for my numerous forum accounts across the internet and separate ones for my banking, social networking, email and other accounts that are generally more important.
Email is important. I have come to the conclusion it's best to have a separate "secure" email address that accounts can use for password resets. Ordinary email can be read on my phone, but if my phone gets stolen I don't want it to give access to all my other accounts.
Google/Android are especially bad(*) in this regard. They won't let you logout of email. They expect you to password-protect the entire phone. I'm not entering a password every time I need to make a call or play Angry Birds. Therefore my phone is not locked down, and I can't safely use it to read security emails.
I like Google's two-factor authentication for gmail, but again, you need to be careful it doesn't create more weaknesses if your phone gets stolen. Sending a text message to your phone should add extra security; a password should still be required to login, and you shouldn't be able to reset the password with just the phone.
(*) I don't own an Apple device and I'm not comparing Google with them.
If you don't have a password/PIN on your phone it is also wide open to drunken antics such as your mates switching your girlfriend's and mum's names around.
Oh I just love these things. Want to buy something from our website? Then you'll need to create an account. The problem is that once you've made your purchase and received the goods there is usually no way of deleting the account you were forced to create.
Re: Shopping Accounts
What's worse is when they force you to create an account just to see what the postage is going to cost. Fuck that. I'll just go with Amazon. You've lost a customer.
Re: Shopping Accounts
> What's worse is when they force you to create an account just to see what the postage is going to cost. Fuck that. I'll just go with Amazon. You've lost a customer.
Do let us know what happens the first time Amazon dispatch a purchase to you via Yodel / HDNL...
@Captain Hogwash - Re: Shopping Accounts
Even worse than that, I have found sales websites that will not even let you look at their content without registering. Idiots.
Two classes of password
I have two totally distinct classes of password.
A single one that is used on almost every low security account - like The Register - and a series of highly secure and unique passwords used for any accounts that involve money.
The secure ones are recorded on my imap email account using high grade encryption. I access them using client-side security certificates. My major risk point is that the client certificates are stolen. This is extremely unlikely to be tried by normal compromises and is certainly unlikely to succeed.
I share the risk of keyboard sniffers - pretty much the same as any other access systems. I also use Centos/selinux as my workstation environment so that is unlikely.
Any compromise of my email account requires an intelligent agent to break my imap account (relatively easy) then to break my client security (hard) and then to intelligently locate my client-side certificates and use them correctly - probably impossible unless the attack is specifically targeted at me and my environment.
I'm also one of those that has classes of passwords - I have 4.
Don't care about.
Could cause an annoyance if hacked, but not the end of the world.
Shopping / Social Networking type sites
Ultra Secure - this must not get hacked type sites.
I will however point out I have been a victim of identity fraud - despite being the kind of person who shreds receipts and letters :/ I was rather shocked to receive an Argos card through the door followed by a JJB sports card - I phoned both companies and was informed that I had signed up for both cards in a retail park some 600 miles away. CIFAS (or however you spell it - sounds like sy fas) got involved - and any further attempts to open accounts in my name would result in me getting a phone call to confirm it really is me.
Now - the surprising thing was the way it works - you seriously would not believe how easy it is.
Having recently been registered with Companies House as a director of a business - they got my details from the publicly available data (which they pay for) which Companies House publish online. Next because they had an existing credit or debit card with the same initial and surname as me - they went on a shopping spree to specific shops - this is where the situation gets stupid.....
They go into Argos - purchase £500 worth of items, when they go to pay - Argos say "if you take out an Argos store card - we can transfer the balance of this transaction to the card" so they get a card using my details, they have a credit/debit card that has the same details as me as proof. The transaction gets transferred to the card that doesn't even physically exist yet and that they will never see. They walk out of the shop with their items and haven't paid a penny for them. Next they go into JJB and repeat the process etc.
Moral of the story - even if you have ultra ultra secure completely uncrackable passwords - the gov publishes enough information about you online that if someone wants to steal your identity - they can.
Change your details at Companies House...
... I would just point out that you can change your address details held at Companies House to be that of the company address. Useful I guess as long as your company isn't registered at your home address!
Can all be done online (if you're registered - securely of course!) and pretty much instantaneously.
Or how about...
We start using some kind of biometric data instead?
'Course there's the logistics and cost issue of getting readers available for personal devices...
Still, if someone wants to go to the trouble of getting into your online accounts, then you know they really think it's worth the effort when they pluck out your eyeballs.