Ofcom to UK: Really - you're using the same password for everything?

Brits are taking serious security risks by continuing to use the same password for multiple websites, communications watchdog Ofcom warned today. Worse still, the regulator - which published a report today based on a survey of 1,805 people aged 16 and over - found that a staggering one in four (26 per cent) UK adults used …

COMMENTS

This topic is closed for new posts.


Silver badge

True but misleading

For example, I only have six or seven online passwords, and most websites have the same one.

That's because they are ****y little websites where I don't care in the slightest if somebody uses my login, because the websites shouldn't even have one in the first place - and I'm guessing that most store them plaintext anyway.

I'd happily use the same login as everybody else on El Reg for many of them!

I'm sure everybody can think of several examples.

The other passwords are for places like this very forum where I do care about people impersonating me, and my online banking/payment where I very much care.

36
0
Silver badge
Thumb Up

Re: True but misleading

Ditto.

You are required to register for so many sites that it is completely impractical to have a separate password for each.

I, too, have "graded" passwords ranging from the one I use for crappy forums through to the one I use for online banking.

The passwords themselves should be robust, but having a different password for each and every site is stupid.

19
0
Silver badge
Meh

Re: True but misleading

Same here. Three main passwords for me rated for security - unimportant, important, very important.

1
0
Bronze badge

Re: True but misleading

Mine are rated by risk of somebody getting the password.

1) Could impersonate me on a random forum such as elreg.

2) Could commit me to financial expenditure eg. eBay etc

3) Could directly access money (eg. paypal, bank etc)

1 has shared passwords for virtually everything. 2 & 3 have unique passwords for every single account. If more or less everybody doesn't do this, I'd be quite surprised.

2
0
Bronze badge

Re: True but misleading

Here too. I have a couple of password roots I use for middling grade websites which can be readily split into very easy or very complex depending on the site requirements but I care not a jot if they are compromised. For the real stuff I have some equally easy to remember but apparently complex passwords which relate to some role-playing scenarios I created in my youth which only four people ever played.

When advising people on password strength I always point them at silly information they would never forget like inserting their shoe size as the second character (2nd and 3rd for the sasquatches) or suchlike so they can run with more easily remembered passwords.

0
0
Bronze badge
Alien

Re: True but misleading

There's no point in using secure passwords, when many of these ****y sites immediately email you (in plain text of course) confirmation of your user name and password.

Anyone who is stupid enough to use a weak password for their on-line banking deserves to be deprived of their money.

2
4
Stop

Re: True but misleading

I agree entirely. It took 7 attempts to remember the correct pass for El Reg just now!

very much blame 'the victim'.

I have low sec for stuff I don't care about and then about 4 or 5 others as they get more important (ebay, paypal etc).

What happened to openID etc?

0
0
Thumb Up

Re: True but misleading

Exactly, easy one for forums, some decent, secure ones for online shopping, Gmail and Facebook get their own passwords totally different to anything else & online banking gets the super secure ones....

As you say, half of the sites shouldn't have logins anyway!!

E.D.

0
0

Re: True but misleading

"because the websites shouldn't even have one in the first place"

So. Much. This.

Far, far too many websites now are demanding e-mail addresses and passwords for the most basic of transactions and one-off purchases. "Create an account to complete your purchase of this little bauble when you'll never buy from us again but we'll keep your email and password in perpetuity". Those kind of sites need to die.

17
0
Thumb Up

Re: True but misleading

Another ditto. Having a unique password for every single website is overkill.

Anything that matters gets a strong password, the login for some website forum I posted to once gets the same password as every other website forum...

I'm more concerned that only 62% have a password on their wifi router.

0
0

Re: True but misleading

@Alan Edwards: "I'm more concerned that only 62% have a password on their wifi router."

True, though I wonder how many of the remaining 38% just have no idea. Most routers that have shipped in the last 5 years at least have shipped with a secure setup by default. Many people will have just entered the password once and then forgotten all about it (or even used the push-button secure config that many have) and so may have incorrectly assumed they don't have security turned on.

0
0
Silver badge

Re: True but misleading

>far too many websites now are demanding e-mail addresses and passwords for the most basic of transactions and one-off purchases.

And lo he created mailinator.com and saw that it was good

2
0
Anonymous Coward

55 percent?

Clearly, a lot of the rest were telling porkies. In my experience you can explain the what and why till you're blue in the face to most non-techies, and they'll still think fido282 recycled everywhere will keep their privates out of reach, usually protesting they don't have anything worth nicking. Family are by far the worst; delighted when you get their email working, but just glaze over when you suggest that the kid's birthday probably isn't up to scratch, and the party trick of guessing their passwords always seems to simultaneously amaze and fail to make the point.

Sites are getting better at mandating tougher passwords, it's just that not enough of them are doing it.

0
0
Anonymous Coward

Re: 55 percent?

Sites are getting better at mandating tougher passwords, it's just that not enough of them are doing it.

But this can cause more problems as they all have different rules on what is a tough password, so you find a carefully crafted scheme to cope with multiple or different grades of passwords falls apart when the password you want to use (because given the site it's the one you will remember as being applicable) isn't accepted. Then when you come back your initial login fails and you have to start thinking "was this the site that required numbers and capitals but didn't allow underscores, or was it the one that needed a symbol and a password of 8-12 characters"?

15
0
Thumb Up

Re: 55 percent?

Reminds me of this: http://xkcd.com/936/

2
0

Re: 55 percent?

It doesn't matter how tougher sites are at password mandating, I'll use the same strong one for all of the bastards. The more sites feck about with passwords the more likely it is that we'll stick them in the plain text file. And there is nothing wrong with fido282 for most of the useless websites we access.

0
0
Anonymous Coward

Re: ...was this the site...

Then there are the really, really irritating ones that only accept passwords of say max 12 characters, but don't bother to tell you on the page. So when you've entered 16 characters assuming it's OK, they neither warn you nor discard the extra characters even though they're not used. Go back and try to login and it fails, because at this point apparently the extra characters do matter, and it'll probably take 10 minutes to figure out what the problem is and take multiple swipes at truncating the password till it works. What are these people on??

4
0
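The failure mode described above, as an added example that is not code from the page or from any site it mentions: a registration path that silently cuts the password to a limit, a login path that hashes the full string, and a hardened variant that rejects over-long input instead of mutating it. The 12-character limit is the commenter's guess and is assumed here.

```python
import hashlib
import hmac
import os

# Assumed limit, taken from the commenter's guess of "max 12 characters".
MAX_LEN = 12


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the UTF-8 password (low iteration count for a demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def register_silently_truncating(password: str, salt: bytes) -> bytes:
    """The defect described in the thread: the registration form cuts the
    password to MAX_LEN without telling the user and stores that hash."""
    return _hash(password[:MAX_LEN], salt)


def login(stored: bytes, password: str, salt: bytes) -> bool:
    """The login path hashes exactly what the user typed, untruncated,
    so a password that was cut at registration no longer matches."""
    return hmac.compare_digest(stored, _hash(password, salt))


def register_with_explicit_limit(password: str, salt: bytes) -> bytes:
    """Hardened variant: enforce the limit loudly so registration and login
    always hash the identical string. The same check belongs on the login
    form, so the user sees the rule rather than a bare 'wrong password'."""
    if len(password) > MAX_LEN:
        raise ValueError(f"password must be at most {MAX_LEN} characters")
    return _hash(password, salt)


def demo() -> dict:
    """Walk through the scenario with a constructed 21-character password."""
    salt = os.urandom(16)
    typed = "correct-horse-battery"  # constructed sample input
    stored = register_silently_truncating(typed, salt)
    result = {
        "full_password_works": login(stored, typed, salt),
        "truncated_password_works": login(stored, typed[:MAX_LEN], salt),
    }
    try:
        register_with_explicit_limit(typed, salt)
        result["hardened_accepts_long"] = True
    except ValueError:
        result["hardened_accepts_long"] = False
    short = "horse-staple"  # exactly MAX_LEN characters
    result["hardened_short_works"] = login(
        register_with_explicit_limit(short, salt), short, salt
    )
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```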
Anonymous Coward

Re: ...was this the site...

I only have three levels of password now: standard, for forums and the like; secure, for anything I do not wish to be impersonated on and can buy online with; and totally unique passwords for banking. The secure layer passwords as it happens turn out to be unique as well, but I use supergenpass for it. I can quite happily say I literally do not know any of my passwords for that level, only roughly if they are right or not. Only problem is if one online system is compromised, due to how supergenpass works it makes altering individual passwords difficult.

I find banking systems quite annoying as all of them have differing ideas on what is acceptable. My bank won't accept special characters in the password field.

I figure with one time pass and supergenpass my email account should not be worth the trouble to bother with attacking.

0
0
Anonymous Coward

Re: 55 percent?

Sites are getting better at mandating tougher passwords

Which can bring its own problems. I recall some years ago being sat in a meeting discussing the recently introduced password policy. This was: must be at least 8 long, must contain at least one capital letter and at least one number. It also had to be changed regularly and reuse was not permitted.

I opined that as we were a mixed environment, a lot of the legacy stuff was stuck with 8 as a maximum and that users were lazy SOBs who would try to stick with the one, most would be a 7 letter dictionary word, with the first capitalised and with a number on the end. Probably either zero or one. I then pointed out that any decent password cracking tool given that much of a hint shouldn't even break step coming up with the answer.

The number of red faces around the table that produced was very scary indeed.

3
0

Re: 55 percent?

There was a spoof corporate directive circulating in IBM about 20 years ago on the subject of password standards. It started out OK, then degenerated into a series of ever more ridiculous requirements and restrictions. The punchline was something like this: "Compliance with these rules means that there is only one possible password. Employees should see their manager to be issued with it."

0
0
Gav
Megaphone

Re: ...was this the site...

What of the ones that have very particular and specific password requirements, for no obvious reason, that make your usual default one impossible to use?

Not that they tell you what the very particular and specific password requirements are. No. They wait until you have failed to meet the secret requirements, then they tell you off for not meeting them. And then again for the next one when you try again. And again. And again. And oops, you forgot about the first requirement, didn't you? Try again. Until you are screaming at the screen "NO-ONE IS GOING TO HACK YOUR WEBSITE TO ORDER TAKE-AWAY IN MY NAME! YOU DO NOT NEED THIS LEVEL OF SECURITY!"

0
1
Anonymous Coward

CORPORATE DIRECTIVE NUMBER 88-570471

CORPORATE DIRECTIVE NUMBER 88-570471

In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.

RULES FOR THE SELECTION OF PASSWORDS:

1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.

2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.

3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.

4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.

5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.

6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.

7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.

Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.

2
0
Silver badge
FAIL

Very tempting to name and shame them.

Last week I signed up to a site whose product is a multi-platform code creator.

The confirmation email had the password in plain text.

I did not bother to continue evaluating their product.

4
0
Bronze badge
Joke

Re: Very tempting to name and shame them.

You may like to try a password of the form ***HIDDEN*** so that it looks like it is hidden.

0
0
Anonymous Coward

Well...

..if I didn't have to use a password to get a bloody postcode, or order a few nuts and bolts online, or look up the slightest bit of info, then I wouldn't.

I have the same password across about 50 sites.

Then more secure for emails (2 different ones)

then unique ones for banking (always nice to use a combo of Welsh, Swiss and German and a dash of Spanish thrown in I found, especially on UK English websites)

2
0
Bronze badge

Email account password probably "very important"

My partner tries to follow good practice and create interesting passwords for the various sites that demand them for whatever reason. The only problem is that she doesn't tend to remember them and so most of the time she just presses the "forgot your password?" and acts on the update email... so effectively she only has one password - the password to her main email account ...

But then since this inbox is accessible on her iPad ...

2
0

Re: Email account password probably "very important"

In the sense you mean you always only have a single password. Even if your partner had eidetic memory, that wouldn't stop a crook from using the password reset feature.

3
0
Silver badge

Re: Email account password probably "very important"

... it means that like everyone else, her entire online life is secured by a 4 digit PIN.

1
0
Bronze badge

Re: Email account password probably "very important"

>... it means that like everyone else

I thought only those whose iPad is controlled by IT and geeks actually knew of and used the PIN feature ...

0
0
Facepalm

No mention of 2-step verification?

This is a brilliant tool and one I use wherever it is available. I have a monster password for my Gmail but I don't worry about unauthorised access attempts anyway because I get a text message/email every time someone tries to login from an unknown source. If more people knew about this feature there would be a lot less email break-ins, but then as AC above noted, people generally can't be fucked spending an extra five minutes tightening up their security

1
0

Re: No mention of 2-step verification?

The only problem with that, and granted, it may not be a problem for many, is what you do if you lose your mobile / get mugged / are abroad / don't have coverage / ran out of battery.

Don't get me wrong, great feature, but in some ways, my email account is more reliable and important than my mobile to me... maybe I'm weird.

2
0
Silver badge

Re: No mention of 2-step verification?

You fall back on the 10, printed, one-time emergency codes you put with your stash of other physical treasures. It's a good system, it works.

2
0
Thumb Up

Re: No mention of 2-step verification?

"what you do if you lose your mobile / get mugged / are abroad / don't have coverage / ran out of battery"

Gmail at least has a set of emergency codes which they recommend you print out and put in your wallet. Sorted.

1
0
FAIL

Password length

It would help if some sites didn't limit the length of password to, for example, 10 characters. Why take security seriously when some companies so obviously don't?

3
0
Bronze badge

Bug Me Not

Just use something like bugmenot.com for all those sites that want you to have a password, but where you couldn't give two shits.

eg. http://www.bugmenot.com/view/theregister.co.uk

4
0
Bronze badge
Thumb Down

Re: Bug Me Not

BugMeNot used to be more useful, but they started caving in too easily to pressure from sites to put them on the no-bugmenot list.

0
0
Anonymous Coward

Re: Bug Me Not

Just tried bugmenot .... my corporate firewall refuses to allow me to go there on the basis that it's a "copyright infringement" site!

1
0
Anonymous Coward

Re: Bug Me Not

Hmm that seems much easier than just harvesting clear text passwords off the corporate network.

Yes I'm still looking at you reg!

2
0
Silver badge

Low hanging fruit

As long as most people still use abc123 or password1, you don't need staggeringly complex pass phrases. If you are in a field with a hungry carnivore you don't need to run fastest, just faster than somebody else. With enough low hanging fruit, you don't need to worry so much about the top branches. You get the metaphors.

0
1
Anonymous Coward

Re: Low hanging fruit

"With enough low hanging fruit, you don't need to worry so much about the top branches."

Up to a point, and certainly true for sh*** web sites. But the "low hanging fruit" doesn't apply to much else, and particularly for people round here. If you're a coder, you are working on nice, juicy intellectual property, well worth putting some special attention into thieving. If you're a sysadmin, then you're the gatekeeper for your company's systems, enabling all manner of wickedness if your work accounts get hacked. If you're a research scientist, then your research may be worth grubbing up (some fields more than others, admittedly). My own particular (if rather dull) line of business could make me of particular interest to some people.

Spammers looking to harvest a few Gmail accounts don't care and won't try very hard, but you only need to look at the reports of systems intrusion at big, technically sophisticated corporations to see that the "low hanging fruit" defence isn't the best of ideas.

0
0
Bronze badge
Alert

crackdown on silly logins

I shouldn't have to set up an account to use the "free" wifi at the leisure centre or Asda.

6
0
Happy

WPAD

If you have 'Windows Proxy Autodetection' enabled (which it now is, by default, in Windows/IE) your choice of password is perhaps the least of your worries.

Because the Brazilian operating wpad.co.uk has your proxy config by the short and curlies.

0
1

Paid LastPass, with unique passwords except for some low-sensitivity sites.

SIM and screen lock.

Google Authenticator where possible.

Linux at home.

ABP and NoScript.

0
0
Facepalm

Password management

I use the open-source KeePass to manage my passwords and a quick count reveals 79 accounts which require passwords. Am I supposed to remember 79 different complex passwords to keep Ofcom happy? Yes, I use the same password many times over in different circumstances but all my important accounts use complex passwords and some use other methods of identification. I have several webmail accounts that use similar passwords and all these forums & shopping sites that want you to login all get the same password as they are way less critical. Looks to me like someone at Ofcom has too much time on their hands. No surprise there as it is a "government" body and therefore by definition inefficient and full of seat warmers and appointees who constantly feel the need to justify their employment. People reuse passwords. Live with it. Better yet, come up with a better way rather than bitching at people... for being people.

2
0
Bronze badge

Re: Password management

>Am I supposed to remember 79 different complex passwords to keep Ofcom happy?

No, the Ofcom report (section 6.19 "Attitudes towards online passwords") was only interested in the actual passwords (but not usernames?) being used by a single user across multiple websites, the report didn't investigate the methods by which users managed/remembered their passwords.

Yes password managers can be great, but they do have their own problems particularly when your machine decides to throw a wobbly. I came across this problem when my Thinkpad hiccuped a few months back and corrupted my normal user profile. Whilst I was able to create a new profile etc. etc. accessing the ThinkVantage Password Manager vault (owned by my normal user account) was challenging... My need to recover the vault wasn't just about recovering passwords, but with recovering the various usernames I had used over the years.

1
0

Re: Password management

Your mistake was to use "ThinkVantage Password Manager". You've entrusted your vital secrets to a piece of proprietary, Windows-only code whose quality and fitness for purpose you can never know, and which runs only on your ThinkPad, i.e. one of the systems you should have a password to access. A bit like storing your house key in a locked box inside your locked house.

You'd do much better to use an open-source, free, cross-platform password manager such as KeePass. Even better if you use cloud storage such as Dropbox to keep the strongly-encrypted KeePass database in sync across all your machines.

Just a bit of friendly advice.

2
0
Bronze badge

Re: Password management

>Your mistake was to use "ThinkVantage Password Manager".

Agree, however with more systems containing security chips (which lock the vault to the machine) and coming with various 'useful' tools including pre-installed password managers, this is certainly something that will trip the unwary, plus as you point out tools such as KeePass do need to be set up 'correctly' (ie. use a cloud service of some description) for the information they contain to be fully recoverable.

Aside: I paid a second time for my mistake, entries can only be accessed one at a time through the TVPM user interface; it took a long time to extract them...

0
0

I used to have graded passwords, ranging from throwaway level to secure for online shops and such. I got caught in the Gawker hack from a few years ago. The problem with signing up with those throwaway passwords as the account will only have one comment is that over the years you build up more comments, at some point the account goes from being throwaway to actually having a value. After the tedious slog through all my accounts and updating passwords I now use different passwords for every login. I then use a password manager to store them all.

0
0
Bronze badge

I like the Formula idea - you use the same password but it changes in some way depending on the URL or name of the site

0
0

@mark63: The trouble with a formula type approach is that if the formula is too obvious (e.g. prefixing it with ebay, paypal, google, etc) then there is no real difference to having the same password everywhere. And if it's not obvious, then, well it's not going to help when it comes to remembering things.

Like many people here, I have a bunch of "I don't really care so I'll share the password" type of sites, where a compromised password probably isn't the end of the world. There is always the danger with that though, because somebody might find a route to exploiting it further that you hadn't considered.

0
0
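Two points from the thread, the "obvious formula" objection just above and the earlier supergenpass comment that a single compromised site is hard to rotate, as one added example (not supergenpass's own algorithm, not code from the page): the naive site-prefix formula beside a keyed derivation in the same spirit, with a per-site counter so one site's password can be rotated without touching the master secret or any other site. The master secret and site names are constructed.

```python
import base64
import hashlib
import hmac

# Constructed master secret; the real one lives only in the user's head.
MASTER = "correct horse battery staple (constructed)"


def naive_formula(master: str, site: str) -> str:
    """The 'obvious formula' the reply warns about: the shared core sits
    in the clear, so one leaked password reveals every other one."""
    return f"{site.split('.')[0]}-{master}"


def derived_password(master: str, site: str, counter: int = 1, length: int = 16) -> str:
    """Deterministic per-site password: HMAC-SHA256 of 'site:counter' keyed
    by the master secret, base64-encoded and cut to `length` characters.
    Site passwords are unrelated to each other and do not expose the master.
    The counter is the rotation hook the supergenpass comment misses:
    bumping it for one site changes only that site's password."""
    msg = f"{site.lower()}:{counter}".encode()
    digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
    body = base64.b64encode(digest).decode().rstrip("=")[:length]
    # Fixed-shape suffix for sites that insist on mixed case, a digit and a
    # symbol; the digit still comes from the digest so it varies per site.
    return body + "Aa" + str(digest[-1] % 10) + "!"


def rotate_one_site(master: str, counters: dict, site: str) -> dict:
    """Rotate a single compromised site by bumping its counter; returns the
    full table of passwords so a caller can confirm the others are unchanged."""
    counters[site] = counters.get(site, 1) + 1
    return {s: derived_password(master, s, c) for s, c in counters.items()}


if __name__ == "__main__":
    print("naive:  ", naive_formula(MASTER, "example.com"))
    table = {"example.com": 1, "forum.example.org": 1}
    before = {s: derived_password(MASTER, s, c) for s, c in table.items()}
    after = rotate_one_site(MASTER, table, "example.com")
    for s in table:
        print(s, before[s], "->", after[s])
```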
