It goes to 11, see?
Most of my company mobe users were utter, utter idiots.
Complex passwords are rocket surgery to them. No exaggeration.
Business people using mobile devices are securing them with easy-to-crack PINs rather than more difficult passwords, a survey has found. The survey of mobile device password usage by mobile device management firm Fiberlink found that 93 per cent of corporate users applied a simple PIN password to their smartphone or tablet in …
@Alistair Dodd 1
What's the point of a PIN at all if it is easy to remember? It makes it easier to guess too. Asking someone to choose a pin on the spot and they're likely to go with a year - or a PIN they're already using somewhere else (say their bank) which is worse. Alternatively they'll come up with something random that means nothing to them and they'll forget it. Give them a PIN and they'll try to remember it - being given a PIN on a piece of paper that they read and then dispose of properly is a memory aid.
Actually, 4 digit pins are so useless you might as well say "your PIN is 1234" and be done with it.
Switch to longer alphanumeric or pass phrases and your users will remember them.
I just have a problem with numbers, and that includes memorising them. Debit card, credit card ... phone? Oh no! Not another one!
So, if it's for work, just give me a phone that makes/receives calls and SMS. I wouldn't want any more. You don't think I'm going to use the thing for work out of hours, do you?
Complex alphanumeric passwords (especially with symbols) are a pain to enter on nearly every mobile device I have. There's no way I'd lock my phone with one as it'd take me too long to get the typing right on the tiny on-screen keyboard. Maybe phones with physical keyboards would be better for that.
Even on my tablet I stick with a numeric only PIN.
Although I tend to do better than the people surveyed here, as none of my devices are locked with 4 digit PINs, they're all longer than that.
I am starting to think that having a PIN on my iPad or iPhone is a bad thing. If the thief can't get access to the device, then they will simply shut it off and wipe it. Never see it again. Even with iOS 7 activation lock, if that appears, then it will get tossed in the river or used for parts.
However, if they get the phone and it's usable, then they might make the mistake of leaving it on, making a quick sale, or connecting to wifi, and then I can locate it.
Simply use the restrictions in the device to stop things like deleting accounts, app purchases, etc. If the phone is robbed, cancel the SIM.
I would love it though if apps could be protected individually with a PIN so, for example, launching the Mail app would need a PIN.
I used to use one, but got bored of spending half my day unlocking my phone, so changed it to something much quicker, albeit less secure.
What's needed is something simple to use, but very secure, not persuading everybody that they need 10+ random character alphanumeric passwords on their phones.
Prior to coming to work for a corporation, I was able to get away with probably around 5 core passwords (with plenty of merging and munging between them) around the internet, each of varying security, and very few being uniquely used, except for things like forum logins where I couldn't care less if I was compromised.
Cue the god-awful password requirements for the tens of systems I now use, that all have different requirements, all change at random intervals (some 30 days, some 1 month, some 3 months, some 6 months) and of varying degrees of forced control. Is it any wonder that I now actually store some of my passwords on my desktop in plaintext, simply because it is completely unnecessary to have to have a password with a complexity requirement more stringent than the release mechanism for a Trident nuclear missile for a flippin' "corporate HS&E e-learning tool." I mean, the only thing an attacker could do there is complete the annual "how to sit at your desk without becoming a paraplegic" refresher for me, which I would actually welcome.
I will use necessary security where it is needed, I studied cryptography at university, and people who think that security is enhanced by having the most draconian requirements really ought to learn about human psychology when it comes to security - as there comes a point where you end up compromising security very easily if you make things difficult for the end user. This is exactly why I store my password in plaintext on my desktop for aforementioned HS&E program.
I don't have a business mobile phone, but really - do the majority of users really have anything worth stealing on there? I mean usually it's just emails with the circular about the new cover sheet on the TPS reports... a 4 digit pin ought to keep someone out long enough for the user to realise they've lost it and security to remote wipe the device. Anything more is quite simply unnecessary, and more hassle (and cost) than the security is worth.
@Brenda - spot on. What really grates me in the corporate environment is they spend a boat-load on single-sign-on solutions, that work for about a week before some berk in HR buys a new external web tool that lives outside the domain.
What I find incredible however, is that it's these 3rd party systems/services that require the Trident-level of secure passwords while the main AD log-on requires less detail.
One example - at a company I worked at, password was required to be 6 chars, at least one letter and number, to be changed once every 2 months. The HR "performance" systems (externally hosted, but with IP filtering) required 8 chars, mixed case alphanumeric with at least one special character to be changed monthly. On a system that was accessed once every 3-6 months.
The kicker was that if you clicked "forgot my password", it would email you your password in plaintext.
What annoys me is the 8-digit voice mail password they insist that you change every couple of months. And you find out about this usually when walking down the street/standing in a station/etc. when you're picking up that important VM before that meeting you're rushing to and are already late for.
It won't let you pick up the VM because the password's expired and you must change it there and then. So you're forced to pick 12345678 or 96321478 or something daft because you've nothing to write it down on, are never ever going to use it yourself as you don't need it when picking up your VM from your phone and you have to enter the damn thing twice.
Then there's the work email password, which won't let you do <password>1, <password>2 etc. but you can get away fine with 1<password>, 2<password> etc. And it will force you to change it even if nobody's tried to guess it. Why?
Don't get me started on work passwords!!! I used to have a non-expiring password - it was 9 characters long, random alpha, numeric, some shifted symbols and capitalisation - pretty unguessable... now it's a 30-day rolling update and none of your last 6 passwords... my passwords are now just the month and year...
If the PIN is easily guessed, and depending on who it is maybe. If the CEO loses his cell phone, how useful might his list of Contacts be?
But I generally concur about the lack of measured response.
Full disclosure: I lost a government-issued cell phone a couple of months ago. I think it fell into the garbage at home. I KNOW I didn't lose it in public. It had a (to me) memorable PIN, yes a year, yes a PIN I use elsewhere. At this point I expect they've spent more than three times the retail cost of the phone trying to figure out how to handle this security breach. I expect I ought to have to pay for the phone (not cheap) and I do have to make a better effort to keep track of it. For some reason they believe that someone with access to the phone can use IP information contained on the phone to breach the network.
Why is it that the probability that a 'strong' password is enforced seems to be in direct inverse relation to how important the site is?
The government portal for searching for a job needs a 12-digit user ID and an 11-character password, and the web pages are set so that the info cannot be saved in your browser,
whilst PayPal, which could lose me money if hacked, needs a simple email address and an 8-digit password that the site allows one to cache!
What is the answer to password?
So hacking your PayPal might cost you money. It might even cost you a few hundred, or perhaps into the low thousands.
Having your identity stolen will cost you your life (OK, not literally, as in death, but it will be "life changing")
It takes years to re-establish yourself as a trustworthy individual. Don't worry about that mortgage that got revoked, you won't even be able to get a mobile phone account and it's PAYG from now on. No credit for a car or washing machine. No credit for fuel - pre-pay meter coming your way soon. And don't try and get a job in financial services, they check your credit score too.
It's YOUR information - it's up to you to decide just how much to protect it.
> Yes, yes, xkcd, but can't be arsed to get the link...
Hmm, it was quite easy in fact, I feel like downvoting you.
Why don't you just use your browser's remember-password function for these low-priority sites? Or a password vault app on your phone. Lots of easy ways to remember passwords these days without giving your security manager apoplexy :)
In any case, maybe your systems have some exploitable link between the H&S site and the nuclear warheads, once in the weak system a North Korean hacker could build access to more trusted sites and ultimately end western civilisation as we know it.
It's time that we tossed the password concept onto the trash heap and found something, anything, better to replace it.
It's ludicrous to have dozens of passwords for dozens of services, which is why so few people actually bother. Aside from stuff like banking and taxes, which actually matter, I recycle the same easy password for most sites.
It's ludicrous to expect people to generate complex alphanumerical with a hashtag passwords - which is why few people actually bother. Again, The Register doesn't get a super secure password because - well, who cares?
And of course, again this week, despite what I might do, another site that I visit now and then got hacked (a local municipal government), so it's again time to replace my password there, my actually very strong password because I used a credit card there, and on any other sites that use a variation on it.
Passwords are 80s technology that should have been retired a decade ago.
"How about the android screen pattern lock"
The pattern unlock is a demon in disguise. It gives the impression of being secure, but if you think about it, it's actually less secure than a PIN. The point ed2020 makes is valid: for simple patterns, the grease mark shows the order, especially if you cross paths.
But also pattern unlock has fewer "characters" than a PIN (9 instead of 10) and it prevents using the same point sequentially, dramatically reducing the possibilities. I.e., the sequence 1223 cannot be used on pattern unlock as you'd have to move from the 2 to another number before you can come back to it.
Just like the studies which tell us the large proportion of people who use easy-to-guess PINs, I would be interested to find out what proportion of people using swipe unlocks are using simple easy-to-guess swipes (like a straight line in some direction, or an L shape or something). Although there are lots of potential swipe shapes, I wonder how many are almost never used because people favour a simple across-and-up pattern.
mobile = 5-character non-dictionary word that is easy to type and remember with 10-attempt phone wipe
tablet = 10 character nonsense word that is easy to type with 10 attempt wipe
neither cause me any problems and I'm old with a really crap memory.
It really is not that difficult; ofc getting a director to see this point of view is :(
I just don't find it practical entering a complex password on a mobile device that locks frequently (as many corporate-issued ones do, per pushed policy). I have to do this on my corporate BlackBerry, and that's barely tolerable because I still have one with actual keys and because my employer doesn't enforce very onerous password requirements and has a low-frequency change policy for such phones. Entering a complex password on a phone with a screen keyboard, given how often a good password requires mixed case and punctuation (and how most soft keyboards implement this), would be a nightmare for me. I would come close to spending as much time unlocking the phone as I did actually using it to reply to mails and text messages.
What idiot programmed the devices to accept password after password after password?
Trashing or locking the device after 3 wrong attempts is not a good idea but if it refuses to accept another password for 5 minutes after 3 wrong guesses then that 19 hours to iterate each permutation suddenly is nearer to 19 years.
It's really an idiotically simple security feature that should be standard - no device should accept more than 3 wrong passwords without at the very least introducing a delay.
Certainly passwords should be stronger than "1234" or "pa55w0rd" but the device makers could and should make brute force attacks impractical if not impossible.
Agreed, I've never understood why when setting the PIN, a strong alpha-numeric password isn't required as a backup unlock code. So after X failed logins with the PIN, the alpha-numeric password is required to re-enable the PIN access (so you still need the PIN).
That would give you 3-5 attempts at brute forcing the PIN, then you've got to brute force an 8+ character alphanumeric (symbols if you like too) password before trying the next 3-5 PINs. If you wanted to take it to the extreme, since these are smartphones after all, the next 3-5 failed PINs could send a challenge/response to your e-mail.
Assuming your device is encrypted, you'd be fairly safe using this method.
I have a simple passcode on my iOS device but I also have the erase data option enabled so that those who may try and break into my device only have 10 tries. I honestly don't think iOS should allow a user to enable a simple passcode without also enabling the erase data option. It can be annoying when an intoxicated friend or small child grab your device and accidentally wipe it but to me that's just the compromise I've chosen to allow for quick passcode entry, and a reason to keep good backups.
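To put numbers on the two ideas above, a delay after a few wrong guesses and an erase after 10 tries, here is an added cost model for a device lockout policy; it is my code, not from the article or any commenter. The 7 seconds per attempt is an assumption chosen so that an unthrottled 4-digit PIN space takes about 19 hours, the figure quoted above, and the policies are constructed illustrations rather than any vendor's exact behaviour.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """Device behaviour after wrong guesses (constructed model, not a vendor's exact policy)."""
    seconds_per_attempt: float = 7.0   # assumed time to key in one guess (10000 guesses ~ 19 h)
    failures_before_delay: int = 0     # 0 = never impose a delay
    delay_seconds: float = 0.0         # pause served every time the failure threshold is hit
    wipe_after: int = 0                # 0 = never erase the device


def guess_budget(space: int, policy: LockoutPolicy) -> int:
    """Guesses an attacker gets before a wipe; the whole space if the device never wipes."""
    return min(space, policy.wipe_after) if policy.wipe_after else space


def success_probability(space: int, policy: LockoutPolicy) -> float:
    """Chance of hitting a uniformly random code within the budget (popular PINs fare worse)."""
    return guess_budget(space, policy) / space


def seconds_to_exhaust(space: int, policy: LockoutPolicy) -> Optional[float]:
    """Wall-clock seconds to try every code in `space`; None if a wipe ends the attempt first."""
    if guess_budget(space, policy) < space:
        return None
    total = space * policy.seconds_per_attempt
    if policy.failures_before_delay and policy.delay_seconds:
        # one delay per block of `failures_before_delay` wrong guesses; the final
        # (correct) guess triggers none, so at most space - 1 failures are counted
        blocks = (space - 1) // policy.failures_before_delay
        total += blocks * policy.delay_seconds
    return total


def describe(space: int, policy: LockoutPolicy) -> str:
    secs = seconds_to_exhaust(space, policy)
    if secs is None:
        return f"wipe after {policy.wipe_after} guesses: {success_probability(space, policy):.2%} chance"
    return f"exhausting {space} codes takes {secs / 3600:.1f} hours ({secs / 86400:.1f} days)"


if __name__ == "__main__":
    PIN_SPACE = 10 ** 4  # four-digit PIN
    policies = {
        "no throttling": LockoutPolicy(),
        "5 min delay per 3 fails": LockoutPolicy(failures_before_delay=3, delay_seconds=300),
        "erase after 10 fails": LockoutPolicy(wipe_after=10),
    }
    for name, pol in policies.items():
        print(f"{name:<26} {describe(PIN_SPACE, pol)}")
```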
Also -- speaking of password security -- what's with The Register not using https for encrypting credentials during transit from browser to server?
What it comes down to, really, is your data security vs. their convenience. Not hard to see how that one's going to stack up. In the end, the amount your average user cares about the security of the data on their phone is pretty damn small, and any security inconvenience that's higher than that little barrier is going to be worked-around. Whether by using shorter, easier passwords, post-it notes stuck to the back of the phone or whatever, there's no shortage of creativity in avoiding additional inconvenience where it isn't seen as providing commensurate benefits.
So, if you can't come up with a low-enough overhead that you still consider sufficient protection for your data, then you can't allow access to your data from that device. But do consider first how much protection you actually require. Is your super-secret confidential information really that interesting to anyone else? Perhaps there are only certain secret bits, and you could allow normal day-to-day access under less strict policies.
If you want a complex password, ask us to set a password. If you ask me to set a Personal Identification Number I'm not likely to use alphabetic characters or symbols in it.
Also, let us know how many characters it can be. I've been trained to expect 4. Not that I think that's secure, but it has too frequently been the limit so it is now my default.