The Weakest Link in IT Security
Posted by spatula on Apr. 20, 2004 (39 comments from readers)
Those who would give up chocolate to purchase a little temporary safety deserve neither chocolate nor safety...
A recent survey in Britain revealed that more than 70% of the people questioned would hand over their passwords in exchange for a bar of chocolate. 34% of those asked would give away a password for no bribe at all. Another survey found that 79% would indirectly give away their password by revealing how they chose it. The password survey was commissioned by Infosecurity Europe, a security trade show.
Unsurprisingly, even the people who wouldn't turn over their passwords were choosing bad ones, that is, passwords that can be easily guessed: the names of pets, sports teams, relatives, and so on. Two-thirds of people use the same password on every site they visit. On average, people had to remember about four passwords, and they often wrote them down somewhere in order to remember them.
Also unsurprisingly, 80% of people found passwords frustrating and wanted some other way to log on to systems. I find this completely understandable, as I have to remember about 10 passwords for the sites and systems I use regularly, and in my advanced age, with my buggy short-term memory, I find this difficult and frustrating indeed.
While clever engineers have proposed interesting solutions to the problems of remembering passwords and of password security over the years, to this day we're still using the same archaic system for verifying identity.
It would be great to see a group of engineers and psychologists tackle the problem together, looking for some means of making identity verification easier for people while still maintaining security. Biometrics would be a great way to go, but we can't expect everyone to attach thumbprint readers to their computers or turn over a DNA sample at each login prompt (à la Gattaca).
Unfortunately, they'd find it difficult to overcome the hard problem of the chocolate bar.
---Nick
Reader Comments
Posted by Striking Scorpion ® on Apr 20 2004 15:52:42 UTC from Hell, erm, Denver
I have approximately 5 passwords, all relating to the same subject, but with variations in spelling, punctuation, etc. The password itself is not hard to guess for anyone who knows me, but figuring out how it is spelled and punctuated makes it slightly more difficult. The downside is that I have to try two or three times to get in.
I personally would not be against having a thumbprint scanner.
Posted by h_ank ® on Apr 20 2004 16:05:58 UTC from Portland, Oregon, USA
If only I could get a subdural implant in my forehead which could facilitate transactions...
>Prime: That's silly. Between the shoulderblades is a much better place for it,...
>PrincessBethany: Not if the scanner was imbedded in your computer chair.
Posted by Hizzow ® on Apr 20 2004 16:45:26 UTC
Currently, at my job, I have over 25 passwords that I have to remember, and they change every 90 days. Our users have 3-8. Somehow, I have no sympathy for them.
But I am in favor of a biometric/password combination type system, not DNA.
Posted by Doozer ® on Apr 20 2004 16:45:30 UTC from Fair Oaks, CA
Voice recognition is getting pretty good, these days...
>Striking Scorpion: I don't know much about voice recognition, but what about those people who can...
>Prime: In theory, there's a lot of variation outside the range of human hearing that...
>Striking Scorpion: Or sing them!
>gnad: yeah, I would assume how advanced the voice recognition is depends on what it...
>starfall: I personally would like to see some backup to go along with voice recognition;...
>PrincessBethany: Ditto. My grandmother can barely tell the difference between me and my mother's...
>SatanMAT: There is a classic T-Shirt-- "I helped Apple wreck a nice beach" recognize...
>spatula: what was the phrase supposed to be?
>Striking Scorpion: Something Something recognize speech. Still working on the first part.
>Striking Scorpion: I think it's supposed to be "I helped Apple recognize speech." I can't make...
>Peter: Wouldn't that be "My Apple can wreck a nice beach?" Makes more sense for a...
>tecknow: Voice recognition and speech recognition have about as much in common as a...
Posted by Robguy ® on Apr 20 2004 16:47:13 UTC from Madison, WI
I alternate between skipping the site if it wants me to register, using the same simple password for nonsensitive uses, always asking them to send me my password again, registering with a new account every time, or rotating through a list of complex passwords for the accounts that actually give me elevated privileges. I also have a stash of Post-it notes with passwords on them, but I trust myself to remember which account the password goes with. Yes - passwords suck.
Posted by hgf on Apr 20 2004 17:10:23 UTC
aaa
>Barf-Eater-Yum!: Well that was well thought out! I would hope your passwords are more than just...
Posted by BluJayLax ® on Apr 20 2004 17:38:58 UTC from Columbia, MD
Doesn't it tend to be that prices for a tech item drop the more and more it is used? Dell, Apple, HP, Gateway, etc., should all start offering a fingerprint scanner and/or voice recognition device and software. Initially this will be a higher price, but in a year, maybe two, the price for adding these objects will be negligible. Software to recognize voice and prints will also go down and become more compatible with systems.
If the companies that make the comps push those items, and since letting a scanner grab my print is a lot easier than remembering my password, this should take off.
SHIT! I can't log on, I've forgotten my fingerprints.
TOokie ToOkie
BJL! 14-10 IHF ABBA'04 Regime change starts at home
>TecKnow: When you stick your finger on a finger print scanner, it reduces the scan down...
>spatula: There are other problems as well; what about people who don't have use of their...
>PrincessBethany: I have a friend who has no arm past his elbows, but still uses a computer (and...
>Random Guest: What genre?
>tecknow: You can't actually defeat voice recognition with a normal tape recorder, the...
>Robguy: lol, yah the recording quality isn't high enuf... yet. If it were important, it...
>Brie: Just put the cut-off body part in a microwave for a couple of seconds. Instant "...
>JT: The best way around that on cheap scanners involves an unspeakable use for warm...
>JT: Oh come on, Nick - you'd give up that password for a piece of pie. Not all...
>Vulpin: I understand that several handprint security devices actually check for...
Posted by Eagon ® on Apr 20 2004 19:12:23 UTC from Minnesota
I can assure you that most people would hand over their passwords to any semi-official IT person, no questions asked. I started working at my county courthouse when I was about 16. I find that if you say you are from IT and ask to look at ANYONE's computer, 90% of the time people will hand it over. And THIS IS THE GOVERNMENT. Because of poor inter-department security, I could access any number of government files. Not to mention the piss-poor security that the higher-ups don't even bother to enforce. I don't even need anyone else's computer or passwords anymore; I have network administrator passwords (which are never changed) and access to EACH AND EVERY USER'S PASSWORD. And I can't imagine any other government organization does it differently.
>Robguy: We just never ask for passwords. If they aren't available to log themselves in...
Posted by mlcastle ® on Apr 20 2004 19:41:25 UTC from New York, NY
In exchange for a bar of chocolate, I would give you a random string of characters and tell you it was my password.
>PrincessBethany: Yep, or tell you that it was my pet's name and then tell you my pet was named...
>mlcastle: Ah, there's the difference between you and me: even when lying in exchange for...
Posted by Tigerhawk71 ® on Apr 21 2004 10:39:25 UTC from Planet Earth
How about a full-body scan that also checks for bullet holes, knife wounds and blood stains, in case you decide to kill somebody and prop them in front of the scanner. And if you happen to have crappy fashion sense, it will remind you to buy new clothes.
[/sarcasm]
Posted by aeduna ® on Apr 21 2004 23:49:46 UTC from Australia
I encourage people to think of a phrase they find easy to remember, or lyrics to a fave song, and use the first letter from each word:
my dog has fleas -> mdhf
It often produces gibberish that is really hard to guess, unless they are visibly singing the song it comes out of. The only downside is that you often get repeated letters.
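As an added worked illustration of the acronym method aeduna describes (this code is not part of the original thread or of the site), the Python below derives the acronym from a phrase, optionally keeping capitalisation and trailing punctuation in the spirit of Striking Scorpion's spelling-and-punctuation variations, and then reports the things the thread argues about: length, how many distinct characters survive (aeduna's repeated-letter downside), a brute-force upper bound in bits, and whether the result is itself one of the guessable words the editorial names. The GUESSABLE set and the sample phrases are constructed for the example; the one real input is "my dog has fleas" from the comment.

```python
import math
import string

# Constructed illustrative set of the "easily guessed" choices the editorial
# mentions (pet names, sports teams, relatives). Not a real wordlist.
GUESSABLE = {"fluffy", "rover", "yankees", "arsenal", "mom", "dad", "password", "letmein"}


def acronym(phrase: str, keep_case: bool = False, keep_punct: bool = False) -> str:
    """Build a password from the first letter of each word in a phrase.

    keep_case  -- keep each word's initial letter as written instead of lowercasing
    keep_punct -- carry a word's trailing punctuation (',' '!' etc.) into the
                  result, which widens the character set a guesser must cover
    """
    out = []
    for word in phrase.split():
        letters = [c for c in word if c.isalnum()]
        if not letters:            # a bare dash or similar contributes nothing
            continue
        first = letters[0] if keep_case else letters[0].lower()
        out.append(first)
        if keep_punct and word[-1] in string.punctuation:
            out.append(word[-1])
    return "".join(out)


def alphabet_size(pw: str) -> int:
    """Size of the union of standard character classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # the 32 ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Work in bits for an attacker who knows only the length and the character
    classes and tries every combination. This is an upper bound: a guesser who
    tries dictionaries and common phrases first does far better, so the figure
    flatters passwords such as pet names."""
    size = alphabet_size(pw)
    if size == 0:                  # empty string or no recognised classes
        return 0.0
    return len(pw) * math.log2(size)


def assess(pw: str) -> dict:
    """Summarise length, distinct characters, brute-force cost in bits, and
    whether the string is itself one of the constructed guessable words."""
    return {
        "length": len(pw),
        "distinct": len(set(pw)),
        "bits": round(brute_force_bits(pw), 1),
        "guessable": pw.lower() in GUESSABLE,
    }


if __name__ == "__main__":
    # Constructed sample phrases; the first is the one from aeduna's comment.
    samples = [
        ("my dog has fleas", {}),
        ("the tiger tore the tent", {}),   # heavy letter repetition
        ("My dog has fleas, but the vet's bill has teeth!",
         {"keep_case": True, "keep_punct": True}),
    ]
    for phrase, options in samples:
        pw = acronym(phrase, **options)
        print(f"{phrase!r:52} -> {pw!r:16} {assess(pw)}")
    print(f"{'fluffy'!r:52} -> {'fluffy'!r:16} {assess('fluffy')}")
```

Running it shows why the four-letter example is weak even though it is gibberish: "mdhf" is 4 lowercase letters, about 18.8 bits or 26^4 = 456,976 candidates, a trivial search; a phrase with repeated initials collapses further ("the tiger tore the tent" gives "ttttt", one distinct character). Carrying case and punctuation through a longer phrase pushes the same method to 12 characters over an 84-symbol alphabet, roughly 77 bits. The bits figure says nothing about words a guesser would try first, which is why assess() also flags the constructed guessable list separately.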