Nicklas Johnson · morons.org - The Weakest Link in IT Security

Editorial: The Weakest Link in IT Security

Please Support our Featured Partners!

YouHaveBO.com: The Internet's Premier Anonymous BO Notification Service
Overheard in SF: Heard inbetween the rabbit squeezing and the carrot munching
Want Your Link Here?: Find out how to get free advertising with our partnership program!

Those who would give up chocolate to purchase a little temporary safety deserve neither chocolate nor safety...
Posted by spatula on Apr. 20, 2004 08:48 UTC
40 comments from readers. Join the discussion!

A recent survey in Britain revealed that more than 70% of the people questioned would hand over their passwords in exchange for a bar of chocolate. 34% of those asked would give away a password for no bribe at all. Another survey found that 79% would indirectly give away their password by revealing how they chose it. The password survey was commissioned by Infosecurity Europe, a security trade show.

Unsurprisingly, even those people who wouldn't turn over their passwords were making bad choices for passwords; that is, those that can be easily guessed. These were things like the names of pets, sports teams, names of relatives, etc. Two-thirds of people use the same password on every site they visit. On average, people had to remember about 4 passwords and often wrote them down somewhere in order to remember them.

Also unsurprisingly, 80% of people found passwords frustrating and wanted some other way to log on to systems. I find this notion completely understandable, as I have to remember about 10 passwords for sites and systems that I commonly use myself. And in my advanced age with my buggy short-term memory, I find this difficult and frustrating indeed.

While some clever engineers have proposed interesting solutions to the problem of remembering passwords and to password security over the years, to this day we're still using this same arcane system for verification of identity.

It would be great to see a group of engineers and psychologists tackle the problem together, looking for some means to make identity verification easier for people while still maintaining security. Biometrics would be a great way to go, but we can't expect everyone to attach a thumbprint readers to their computers or turn over a DNA sample for each login prompt (ala Gattaca).

Unfortunately, they'd find it difficult to overcome the hard problem of the chocolate bar.

---Nick

Find similar articles

You must wait 7 minutes, 30 seconds before posting is permitted (5 minutes, 15 seconds remain).

Posted by Striking Scorpion from Hell, erm, Denver on Apr. 20, 2004 08:52

I have approximately 5 passwords, all relating to the same subject, but with variations in spelling, punctuation, etc. The password itself is not hard to guess for anyone who knows me, but figuring out how it is spelled, and punctuated makes it slightly more difficult. The downside is that I have to try two or three times to get in.

I personally would not be against having a thumbprint scanner.

Posted by h_ank from Portland, Oregon, USA on Apr. 20, 2004 09:05

If only I could get a subdural implant in my forehead which could facilitate transactions...

Prime: That's silly. Between the shoulderblades is a much better place for it,...

PrincessBethany: Not if the scanner was imbedded in your computer chair.

Posted by Hizzow on Apr. 20, 2004 09:45

Currently At my job, I have over 25 passwords that I have to remeber and they change every 90 days. Our users have 3-8. Somehow. I have no sympathy for them.

But I am In favor for a biometric/password combination type system, Not DNA.

Posted by Doozer from Fair Oaks, CA on Apr. 20, 2004 09:45

Voice recognition is getting pretty good, these days...

Striking Scorpion: I don't know much about voice recognition, but what about those people who can...

Prime: In theory, there's a lot of variation outside the range of human hearing that...

Striking Scorpion: Or sing them!

gnad: yeah, I would assume how advanced the voice recognition is depends on what it...

starfall: I personally would like to see some backup to go along with voice recognition;...

PrincessBethany: Ditto. My grandmother can barely tell the difference between me and my mother's...

SatanMAT: There is a clasic T-Shirt-- "I helped Apple wreck a nice beach" recognize...

spatula: what was the phrase supposed to be?

Striking Scorpion: Something Something recognize speech. Still working on the first part.

Striking Scorpion: I think it's supposed to be "I helped Apple recognize speech." I can't make...

Peter: Wouldn't that be "My Apple can wreck a nice beach?" Makes more sense for a...

tecknow: Voice recognition and speech recognition have about as much in common as a...

Posted by Robguy from Madison, WI on Apr. 20, 2004 09:47

I alternate between skipping the site if it wants me to register, using the same simple password for nonsenstitive uses, always asking them to send me my password again, registering with a new account everytime, or rotating thru a list of complex passwords for the accounts that actually give me elevated privileges. I also have a stash of postit notes with passwords on them, but I trust myself to remember which account the password goes with. Yes - passwords suck.

Posted by hgf on Apr. 20, 2004 10:10

aaa

Barf-Eater-Yum!: Well that was well thought out! I would hope your passwords are more than just...

Posted by BluJayLax from Columbia, MD on Apr. 20, 2004 10:38

Doesn't it tend to be that prices for an tech item drop the more and more it is used? Dell, Apple, HP, Gateway, etc., should all start offering a fingerprint scanner and/or voice recognition device and software. Initially this will be a higher price, but in a year, maybe two the price for adding these objects will be neglible. Software to recognize voice and prints will also go down and become more compatible with systems.

If the companies that make the comps push those items and since letting a scanner grab my print is a lot easier then remembering my password, this should take off.

SHIT! I can't log on, I've forgotten my fingerprints.

TOokie ToOkie

BJL! 14-10 IHF ABBA'04 Regime change starts at home

TecKnow: When you stick your finger on a finger print scanner, it reduces the scan down...

spatula: There are other problems as well; what about people who don't have use of their...

PrincessBethany: I have a friend who has no arm past his elbows, but still uses a computer (and...

Random Guest: What genre?

tecknow: You can't actually defeat voice recognition with a normal tape recorder, the...

Robguy: lol, yah the recording quality isn't high enuf... yet. If it were important, it...

Brie: Just put the cut-off body part in a microwave for a couple of seconds. Instant...

JT: The best way around that on cheap scanners involves an unspeakable use for warm...

JT: Oh come on, Nick - you'd give up that password for a piece of pie. Not all...

Vulpin: I understand that several handprint security devices actually check for...

Posted by Eagon from Minnesota on Apr. 20, 2004 12:12

I can assure you that most people would hand over their passwords to any semi-official IT person, no questions asked. I started working at my county courthouse when I was about 16. I find that if you say you are from IT and ask to look at ANYONE's computer, 90% of the time people will hand it over. And THIS IS THE GOVERNMENT. Because of poor inter-department security, I could access any number of government files. Not to mention the piss-poor security that the higher-ups don't even bother to enforce. I don't even need anyone else's computer or passwords anymore, I have network adminstrator passwords (which are never changed) and access to EACH AND EVERY USER'S PASSWORD. And I can't imagine any other government organization does it differently.

Robguy: We just never ask for passwords. If they aren't available to log themselves in...

Posted by mlcastle from New York, NY on Apr. 20, 2004 12:41

In exchange for a bar of chocolate, I would give you a random string of characters and tell you it was my password.

PrincessBethany: Yep, or tell you that it was my pet's name and then tell you my pet was named...

mlcastle: Ah, there's the difference between you and I: even when lying in exchange for...

Posted by Tigerhawk71 from Planet Earth on Apr. 21, 2004 03:39

how about a full-body scan, that also checks for bullet holes/knife wounds and blood stains incase you decide to kill somebody and prop them infront of the scanner. and if you happen to have a crappy fashion sense, it will remind you to buy new clothes.

[/sarcasm]

Posted by aeduna from Australia on Apr. 21, 2004 16:49

I encourage people to think of a phrase they find easy to remember, or lyrics to a fave song, and use the first letter from each word:

my dog has fleas -> mdhf

Often produces gibberish, really hard to guess, unless they are visibly singing the song is comes out of. The only downside is you often get repeated letters.

Posted by GWTPict from A Small Dark Place on Apr. 22, 2004 08:05

I work in IT so I'd demand at least oral sex before handing my password over. I generate passwords by using song lyrics I like, eg Orgasmotron by Motorhead has the line 'my name is called religion, sadistic, sacred whore' which with a little munging gives me the password,

Mn1cr,55W

Memorable, incudes upper and lower case, numerics and punctuation. Crack that with a dictionary attack.