
75% Use Same Password For Social Media & Email

CmdrTaco posted about 4 years ago | from the my-password-is-trustno1 dept.

Privacy 278

wiredmikey writes "Over 250,000 user names, email addresses, and passwords used for social networking sites can easily be found online. A study of the data collected showed that 75 percent of social networking username and password samples collected online were identical to those used for email accounts. The password data was gathered from blogs, torrents, online collaboration services and other sources. It was found that 43 percent of the data was leaked from online collaboration tools while 21 percent of data was leaked from blog postings. Meanwhile, torrents and users of other social hubs were responsible for leaking 10 percent and 18 percent of user data respectively...."


278 comments


Passwords (4, Insightful)

geek (5680) | about 4 years ago | (#33265472)

As long as passwords remain the central method of authentication, this will continue.

Re:Passwords (5, Funny)

Anonymous Coward | about 4 years ago | (#33265490)

My password is IAMGAY. That way, even if it got found out I can be confident no one will want to use it, because that would mean they are gay.

Re:Passwords (5, Funny)

Captain Splendid (673276) | about 4 years ago | (#33265612)

Shame this isn't ten years ago. You coulda got some VC funding for that idea.

Re:Passwords (1)

ConceptJunkie (24823) | about 4 years ago | (#33265672)

As it is, this was pushed in a Microsoft security Hotfix for Vista a couple years ago...

Re:Passwords (0)

Anonymous Coward | about 4 years ago | (#33266062)

As it is, this was pushed in a Apple security Hotfix for OS X a couple years ago...

FTFY

Re:Passwords (0)

Anonymous Coward | about 4 years ago | (#33265678)

That's funny... I have the same combination on my luggage.

Re:Passwords (4, Insightful)

Abstrackt (609015) | about 4 years ago | (#33265750)

My password is IAMGAY. That way, even if it got found out I can be confident no one will want to use it, because that would mean they are gay.

What if they are gay? ;)

Your comment reminds me of the best password policy I've ever heard: offensive gibberish. If someone's password is suitably embarrassing odds are quite good that they won't share it with anyone.

Re:Passwords (3, Insightful)

jDeepbeep (913892) | about 4 years ago | (#33265870)

So... being gay is both offensive and embarrassing?

Re:Passwords (0)

Anonymous Coward | about 4 years ago | (#33265922)

To an AC, yes. TO this AC, no. Though I'm not gay, I don't find it offensive or embarrassing.

Now having the gay guy show off his ripping abs in front of all the straight girls is a bit embarrassing. For me that is.

Re:Passwords (0)

Anonymous Coward | about 4 years ago | (#33266010)

Normally not... but then again ask Jet Blue.

Re:Passwords (1)

Abstrackt (609015) | about 4 years ago | (#33266146)

So... being gay is both offensive and embarrassing?

The AC's comment just reminded me of that policy. If my comment came across as me thinking that being gay is offensive and/or embarrassing, I sincerely apologize as that was not my intention.

Re:Passwords (1)

Cro Magnon (467622) | about 4 years ago | (#33266012)

If someone's password is suitably embarrassing odds are quite good that they won't share it with anyone

One of my passwords a while back had very nit-picky rules for passwords. After about a dozen attempts, I finally found one it accepted. I can guarantee I would never repeat THAT password.

Re:Passwords (0)

Anonymous Coward | about 4 years ago | (#33266064)

Unless you're a Mac user

"Leaked"? (4, Interesting)

Pojut (1027544) | about 4 years ago | (#33265476)

So wait...how exactly did they get hold of passwords?

Re:"Leaked"? (1, Funny)

Anonymous Coward | about 4 years ago | (#33265518)

Hax0red sites!

Re:"Leaked"? (5, Interesting)

KnightBlade (1074408) | about 4 years ago | (#33265590)

While I was studying Info. Sec. at my univ, my professor at the time told the class about this research they had about passwords. They were going around gathering statistics by asking random people questions about their passwords- length, number of special characters, if they used the same passwords, the number of times they changed them and so on. He said what amazed him was that one in every 5-6 people would just tell them their password and ask is that good enough?

Re:"Leaked"? (3, Insightful)

BergZ (1680594) | about 4 years ago | (#33265628)

It's pretty amazing just how much of the world is based on trust isn't it?

Re:"Leaked"? (5, Insightful)

ConceptJunkie (24823) | about 4 years ago | (#33265796)

It's pretty amazing just how much of the world is based on trust isn't it?

And it's equally tragic that it can't.

I don't think it's so much that people automatically trust each other, although that's certainly the case sometimes, it's more like it never occurs to too many people, unfortunately, that what they divulge could cause problems in the wrong hands.

For many years now, when someone asks me for information, my first thought is not to give the information, but to consider why I don't want to give it to that person. And I don't consider myself particularly paranoid with respect to what I share.

It gets tiring after awhile. Modern life in the 21st century requires a level of vigilance regarding information that probably never existed outside of the military, national security apparatus, law enforcement or some elements of business before a couple decades ago.

"Loose lips sink ships" was a common saying during World War II, but nowadays everyone must practice that level of vigilance over their own information all the time merely to be safe from criminals.

Re:"Leaked"? (2, Interesting)

fishbowl (7759) | about 4 years ago | (#33265928)

>"Loose lips sink ships" was a common saying during World War II

And today we know *way* too much, in way too much detail, about the location and movement of troops, their morale, reports of their actions, etc.

Re:"Leaked"? (3, Insightful)

socz (1057222) | about 4 years ago | (#33266198)

And today we know *way* too much, in way too much detail, ...

That sounds like an argument for why porn should NOT be put on bluray and in HD!

Re:"Leaked"? (2, Insightful)

e065c8515d206cb0e190 (1785896) | about 4 years ago | (#33265948)

I think the whole driving/road system is based on trust and it works quite well. It's potentially a very dangerous environment where the penalties for being reckless are not as bad as the potential damage you can cause. And yet it somehow works.

Btw I have to agree with one of the posts above, having your password be very offensive usually prevents you from sharing it at all. I do have such a password somewhere, and was horrified when a friend of mine cracked it.

Re:"Leaked"? (4, Informative)

plover (150551) | about 4 years ago | (#33266044)

It's not so much about trusting a person. Although that's an exploitable component for social engineers, social engineering is fairly rare, and it doesn't scale well. It's really about the machines in which we place that trust, and how those machines can be hacked. That's the easy part to scale up.

Hackers (specifically criminal types) operate on statistics. They don't care so much "which" websites they break open, they care about breaking into "some" sites and harvesting what can be found there. They also harvest the easy stuff: cleartext passwords, cleartext account numbers, etc. They won't run a deep password cracker on a million accounts, but they might run a simple /usr/dict/words kind of scan.

Of course once you've broken a thousand passwords on socialsite.com, you can try correlating those to majorbank.com and amazon.com and all the other potential sources of money. Again, you don't care if 900 out of a thousand fail, because you can still effectively steal from the 100 that remain.
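The correlation plover describes has a signature on the defender's side: one source trying many distinct accounts in a short window, with a low but non-zero success rate (the hits are the reused passwords). The detector below is an added example, not something from the thread; the log format and the sample lines are constructed for it.

```python
"""Credential-stuffing detector run over constructed auth-log lines.
Added example: the log format 'ts auth ok|fail user=... ip=...' is invented here."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.9 replays a leaked list against many accounts
# (two of them reused their password, so those logins succeed); 198.51.100.7 is
# one user mistyping twice; 192.0.2.44 is an ordinary login.
SAMPLE_LOG = """\
2010-08-18T12:00:01 auth fail user=alice ip=203.0.113.9
2010-08-18T12:00:02 auth fail user=bob ip=203.0.113.9
2010-08-18T12:00:02 auth fail user=carol ip=203.0.113.9
2010-08-18T12:00:03 auth ok user=dave ip=203.0.113.9
2010-08-18T12:00:04 auth fail user=erin ip=203.0.113.9
2010-08-18T12:00:05 auth fail user=frank ip=203.0.113.9
2010-08-18T12:00:06 auth ok user=grace ip=203.0.113.9
2010-08-18T12:00:10 auth fail user=heidi ip=198.51.100.7
2010-08-18T12:00:15 auth fail user=heidi ip=198.51.100.7
2010-08-18T12:00:20 auth ok user=heidi ip=198.51.100.7
2010-08-18T12:00:30 auth ok user=ivan ip=192.0.2.44
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def find_stuffing(log_text, window=timedelta(seconds=60), min_users=5, max_ok_ratio=0.5):
    """Return {ip: sorted usernames} for sources that tried at least min_users
    distinct accounts inside one sliding window. A stuffing run succeeds only
    on reused passwords, so its success ratio stays low; a NAT full of real
    users would show a much higher ok ratio and is left alone."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) >= min_users:
                ok = sum(1 for e in span if e["result"] == "ok")
                if ok / len(span) <= max_ok_ratio:
                    flagged[ip] = sorted(users)
                    break
    return flagged


def compromised_accounts(log_text, flagged):
    """Accounts that logged in successfully from a flagged source: these are the
    password-reuse victims that need a forced reset, not just the failures."""
    hits = {ev["user"] for ev in parse(log_text)
            if ev["ip"] in flagged and ev["result"] == "ok"}
    return sorted(hits)


if __name__ == "__main__":
    flagged = find_stuffing(SAMPLE_LOG)
    print("stuffing sources:", flagged)
    print("force-reset:", compromised_accounts(SAMPLE_LOG, flagged))
```

The thresholds (five accounts in sixty seconds, at most half successful) are illustrative; in production they would be tuned per application and the distinct-account count would be kept per source in a streaming store rather than re-sorted from a text file.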

Re:"Leaked"? (2, Insightful)

aGuyNamedJoe (317081) | about 4 years ago | (#33265882)

It's pretty amazing just how much of the world is based on trust isn't it?

Especially since, at least in the US, we seem to have been making crime stories the prime entertainment for decades, and there's a lot of money made from fear mongering.

Re:"Leaked"? (1)

alphax45 (675119) | about 4 years ago | (#33265658)

I'm not surprised. A lot of people seem to fail at basic directions once a computer/technology is involved. Don't know why but it seems the brain goes into OFF mode.

Re:"Leaked"? (1)

John Hasler (414242) | about 4 years ago | (#33265936)

He said what amazed him was that one in every 5-6 people would just tell them their password and ask is that good enough?

How many of those were their real passwords?

Re:"Leaked"? (1)

Securityemo (1407943) | about 4 years ago | (#33265670)

Scraping sites, using keywords to locate interesting data presumably. It says right there, "blogs, torrents, online collaboration services and other sources".
As in, people posted their passwords there and said something like "this is my password", right there in the open. As for verification, my best guess is they got the providers to agree to check the scraped list against their accounts. I don't think they'd try to log in to the accounts to verify them, as they're a reputable company and such an action would open them up for liability.

Re:"Leaked"? (0)

Anonymous Coward | about 4 years ago | (#33265774)

My exact question as well. I could see them maybe getting information from a flaw in facebook, twitter etc, but then to get matching email passwords from gmail, yahoo, hotmail, your local ISP, etc?? This sounds fishy

Use Password Hasher (5, Informative)

mbuimbui (1130065) | about 4 years ago | (#33265510)

Use the Firefox extension Password Hasher (http://wijjo.com/PasswordHasher). Then you only need to remember one password but can use it for a variety of sites. If any one site's passwords get leaked, you don't have to go around and update your password for all other sites.

Re:Use Password Hasher (5, Insightful)

Anonymous Coward | about 4 years ago | (#33265552)

And if you ever need to sign in from a computer that doesn't have firefox, and that extension, installed.....you are stuck.

Re:Use Password Hasher (0)

Anonymous Coward | about 4 years ago | (#33265720)

And if you ever need to sign in from a computer that doesn't have firefox, and that extension, installed.....you are stuck.

But that would require us not being near our personal computing rigs, and THAT would require us leaving our geek caves, now, wouldn't it? Didn't think about THAT, now, did you, smart guy?

Re:Use Password Hasher (0)

Anonymous Coward | about 4 years ago | (#33265732)

I think using LastPass (https://lastpass.com/) is prob the best option. I believe it works on IE, Firefox, Chrome, even the iPhone and possibly even Android, and passwords are encrypted 2 times, just a thought :)

Re:Use Password Hasher (1)

The MAZZTer (911996) | about 4 years ago | (#33265762)

Unless you have Firefox Portable [portableapps.com].

Re:Use Password Hasher (0)

Anonymous Coward | about 4 years ago | (#33265920)

Any public computer that allows you to run firefox portable from USB probably has enough malware already installed on it to make anything you do futile.

Re:Use Password Hasher (1)

The MAZZTer (911996) | about 4 years ago | (#33266036)

Er.... whatever.

Re:Use Password Hasher (3, Insightful)

tool462 (677306) | about 4 years ago | (#33265772)

In Tinfoil Hat Land, if you don't have FF installed, then it's likely not a computer you control*, and if it's a computer you don't control, then should you really be entering your password**?

* It must be a machine at work, friend or family member's house, public terminal like a coffee shop, public library, etc.
** If it's not your computer, you don't know who that computer has "been with". There could be key-loggers, cookie-trackers, syphilis. Who knows!?

Re:Use Password Hasher (3, Interesting)

BJ_Covert_Action (1499847) | about 4 years ago | (#33265884)

So I guess Chrome, Opera, Iron, Seamonkey, and dozens of other web browsers are completely insecure?

I know IE6 is a nightmare. I don't really pay attention to IE7 or IE8 because I don't use them. I know Chrome involves some privacy issues, and I suppose there is something that has to do with selective script management. From what I hear, however, Opera and Iron are supposed to be pretty damn secure. Also, SeaMonkey is supposed to be pretty decent. I can't talk about Safari because, like IE, I really don't care about it at all.

Of course, you prefixed your post with "In Tinfoil Hat Land..." so I suppose you were being somewhat sarcastic. But I am curious, do you really think FF is the only secure browser out there?

Re:Use Password Hasher (1)

Cro Magnon (467622) | about 4 years ago | (#33266090)

The impression I got is, it's not so much the browser. It's the fact that the user doesn't control the computer. At work, I use IE7, but even if I used FF (or Opera, Iron, Lead, or whatever), I wouldn't do anything regarding important passwords (my /. pw doesn't count) on it.

Re:Use Password Hasher (0)

Anonymous Coward | about 4 years ago | (#33265824)

And if you ever need to sign in from a computer that doesn't have firefox, and that extension, installed.....you are stuck.

Not quite, they have a website with a javascript generator so you don't need to be using firefox/that site. I guess you could even write a phone app to do the hashing and tell your password. See http://wijjo.com/passhash/passhash.html

Re:Use Password Hasher (1)

Seth Kriticos (1227934) | about 4 years ago | (#33265930)

I use a password manager for password storage and generation. Stores them nicely with AES. New password for all important stuff. I also upload it to my online storage, as no-one can do anything with it without the master password (which is also long, and computer generated.. it's fascinating what you can remember when you enter it a bunch of times on a daily basis).

Now as for the time I'm on the way: well, I don't trust Joe Random PC. I'd never unlock my password DB on a machine that's not at least reasonably under my control and/or very trustworthy (means I only use them at home and at work, both Linux machines). Otherwise I might as well not bother in the first place.

Truth is, people don't want to concern themselves with security. Then they get burned. Does not help. They get burned more. Maybe sometimes the education system catches up, a few generations from now. Until then, no cake for Fred Ignoramus.

Re:Use Password Hasher (1)

BrokenHalo (565198) | about 4 years ago | (#33265986)

If I'm not traveling with my laptop, I now make sure I carry a Linux LiveCD. This is a result of an ill-advised (but unavoidable) online transaction I made on a machine that had been pwned in December 2008 when I was on a trip with my wife and a couple of other ladies. My mistake resulted in a spurious transaction being made on my Visa card. In this case, the bank picked it up quickly enough, and no real harm was done, but I was without access to a credit card for 10 days while it was all fixed up.

Re:Use Password Hasher (2, Informative)

defaria (741527) | about 4 years ago | (#33266136)

Not necessarily. In a word - LastPass.

Re:Use Password Hasher (1)

0100010001010011 (652467) | about 4 years ago | (#33265558)

I use Password Composer [xs4all.nl] (runs as a grease monkey script, so will run under Chrome or GlimmerBlocker).

Re:Use Password Hasher (1)

Terrasque (796014) | about 4 years ago | (#33265688)

I prefer http://www.hashapass.com/ [hashapass.com] - even have a pretty well working bookmarklet, and it's 100% javascript. Which means that you can save the page to a local file :)

Re:Use Password Hasher (0)

Anonymous Coward | about 4 years ago | (#33265698)

I use the same word with various substitutions of letters for symbols (# for e, etc) and the same two symbols at the end in various order. So the passwords are all different, fairly strong, and if I don't remember them, there are only so many combinations.

Same password (2, Insightful)

stewbacca (1033764) | about 4 years ago | (#33265516)

I'd use the same password for everything if they all had the same basic requirements.

Re:Same password (1)

Abstrackt (609015) | about 4 years ago | (#33265598)

I'd use the same password for everything if they all had the same basic requirements.

Keepass [keepass.info] . You're welcome.

You can generate and store passwords to your heart's content and only ever have to type one when you open the database. It will also auto-type most forms.

Re:Same password (1)

stewbacca (1033764) | about 4 years ago | (#33265730)

I'll give it a look (for the house). I can't use that at work, which is where I have about 18 different accounts, each with seemingly different password requirements.

Re:Same password (1)

Abstrackt (609015) | about 4 years ago | (#33265778)

I'm not sure if this will help you then, but it's possible to run it portable as well. Of course, that's only if your workplace lets you run software off a stick.

The danger of too many password requirements (5, Insightful)

Kepesk (1093871) | about 4 years ago | (#33265740)

Hah, my worst enemy is a system where a password has to have:
- at least two uppercase letters
- at least two lowercase letters
- at least two numbers
- at least two symbols
- at least 12 characters
- no characters that repeat
- nothing that's in your personal records
- nothing from the dictionary that's over three characters
- nothing from a FOREIGN dictionary that's over three characters
- at least three characters different from your last 10 passwords

No joke, I used a system for years that had those exact password requirements. Worse yet, I had to SUPPORT this system. Sometimes it would take a half hour for me to help someone figure out a new password.

There is a danger in creating a password system with too many requirements, because I know very few people who used that system who didn't have their password on a sticky note on their monitor.

Re:The danger of too many password requirements (2, Insightful)

Anonymous Coward | about 4 years ago | (#33265836)

Aa1!Bb2@Cc3#

Next passwords:
a1!Bb2@Cc3#A
1!Bb2@Cc3#Aa
!Bb2@Cc3#Aa1
etc.

Or
Bb2@Cc3#Dd4$
Cc3#Dd4$Ee5%
Dd4$Ee5%Ff6^
etc.

Re:The danger of too many password requirements (1)

ToasterMonkey (467067) | about 4 years ago | (#33266164)

Yah, encourage users to use an obvious pattern, good one. Then if I get one of your passwords I have it forever.

It's already bad enough in less severe environments where people do password++number every iteration
What is the point of enforcing password changes and history checks if you're going to use an easily guessable pattern?

People need to realize that password policy has sharply diminishing returns, and two factor authentication is sooooooooooooooo much better than just one more character class.

Re:The danger of too many password requirements (1)

fishbowl (7759) | about 4 years ago | (#33265994)

> - at least three characters different from your last 10 passwords

I have a problem with that. Enforcing that requires a system to store your last 10 passwords in cleartext.

> I know very few people who used that system who didn't have their password on a sticky note on their monitor.

A system that tries to be as secure as what you describe, should include men with guns taking away anyone who puts a password on their monitor.

(Where I work, Men With Guns is literally a major part of our security infrastructure, which also includes RSA keys, strong password requirements, and awareness of individuals -- you can be in real trouble for not noticing something you should have noticed.)

Re:The danger of too many password requirements (1)

AndrewNeo (979708) | about 4 years ago | (#33266086)

Enforcing that requires a system to store your last 10 passwords in cleartext.

What? No it doesn't, you can still keep the hashed passwords and verify against that.
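Two threads above meet here: the rotation trick (Aa1!Bb2@Cc3# becoming a1!Bb2@Cc3#A) that ToasterMonkey objects to, and the question of whether a history rule needs cleartext. The example below is added here and is not code from any poster. It keeps only salted PBKDF2 digests, so exact reuse of any of the last ten passwords is checked against hashes, as AndrewNeo says. The similarity checks (rotation, trailing-digit bump, fewer than three characters changed) need a cleartext to compare against, and the only one available is the current password, which the user has just typed into the change form; older passwords cannot be compared this way without storing them recoverably. The work factor is set low so the example runs quickly.

```python
"""Password-change policy: hashed history plus cleartext checks against the
current password only. Added example, not code from the thread."""
import hashlib
import hmac
import os

ITERATIONS = 50_000         # PBKDF2 work factor, kept low for the example
HISTORY_DEPTH = 10          # remember the last 10 passwords, as in the thread
MIN_CHANGED_CHARS = 3


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _matches(password, salt, digest):
    return hmac.compare_digest(_digest(password, salt), digest)


class PasswordRecord:
    """Holds (salt, digest) pairs, newest first. No cleartext is ever stored."""

    def __init__(self, password):
        self.history = []
        self._push(password)

    def _push(self, password):
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(password, salt)))
        del self.history[HISTORY_DEPTH:]


def is_rotation(old, new):
    """True if new is a cyclic shift of old, e.g. Aa1!Bb2@Cc3# -> a1!Bb2@Cc3#A."""
    return len(old) == len(new) and old != new and new in (old + old)


def trailing_digit_variant(old, new):
    """True if the two differ only in trailing digits (password1 -> password2)."""
    return old.rstrip("0123456789") == new.rstrip("0123456789")


def changed_chars(old, new):
    """Positional differences plus any difference in length."""
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


def check_change(record, current, new):
    """Return the list of policy violations; an empty list means the change was
    accepted and recorded. Exact reuse is tested against stored digests; the
    similarity tests use the cleartext of the current password only, because
    that is the only old password available in cleartext at change time."""
    if not _matches(current, *record.history[0]):
        return ["current password is wrong"]
    problems = []
    if any(_matches(new, salt, d) for salt, d in record.history):
        problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    if is_rotation(current, new):
        problems.append("rotation of the current password")
    if current != new and trailing_digit_variant(current, new):
        problems.append("only trailing digits changed")
    if changed_chars(current, new) < MIN_CHANGED_CHARS:
        problems.append("fewer than %d characters changed" % MIN_CHANGED_CHARS)
    if not problems:
        record._push(new)
    return problems


if __name__ == "__main__":
    rec = PasswordRecord("Aa1!Bb2@Cc3#")
    print(check_change(rec, "Aa1!Bb2@Cc3#", "a1!Bb2@Cc3#A"))   # rotation rejected
    print(check_change(rec, "Aa1!Bb2@Cc3#", "Zx9?Qw4&Lm7*"))   # accepted
```

Note that the rotated password passes the "three characters different" rule on its own (every position changes), which is why a rotation check is a separate test; and that none of these checks addresses the real weakness of the pattern, which is that an attacker holding one old password can predict the next one.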

Re:The danger of too many password requirements (1)

TheLink (130905) | about 4 years ago | (#33266008)

And it's a waste of time and productivity.

There is little security gain (or even decreased security as you mentioned).

The users will just get compromised by malware (keyloggers etc), or phishing scams (what prevents them from entering that same password to the phishing site if they think it's a legit site?).

It's like having a super expensive security system for a building, but people hold/open the doors for the pizza delivery guy/guy carrying stuff with both arms. Or let random cleaning staff into the most secure areas.

Re:The danger of too many password requirements (1)

Kepesk (1093871) | about 4 years ago | (#33266150)

Hah, that's a great analogy. But a better one might be that it's like having a super expensive security system for a building, but making it so hard to use that people just cheat and leave their access card taped on the wall next to the door.

Re:The danger of too many password requirements (1)

RobertLTux (260313) | about 4 years ago | (#33266018)

the real joke is that this results in a smaller password "space" than could be possible
since without the stack of rules you have 12((26*2)+10 +10) possible passwords but you then lose

No repeats (which removes a swath of passwords)
2 upper case letters (which drops possible passwords by 36*2)
2 Lowercase letters (same deal)
2 symbols (which drops possible passwords by 10*2)
2 numbers (same deal)

say 20% possible passwords drop due to being dictionary words in some language
and I bet these passwords get changed like every week and are disallowed to repeat system wide

so in a good sized company will deplete the password space in say a year or so
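The shrinkage RobertLTux is reasoning about can be counted exactly rather than estimated. The block below is an added worked computation, not from the thread; it takes the poster's assumed alphabet of 72 characters (26 upper, 26 lower, 10 digits, 10 symbols) and length 12, and counts three spaces: no rules, no repeated characters, and no repeats plus at least two characters from each class. The dictionary and history rules are left out because their effect depends on the word lists and on the user's past passwords.

```python
"""Exact size of the 12-character password space under the thread's rules.
Added worked example; alphabet sizes are the poster's assumption (72 total)."""
from math import comb, factorial, log2, perm

UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 10
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS   # 72
LENGTH = 12


def unconstrained():
    """Any of 72 characters in each of 12 positions."""
    return ALPHABET ** LENGTH


def no_repeats():
    """Ordered selections of 12 distinct characters out of 72."""
    return perm(ALPHABET, LENGTH)


def no_repeats_min_two_each():
    """Distinct characters with at least two from each class. Choose how many
    come from each class (u + l + d + s = 12, each >= 2), pick that many
    distinct characters per class, then arrange the 12 distinct characters."""
    total = 0
    for u in range(2, LENGTH + 1):
        for l in range(2, LENGTH + 1 - u):
            for d in range(2, LENGTH + 1 - u - l):
                s = LENGTH - u - l - d
                if s < 2:
                    continue
                total += comb(UPPER, u) * comb(LOWER, l) * comb(DIGITS, d) * comb(SYMBOLS, s)
    return total * factorial(LENGTH)


def bits(n):
    """Entropy of a uniform choice from n candidates, in bits."""
    return log2(n)


if __name__ == "__main__":
    for name, fn in (("no rules", unconstrained),
                     ("no repeats", no_repeats),
                     ("no repeats, >=2 per class", no_repeats_min_two_each)):
        n = fn()
        print(f"{name:28s} {n:.3e}  {bits(n):.1f} bits")
```

The interesting output is the last column: the rules cost a couple of bits against a baseline of about 74, which is small next to the bits lost when users respond to the rules with a sticky note or a rotation pattern, and it does not support the idea that a company could exhaust the space.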

Re:Same password (1)

BJ_Covert_Action (1499847) | about 4 years ago | (#33265926)

I'd use the same password for everything if they all "secured" shit that I didn't care about people knowing (read relationship status, hobbies/interests, favorite bands, and the latest gossip on my next door neighbor). Now, if this were a story about how 75% of the passwords used for social networking and e-mail accounts are the same ones used for bank accounts and logins associated with classified/proprietary information, then I think there would be something worth worrying about.

Problem is lack of importance (3, Insightful)

sarbonn (1796548) | about 4 years ago | (#33265562)

The problem is that a lot of people don't perceive email or social networking sites to be all that important, yet EVERYONE wants you to create a password for practically everything you do. I don't need a password to sign onto a site to look at stereo equipment, yet they force you to create one on some of those sites. On gaming sites where all I do is talk about games, I don't need 50,000 passwords for the different ones cause I don't care if someone steals my password there.

I don't care that I don't have all that much concern for facebook's password. If someone takes my account, it would be unfortunate, but is it really the end of the world?

Places where it might cause me economic misfortune, well, those I care about, but everyone out there thinks that their site is so important for passwords.

Some places, it's important. Others, not so much.

Re:Problem is lack of importance (4, Insightful)

jim_v2000 (818799) | about 4 years ago | (#33265828)

That's why I use three different passwords. One is for sites I don't care about...like registering for a forum that I only need once. The second is for things that I'd like to be more secure, like forums I visit often, Facebook, my personal blog, etc. The third is for critical things like email, online banking, shopping sites like Newegg and Amazon, etc.

Re:Problem is lack of importance (1)

rHBa (976986) | about 4 years ago | (#33265900)

Personally I use two repeated passwords which compare to your first two examples.

For banking, email and server logins I have unique passwords and an encrypted password manager to help me remember them.

Re:Problem is lack of importance (1)

Monkey-Man2000 (603495) | about 4 years ago | (#33265970)

LOL! That's just as bad. If you lose the third critical password, you could be royally 0wned. Better to use three passwords and mix and match each one of them among the critical/secure and insecure things. Then if you lose one, you might lose one critical thing but not all the critical things.

Re:Problem is lack of importance (1)

jim_v2000 (818799) | about 4 years ago | (#33266140)

That's not just as bad at all. If you didn't notice, people were getting their passwords stolen by using the same one everywhere, including the sketchy sites.

Re:Problem is lack of importance (1)

nschubach (922175) | about 4 years ago | (#33265978)

What bugs me is when you are trying to find a picture of some car part or something along that line and you find a forum where someone posted an attachment that requires login to download.

Also, the fact that XDA forums requires login to be able to get anything worth going there for.

Re:Problem is lack of importance (1)

theJML (911853) | about 4 years ago | (#33266058)

Seriously. There are some sites that I really don't give a crap if they're hacked and steal my password. They can have fun with it for all I care, e-mail accounts are easily created and in this day and age the only thing I use them for are 'forgotten password' requests and spam lists anyway. Hell, if these people can figure out my logins in half the places I have to sign up for just to see a picture or download a user manual or software update they can have it. I can't even remember them most of the time.

Yup, Probably true (3, Interesting)

IndustrialComplex (975015) | about 4 years ago | (#33265568)

I'll give a bit of a hint here, I do the same thing, just with a slight variation:

Mostly-Trusted media sites get the same password (obviously vastly different user names)
Slashdot, Fark, Broadband Reports, etc

Then I have my pseudo-trusted sites with their own password group:
Demonoid, imageshack, probably others.

Non-trusted sites get a random junk password each access = reset password
ie: low accountability not tied to a company name with 2-3 visits/year

My email gets its own password of 10+ characters

Work gets its own password of whatever the hell rules they implement this week. Tech support has to deal with LOTS of reset requests since I don't write it down, but they have a different password for every freaking service and every freaking service has a different password lifetime setting.

So aside from work, I really only have 3 passwords or so, but it helps break up the damage should one be compromised. Compartmentalized is probably the best description.

Re:Yup, Probably true (2, Interesting)

Captain Splendid (673276) | about 4 years ago | (#33265696)

See, this is why math is your friend. All I have to remember is a formula. I apply that formula to whatever it is I'm signing into, which produces a different (and alphanumeric) password for every instance. Complex, unique passwords without having to write anything down anywhere.

Re:Yup, Probably true (2, Interesting)

c-reus (852386) | about 4 years ago | (#33265872)

so if someone were to figure out that formula, he'd have access to every account you have created?

Re:Yup, Probably true (1)

nschubach (922175) | about 4 years ago | (#33266024)

Now there's an idea... have an app that generates a hash of the site domain and a common password and use that as the password for that site. Then all you have to do is put the domain name and your password in a box and poof, instant alphanumeric/non-dictionary password.

Hmm.

Re:Yup, Probably true (3, Insightful)

happyslayer (750738) | about 4 years ago | (#33266016)

Same basic process, though different criteria for me:

  • Junk sites (one-time login for news, quick downloads, register-to-see, tech mailing lists) get the same low-end password. If I can't foresee any information that I care about going to that site, then it gets a basic throwaway. (I also misspell registration details so I have an idea if advertisers are getting that info).
  • Slashdot, forums, etc: Also low-grade. Sorry, but if someone gets their rocks off posting crap as me, I can live with it. I've got enough First Life points to keep me busy.
  • Personal email: Since I don't trust the email systems that are in the hands of others, I don't put anything on there I care about. (If someone wants to know that I'm asking my prof how to fix some code, more power to them--it'll bore them to tears.) Hence, it gets a medium-grade password.
  • Online stores: Medium grade for one-time purchases, high-grade for repeat business.
  • Own email system, bank, etc: High grade password, randomized enough (at least to the rest of the world) that it passes the basic dictionary attack. For example, I somehow remember old phone numbers and bank accounts from 20 years ago (none of which are in use); add a couple of 1337-speak letters and you're in business.

Like the parent, it's really a matter of compartmentalization and damage control. If you don't own the system, it's not completely trustworthy. If it's your system, it's only modestly trustworthy. If you're doing something criminal/embarrassing/stupid, it's better to leave all notes at the bottom of the Marianas trench.

Paranoia (2, Insightful)

deathtopaulw (1032050) | about 4 years ago | (#33265614)

This password security paranoia drives me crazy. If someone wants your shit, they're going to get it. I'll tell you all right now, I have maybe 3 online handles that pop up everywhere. I use the same basic password for each (adding a 1 to the end on occasion where it's OMG REQUIRED). I'm sure if someone started googling me, they'd find out a lot. I wouldn't even be surprised if they could manage to dig up something years ago where I may have said something to someone and just given my password because they're a friend, or whatever. It's probably there, and it's probably there for you too. Failing that all they'd have to do is find all the places I exist, and try to find the least secure one/impersonate me/whatever.

I've lived this blasphemous insecure lifestyle on the internet for decades now, and have never once had an account compromised. Whether this is because I'm a worthless peon or because password security is bullshit is yet to be determined.

Moral of the story: be insignificant to the point that you're considered below the bad guys. Failing that, stop fucking worrying.

Re:Paranoia (0)

Anonymous Coward | about 4 years ago | (#33265974)

Moral of the story: be insignificant to the point that you're considered below the bad guys. Failing that, stop fucking worrying.

When the bad guys' business model is based on harvesting the information of insignificant people, your theory fails really badly.

Password Hashing (pwdhash) (4, Informative)

bradgoodman (964302) | about 4 years ago | (#33265624)

Password hashing lets you enter the same password for several sites, but changes it (i.e. hashes it) along with the domain name of different web sites - which means you are actually using a different password for every site.

Furthermore, since the passwords are seemingly random characters (not words, or anything sensible) - they are generally quite strong.

"pwdhash" is the foremost system for doing this - there are several browser extensions and other tools for automating it.

See: http://cynix.org/tools/superpwdhash [cynix.org]

As it turns out.... (4, Funny)

Abstrackt (609015) | about 4 years ago | (#33265636)

Apparently 75% of the passwords tested were hunter2.

Re:As it turns out.... (1)

SnarfQuest (469614) | about 4 years ago | (#33265810)

Actually, it was 123. And if they also checked suitcases...

Re:As it turns out.... (0)

Anonymous Coward | about 4 years ago | (#33266066)

What kind of a password is *******?

Re:As it turns out.... (1)

colesw (951825) | about 4 years ago | (#33266148)

All I see is *******, is it supposed to show your password?

The Minions (1)

dpolak (711584) | about 4 years ago | (#33265638)

The average Joe has no clue or concept of security or the capabilities of hackers. They usually set a really easy password and use it everywhere.

This will not stop until there are technologies that can determine that the link you are clicking on in the e-mail is not the site you are intending to go to. To ask a standard user to use Thunderbird or another product that shows the hyperlink when you put your mouse over it is naive.

As long as there is a lot of money to be made hacking into the minions' PCs it will continue on. Hopefully they will be educated in school and over time it diminishes, but they are quite resourceful, the hackers are.

I have often wondered that... (2, Insightful)

damn_registrars (1103043) | about 4 years ago | (#33265664)

I wondered how many people would see a registration form that requires an email address and a password, and interpret that to be asking them for their email password. Considering how many people fall for really atrociously bad phishing scams it wouldn't surprise me that a lot of people would give away their email passwords on registration forms either...

You wonder? I know it happens. (2, Informative)

N0Man74 (1620447) | about 4 years ago | (#33265988)

I've been involved with tech support, and have been asked for help from family and friends. Many non-computer-savvy people see these registrations and think that they are *supposed* to use their email address password there. When people (including my mother) have asked me for help to set up random online accounts where they give their Yahoo email address (for example), they frequently ask, "so I should put my yahoo password in here?"

Even if they realize it's a second password, they will often use the same one anyway, which is often something as simple as their own first name in all lowercase. I told one family member that this was a very bad idea, and that good passwords are a combination of letters and numbers, so she began adding 123 to the end of her passwords...

These people don't realize how some accounts *can* be abused. Sure, many of us take security for things like social media sites less seriously, but don't forget that having an insecure Facebook account opens the door for someone getting access to your account and bombarding everyone you know with things like porn spam, phishing schemes, links to infect people with malware, people posing as you to commit fraud (such as posing as you to ask people for financial assistance for some personal emergency), or social sabotage.

Passwords are a mess, in general. Only a small minority exercise proper password security practices, there are too many sites that require passwords, and even those of us who want to practice good password security (and realize the importance of it) are burdened with the mess of having 30 different logins and passwords for different sites.

Dilbert (5, Funny)

KnightBlade (1074408) | about 4 years ago | (#33265686)

When it comes to passwords, this Dilbert comic comes to mind - http://dilbert.com/strips/comic/2007-01-17/ [dilbert.com]

Re:Dilbert (1)

Stargoat (658863) | about 4 years ago | (#33265820)

That's the kind of thing an idiot would have on his luggage!

It gets even worse... even different passwords (5, Interesting)

rsborg (111459) | about 4 years ago | (#33265764)

... don't necessarily help.

Facebook's founder knows the importance [businessinsider.com] of social media:

Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. In the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them.

So in this case, the victims didn't even have the same password, but accidentally used the email password for Facebook. Combined with a malicious site (which Facebook was for them) this can lead to leaked passwords.

The best solution to this is to use a password manager like 1Password, RoboForm or KeePassX. I find 1Password useful because it matches my password with the domain, preventing inadvertent entries. It's also a boon if you are developing with dozens of test and staging sites which change passwords often.

Re:It gets even worse... even different passwords (1)

The MAZZTer (911996) | about 4 years ago | (#33266014)

So long ago Facebook used to keep permanent logs of entered passwords (at least, failed or off-by-one-letter ones). I wonder what they do now.

Re:It gets even worse... even different passwords (1)

SleazyRidr (1563649) | about 4 years ago | (#33266202)

That's awesome on one hand, and scary on the other. I think I'll be a little more careful when I enter passwords from now on...

Potential Solution (0)

Anonymous Coward | about 4 years ago | (#33265770)

When you try to sign up for a site, it could try to login to the email you give it using the password you provide, assuming it supports a standard protocol or is a well-known site. If it succeeds, it can reject the chosen password.

OpenID? (0)

Anonymous Coward | about 4 years ago | (#33265784)

Lots of comments talk about password hashing, but where's the discussion on OpenID? You decide who proves that you are you, and how. Facebook Connect really needs to die and give way to email-based authentication (such as using your gmail/ymail as an openID).

3 passwords (1)

JeanBaptiste (537955) | about 4 years ago | (#33265804)

That's all I care to remember. One for critical things (like work email, anything requiring a #CC), one for semi-important things (like gmail account), and one where I don't really care if it gets hax0rd (slashdot, reddit etc).

Yes I do have various different logins for work vpns and servers, this is more for personal type stuff.

Crap... (1)

PmanAce (1679902) | about 4 years ago | (#33265890)

Time to go add a '1' at the end of my email password, be right back...

Well lets just... (2, Interesting)

Rivalz (1431453) | about 4 years ago | (#33265912)

Password protect our bios
Then our Hard drive
Then our Operating System
Then our router
Then our ISP
Then our Email
Then our website
Then our credit / bank cards (pins and codes)

I'm all for it, but the thing that bugs me is why can't we write a paragraph for our passwords, or at the very least a full sentence.
Usually 8-64 characters is the min/max range for an acceptable password. But what if I want my password to be the Gettysburg Address? Or maybe just the lyrics to a song. Why can't we have insanely complex passwords if we want? So until my password can be pi to the 100th digit, don't come complaining to me when my passwords are the same for everything.

Re:Well lets just... (2, Interesting)

Nadaka (224565) | about 4 years ago | (#33266206)

4#&7YagoR4fathers...

Internet security, nightmare mode (0)

Anonymous Coward | about 4 years ago | (#33265918)

* Generate a unique, 63-character random ASCII password with https://www.grc.com/passwords.htm for EVERYTHING

* Memorize them all. No writing down, no password keeping software, no re-rolling for easier passwords to memorize.

* 7 proxies, VPN, no items, fox only, final destination

SuperGenPass (1)

jridley (9305) | about 4 years ago | (#33265924)

I have the same password everywhere, but I use SuperGenPass so really I don't. I only have to REMEMBER one password, but what gets sent in to each site is different and looks like mWIfG7QG or something like that.

Re:SuperGenPass (0)

Anonymous Coward | about 4 years ago | (#33266096)

How certain are you that your password generating/remembering program isn't a trojan that is also sending the passwords it's generating, and the domain they were generated for, to its creator?

The problem with security is that ANY short cut that makes it less tedious for the user also makes it less secure.

Password policy (1)

stanlyb (1839382) | about 4 years ago | (#33265954)

That's why I have my own password policy. For stupid things like social sites, garbage emails, "required" registrations for something, etc., I use a WEAK password generator (my slashdot account has a weak password too, lol). For company accounts, I use INTERMEDIATE. And finally, for my own computer, emails, and other private accounts, I use a very STRONG password policy. Btw, the best password you could imagine is some sentence, or even a poem, but written in some specific way, or even language... Can you guess my 100-character-long password in the near future, keeping in mind that there is no written note of it?

firefox has that hash function (3, Insightful)

circletimessquare (444983) | about 4 years ago | (#33265980)

but there's no reason why you can't have your own hash function in your head

take a root password, say "penguin"

say you are creating a password for slashdot

so your password for slashdot is "penguinslashdot"

but for gmail it's "penguingmail"

this is an extremely simplistic algorithm. i'm just using it as an example to show you: remember a PASSWORD GENERATING ALGORITHM, not a password. then you have a unique password for every site, but you don't have to remember 500 different passwords

a REAL algorithm could be something like "the first letter of my root password plus the third letter of the website name's ascii character value plus 3 divided by my home phone number as a kid plus the second letter of my root password plus... etc"

or whatever

the actual password used for each site can be quite variable and the algorithm can still be hard to guess even with a hacker who knows three or four such passwords

the point is: you don't need to remember a password, you need to remember a password creating ALGORITHM, in your head, that only you know, which is infinitely more secure, but no harder to remember
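The three comments above (bradgoodman's pwdhash, jridley's SuperGenPass, and this one) all describe the same idea: memorise one secret and derive a different password per site from it. Here is an added example of that idea in Python; it is my own illustration, not the code of pwdhash, SuperGenPass or any Firefox feature. It keys an HMAC-SHA256 with the master secret and feeds it the site's domain, so a leaked site password does not reveal the master or any sibling password (unlike the "penguinslashdot" construction, where one leak exposes the rule), and it deterministically guarantees a digit, an uppercase and a lowercase letter for sites that insist on them. The domain normalisation and the 16-character default are assumptions of this example; a real browser tool would use a public-suffix list to find the registrable domain.

```python
import base64
import hashlib
import hmac
import string

# Added example (not the pwdhash, SuperGenPass or Firefox implementation):
# derive an unrelated password per site from one memorised secret.


def normalize_domain(site: str) -> str:
    """Reduce a URL or host to a lowercase host name.

    Simplified on purpose: strips scheme, path, port and a leading "www.".
    A browser tool would use a public-suffix list to get the registrable domain
    so that login.example.com and www.example.com derive the same password.
    """
    host = site.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("www."):
        host = host[4:]
    return host


def _ensure_classes(chars: list, digest: bytes) -> str:
    """Guarantee a digit, an uppercase and a lowercase letter, deterministically.

    Slot i is reserved for character class i and is only ever written by rule i,
    so each rule fires at most once and the loop always terminates.
    """
    rules = [(str.isdigit, string.digits),
             (str.isupper, string.ascii_uppercase),
             (str.islower, string.ascii_lowercase)]
    changed = True
    while changed:
        changed = False
        for pos, (present, alphabet) in enumerate(rules):
            if not any(present(c) for c in chars):
                # Pick the replacement from the digest so the result stays reproducible.
                chars[pos] = alphabet[digest[pos] % len(alphabet)]
                changed = True
    return "".join(chars)


def site_password(master: str, site: str, length: int = 16) -> str:
    """Derive a per-site password from the master secret and the site's domain.

    HMAC-SHA256 keyed by the master means that someone who learns one site's
    password cannot recover the master or compute another site's password,
    which is the property appending the site name to a root word lacks.
    """
    if not 8 <= length <= 43:
        raise ValueError("length must be 8..43 (one SHA-256 digest in base64url)")
    domain = normalize_domain(site)
    digest = hmac.new(master.encode("utf-8"), domain.encode("utf-8"),
                      hashlib.sha256).digest()
    # base64url keeps the output printable and free of quotes and spaces.
    raw = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]
    return _ensure_classes(list(raw), digest)


if __name__ == "__main__":
    # Constructed master secret, used only to show that the per-site outputs differ.
    for site in ("https://www.slashdot.org/", "gmail.com", "slashdot.org"):
        print(f"{site:28} -> {site_password('penguin', site)}")
```

The same master and the same domain always produce the same password, so nothing has to be stored; the cost, as with pwdhash, is that changing the master changes every site's password at once, and a site that forces a rotation needs an extra per-site counter mixed into the HMAC input.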

So many passwords... (1)

rickb928 (945187) | about 4 years ago | (#33266118)

...so little hope.

I now use 11 different combinations of 13 different passwords at work. A unique situation, yes.

But for personal, recreational access, I have only 16 different passwords for 22 different systems, from banking to email to social networks to my online servers. What a lot of fun. I have a list which is almost always obsolete, and keeping it in a PGP file is a nuisance. Teaching my wife how and where to open the file and get a password she hasn't used in months is no fun. She keeps a list of hers in the house. If they get into that, they've got everything anyway.

I've been trying to use OpenID more, but it's not universal.

Oh, and when my eBay password got compromised a few years ago, I sat right down and changed a BUNCH of other passwords... Just to be sure.
