Passwords and Convenience
Off the Beat: Bruce Byfield's Blog
The cracking of at least six million passwords from LinkedIn this week (http://www.bbc.co.uk/news/technology-18338956) had me scrambling to change my own password. It also has me considering whether LinkedIn is a social media site I could do without. But mainly, it has me thinking how predictable -- and, in many ways, how useless -- the response has been.
The problem is not that LinkedIn hasn't handled the situation well by the usual standards. The company responded quickly, and posted blogs telling users what was happening, what would happen, and how to set a strong password (http://blog.linkedin.com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/).
Probably, most users are unaware of the blog, but that wasn't the real problem. The problem was that the blog dished out the usual advice -- things like make your password a mixture of characters, don't write it down, don't use the same password for every site, and change it every few months.
All this is sound advice, in keeping with the best security practices. Unfortunately, though, most users are going to ignore some or all of the points. Security requires care and thought, and the majority of users are going to choose short-term convenience over care and thought every time.
Unclear on the concept
If you have any doubts, consider the surveys of the leaked passwords. All the passwords that security experts tell you not to use, such as "qwerty," "password," and "123456," are among those that were cracked. Others, such as "linkedinpassword" and "ihatemyjob," would be easy to guess in the context of the LinkedIn site (http://www.geek.com/articles/news/linkedin-passwords-cracked-here-are-the-worst-2012067/#).
What these passwords suggest to me is that many users are unaware of what a password is for. At most, they must see passwords as simply a way to make sure they open their own data. The idea that the password might protect their data doesn't seem to have occurred to them, or they would pay more attention to choosing a good one. If they are aware of security, then I suspect that they have concluded that the chances of anyone wanting to crack their accounts are so remote that they can ignore it.
Either way, many people seem to act like the Facebook users who chatter away about their private concerns, unaware that anyone who comes along can read what they are saying -- an attitude so prevalent that charges were brought against a number of participants in last year's Stanley Cup riots in Vancouver based on their boasting online.
Mind you, I can't say I'm surprised. When friends and neighbors ask me for computer help, I almost never find them using passwords. If I add even a simple one -- let alone a strong one -- invariably, I find it's been removed the next time I help out. Apparently, it's not inconvenient to haul computers into the shops to get viruses and trojans removed every six months or so, but it's unacceptably inconvenient to spend ten seconds entering a password. Very likely, the only reason their wireless routers have passwords is because the setup programs insist on one these days.
This attitude is hardly unique. A few years ago, a small business was even offering notebooks for recording your passwords (http://web.archive.org/web/20080516004343/http://www.analogonbook.com/). The site emphasized the convenience of these notebooks compared to writing your passwords on scraps of paper. It also suggested that the notebook was more secure than storing passwords online, although to be any use, the notebook would presumably be left close to a computer.
But, for me, the strongest indication of how the average user regards passwords was a survey done in 2004 on the London subway. A man offered a chocolate bar in return for the office passwords of passersby -- and seventy percent made the exchange (http://www.nytimes.com/2004/04/25/weekinreview/ideas-trends-your-password-please-pssst-computer-users-want-some-candy.html?_r=1).
When the study was repeated three years later, the number who gave their password was sixty-four percent (http://www.theregister.co.uk/2007/04/17/chocolate_password_survey/). The number was only twenty-two percent at an IT conference, but when asked if the password was something like the name of their pet and engaged in conversation, another forty-two percent eventually revealed their passwords indirectly.
The list of weak LinkedIn passwords suggests that nothing has changed. Despite the efforts of security experts, many people still fail to understand why passwords matter and why they should choose a strong one.
In my experience, when taxed with not using a strong password, most users will give an embarrassed grin then go right on using a weak one -- assuming they use one at all.
Realistic security
Under these circumstances, no wonder alternatives like fingerprints or picture passwords (http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx) are being considered. However, fingerprint authentication has failed to catch on, and I suspect that picture passwords will be too easy to crack. At any rate, for better or worse, conventional passwords are likely to predominate for some years to come.
So, what, if anything, can be done to improve how passwords are used? The pessimist in me says very little. You can enforce strong passwords with packages that disallow weak ones, but that only means that users are more likely to write their passwords down. Close one security problem and another pops up to replace it.
However, I suspect that security experts may have been too uncompromising in their efforts to educate the average user. Instead of telling people not to use the same password on every site, maybe they should advocate setting up a list of four to six words that can be recombined to produce different passwords while still being easy to remember. Instead of repeating the characteristics of a strong password, maybe they should advocate using the initial letters of a line from a favorite song. Add a few numbers and special characters, and the result would be a strong password that users would actually remember.
Even if the result was not as strong as it could be, it would probably be good enough for average users -- besides having the added advantage that they might actually use it.
The point is, we know that security will never be as important to the average user as convenience. Perhaps it's time to stop delivering lectures that are going to be ignored and start developing ones that have some chance of being listened to. The result might not be ideal security, but it could be considerably better than what we have now.
Comments
Password managers
I use a popular password manager with Linux and Windows versions - including portable - that keeps the info in a database file which I store in an encrypted online location. I can get at my passwords from anywhere (risky yes but protected twice with strong passwords). The inconvenience of using a password to get at the database file, and using another password to open it, is outweighed by the convenience of having a different strong password for every online site I use and not needing to remember them all.
LastPass
Passwords and Convenience
Numeric substitution is very old news and yes there are already dictionary attacks that know this and try the variations.
As for putting the month in the password, you might as well not bother; again, it's a standard attempt for the password cracking algorithms.
Any password that uses dictionary words (with or without the standard numeric substitutions) is fairly easy pickings for these scammers. Again, given the stupidity of a lot of users you've got away with it for now, but if the standard user's knowledge increases even by a small extent, you may find your accounts being compromised (I hope they don't).
I now use random 32-char mixed-case alpha, numeric, and punctuation marks for my important passwords.
(If the server/software allows that complexity, and if not I look for another service/site that will.)
These scammers can have thousands of botnet machines trying to crack your accounts. Generally they aren't interested in getting your account cracked; they just want to crack any account. They tend to pick the 'low-hanging fruit', and yours so far has evaded that.
I strongly suggest a more rigorous password regime, I mean, better safe than sorry!
Passwords and Convenience
For example, I live in Osoyoos, BC, Canada. If I was stupid enough to use that as a password (I'm not), I could make it 0 (zero) 5 0 (zero) y 0 (zero) 0 (zero) 5. 050y005 is definitely harder to guess or do a dictionary search on.
Since I'm European and grew up with a basic grasp of German, French and Italian, taking a foreign language translation of your English word and then numerizing (is there such a word?) that makes me fairly confident that passwords I use aren't going to be cracked in a hurry.
Of course a quick regex could be run on a standard dictionary to replace letters with numbers fairly quickly, making a dictionary attack using that new list possible as well, but it would add significantly to the time an attack would take to run (but then there are the permutations, for example replace o with zero, but don't replace it if it's the first letter of the word).
Finally for passwords I change monthly, I add the month as text to the pwd string, as a postscript in odd months, prescript in even months.
Once you have a rule for 'your' passwords, I think you'll be getting close to unbreakable for most attacks that are designed to find the obvious. Yet you will still have logical remember-able ones.
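As an added illustration of two points above (this is not code from the article or from its commenters): the article's suggestion of building a password from the initial letters of a memorable line, and the commenters' warning that digit-for-letter substitution and a month glued onto the front or back of a word are already covered by cracking rule sets. The checker below undoes both tricks before doing a word-list lookup, so the substituted and month-tagged forms are judged the same as the plain word. The word lists, the substitution map, the sample passwords and the MIN_BITS threshold are constructed assumptions for this example, not figures from the page.

```python
"""Password-policy check that undoes the tricks discussed on the page.

Constructed example (not code from the article or its commenters): before
looking a candidate up in a word list it reverses digit-for-letter
substitution and strips a month name used as prefix or suffix, so
"050y005" and "050y005may" are judged the same as "osoyoos".  All word
lists below are tiny constructed samples, and MIN_BITS is an assumed
policy threshold, not a figure from the page.
"""
import math
import re
import string
from typing import List, Optional, Set

# Constructed: weak passwords quoted in the article (from the LinkedIn leak).
COMMON_PASSWORDS = {"qwerty", "password", "123456", "ihatemyjob"}

# Constructed stand-in for a cracking dictionary.
DICTIONARY = {"password", "osoyoos", "canada", "chocolate", "monday", "hello"}

# Substitutions that cracking rule sets already try; the commenter's own
# "0 for o, 5 for s" scheme is among them.  Assumed mapping for this example.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

MIN_BITS = 50.0  # assumed minimum strength, not taken from the page


def normalized_forms(password: str) -> Set[str]:
    """Every spelling a rule-based cracker would derive the password from."""
    base = password.lower()
    forms = {base, base.translate(LEET_MAP)}
    for form in list(forms):
        for month in MONTHS:
            if form.startswith(month) and len(form) > len(month):
                forms.add(form[len(month):])      # month as "prescript"
            if form.endswith(month) and len(form) > len(month):
                forms.add(form[:-len(month)])     # month as "postscript"
    return forms


def estimate_bits(password: str) -> float:
    """Upper bound on entropy from length and the character classes used.

    This overstates the strength of patterned strings (a song line is far
    from random), which is why the word-list checks run first.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def weakness_reasons(password: str, site: Optional[str] = None) -> List[str]:
    """Return the reasons a password fails; an empty list means it passes."""
    reasons = []
    forms = normalized_forms(password)
    if forms & COMMON_PASSWORDS:
        reasons.append("on a common-password list")
    if forms & DICTIONARY:
        reasons.append("dictionary word once substitutions and month affix are undone")
    if site and site.lower() in password.lower():
        reasons.append("contains the site name")
    if estimate_bits(password) < MIN_BITS:
        reasons.append("too short for its character set")
    return reasons


def passphrase_initials(line: str, extras: str) -> str:
    """The article's suggestion: the initial letters of a memorable line,
    with a few digits and symbols (extras) chosen by the user appended."""
    initials = "".join(word[0] for word in re.findall(r"[A-Za-z]+", line))
    return initials + extras


if __name__ == "__main__":
    # Constructed samples: the article's weak examples, the commenter's
    # substituted place name with and without a month, and a song-line password.
    samples = ["123456", "050y005", "050y005may", "linkedinpassword",
               passphrase_initials("Twinkle, twinkle, little star, how I wonder what you are", "#1962")]
    for pw in samples:
        print(f"{pw!r:>20}: {weakness_reasons(pw, site='linkedin') or 'passes'}")
```

The month-tagged "050y005may" is long enough that its character-set estimate alone would clear the threshold, yet it is still rejected, because once the zeros and fives are mapped back and the month stripped it is simply the dictionary word. The initials of a song line with a few extra characters appended pass both checks; the character-set figure is only an upper bound, so on a real system the word-list stage, not the entropy estimate, is the check that carries the weight.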
Passwords and Convenience
As for notebooks for passwords, recent opinion has flowed back towards storing a hard copy of your passwords in a secure place at home/work. As anyone trying to compromise your account(s) would really have to try hard and burgle your house to get the hard copy ( assuming they are not easily guessable ).
Remember no method is 100% secure; all you do is make your passwords or data harder to get at than most other people's so that the casual scammer bypasses your info and goes for easier pickings.
It's very much like securing your car.
chocolate password
Not sure of the value of changing passwords - sooner or later people give up and resort to adding a digit to the end of a good (or bad one) every month.
Re: Password security mistake
But I agree that having to memorize another strong password every month is likely to discourage a lot of users. Unless their sysadmin enforces the change, they won't do it.
Password security mistake
Passwords and Convenience
How are people supposed to learn good enough passwords? Ever heard of dictionary attacks etc? People should be using passwords good enough to defeat attacks, therefore they must write them down and then secure the paper.
Plenty of good computer security experts agree, the "don't write down your password" advice leads to poor passwords that are easy to defeat.