The Psychological Reasons Behind Risky Password Practices (helpnetsecurity.com) 210

Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."
  • Passwords exist (Score:2, Informative)

    by Anonymous Coward

    That's the reason.

    • Re:Passwords exist (Score:4, Informative)

      by thsths ( 31372 ) on Friday September 30, 2016 @04:16AM (#52987561)

      Passwords suck. Even with SSO, even with a password manager, even with salting and hashing, passwords suck, and will always suck.

      You need an authentication token. *One* authentication token. Microsoft can do it, Google can do it, Facebook can do it (but of course they are not compatible).

      Millions of little websites still use passwords.

      • Re:Passwords exist (Score:5, Insightful)

        by johannesg ( 664142 ) on Friday September 30, 2016 @06:29AM (#52987855)

        Passwords suck. Even with SSO, even with a password manager, even with salting and hashing, passwords suck, and will always suck.

        You need an authentication token. *One* authentication token. Microsoft can do it, Google can do it, Facebook can do it (but of course they are not compatible).

        Millions of little websites still use passwords.

        And then Microsoft makes use of Windows 10 (or compatible Windows Phone devices) mandatory for their SSO. Google randomly decides to just drop the whole SSO business. Facebook suspends your account because some asshole from Brazil has complained about one of your holiday snaps. What now? Will you just rebuild your whole online identity? Or forget about the dozens of sites you were participating in?

        • by chihowa ( 366380 )

          He's talking about an authentication token, not SSO. A real cryptographic token will take a challenge from the website and sign it with your key (possibly after entering a PIN) to prove that you are in possession of the token (and know the PIN). There's no way that this is tied to any one provider, because it's not SSO. (See PIV, OpenPGP card or any number of similar approaches.)

          The tokens in use now are all TOTP or HOTP-type tokens where you generate a hash that proves that you and the authentication serve

      • Re:Passwords exist (Score:4, Insightful)

        by Opportunist ( 166417 ) on Friday September 30, 2016 @06:44AM (#52987907)

        There are three possible kinds of security factors. Something you know, something you have and something you are (or, more cynically, something you can forget, something you can lose and something that can be chopped off). They all have their advantages and disadvantages, but saying that one is superior to the others is simply and plainly wrong.

        And the key reason, btw, why pages don't do it is simple: When people forget their password, resetting that is easy (plus they get your email address so you can reset it in the first place), but if you lose the token...

      • Re: (Score:3, Insightful)

        Centralized authentication and entropy sources for encryption keys is certainly the wet dream of all law enforcement and intelligence services of the world, but it makes zero sense from a security perspective. Zero.
      • SQRL!

  • Reality is... (Score:2, Interesting)

    by Anonymous Coward

    ... corporations are the ones making the world insecure by forcing things online and to have online accounts to track everything. They create massive attack surface in their mad quest for transparent user/customer data and profit.

  • Cognitive Load (Score:5, Insightful)

    by Jarik C-Bol ( 894741 ) on Thursday September 29, 2016 @09:05PM (#52986785)
    The way I see it, password reuse is a matter of cognitive load. Most people are unable or unwilling to attempt to remember the umpteen dozen unique passwords they would need on a daily basis, if they were to attempt to use unique secure passwords on every service/device they use. This results in password reuse, more or less out of sheer laziness. It is probable that among this group, there is a cognitive bias against using password keychain services and tools, because it 'feels' like putting all your eggs in one basket. (somewhat flawed) Logic dictates that if someone breaches the master password to your keychain, and they have all of them, which is no different than using the same password everywhere. (of course, this is not entirely the case, but like I said, cognitive bias)

    Now, as for using 'good' passwords, it follows a similar pattern, with most people unwilling to dedicate the time and effort to memorize what amounts to a 'good' password, when they can remember their spouse's birthday and their first pet's name just fine.
    Of course, we have seen time and time again articles arguing both sides of the court, that long random passwords are either effective or not, and correct horse battery staple passwords are effective or not, so this portion of the discussion is going to be long, stupid and frustrating for evangelists on both sides.

    Honestly, I've reached a point where I use 'good' passwords where it matters, (main email, financial items, Amazon etc) and just sort of hope for the best when I re-use the same 'decent' password everywhere else (forums, etc)

    I say 'good' because we're at a point there have been enough breaches that we're all probably fucked anyways.
    • For big brute force attacks like the Yahoo breach, it's all about length (assuming you don't choose something in a wordlist). Correct horse battery staple passwords are ok but they need a bit of punctuation. A random char password is never getting cracked unless it's too short.
      • I remember a long time ago (probably like 20 years ago now) doing a password audit using l0phtcrack. Us IT guys got our passwords cracked in about a day of it running. We were using 6 - 8 character passwords with upper/lower/numbers/symbols.

        The password that took the longest (actually, it ran for a week and never got cracked) turned out to be 2 dictionary words concatenated together with a number in between them. No upper case, no symbols. It just turned out that it was all about length.

        That made me a belie

    • The sane fix would be to push web standards that require all passwords be hashed with server-provided salt on the user's side prior to being sent over an HTTPS connection to the server.

      Websites meeting this standard could have fancy little badges of honor to display on their homepage.

      Websites failing to meet this standard should be regularly listed in security advisories, companies could discourage or forbid their employees from using these websites, your web browser should warn you that your password
      • To clarify, what this would do is allow people to reuse a quality password with all websites and apps that adhered to this standard. If any one site was subject to a data breach, this would only give the attackers access to the hash and the salt; they wouldn't be able to reconstruct your password (as long as it was a good password), thus they wouldn't be able to log in to any other website you used the same password with as long as the hashing algorithm remained secure (e.g. as long as collisions couldn't b
      • All that does is prevent an attacker from intercepting the plaintext password at the server, as it is received and decrypted by the server. The Yahoo breach compromised the hashed passwords, so whether they were hashed by the server or hashed by the client makes no difference.
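      The client-side hashing scheme proposed above, together with the objection in the reply that a leaked table of client hashes is just as useful to an attacker, worked through as an added example (this is not code from the thread). The wire protocol, the PBKDF2 parameters, the class names and the sample password are assumptions; the point it shows is that the client hash is a password equivalent for the site that stored it, so a site has to hash it again before storing, and even then offline guessing against the leaked record is still possible.

```python
"""Client-side pre-hashing with a server-provided salt, and what a stolen
user table gives an attacker under two server designs.

Added example, not code from the thread.  The wire protocol, the PBKDF2
parameters, the class names and the sample password are all assumptions.
"""
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000  # assumed client-side work factor


def client_prehash(password: str, client_salt: bytes) -> bytes:
    """What the browser sends instead of the plaintext: PBKDF2-HMAC-SHA256
    over the password with the per-user salt the site issued at sign-up."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), client_salt,
                               CLIENT_ITERATIONS)


class NaiveServer:
    """Stores the client hash verbatim.  Whoever copies the table can log in
    by sending the stored value back, no cracking required."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, password: str) -> None:
        client_salt = os.urandom(16)
        self.users[user] = {
            "client_salt": client_salt,  # handed to the client at login time
            "verifier": client_prehash(password, client_salt),
        }

    def login(self, user: str, prehash: bytes) -> bool:
        return hmac.compare_digest(self.users[user]["verifier"], prehash)


class HardenedServer:
    """Treats the client hash as the password it effectively is: hashes it
    again with a server-only salt before storing, so the stored verifier
    cannot be replayed as a login."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _verifier(prehash: bytes, server_salt: bytes) -> bytes:
        return hmac.new(server_salt, prehash, hashlib.sha256).digest()

    def enroll(self, user: str, password: str) -> None:
        client_salt, server_salt = os.urandom(16), os.urandom(16)
        prehash = client_prehash(password, client_salt)
        self.users[user] = {
            "client_salt": client_salt,
            "server_salt": server_salt,
            "verifier": self._verifier(prehash, server_salt),
        }

    def login(self, user: str, prehash: bytes) -> bool:
        rec = self.users[user]
        return hmac.compare_digest(rec["verifier"],
                                   self._verifier(prehash, rec["server_salt"]))


SAMPLE_PASSWORD = "correct horse battery staple"  # constructed sample


def legitimate_login_works(server_cls) -> bool:
    """Happy path: the client fetches its salt, pre-hashes, and logs in."""
    srv = server_cls()
    srv.enroll("alice", SAMPLE_PASSWORD)
    salt = srv.users["alice"]["client_salt"]
    return srv.login("alice", client_prehash(SAMPLE_PASSWORD, salt))


def stolen_table_logs_in(server_cls) -> bool:
    """Breach: the attacker has the whole user row and nothing else, and
    tries to log in with the stored verifier as if it were the client hash."""
    srv = server_cls()
    srv.enroll("alice", SAMPLE_PASSWORD)
    stolen_row = dict(srv.users["alice"])
    return srv.login("alice", stolen_row["verifier"])
```

      In both designs the plaintext never reaches the server and the per-site client salt means a password reused on another site is not exposed directly. What the client-side hash does not buy is protection against offline guessing: the stolen row contains the client salt, so an attacker can still run a dictionary through the same PBKDF2 (and, for the hardened server, the extra HMAC), which is the dictionary-attack problem the rest of the thread is about.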
    • I agree. Maintaining many passwords and changing them regularly is demanding. It's no use to exhort people to try harder (it only shows the person doing the exhorting does not understand the situation). Some people devise clever strategies but in general it's better to ask people to use a password manager so they don't even have to memorize the password.

    • by AmiMoJo ( 196126 )

      If the company cares even slightly about security, they offer 2 factor authentication.

  • Encrypt all data on their own end? If staff walk away with data or someone enters the network, nothing useful can be fully recovered?
    The site works with the username and weak password on creation to ensure better server side protection against plain text walk outs, usable network data loss or buying into cheap "standard" reversible crypto?
    Could an extra layer of security be added to data on an network, during storage and real time use be added?
    Expecting users to change habits and still enjoy a site is a
    • Go through your text, and everywhere where it says "password" change it to say "passphrase."

      The password-setting step, where you have the user initialize their password, should also say "don't re-use the same passphrase that you use somewhere else." Just say it. (If users want to ignore it, fine. You can't help people who don't want to be helped.)

      This doesn't fix all the problems, but it fixes the most, in the smallest amount of time/effort. One of your interns can do all this in a single morning.

      ...

      After t

  • by darkain ( 749283 ) on Thursday September 29, 2016 @09:14PM (#52986813) Homepage

    Or maybe the complex passwords *ARE* the problem. Who the hell can remember 100 different complex passwords?

    Repeat after me: TWO FACTOR AUTHENTICATION!

    Use a simple password and an authenticator that produces a one-time password.

    • two factor authentication is great when done correctly, worse than useless when done poorly.

      "security questions" are not 2 factor authentication. They are just low entropy passwords.

      If 2 factor includes a device, then there needs to be some way to authenticate if that device is stolen when you are in a remote location. That of course also breaks the concept - but what is the alternative?

      Bio-metrics can work if they can be made sufficiently reliable,

      • by Zumbs ( 1241138 )

        If 2 factor includes a device, then there needs to be some way to authenticate if that device is stolen when you are in a remote location.

        Another horrible version of 2 factor authentication is when the device is a smart phone that you are using to log onto the service in question.

        • Like, say, text message transaction codes sent to a smartphone used to do online banking.

          And please don't think nobody would be stupid enough to do that.

        • by AmiMoJo ( 196126 )

          Smart phones are at least somewhat secure, if you bother to set a good password.

          Even fingerprints are enough to defeat most thieves, not that many of them will be bothering to log in to your email on the off chance there is something useful there. They will try to wipe and dispose of the phone as quickly as possible.

    • by d0ran$ ( 844234 )

      This works for me:
      1. Don't bother to remember or write down password.
      2. Get the application to send me a password reset.
      3. Change the password to some long random thing.
      4. Login do my stuff
      5. Logout, rinse, repeat.

      Pros:
      Don't need to remember password.
      Password can be long and complex.
      Kind of like 2 factor auth.

      Cons:
      Works only for places that provide password reset (who doesn't?)

      • That's pretty much what someone did at an office I worked before.

        They had a system where someone could call IT to say they forgot their password, which resulted in their account being locked and a new password was generated. What this person did was to call IT as the last thing before he went home, said he forgot his PW, had his account locked, then next morning he would show up, pick up his password "for the day", enter it, shred the paper it was printed on, do his stuff, call IT at noon with a lost pas

  • Password fatigue (Score:2, Interesting)

    by Anonymous Coward

    Look no further than the simple explanation: Password fatigue.

    It's not uncommon in a large employer to have 6-10 passwords to different systems, all with different rules. And they change every 30-60 days.

    Naturally, this causes users to write them down, sometimes on stickies under their keyboard (agh), sometimes on the stickies program on their frickin desktop (ARGH).

    Rather than lamenting this obvious fact, it's time we change standards to recognize what REALLY happens, instead of what SHOULD happen. (Refe

    • going to do a quick count of how many pwds I deal with at work: ...
      49.
      I have 49 separate pwds I need to know to do my job.
      of those *several* are in a one-note file that is on a secure server so others with the same need to know can remain synchronized.
      Three or four of these also require a SecurID or similar token.
      Only two are committed to memory.

      nb

  • I often come up with nice long passwords that would take decades to crack, but the system won't let me, so I end up with some sort of keyboard pattern that *gasp* shockingly gets repeated with shift held down to double the characters and this allows the minimum number and symbol count. If they removed the stupid rules, we could use good passwords.
    • Paypal, the assholes, only allow 20 characters max. Apparently they were running out of bits and have to save money somewhere. Anyway, that's not the aggravating part. The aggravating part is when you enter the password, it just truncates to 20 without telling you. Then you go to log in with the password you just set and find it doesn't work. It doesn't work because you've entered too many characters, but it lets you enter them when setting the password...it just throws the extras away and performs the set!

  • by FeelGood314 ( 2516288 ) on Thursday September 29, 2016 @09:37PM (#52986875)
    A good password is hard for a computer to guess and easy for a human to remember and enter. That is the only metric we should be using for passwords. Screw the 100 different sites and work logins that expect me to have a different password for each. I have a couple of sites that I value enough to use secure passwords on, the rest Password1! is good enough.

    Work policies that require 8 characters, 1 upper, 1 lower, a number, a symbol and change every 3 months are guaranteed to result in everyone eventually adopting Common1! where Common is any common 6 letter word and the number 1 increments every 3 months.
    • I have seen argued by experienced security professionals that any password that can be remembered is probably easy to crack with current CPU based systems.

      • Not to mention current GPU-based systems. Add 2 characters. Now, who is able to remember a 14-digit random password? No one. So let's give up on brute force and just implement attack detection on the web interface. The rest is futile.
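  The length-versus-complexity argument running through this thread (the l0phtcrack story, "Common1!", the 14-character random password), put into numbers as an added example (not code from the thread). The guess rate, the dictionary size, the symbol count and the Word+digits+symbol pattern are assumptions; the point is that a complexity rule credits "Common1!" with a 95-character alphabet while an attacker who knows the shape searches a few million candidates.

```python
"""Search-space estimates for the password shapes argued about in this
thread: what a complexity rule credits a password with versus what an
attacker who knows the common shapes actually has to try.

Added example, not code from the thread.  The guess rate, dictionary size,
symbol count and the Word+digits+symbol pattern are assumptions.
"""
import math
import re
import string

GUESSES_PER_SECOND = 1e10   # assumed: a small GPU rig against a fast unsalted hash
DICTIONARY_WORDS = 10_000   # assumed: the common words an attacker tries first
TRAILING_SYMBOLS = 14       # assumed: the handful of symbols people actually append
DICEWARE_WORDS = 7776       # size of the standard five-dice word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# A word, 0-4 digits, 0-2 trailing symbols: the "Common1!" shape.
COMMON_SHAPE = re.compile(r"^([A-Za-z]{3,12})(\d{0,4})([!@#$%^&*?.,_+=-]{0,2})$")


def nominal_bits(password: str) -> float:
    """What a 'use upper, lower, digits and symbols' rule implicitly assumes:
    every character drawn uniformly from the union of the classes present."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation or c == " " for c in password):
        alphabet += 33
    return len(password) * math.log2(alphabet)


def attacker_bits(password: str) -> float:
    """What a dictionary-plus-rules attacker searches: if the password fits
    the common shape, count dictionary x capitalisation x digits x symbols
    instead of the full alphabet; otherwise fall back to the nominal figure."""
    match = COMMON_SHAPE.match(password)
    if not match:
        return nominal_bits(password)
    _word, digits, symbols = match.groups()
    keyspace = (DICTIONARY_WORDS * 2            # word, lower-case or capitalised
                * 10 ** len(digits)             # appended number
                * TRAILING_SYMBOLS ** len(symbols))
    return math.log2(keyspace)


def passphrase_bits(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Randomly chosen words: strength comes from the count, not the spelling."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: the whole space at the assumed rate."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def report(password: str) -> dict:
    return {
        "nominal_bits": round(nominal_bits(password), 1),
        "attacker_bits": round(attacker_bits(password), 1),
        "years_to_exhaust": years_to_exhaust(attacker_bits(password)),
    }
```

  `report("Common1!")` gives about 52.6 nominal bits but 21.4 attacker bits, a fraction of a second at the assumed rate; `report("xK7$pQ2m")` has no recognisable shape and keeps its 52.6 bits; `passphrase_bits(5)` is about 64.6 bits, roughly 90 years at the same rate. The estimator is deliberately simple (it does not model concatenated-word passwords or keyboard walks), which is also the lesson: a policy can only measure shape, and attackers search shapes.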
  • by Brett Buck ( 811747 ) on Thursday September 29, 2016 @09:39PM (#52986881)

    A password is intended to ALLOW access. If I come up with random "complex" passwords, I will either have to write them down, or use some sort of password safe, because they are intrinsically not "mnemonic". For many things I just don't care very much, and I have to have dozens to hundreds of new passwords a year.

    There has to be a compromise between security and functionality, and people are making that compromise.

  • by Gravis Zero ( 934156 ) on Thursday September 29, 2016 @09:41PM (#52986889)

    It's quite simple, remembering passwords is a mental burden that you rarely find anywhere else in life. For our possessions, we have physical keys that provide weak security and we expect law enforcement to ensure a violation of that weak security and our insurance companies to replace our losses. The closest thing in real life is remembering people's names and there is a common set of names people have that are phonetic as well. If you want to solve the password issue, people need a physical object (a key) that will authenticate them. We will all carry a key like this and once again rely on our weak physical security which requires physical proximity to undermine.

    • by AmiMoJo ( 196126 )

      Phones make good keys. They have multiple layers of security (physical, then an unlock code or fingerprint), the good ones are encrypted by default and everyone carries them anyway.

      Computers should have NFC pads so they can do a secure challenge/response kind of thing when logging in to sites, like how mobile payments work.

  • by Shane_Optima ( 4414539 ) on Thursday September 29, 2016 @09:46PM (#52986903) Journal
    I recently lost an email account I've had since I was twelve apparently due to one of the eBay breeches. Yes, I used the same password for both (never got around to changing them after I made the transition to randomized passwords) so it's my fault, right?

    How about great big "fuck you" instead? How about a wall of shame for every website that does not hash passwords, with salt, prior to transmission over the internet? This is kiddy level shit here. The slowest smartphone in the world should be able to do this in its sleep.

    And the majority of sites still have incredibly stupid password policies, almost all forcing you to use special characters and numbers instead of long passphrases which, if properly constructed (such as via dicewords), can be considerably more secure than the average "unicorn16!" type password. Some sites even impose a ridiculous maximum length policy, and some sites also forbid certain special characters, probably for some horribly depressing reason like they can't be bothered to make sure the password field can't be used for SQL injection or overflow attacks.

    Work passwords aren't much better. The constant changing is completely pointless; everyone either uses a very simple incrementing number system (often tied to the current month) or they use Post-Its. A sane alternative would be to track logins and alert the user and/or security admins of unusual times or locations and to use keyfiles on smartcards or regular USB drives.

    I've checked the literature and these ridiculous practices are still being taught to people studying for CompTIA certifications. Can't someone please... I don't know, do something about this? Can't we have some industry leaders say that they're no longer recognizing CompTIA Security+ or Network+ certifications as worth anything? This shit has been going on for far too long, and in an effort to make up for their shitty password infrastructure many places are adopting painfully annoying supplementary security systems.
    • I forgot to include the obligatory xkcd on dicewords: https://xkcd.com/936/ [xkcd.com]
    • *breaches. In before the pantaloons wisecrack.
  • Because the biggest single problem my customers have is remembering passwords, the first thing I tell them is write them all down in a safe place. Everyone has a good place they can hide a sheet of paper.

    I'm fully aware that a significant fraction of the password cheat sheets will end up taped to the monitor, but in my customer demographic the online threat and the physical breakin threat are totally disjoint. Even their laptops seldom leave the house.

  • by Antique Geekmeister ( 740220 ) on Thursday September 29, 2016 @11:22PM (#52987125)

    > Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols.

    These requirements profoundly _discourage_ secure passwords. The difficulty of remembering them, and typing them well at a hidden password field, strongly encourage storage of passwords locally in cut&paste text windows or in local plaintext password storage. The current champion application for this security failure is AWS, which stores complex randomized alphanumeric strings which _no one_ can remember, forcing their default inclusion in plaintext local user files or even hardcoded in saved wrapper scripts.

    I'm afraid that robust password generation was much better explained and documented in an old XKCD cartoon, https://xkcd.com/936/ [xkcd.com]

  • by Cochonou ( 576531 ) on Friday September 30, 2016 @12:02AM (#52987197) Homepage
    As written in the summary:

    My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security.

    But among all the accounts that people have, how many of them are really worth the effort to reduce the hacking risk? I'd think a lot of people reuse the same passwords on many sites, because they do not really care if they are hacked on most of their accounts. Actually, this is kind of hinted at in TFA:

    Additionally, consumers prioritize their password strength based on which accounts they believe need to be the most secure. Respondents indicated that they create the strongest passwords for financial (69 percent), followed by retail (43 percent), social media (31 percent) and entertainment (20 percent).

    That would seem to indicate that if people reuse many passwords, they still don't use the same one for their bank and for facebook... It is strange the TFA asked people if they thought their accounts had value to hackers, but didn't go as far as asking the surveyed people what value they perceived themselves in their accounts.
    • When I read "doing so while fully understanding the risk" I thought, where is the paradox? We make decisions like this all the time. There is risk in simply getting up in the morning.
  • If servers would just be smart about always requiring a captcha for each additional login attempt, and limit amount of login attempts, email on failed login attempts, have timeouts between login attempts...
    Well, then passwords don't have to be strong. This doesn't fix password reuse though :)
    • Most password cracking is done by stealing the database with the password hashes and then using some GPU based system to crunch those against known rainbow tables and some well known tricks people use to create passwords.

      None of what you suggest would make any difference.

      • by Junta ( 36770 )

        crunch those against known rainbow tables

        Note that this *also* would be a sign of an incompetent site. Password databases should be impervious to rainbow tables. Also, a GPU would not really be that useful for a rainbow table. A rainbow table is a precomputed table of hashes, meaning it's a straight lookup rather than actually having to perform the hash calculation. A competent site would have a sufficiently long random salt incorporated to render rainbow tables impossible.

        Of course, dictionary attacks against offline database are still a probl
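  The distinction Junta draws above, a precomputed table that is a lookup versus a dictionary attack that has to recompute per account once salt is involved, as an added example (not code from the thread). The candidate list, the three-user table and the iteration counts are constructed for illustration.

```python
"""Why per-user salt kills precomputed tables but not dictionary attacks.

Added example, not code from the thread.  The candidate list, the user
table and the iteration counts are constructed for illustration.
"""
import hashlib
import os

# Constructed candidate list: the top of an attacker's dictionary.
CANDIDATES = ["123456", "password", "letmein", "dragon", "Common1!", "qwerty"]


def unsalted_hash(password: str) -> str:
    """How the incompetent site stores it: one fast hash, same for everyone."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """How the competent site stores it: per-user salt and a tunable cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def precompute_table(candidates) -> dict:
    """Built once, offline, before any breach, and reusable against every
    unsalted database in the world.  A rainbow table is a compressed form
    of this idea; the lookup-not-compute property is the same."""
    return {unsalted_hash(c): c for c in candidates}


def crack_unsalted(stored: dict, table: dict) -> dict:
    """Pure lookups: zero hash computations at crack time."""
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(stored: dict, candidates, iterations: int) -> tuple:
    """The table is useless because every user's salt changes the hash, so
    each account costs a fresh run through the dictionary.  Returns the
    cracked users and the number of KDF evaluations spent."""
    cracked, work = {}, 0
    for user, (salt, digest) in stored.items():
        for candidate in candidates:
            work += 1
            if salted_hash(candidate, salt, iterations) == digest:
                cracked[user] = candidate
                break
    return cracked, work


def build_unsalted_db() -> dict:
    """Constructed user table: alice and bob picked dictionary words."""
    return {
        "alice": unsalted_hash("password"),
        "bob": unsalted_hash("dragon"),
        "carol": unsalted_hash("zx9!Qm3vT"),
    }


def build_salted_db(iterations: int) -> dict:
    """Same three users, each with a fresh random salt."""
    rows = (("alice", "password"), ("bob", "dragon"), ("carol", "zx9!Qm3vT"))
    db = {}
    for user, password in rows:
        salt = os.urandom(16)
        db[user] = (salt, salted_hash(password, salt, iterations))
    return db
```

  Against `build_unsalted_db()` the table recovers alice and bob without hashing anything. Against `build_salted_db(1)` the same two fall to the dictionary, but only after 12 KDF evaluations (two for alice, four for bob, six wasted on carol), and running it with `iterations=100_000` turns each of those into a deliberately slow computation. Salt turns a lookup into work and a slow KDF makes the work expensive; neither rescues "password" or "dragon", which is the residual problem the comment above is pointing at.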

  • Long story short (Score:3, Informative)

    by wonkey_monkey ( 2592601 ) on Friday September 30, 2016 @02:44AM (#52987451) Homepage

    Begin article.

    Passwords are a chore to remember. People are lazy.

    End article.

  • The reason people re-use passwords is overwhelmingly because so many sites require them. A vanishingly small percentage of the population could realistically expect to remember what may be 100 or more passwords to manage all their online activities. The variations in password acceptance across all those sites is equally irritating ("Do not use special characters" "You must use at least one special character" "Password must be at least 8 characters" "Password must be exactly six characters" etc etc).

  • passwords should contain uppercase and lowercase letters, numbers and symbols

    No, far more effective would be minimum password (phrase) length. People thinking 8 characters are fine as long as it is leet-speak is a problem. The way most people use uppercase, numbers, and symbols make the dictionaries a little more tedious, but not *that* much more so.

    Sure, the most secure approach is totally random, but if people insist on it being human friendly, number of characters is the key point to emphasize.

  • It's not about understanding the risks. It's about considering the dangers to be significant. I reuse passwords all over the place, and most of my passwords are very simple. And I understand that because of my behaviour, it'd be very easy to hack into my slashdot account. There's no paradox there. I don't consider my slashdot account to be vital. If someone wants to hack into my slashdot account, I could care less. I'll get another slashdot account. It was free the first time. It'll be free the sec

  • The issue is that GPU scaling has exceeded the functional life of passwords. So we make longer more complex passwords and next year or the next some GPU breakthrough will enable those to be broken in reasonable time. It's just a delaying action against the inevitable death of passwords as a valid authentication option.
