
(SeattlePI) 38 percent of adults would rather scrub a toilet than come up with a new online password, which explains why so many accounts get hacked and so many more toilets go unscrubbed (blog.seattlepi.com)
More: Stupid, Harris Interactive, online banking

1790 clicks; posted to Main on 24 Aug 2012 at 12:31 PM (3 years ago)



75 Comments

Archived thread
 
2012-08-24 03:09:41 PM  
It is easiest for the incompetent IT departments to make the user do hard stupid stuff. They could just have a 15 second delay to re-try your PW. And 3 strikes, you have to wait 15 minutes, then 5 characters would be over-kill. When I was working with classified stuff, they made us change every 60 days, AND the computer generated random strings for your password. iRFg6^8kQ~ Remember THAT sucker! The problem is not password strength, it is IT weakness. And it is my bank sending me an "important email", saying "Since email is not secure, please click HERE, and log on to your secure account for access to this important message." Honest to Google, it is really from the bank. They are training us to be stupid.
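A login throttle that implements the retry policy this comment proposes (a 15-second wait after any failed attempt, a 15-minute lockout after three strikes), as an added example that is not from the original thread; the timings are the comment's, and the injectable clock is an assumption so the policy can be exercised without real sleeps:

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

RETRY_DELAY = 15        # seconds a user must wait after any failed attempt
STRIKES = 3             # failed attempts that trigger the long lockout
LOCKOUT = 15 * 60       # seconds of lockout after STRIKES failures


@dataclass
class LoginThrottle:
    """Per-account strike counter plus a wait window (state kept in memory here)."""
    clock: Callable[[], float] = time.monotonic
    failures: Dict[str, int] = field(default_factory=dict)
    next_allowed: Dict[str, float] = field(default_factory=dict)

    def wait_remaining(self, account: str) -> float:
        return max(0.0, self.next_allowed.get(account, 0.0) - self.clock())

    def attempt(self, account: str, password_ok: bool) -> Tuple[bool, float]:
        """Returns (accepted, seconds_to_wait). A correct password presented inside
        a wait window is still refused, so the delay cannot be skipped by guessing."""
        wait = self.wait_remaining(account)
        if wait > 0:
            return False, wait
        if password_ok:
            self.failures.pop(account, None)
            self.next_allowed.pop(account, None)
            return True, 0.0
        strikes = self.failures.get(account, 0) + 1
        if strikes >= STRIKES:
            self.failures[account] = 0          # strike counter restarts after the lockout
            self.next_allowed[account] = self.clock() + LOCKOUT
            return False, float(LOCKOUT)
        self.failures[account] = strikes
        self.next_allowed[account] = self.clock() + RETRY_DELAY
        return False, float(RETRY_DELAY)


class FakeClock:
    """Constructed clock for the walkthrough below; replaces time.monotonic."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def walkthrough() -> List[Tuple[bool, float]]:
    """Constructed sequence of attempts against one account."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    steps = []
    steps.append(throttle.attempt("alice", False))   # strike 1: wait 15 s
    steps.append(throttle.attempt("alice", True))    # right password, too early: refused
    clock.advance(15)
    steps.append(throttle.attempt("alice", False))   # strike 2
    clock.advance(15)
    steps.append(throttle.attempt("alice", False))   # strike 3: 15-minute lockout
    clock.advance(16)
    steps.append(throttle.attempt("alice", True))    # still locked, 884 s left
    clock.advance(900)
    steps.append(throttle.attempt("alice", True))    # lockout over: accepted
    return steps
```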
 
2012-08-24 03:18:32 PM  
This story reminds me of my old IT manager who told me he would rather be buttfarked in the arse by an elephant over a table of broken glass than fix a got-damm printer. Only his was dirtier.
 
2012-08-24 03:26:02 PM  
When I used to work on the help desk, we would ask people their passwords when we worked on their PCs. One guy had 'f*ckyouselena' with a number after it. I think he was up to 30 something. Every time I saw him I feel like asking how Selena was doing.
 
2012-08-24 03:29:46 PM  
My foolproof method, haven't had to reset a password for years:

blog.securityactive.co.uk
 
2012-08-24 03:32:31 PM  
Mine is the number/letter combos for a couple of my favorite songs on the jukebox at my favorite dive. It's easy for me to remember, and it's total monkey type for someone that doesn't know what songs or what jukebox
 
2012-08-24 03:34:26 PM  

periboob: And it is my bank sending me an "important email", saying "Since email is not secure, please click HERE, and log on to your secure account for access to this important message." Honest to Google, it is really from the bank. They are training us to be stupid.


That sounds almost too stupid to be believed. That just sets their customers up to be phished. I'd change banks. If they are that stupid with something so obvious, you may get a visit from the FBI one day so that they can talk to you about why you are transferring money to al Qaeda. My CU sometimes sends me an email to tell me to go to their site and check my messages for an important, confidential one. But that is all it says. There is no link to the site.
 
2012-08-24 03:35:57 PM  

R66YRobo: Most password policies are asinine and counter-productive. Want your employees to make a 10 character alpha-numeric case sensitive password with inclusion of at least one symbol with a 3 month expiration? Awesome, I guarantee every password in your freaking company is written down somewhere near the computer it's used on, making all of that worthless by creating an even larger security risk than the one you were addressing. And about the only thing they are good against are brute force attacks that focus on dictionary words, hardly the most common or easiest form of system penetration. Your security is far more likely to get penetrated through other less obvious weaknesses, an employee downloading something (like a keylogger), or just good old fashioned social engineering. In the meantime, you've reduced company efficiency and created a headache for employees in a policy worthy of Dilbert's PHB.

And don't get me started on websites. I have no problem with forums and such having passwords, but they don't need the same level of security as my farking bank, especially when most of them have no personal info. I love it when they tell me a password is too weak, when I couldn't care less if someone else logged in as me most places. Oh no, someone might post as me on Fark, heaven forfend!

/there have been plenty of websites with ridiculous password requirements I didn't register with and just never went back to as a result


I used to intern at a government office where this was the case. Employees couldn't keep up with their password changes, so they were always written on sticky notes either in the drawer or sometimes in some clever secret place like under the keyboard. And the system itself wasn't any big deal, just a scheduling and document-transfer program for employee use only (because who else would want it).

The experience made me wonder how many of Anonymous's "amazing hack jobs" and such were done by initially just going around desks and finding passwords. Anyone can do it if you wear a janitorial-looking uniform and carry a bottle of 409 and now I've said too much.
 
2012-08-24 03:40:23 PM  
The problem is that every time you come up with a new password, you have to either memorize it, or write it down. You can only memorize so many passwords, and writing them down is insecure, so what other options do you have? The real pisser? I finally came up with one a few years ago that was absolutely PERFECT. It made sense to me, looks like gobbledygook when people glance over at it, the clue is misleading, and anyone I give it to (like my wife) who gets confused about the spelling can look it up.

Then a website that had it stored got hacked. They killed my 'perfect' password. Those bastards.

I now have 2 regular ones, one I use for places where I need the security, such as online retailers and Google, then I have one for sites like this that might get hacked. Seems to be the best I can do without having to remember 4,283 passwords all at the same time.
 
2012-08-24 03:42:01 PM  

Gyrfalcon:
I used to intern at a government office where this was the case. Employees couldn't keep up with their password changes, so they were always written on sticky notes either in the drawer or sometimes in some clever secret place like under the keyboard. And the system itself wasn't any big deal, just a scheduling and document-transfer program for employee use only (because who else would want it).

The experience made me wonder how many of Anonymous's "amazing hack jobs" and such were done by initially just going around desks and find ...


I'd wager most of them. The lesson in all of this is that security is not a technology problem, it is a people problem. You start with people, and provide them technology tools to be secure. You do not start with technology and expect that people will conform to fit its requirements.
 
2012-08-24 03:44:19 PM  

Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be a minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.


We have to do the same at my company, but we can reuse after 3 times, and we can go sequentially, so everyone just tacks a number to the end, and restarts after '9'.
 
2012-08-24 03:48:31 PM  

fracto: You should never have to tell someone in IT your password. There should be an IT user on the machine for maintenance.


Sorry, we don't have issues here logging onto the local machine, it's when we have to log onto specific users' Citrix accounts, or log directly into their email. 'Local machine' was ok 5 years ago, but with all of the virtualization nowadays, the local machines are just a portal. I can't discover anyone's password, I can only reset it, so if someone is out, and I need to log onto their Citrix to make changes, which occasionally happens, or I have to log in with them, and their machine is down, they have to tell me their password, or else I have to change it and find some way to get it to them without using their account.
 
2012-08-24 03:51:23 PM  
I just stick my dick in the USB port, and they somehow figure out that it's me trying to log in, every time.
 
2012-08-24 04:04:14 PM  

Oldiron_79: Mine is the number/letter combos for a couple of my favorite songs on the jukebox at my favorite dive. It's easy for me to remember, and it's total monkey type for someone that doesn't know what songs or what jukebox


now that's CORRECT horse BQ

(beats up a horse and calls the doctor)
 
2012-08-24 04:27:39 PM  
I usually either take a quote that I know by heart and use the first letter of each word, and combine it with proper capitalization and/or an associated date and/or some other related piece of info.

e.g.

"Space: the final frontier. These are the voyages of the starship Enterprise. Its five-year mission: to explore strange new worlds

StffTatvotsEIfymtesnwGR1966

Or, I'll use a phone number I know by heart but that's not personal enough for someone to guess, along with some related info.

e.g.

5882300ECwgn
 
2012-08-24 04:28:25 PM  
And for the record, neither of those are passwords that I actually use.
 
2012-08-24 04:33:41 PM  

JackieRabbit: periboob: And it is my bank sending me an "important email", saying "Since email is not secure, please click HERE, and log on to your secure account for access to this important message." Honest to Google, it is really from the bank. They are training us to be stupid.

That sounds almost too stupid to be believed. That just sets their customers up to be phished. I'd change banks. If they are that stupid with something so obvious, you may get a visit from the FBI one day so that they can talk to you about why you are transferring money to al Qaeda. My CU sometimes sends me an email to tell me to go to their site and check my messages for an important, confidential one. But that is all it says. There is no link to the site.


Indeed. It seems like US banks are notorious for being stupid when it comes to such things: I bank with USAA who is one of the more clueful banks around. They decided to "solve" the authentication issue by addressing mail to my full name as it appears on the account and by including the last four digits of my account number in the top-right corner of the message. Stupid, and trivially vulnerable to a replay attack. That, or bad guys could just type in random numbers and assume that nobody ever checks. Until recently, their "two-factor" authentication consisted of asking for my username, password, and a four-digit PIN. Now at least they have a VeriSign VIP one-time-password option which is nice (though I can't for the life of me understand why they don't just use Google Authenticator or a compatible system: it's free for them and the users).

Since I moved to Switzerland for grad school, I've been impressed. When I opened the account in person the bank gave me my login ID number and a little calculator-like device. A few days later I received the login PIN via registered mail. The next day I got my bank card (with a smartcard chip), also by registered mail. The following day they sent me a temporary password. To access my account I have to enter my login ID number and password, then their system presents me with a one-time, 8-digit "challenge" number. I insert my card into the calculator thing, type in the challenge on the site, hit enter, enter my PIN, hit enter, and the device computes the appropriate response. I enter the response into the field on the site and I'm in. (The challenge/response digits are derived in part from my card number so only my card can compute the correct response.)

All email from the bank is digitally-signed using S/MIME, even their monthly newsletter. All documents produced by the bank (such as PDF bank statements, payment confirmations, etc.) are digitally signed and timestamped from a third-party, trusted timestamping service. The certificate authority and timestamping service are run by the Swiss post office. *Everything* can be verified to be legitimate and not tampered with.

Why the hell can't US banks have even the most rudimentary security?
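A simplified model of the card-reader login described in the comment above, written as an added example and not the bank's actual scheme: the per-card key, the HMAC-based 8-digit response, the PIN check inside the reader and the sample login IDs are all assumptions; the page only states that the response depends on the card and that each 8-digit challenge is one-time. The walkthrough shows why a wrong PIN, a replayed response and another customer's card all fail:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

DIGITS = 8  # the site shows an 8-digit challenge and expects an 8-digit response


def compute_response(card_key: bytes, challenge: str) -> str:
    """Assumed scheme: keyed MAC of the challenge, truncated to DIGITS decimal digits."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


class CardReader:
    """Models the calculator-like device: nothing is computed until the PIN is right."""
    def __init__(self, card_key: bytes, pin: str) -> None:
        self._card_key, self._pin = card_key, pin

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        if not hmac.compare_digest(pin, self._pin):
            return None                      # wrong PIN: no response is produced
        return compute_response(self._card_key, challenge)


class BankServer:
    def __init__(self) -> None:
        self.card_keys: Dict[str, bytes] = {}   # login id -> per-card key (assumed model)
        self.pending: Dict[str, str] = {}       # login id -> outstanding one-time challenge

    def enroll(self, login_id: str) -> bytes:
        key = secrets.token_bytes(32)           # in the model the key lives in the chip
        self.card_keys[login_id] = key
        return key

    def issue_challenge(self, login_id: str) -> str:
        challenge = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self.pending[login_id] = challenge
        return challenge

    def verify(self, login_id: str, response: Optional[str]) -> bool:
        challenge = self.pending.pop(login_id, None)   # single use: a replay finds none
        if challenge is None or response is None:
            return False
        expected = compute_response(self.card_keys[login_id], challenge)
        return hmac.compare_digest(expected, response)


def walkthrough() -> Dict[str, bool]:
    """Constructed exchange: enrol two cards, then log in with the first one."""
    bank = BankServer()
    my_reader = CardReader(bank.enroll("1234567"), pin="4711")
    other_reader = CardReader(bank.enroll("7654321"), pin="4711")
    results = {}
    challenge = bank.issue_challenge("1234567")
    results["wrong_pin_refused"] = my_reader.respond("0000", challenge) is None
    response = my_reader.respond("4711", challenge)
    results["login_ok"] = bank.verify("1234567", response)
    results["replay_rejected"] = not bank.verify("1234567", response)
    challenge2 = bank.issue_challenge("1234567")
    results["other_card_rejected"] = not bank.verify("1234567", other_reader.respond("4711", challenge2))
    return results
```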
 
2012-08-24 04:39:38 PM  

Gyrfalcon: R66YRobo: Most password policies are asinine and counter-productive. Want your employees to make a 10 character alpha-numeric case sensitive password with inclusion of at least one symbol with a 3 month expiration? Awesome, I guarantee every password in your freaking company is written down somewhere near the computer it's used on, making all of that worthless by creating an even larger security risk than the one you were addressing. And about the only thing they are good against are brute force attacks that focus on dictionary words, hardly the most common or easiest form of system penetration. Your security is far more likely to get penetrated through other less obvious weaknesses, an employee downloading something (like a keylogger), or just good old fashioned social engineering. In the meantime, you've reduced company efficiency and created a headache for employees in a policy worthy of Dilbert's PHB.

And don't get me started on websites. I have no problem with forums and such having passwords, but they don't need the same level of security as my farking bank, especially when most of them have no personal info. I love it when they tell me a password is too weak, when I couldn't care less if someone else logged in as me most places. Oh no, someone might post as me on Fark, heaven forfend!

/there have been plenty of websites with ridiculous password requirements I didn't register with and just never went back to as a result

I used to intern at a government office where this was the case. Employees couldn't keep up with their password changes, so they were always written on sticky notes either in the drawer or sometimes in some clever secret place like under the keyboard. And the system itself wasn't any big deal, just a scheduling and document-transfer program for employee use only (because who else would want it).

The experience made me wonder how many of Anonymous's "amazing hack jobs" and such were done by initially just going around desks and find ...


I've read that several of them were social engineering more so than what most people think of as "hacking", but take that for what it's worth. I'd be willing to bet that most "hacks" are either exploiting known vulnerabilities that an IT dept. hasn't taken care of or are socially engineered. All that said, I'm hardly a computer security expert, so I could be grossly off base on my view of the threat.
 
2012-08-24 04:56:24 PM  
As someone who regularly sees errors that effectively mean "Password too complex", it's the alternate verification questions that kill me. The stock questions are usually bits of trivia known or easily guessed by half of anyone's facebook contacts. Some are easily guessed by anyone. I've seen "Where did you meet your spouse? (City name only)", so you are discouraged from using anything actually hard to guess like "A Molly Hatchet concert" or "#lonelypervs on irc". Of course you don't have to and absolutely should never use accurate/correct answers here, but many have character filtering that makes a password-strength value impossible.

My favorites at least let me write in my own question. Those are great when they're used on phone support. "So, OccamsWhiskers, you naughty, naughty boy, what are you wearing?" But I can't bring myself to answer with a real punchline, it's always an attempt at a secure answer like "The fish have tennis".
 
2012-08-24 06:09:14 PM  
For extra security, I always use hunter2
 
2012-08-24 06:40:38 PM  

Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be a minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.


Same here at work. Bonus is that we have passwords for:

OS #1
OS #2
The internal bloggy web site that marketing people put their perky shiate on.
A brand new internal bloggy web site because marketing people have a short attention span.
Bug Tracking Tool #1
Bug Tracking Tool #2
(repeat infinitely on bug tracking tools - engineers have short attention spans, too.)

Then, there is the little key fob with the RSA number.

Oh, yeah, they rolled out something to log into all the above with one password and scuttled it within 30 minutes because it was Epic Fail.
 
2012-08-24 06:45:21 PM  
Jon iz teh kewl: Oldiron_79: Mine is the number/letter combos for a couple of my favorite songs on the jukebox at my favorite dive. It's easy for me to remember, and it's total monkey type for someone that doesn't know what songs or what jukebox

now that's CORRECT horse BQ

(beats up a horse and calls the doctor)


horse BQ? What's that?
 
2012-08-24 07:21:29 PM  
Just goes to show how Farking little imagination most of the brain-dead masses have!
P.S. I ain't touchin' NO toilet!
 
2012-08-24 07:34:17 PM  

R66YRobo: I've read that several of them were social engineering more so than what most people think of as "hacking", but take that for what it's worth. I'd be willing to bet that most "hacks" are either exploiting known vulnerabilities that an IT dept. hasn't taken care of or are socially engineered. All that said, I'm hardly a computer security expert, so I could be grossly off base on my view of the threat.


No more am I; but it's just hard for me to imagine serious criminal hackers huddling over their computers and trying to find either known or unknown vulnerable spots when the stuff they need is usually out on people's desks for all to behold. Or at the very least, hanging around free wifi spots with a laptop and just intercepting all the transmissions as they go out, which is what I would do if I knew how. And was criminally inclined; but that's why I don't use wifi.
 
2012-08-24 07:50:35 PM  

Alonjar: I just can't stand that every website has completely different password rules. Oh, I need 3 letters and both upper and lower case with a symbol for this one..... fark


Came here to say this. Also: requiring special characters. Pfft. Then there are the accounts you use literally once a year, like to file taxes.
 
2012-08-24 08:37:39 PM  
I hate how 'insignificant' websites (blogs, coupon sites, etc.) always require the strictest and strangest of password combinations....uppercase, lowercase, numbers, special characters (I really hate that one), etc. Like come on, I don't care if someone really steals my password to save 50 cents on Cheerios.
 
Displayed 25 of 75 comments
This thread is archived, and closed to new comments.