Comments on: Password handling: challenges, costs, and current behavior (now with infographic)
http://www.welivesecurity.com/2012/12/04/password-handling-challenges-costs-current-behavior-infographic/
News, Views, and Insight from the ESET Security Community
Mon, 03 Feb 2014 08:49:00 +0000

By: Janina
http://www.welivesecurity.com/2012/12/04/password-handling-challenges-costs-current-behavior-infographic/#comment-3791
Mon, 10 Dec 2012 18:46:07 +0000
http://blog.eset.com/?p=15733#comment-3791

I have to admit, my main reason for not using password management applications is that I have no idea which ones may be trustworthy. I have a small number of passwords that I use across a variety of sites. I use the same low-security password (dictionary word plus a two-digit number) for virtually all low-security sites. Those are sites that require registration but do not have anything but publicly available information about me. I have 4-5 higher security passwords that I use for more important websites. I rarely change them, except for my work account. The real trouble comes in remembering my user names. For sites I care about, I write myself emails detailing the website name, the user name, and a cryptic note to myself about which password I used.

By: Curt Coker
http://www.welivesecurity.com/2012/12/04/password-handling-challenges-costs-current-behavior-infographic/#comment-3790
Mon, 10 Dec 2012 04:30:33 +0000
http://blog.eset.com/?p=15733#comment-3790

I find it completely implausible that anyone memorizes all their online passwords, unless (uh-oh) they are all the same! Most people who are active online should need dozens of passwords. IMHO, we desperately need a secure way of using biometrics instead of passwords.

By: Stephen Cobb
http://www.welivesecurity.com/2012/12/04/password-handling-challenges-costs-current-behavior-infographic/#comment-3789
Thu, 06 Dec 2012 18:22:03 +0000
http://blog.eset.com/?p=15733#comment-3789

Bill — Your points are well taken. I would love an opportunity to test answers against practice. For example, do the people who say they use complex passwords really use them?
Your point about bias toward "right" answers may explain the higher percentage of older people giving the right answer more often.
However, we have done two different surveys this year in which only 32% of people reported having had any kind of security training, ever. For my money, that's a big part of the problem, right there.
Stephen

By: David Harley
http://www.welivesecurity.com/2012/12/04/password-handling-challenges-costs-current-behavior-infographic/#comment-3788
Thu, 06 Dec 2012 15:29:36 +0000
http://blog.eset.com/?p=15733#comment-3788

Bill, I have to agree. Good passwords are the ‘right’ answer to the wrong question. :(

By: Bill Cheswick
http://www.welivesecurity.com/2012/12/04/password-handling-challenges-costs-current-behavior-infographic/#comment-3787
Thu, 06 Dec 2012 14:36:52 +0000
http://blog.eset.com/?p=15733#comment-3787

The results are suspect, in my opinion. Many people have received enough security "training" to know the "right" answers to these questions, and I suspect they tend to bias the answers.
Over the years I have had a steady stream of people confide in me that they are violating this password rule or that, perhaps seeking absolution. The fact is that most of these password rules aren't useful any more: the threats have changed.  We now have keystroke loggers, phishing sites, powerful dictionary attacks, and massive data spills from authentication systems.  The rules taken from 1980s timesharing passwords are only slightly relevant today, though still a pain in the neck.
ches
