FYP / Dissertation Research - Computers and Passwords


Archmagus Micael

Hi all,

Some of you will probably remember me, the newer guys probably not so much - I've been mostly lurking the last few years now.

I'm currently working on my Final Year Project (essentially our Dissertation) for University, and was wondering if some of you guys wouldn't mind spending 5-10 minutes filling out a survey for my research. It's a quick survey trying to study password habits amongst computer users. I took a wild stab in the dark and assumed you guys all use computers of one sort or another ;).

If you have some time that would be very much appreciated; the survey can be found here :):

http://kwiksurveys.c...g0044318&refer=

Thanks!

- Archmagus Micael

you guys all use computers of one sort or another

I don't, actually. I project my posts onto this forum by sheer force of will. But no worries; it's a common misconception. ;)

I use passwords on all devices, of course, and I make an effort to use secure ones too. But I have no illusions that my data would be protected against someone who had physical access to my devices for more than ten minutes (two minutes if they're one of my CS classmates). I'm not even particularly good at this, and just yesterday I taught my dad how to reset his root password using an unprotected bootloader in under a minute.

You can't plan for security until you know what kind of attacks you expect and want to prevent. Physical access is just about the hardest to protect from, and the only thing that can protect against that is drive encryption. A far more likely threat is malware or a remote attack (particularly of your accounts on web services). Those are the passwords that matter.

I use this method for my passwords.

I can't help but feel nervous at some of these questions. I understand the intent, but it's the tech equivalent of: "Do you lock your doors at night?" "Where do you sleep?" "Do you keep a weapon by your bedside?"

So... Yes, No and No.

Edited by אראנכאיתאר
edit: I am a caffeinated CS student. I do not sleep.

I don't put sensitive information in someone else's hands, that simple. Anything really sensitive is pgp-encrypted to myself, either by just using one key or using both my key and my IRL key.

As for keeping sensitive files on mobile devices, I used to keep an ssh key on it to log into my server to edit stuff, but no longer do so since I no longer need to edit stuff using my iPod.

I just checked, and the only thing I have on my iPod that is somewhat-protected (other than the OS's password-protection unlocking, which I use a text password for (none of that 4-digit crap), and the 10-incorrect-guesses-wipe thing), is a digit-protected Dropbox that contains Important Financial Documents I last looked at like two years ago. So yeah, not that big of a deal if that device gets compromised.

Edited by صيلي
for the sake of clarity I should mention that Important Financial Documents == porn

I don't really do anything sensitive on my computer, nor do I have a lot of information stored here that couldn't be accessed on, say, my Facebook. That's my best form of digital security. The only thing I'd be worried about is my email address, and then only marginally.

That said, I do have a series of passwords, some individualized and some mass-used depending on how much I care about the particular security of that site and the information on it.

First thing that came to mind upon reading this thread was an NPR bit on PIN numbers. As for me, I have just over 10 longer-than-16-digit passwords that I use. I also have them written down on a paper next to my computer. Nowhere on the paper does it say where to use any of the passwords, as I only keep that stored in my head.

Edit: The center tab of an Excel spreadsheet has never looked so fine before. I love a good set of numbers in a string of formulas.

you know what pisses me off

when a site says your password is too long.

because that means either they are storing it in plaintext instead of hashing it, or they are incompetent morons.

Edited by صيلي
and of course storing user passwords in plaintext makes you an incompetent moron, so really there's no way to not be an incompetent moron
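A worked illustration of the point in that post, added here and not taken from the thread: a salted PBKDF2 record (iteration count and digest length are choices assumed for this example) is the same size whether the password is 8 digits or a 200-character sentence, so nothing on the storage side forces a site to cap password length.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example; tune iterations to your hardware budget.
ITERATIONS = 600_000
DIGEST_LEN = 32  # bytes of derived key stored per user


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record: random per-user salt, iteration count and digest.
    The digest is always DIGEST_LEN bytes, whatever the length of the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, DIGEST_LEN
    )
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    expected = bytes.fromhex(record["digest"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]),
        record["iterations"], len(expected),
    )
    return hmac.compare_digest(digest, expected)


def stored_size(record: dict) -> int:
    """Bytes of digest on disk; identical for every password length."""
    return len(record["digest"]) // 2


if __name__ == "__main__":
    bank_style = hash_password("12345678")  # the 8-digit policy complained about
    sentence = hash_password("Inside of a dog it's too dark to read. " * 5)
    print(stored_size(bank_style), stored_size(sentence))  # same size
    print(verify_password("12345678", bank_style))
```

One caveat from my side: bcrypt, unlike PBKDF2, silently truncates input at 72 bytes, which is the one storage-side reason a site might legitimately cap length near that value.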

you know what pisses me off

when a site says your password is too long.

because that means either they are storing it in plaintext instead of hashing it, or they are incompetent morons.

my bank requires my internet banking password to be exactly 8 digits long. not letters, not symbols, digits

i think it's so that you can enter it on a phone keypad but why would you ever want to do that in tyool 2012

My favorite experience was getting one of those regularly-scheduled "you must change your password (to something almost identical but with an incremented number somewhere)" emails, doing so, and losing access. I called support, support asked me if I was entering the right password... and read my password back to me. I confirmed it, and the support person asked what I'd like it changed to. I gave her a new password, verbally rattling off the random numbers and punctuation, and then it worked.

—Alorael, who didn't like the idea of plaintext passwords. He liked easily accessed plaintext even less. But the idea that he could have that password changed with a phone call and no authenticating credentials? That really makes the memory a treasured one.

Oh, hey, it's you! Welcome back (even if it's only briefly)!

Thanks :). Don't seem to have time to play spidweb games as much anymore, so lurking suits me better.

You skipped a question on whether passwords are related to user (family pet, birthday, ...) or randomly generated to make it easier to remember.

I did - that was actually by omission rather than forgetting to do so. As anonymous as this is, I didn't want anyone to worry that I was asking them incredibly detailed questions on a site where it's possible for me to find real identities. I mean, the chances are negligible for most people on here, but I'm also going to ask the same questions at work, where I do know everyone's names.

I don't, actually. I project my posts onto this forum by sheer force of will. But no worries; it's a common misconception. ;)

My bad, I guess that's what using the Geneforge does to a person :p.

I use passwords on all devices, of course, and I make an effort to use secure ones too. But I have no illusions that my data would be protected against someone who had physical access to my devices for more than ten minutes (two minutes if they're one of my CS classmates). I'm not even particularly good at this, and just yesterday I taught my dad how to reset his root password using an unprotected bootloader in under a minute.

You can say the same about locks and locksmiths though. Most people won't be CompSci / CompSec Students / Majors.

I can't help but feel nervous at some of these questions. I understand the intent, but it's the tech equivalent of: "Do you lock your doors at night?" "Where do you sleep?" "Do you keep a weapon by your bedside?"

I think it's more like "do you keep your valuables in a safe?", "what make and model safe is it?" and "Do you really think they're safe?" *cue evil laughter*.

But yes, in all seriousness, it's why I tried not to ask too-personal questions.

...I only use three different passwords but all of them are at least twelve characters in length.

According to research then, if you were an average person you would only have 18 different sites to log in to (each person uses a password an average of 6 times).

—Alorael, who didn't like the idea of plaintext passwords. He liked easily accessed plaintext even less. But the idea that he could have that password changed with a phone call and no authenticating credentials? That really makes the memory a treasured one.

Sounds like a social engineer would have a field day at that company.

Thanks for all of the input so far guys, you've been great :). If a tad on the healthy paranoid side ;).

- Archmagus Micael

You should opt to change that. like aran linked, good passwords aren't hard. Look, a generator if you aren't feeling creative

"describe mares spider twenty". that simple.

Edited by صيلي
the first thing i thought of was a weird pony-liking 20yo spider filling out his online dating profile.

It's actually easier than that. As long as you aren't limited by length, you can make passwords memorable by linking them to the site. "Inside of a dog it's too dark to read." is a perfect password for any book- or literature-related site, for example. "[Company/Site Name] sells X" works for anyone selling just about anything. They're a little long to be entered frequently, but for rare use you'll remember them, they're very unlikely to be guessed unless you use favorite sayings, and it's hard to get more secure than full sentences except maybe by misspelling and throwing in that awful random punctuation.

—Alorael, who notes that the company that displayed utter failure to understand security also handles material covered by HIPAA. They're not just insecure, they're possibly violating serious laws by failing to be secure.

you know what pisses me off

when a site says your password is too long.

because that means either they are storing it in plaintext instead of hashing it, or they are incompetent morons.

Or both, IMHO. I once went on to my bank's website to create an online account, but decided against it when I learned I had to create a password exactly 6 alphanumeric characters long. Needless to say, I didn't create the account.

I prefer long passwords, especially if the allowed length has both a high lower limit and no upper limit. My passwords tend to be around a dozen or so characters, but some have a length of 20 or more, if the site allows.

like aran linked, good passwords aren't hard. Look, a generator if you aren't feeling creative

"describe mares spider twenty". that simple.

Nice generator; and I like that it has multiple languages, so you can combine them to create some passwords that are possibly really tough to crack.

However, FYI: If you click "Generate another" enough times, words will begin to repeat. Keep clicking, and you'll get some weird phrases, like "herd society government slipped," "body tales raise three," or "carry branch stems too." Yes, those were actual results.
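To put numbers on the word-generator posts above and the 8-digit and 6-alphanumeric bank policies mentioned earlier, here is an added example (my own code, not the linked generator): a word-list passphrase generator with a CSPRNG, the entropy of each policy, and the birthday-style calculation behind the observation that words start repeating. The 12-word list is constructed for the demo, and 36 symbols assumes a case-insensitive alphanumeric policy.

```python
import math
import secrets
from typing import Callable, List

# Constructed 12-word list for the demo; a real generator draws from
# thousands of words (Diceware-style lists have 7776).
WORDLIST = ["describe", "mares", "spider", "twenty", "herd", "society",
            "government", "slipped", "body", "tales", "raise", "three"]


def generate_passphrase(n_words: int = 4, wordlist: List[str] = WORDLIST,
                        choice: Callable[[List[str]], str] = secrets.choice) -> List[str]:
    """Draw n_words uniformly and independently (with replacement), which is
    what a 'Generate another' button does; secrets.choice is a CSPRNG."""
    return [choice(wordlist) for _ in range(n_words)]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def repeat_probability(list_size: int, n_words: int) -> float:
    """Chance that some word appears twice in a phrase of n_words drawn with
    replacement from list_size words (birthday-problem calculation)."""
    p_all_distinct = 1.0
    for i in range(n_words):
        p_all_distinct *= (list_size - i) / list_size
    return 1.0 - p_all_distinct


def compare_policies() -> dict:
    """Entropy of the thread's bank policies versus a 4-word phrase from 7776 words."""
    return {
        "8 digits (bank)": entropy_bits(10, 8),
        "6 alphanumeric (bank)": entropy_bits(36, 6),
        "4 words of 7776": entropy_bits(7776, 4),
    }


if __name__ == "__main__":
    print(" ".join(generate_passphrase()))
    for name, bits in compare_policies().items():
        print(f"{name:24s} {bits:5.1f} bits")
    # With only 12 words, a 4-word phrase repeats a word ~43% of the time.
    print(f"repeat chance, 12-word list: {repeat_probability(12, 4):.2f}")
```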
