Previous stories along these lines have shown things like that most bank employees surveyed would trade their passwords to secure financial systems for a Twinkie or a chance to win an iPhone, serious idiocy. But almost nothing this showed is actually a big deal. I end up in the "stupid" category on almost every question according to him, and I don't for a minute believe it's a security problem.
Shared passwords?
Absolutely, I share passwords to things with my girlfriend all the time. If she needs to order from a company I usually order from and doesn't want to set up a new account, if she needs to log into the home router, use a forum I'm a member of... whatever. Am I concerned at all about this? No. She lives in my home, she has continuous access to all my stuff, my wallet, my checkbook. Of course we both know the logons to all of each other's computers. If I didn't trust her, having my password to crutchfield.com is the least of my worries.
Same password for multiple sites?
You've got to be kidding me. I use a password management program, and it says I have 199 password files right now. You think I'm going to use unique, strong passwords for every forum I want to post in? If someone gets my password and goes around trying to guess every site I have an account at and what my common username/password combos are, what are they going to do, post a bunch of stuff that makes me sound like a jerk or something? Whole ton of work, practically no payoff.
Special characters?
Again, you do not need special characters for a strong password. A password does not need to get very complex before the chances of anyone guessing it or running an attack against it become almost nil. Unless you're a billionaire or it's a nuclear launch code or something, if you have a 10-digit password that's not susceptible to dictionary attack or really common guessing (kids' birthdays or such), no one's going to "guess" it anyway. I do things like pick two dictionary words I can remember and intersperse the characters, and then intersperse a number I can remember with extra characters to match the longer word. For example, say you go to the random word generator and get "coloring" and "rash." Then throw in a number you remember, like the age you were when you first rode a ten-speed, in my case, 11. Password:
croalsohr1i1ng
Incidentally, that's not actually what I do; my point is that a simple system like that will allow you to generate a bunch of somewhat memorable (if you can remember the root words and system) passwords that are arbitrarily strong for the average user. And if you never tell anyone what system you actually do use, the chances of anyone ever "guessing" a single password are so close to nil...
Using a significant date or pet's name?
Well, using one alone is not so great, but again, if it's a discussion forum where someone would have to know you use it to begin with, then guess both a username and password combination, and then the result is they get... nothing of value, then I still don't see it as a big deal. And even if you use the most obvious and important signifiers to plug into a "create a password" system like the above, but that you generate yourself, unless you're the president of a country, it's probably more secure than anyone would ever break.
Sharing a password in a text message?
Again, he's not distinguishing between the importance of passwords. Doing that with a bank account password? Insane. Doing that with your password to break.com? Who cares?
Password over public WiFi?
Same as above. Plus, what is the specific danger here? I usually assume anything online could be intercepted, and that that's what the encryption on secure sites is for. I guess public WiFi is especially vulnerable to man-in-the-middle attacks? I wouldn't use public WiFi for banking, but again, lots of things use passwords. I've certainly used Slashdot over public WiFi, and have yet to have my account stolen. How much does a hacked Slashdot account go for on the black market?
Check for a secure connection when accessing sensitive information when using unfamiliar computers?
OK, that's a real problem.
Never change their banking password?
What's the theory on that, anyway? That between the time your password gets compromised and the time they exploit it, that you'll happen to change it? How exactly does changing your password improve security?
Writing down passwords and hiding them somewhere like a desk drawer?
If the enemy has physical access to your home, computer, filing cabinets - honestly, you're pretty *$@!'ed. It's not ideal for high security passwords, but also not that insecure of a thing to do. Educating people about not downloading and installing malware is about 10,000 times more important than stopping people from writing down their passwords somewhere where the potential miscreant needs to physically break into your home to get them. If they can look through your desk drawer, they can probably install a keystroke logger.
Passwords with more than 10 characters in length?
Again, for low security passwords for forums, etc., who cares? And even for more important passwords - how many people's accounts are being attacked by brute force? Most important accounts stop letting you try after a few failed attempts. As long as your password isn't really easily guessable or, again, a nuclear launch code, nobody is going to assume it's short and launch a successful brute force attack against your credit card login because it's 6 characters instead of 10.