Okay...and? (Score: 1)
This is probably more of an Ask Slashdot type of post, but I'm reading through the article, and I know anyone can agree on "LOL u texted me ur password via text its abc123" and its immediate idiocy scale.
Looking to the more proactive side of things, I have to question how we best fix this. Let's take a look at three of the suggestions:
"One site, one password"
Okay, this makes sense. Let's play this out, because I think this is a common one with solid foundations for why many of us do it. I have an awesome password. My password is "23mQi*f4". This is a secure password, and it works great for my online banking site.
I also pay my credit card bills online. Okay, no problem. "galacticpotato84%jfd(" is my password for that one.
3 more credit cards, 2 web forums, three news sites, one credit union, 5 gaming sites, 2 web email accounts, and an Amazon account later, I now have almost 20 passwords, all of which are unique, and you're telling me I can't save any of these credentials in my browser? And I shouldn't write them down, obviously.
So now I need to, in a perfect world, have a next-world memory, or some sort of security manager for all these passwords. As a technology professional, I'm not even sure of the best answer to this (my closest guess is a password manager, but that's an all-your-eggs-in-one-basket kind of deal); certainly you can't expect regular Joes to know how to handle this.
"Change your passwords often!"
Again, at face value, no one is questioning this. This makes sense. But when you get down to applying it - now I've got 18 passwords that need to be updated yearly/monthly/whatever. This is more an extension of the problems outlined above than a brand new set of problems, but it definitely complicates things.
"Make your password unique"
This seems to go in direct conflict with the first point. I need 20 different passwords for 20 different sites, each with its own unique, yet "memorable sentence" (as the site says) structure.
I'm not arguing any of these points, I think they make sense, and I think it's really easy to laugh at someone whose password is hunter2, and it is texted, emailed, and shared with everyone and their mom.
I think it's a lot harder to proactively fix this in a reasonable way that the masses can consume. It's EASY to say "Change your password, idiot". But really, how do we get this assimilated into our culture? Furthermore, what is it really helping? In all these studies I've never seen anything that's, to me, functionally useful, i.e.:
- Risks of using a shared but secure password (not written down, committed solely to memory, shared with no outside persons or systems; 64-character string, alphanumeric + special)
- Risks of using unique, secure passwords that are stored in external media (Written on a piece of paper and stored in a safe, stored in a password manager)
- Risks of using semi-unique, secure passwords that are committed to memory using some sort of algorithm (i.e.: Amazon - i04&f_24amazon, eBay - i04&f_24ebay, Slashdot - i04&f_24slashdot)
My problem with these articles is everyone knows the basics, and even those that don't know the basics can easily comprehend "This is bad, don't do this". What is never emphasized is how to easily transition to a better scheme, and what it actually offers you. Maybe I've been jaded and corrupted by the corporate world, but if you can't give me some idea of an ROI, all I'm going to do is look at your proposed plan or idea and then ignore it and move on to the more critical issues to me.
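Added example, not part of the comment above: a small breach-impact simulation of the third scheme the commenter lists (a memorised stem plus the site name) next to a keyed variant that the comment does not mention. The keyed variant (HMAC-SHA256 of the site name under the memorised secret, base64, truncated to 16 characters) is an assumption chosen here to show the difference; the stem `i04&f_24` and the site list are constructed sample values taken from the comment's own illustration. The point it makes concrete: once one naive-scheme password leaks in plaintext, an attacker who recognises the pattern gets every other account for free, whereas with the keyed scheme the leak only helps an attacker who can already guess the master secret.

```python
"""Breach impact of a stem+site password scheme vs. a keyed derivation.

Added example; the HMAC derivation is an assumed alternative, not something
the commenter proposed. MASTER_SECRET and SITES are constructed sample data.
"""
import base64
import hashlib
import hmac

MASTER_SECRET = "i04&f_24"            # the stem from the comment, reused as a master secret
SITES = ["amazon", "ebay", "slashdot"]


def naive_password(master: str, site: str) -> str:
    """Scheme as written in the comment: memorised stem followed by the site name."""
    return master + site


def derived_password(master: str, site: str, length: int = 16) -> str:
    """Keyed alternative (assumption): HMAC-SHA256(key=master, msg=site), base64, truncated.

    The site name is public, the master is the key, so one site's output
    reveals neither the master nor any other site's output.
    """
    mac = hmac.new(master.encode(), site.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


def attack_naive(leaked: str, leaked_site: str, other_sites):
    """Attacker who recognises the pattern: strip the site name, regenerate the rest."""
    stem = leaked[: len(leaked) - len(leaked_site)]
    return {s: naive_password(stem, s) for s in other_sites}


def attack_derived(leaked: str, leaked_site: str, other_sites, candidate_masters):
    """Attacker who knows the derivation: only a correctly guessed master helps.

    Each candidate master is checked against the leaked value; on a hit the
    other passwords are regenerated, otherwise the attacker gets nothing.
    """
    for guess in candidate_masters:
        if hmac.compare_digest(derived_password(guess, leaked_site), leaked):
            return {s: derived_password(guess, s) for s in other_sites}
    return {}


def breach_impact(scheme, attack, sites, **attack_kwargs) -> int:
    """Leak the first site's plaintext password; count further accounts the attacker now owns."""
    leaked_site, others = sites[0], sites[1:]
    truth = {s: scheme(MASTER_SECRET, s) for s in sites}
    guesses = attack(truth[leaked_site], leaked_site, others, **attack_kwargs)
    return sum(1 for s in others if guesses.get(s) == truth[s])


if __name__ == "__main__":
    for s in SITES:
        print(f"{s:9} naive={naive_password(MASTER_SECRET, s):20} derived={derived_password(MASTER_SECRET, s)}")
    print("naive scheme, amazon leaked:   ", breach_impact(naive_password, attack_naive, SITES), "more accounts")
    print("derived, weak guess list:      ",
          breach_impact(derived_password, attack_derived, SITES, candidate_masters=["hunter2", "abc123"]), "more accounts")
    print("derived, master in guess list: ",
          breach_impact(derived_password, attack_derived, SITES, candidate_masters=["hunter2", MASTER_SECRET]), "more accounts")
```

The last case is the caveat the commenter raises about baskets and eggs: the keyed scheme does not remove the single point of failure, it moves it into the one secret you memorise, so that secret has to survive a dictionary attack on its own. A practical wrinkle worth knowing before adopting anything like this: truncated base64 is letters, digits, `+` and `/` only, so some sites' complexity rules will reject it, and changing a password for one site means changing the site label (e.g. appending a counter), not the master.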