Thread: IT Users In Password Hell

  1. #1
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055

    IT Users In Password Hell

    From news.zdnet.co.uk:

    The typical intensive IT user now has 21 passwords, and has two strategies to cope: Use common words as passwords or just write them down
    Heavy users of technology now employ nearly two dozen passwords to gain access to various IT systems and Web sites -- but are compromising security by writing them down.

    The 2002 NTA Monitor Password Survey found that the typical intensive IT user now has 21 passwords, and has two strategies to cope, neither of which are advisable from a security standpoint: they either use common words as passwords or keep written records of them.

    The survey found that some of these heavy users maintain up to 70 passwords. Forty-nine percent write their passwords down, or store them in a file on their PC.

    The research shows that 84 percent of computer users consider memorability as the most important attribute of a password, with 81 percent selecting a common word as a result.

    Furthermore, 67 percent of the entire universe of users polled by NTA Monitor rarely or never change their passwords, and 22 percent said they would only ever change one if forced to do so.

    One respondent said: "Memorability is more important as I assume it's secure. I remember passwords I've selected but if I've been assigned one I can't change I write it down on a 'post it' and stick it to my docking station."

    Roy Hills, technical director, NTA Monitor, said: "Users are effectively leaving their keys in the front door of their computer systems. A disciplined security approach must start with the user. As an industry, we need to help users address this issue. The fundamental problem is that users are forced to manage and maintain so many user names and passwords that they are inevitably using common phrases, or resort to writing passwords down."

    He added: "The IT industry is simply not taking it seriously enough -- losing a laptop, for example, with strictly confidential merger and acquisition documents on the hard disk is one thing but if it's got a 'post it' note with the password stuck to it you've only got yourself to blame."

    NTA Monitor surveyed 500 computer users at Victoria Station, London over a week-long period in November 2002.

    These are not good reports obviously. IT Users and Administrators need to know that passwords need to be guarded and need to be as strong as anything else. Using the password's limit, combining numbers/characters/letters, and using common sense can help people. It's stupid IMHO that people write their password on a 'post-it' note and leave it on their computer. That's just like leaving your front door to your house wide open in NYC while going to work, it's something you DON'T do. Anyone have any opinions on this article, or the stupidity of some IT users?
    Space For Rent.. =]

  2. #2
    It's a gas!
    Join Date
    Jul 2002
    Posts
    699
    This is a catch-22 situation. They've got a ton of passwords to remember already without them having to remember cryptic passwords at that.

    I feel for the users because the only way possible for them to remember all passwords is to use an easy to remember word(s) and because they're using easy to remember words they're being criticised. So they then revert to storing the passwords in a secret file which they're also criticised for.

    You just can't win unless you got fking excellent memory!

    Cheers

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I was a victim of this phenomenon a few years ago so I decided to fix it...<s>

    I came up with 4 passwords for the four different levels I assigned to the apps etc. that required them. Then when I need to password something I simply decide on its level. My 4 levels are as follows:-

    Really don't give a s**t: Easy password short and easily guessable. Used for web sites etc. where I have no intent of putting any info that might compromise myself or any systems I am responsible for.

    Sorta give a s**t: This one is longer and more complex than the first. I use it for web sites etc. that may end up with info that may compromise myself or the systems.

    Really Give a s**t: This is the normal, somewhat complex password that I use for internal and home systems only. It has admin rights to the network.

    Holy S**t: This is coupled with a complex username and is very complex. It is used only for internal secure systems that are not members of the domains but require to be as secure as I can make them.

    With this system I can usually work out which password it was I used first time. Yes I do change the last two so if it is a long time since I used a system I may have to step back a bit to get into the system and then I change it right there.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953

    PassWord Banks Work

    Here's an idea:

    Invest in a small portable drive. Use a "password bank" to store your passwords on that portable drive. When you're done using the bank, take the drive out and you're safe... The drive is not physically available to any hackers - this is the only way I would keep a password bank. Although this may seem expensive - think about the alternatives listed above...

    <edit>
    I forgot to mention the bonus of using a password bank...

    You only need to remember one really strong password...

    This will allow you to easily have many, long, complicated passwords for all of your...

    http://www.google.com/search?hl=en&l...=Password+Bank
    </edit>
    yeah, I'm gonna need that by friday...

  5. #5
    Senior Member
    Join Date
    Jun 2002
    Posts
    394
    That's a really good idea tampabay, you can get 16mb USB keyring-type storage real cheap. And it would be perfectly suited for storing a password file, encrypted of course, with a really strong password.
    http://www.thelaptopman.co.uk/periph...oduct.shtml?60
    I have seen smaller though, for less.
    Hmm...there's something a little peculiar here. Oh I see what it is! The sentence is talking about itself! Do you see that? What do you mean? Sentences can't talk! No, but they REFER to things, and this one refers directly-unambiguously-unmistakably-to the very sentence which it is!

  6. #6
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670
    ThinkGeek already has a keychain password keeper:

    http://www.thinkgeek.com/gadgets/security/5a60/

    Another good way to maintain your personal passwords is to come up with a scheme for a password depending on the machine name. Many sites have naming schemes for their systems. Depending on this scheme, you should be able to come up with a phrase that relates to all of them except for one key difference. For example, if all your machine names were Star Trek characters:

    System name: troi
    Password: Tw0tnG

    The scheme being first letter and last letter capitalized, center letter "o" a zero, and the mnemonic was "Troi was on The Next Generation"

    Here's another one:

    System name: dax
    Password: Dw0dsN -- for "Dax was on Deep Space Nine"

    System name: spock
    Password: Sw0toS -- for "Spock was on The Original Series"

    It's a good way to keep several machines straight in your head. It even works if you have multiple schemes, because you'll only have to remember as many passwords as you have schemes.
    /* You are not expected to understand this. */
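
An added example, not part of roswell1329's post: a defender's audit of a name-derived scheme like the one above, using the three name/password pairs from the post to measure how many character positions are left to guess once the scheme is known. The function names and the 26-letter and 62-character alphabets are assumptions made for this illustration.

```python
import math

# Name -> password pairs exactly as given in the post above.
SAMPLES = {"troi": "Tw0tnG", "dax": "Dw0dsN", "spock": "Sw0toS"}

def classify_positions(samples):
    """Label each password position by how much an observer could infer.

    'constant'  - same character on every system
    'from-name' - always the first letter of the system name (any case)
    'free'      - neither of the above; the only part left to guess
    """
    lengths = {len(pw) for pw in samples.values()}
    if len(samples) < 2 or len(lengths) != 1:
        raise ValueError("need at least two passwords of equal length")
    labels = []
    for i in range(lengths.pop()):
        if len({pw[i] for pw in samples.values()}) == 1:
            labels.append("constant")
        elif all(pw[i].lower() == name[0].lower()
                 for name, pw in samples.items()):
            labels.append("from-name")
        else:
            labels.append("free")
    return labels

def nominal_bits(length, alphabet=62):
    """Entropy if every position were random over [A-Za-z0-9]."""
    return length * math.log2(alphabet)

def effective_bits(labels, alphabet=26):
    """Upper bound once the scheme is known: only 'free' positions count,
    and the scheme fixes their case, so at most 26 letters each (assumption)."""
    return labels.count("free") * math.log2(alphabet)

if __name__ == "__main__":
    labels = classify_positions(SAMPLES)
    print(labels)
    print(f"nominal:   {nominal_bits(len(labels)):.1f} bits")
    print(f"effective: {effective_bits(labels):.1f} bits (upper bound)")
```

On the three samples only the last three positions are free, which caps the scheme at roughly 14 bits against about 36 for six random characters; a generated password stored in the password bank discussed earlier in the thread does not share structure across systems.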

  7. #7
    I agree too Tampabay420, I recommend using a small usb password bank for people that like to use the "password safe" programs. Then they have one super tight password, and no worry of the program and its contents on a mounted drive.
    Insert whitty tagline right here.
