
posted by martyb on Friday December 13 2019, @03:11PM
from the https://xkcd.com/936/ dept.

49% of workers, when forced to update their password, reuse the same one with just a minor change:

A survey of 200 people conducted by security outfit HYPR has some alarming findings.

For instance, not only did 72% of users admit that they reused the same passwords in their personal life, but also 49% admitted that when forced to update their passwords in the workplace they reused the same one with a minor change.

Furthermore, many users were clearly relying upon their puny human memory to remember passwords (42% in the office, 35% in their personal lives) rather than something more reliable. This, no doubt, feeds users' tendency to choose weak, easy-to-crack passwords as well as reusing old passwords or making minor changes to existing ones.

What is so bad about changing "Password1" to "Password2"?


  • (Score: 2, Disagree) by RS3 on Friday December 13 2019, @03:21PM (38 children)

    by RS3 (6367) on Friday December 13 2019, @03:21PM (#931711)

    What is so bad about changing "Password1" to "Password2"?

    Nothing at all if you want your account accessed by others.

    Furthermore, many users were clearly relying upon their puny human memory to remember passwords (42% in the office, 35% in their personal lives) rather than something more reliable.

    What, pray tell, is that something? LogMeIn? Browser-based auto logins? Post-It notes?

    A good friend of mine prints his passwords- the ones he doesn't care about like work-related- on bar-code and uses a bar-code scanner. It's pretty well hidden and few know he does it, and he's pretty cynical about his job so if someone figures it out he'll just enjoy the show.

  • (Score: 2, Insightful) by Runaway1956 on Friday December 13 2019, @03:33PM (24 children)

    by Runaway1956 (2926) Subscriber Badge on Friday December 13 2019, @03:33PM (#931717) Journal

    They need to just do away with passwords. And fingerprints, and retina scans, and all the rest. The computer should demand a semen sample, to compare DNA.

    "No, seriously, I'm not the wanker you take me for, I'm just trying to get into my computer!"
    "Dude, I've heard it called a lot of things, but I've never heard a vagina referred to as a computer."

    Anyway, iterative passwords. The shared computer at work was set up with "Welcom01", and we're now six days away from changing the password to "Welcome22". A little social engineering reveals that all the other computers have the same password, plus or minus a couple iterations. If I'm around when it reaches 99, and due to change, I think I'll start over at "Welcome00" just to screw with people's minds.

    • (Score: 5, Funny) by PiMuNu on Friday December 13 2019, @03:39PM (13 children)

      by PiMuNu (3823) on Friday December 13 2019, @03:39PM (#931721)

      Works until you get a bone marrow transplant.

      • (Score: 2) by RS3 on Friday December 13 2019, @03:43PM

        by RS3 (6367) on Friday December 13 2019, @03:43PM (#931725)

        Or miniature CRISPR gene hacking tool for 007's next movie.

      • (Score: 3, Insightful) by Runaway1956 on Friday December 13 2019, @03:56PM (11 children)

        by Runaway1956 (2926) Subscriber Badge on Friday December 13 2019, @03:56PM (#931731) Journal

        I was expecting the obvious reply. "Where's a woman supposed to get a semen sample?" I suppose that women will have to buy samples, and keep them in a local sperm bank. Or, keep a guy around to get her in, or off, as the case may be.

        • (Score: 2) by Freeman on Friday December 13 2019, @04:13PM

          by Freeman (732) on Friday December 13 2019, @04:13PM (#931737) Journal

          Yeah, I was heading this direction first, before the other two went off on their less than 2% errors. Still, it's a very off the wall suggestion. The reason why we have passwords is, because there's no better solution.

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 3, Funny) by barbara hudson on Friday December 13 2019, @04:54PM (7 children)

          by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday December 13 2019, @04:54PM (#931751) Journal
          Buy a semen sample?

          Little boy to little girl: my dad says I have a penis and you don't.

          Little girl: My mom says I have a vagina and I can get all the penis I want.

          That's why there's no such thing as a female incel.

          --
          SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
          • (Score: 2) by Coward, Anonymous on Saturday December 14 2019, @03:52AM (6 children)

            by Coward, Anonymous (7017) on Saturday December 14 2019, @03:52AM (#931938) Journal

            That's why there's no such thing as a female incel.

            This may be the exception that proves the rule, but I distinctly remember being approached by a desperate woman who wanted me to touch her boobies.

            • (Score: 2) by barbara hudson on Saturday December 14 2019, @04:07AM (5 children)

              by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Saturday December 14 2019, @04:07AM (#931943) Journal
              So no request for sex.
              --
              SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
              • (Score: 2) by Coward, Anonymous on Saturday December 14 2019, @04:14AM (4 children)

                by Coward, Anonymous (7017) on Saturday December 14 2019, @04:14AM (#931945) Journal

                Funny. I guess you don't know what it means to be propositioned.

                • (Score: 2) by barbara hudson on Saturday December 14 2019, @09:06PM (3 children)

                  by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Saturday December 14 2019, @09:06PM (#932160) Journal
                  Wasn't there, no context given, not up to me to make assumptions. And that doesn't make her a female incel. Just (if what you're saying is true) just horny. Perfectly normal.
                  --
                  SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                  • (Score: 2) by Coward, Anonymous on Sunday December 15 2019, @03:36AM (2 children)

                    by Coward, Anonymous (7017) on Sunday December 15 2019, @03:36AM (#932263) Journal

                    Oh well, guys who you call incels could probably find a crack whore to have sex with, at least in the US. They just don't want to. So the "involuntary" part of incel is not really true.

                    • (Score: 2) by barbara hudson on Sunday December 15 2019, @03:44AM (1 child)

                      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Sunday December 15 2019, @03:44AM (#932268) Journal

                      Many of these are afraid of approaching any woman - which is why when they finally do so, it's often with a gun or rifle or using a vehicle as a weapon to express their rage.

                      --
                      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                      • (Score: 2) by Coward, Anonymous on Sunday December 15 2019, @05:32AM

                        by Coward, Anonymous (7017) on Sunday December 15 2019, @05:32AM (#932308) Journal

                        Probably they are intimidated by women they find attractive, I'll give you that. But probably not by women they find unattractive. They are choosing not to pursue the ones they might have better chances with, so their celibacy is in fact voluntary.

        • (Score: 0) by Anonymous Coward on Saturday December 14 2019, @10:27AM (1 child)

          by Anonymous Coward on Saturday December 14 2019, @10:27AM (#931999)

          It would not be very safe to keep him chained to the table.. so where would one keep the semen container?

    • (Score: 2) by RS3 on Friday December 13 2019, @03:47PM (3 children)

      by RS3 (6367) on Friday December 13 2019, @03:47PM (#931727)

      Yeah, sometimes I think this stuff is overdone. If someone has physical access to a computer, they can rip out a hard disk pretty quickly. And you could argue in favor of disk encryption, but if the motherboard dies (which is rare) you lose everything. But hopefully it's all backed up, right?

      I tend to keep passwords simple for low-privilege accounts, and fairly longish for admin/root stuff.

      • (Score: 0) by Anonymous Coward on Friday December 13 2019, @04:03PM

        by Anonymous Coward on Friday December 13 2019, @04:03PM (#931734)

        If you're counting on being able to get data off the disk when the computer fails, you've screwed up on so many levels.

        You're supposed to have regular backups and if what you're doing is so hard to replicate that losing a few hours of work is a problem, then you should be running those backups more frequently. I'm sure there are a few areas where you can generate data too quickly for that, but in those cases, you have other considerations and you'll likely want to use something more advanced for data storage than a single computer.

      • (Score: 2) by barbara hudson on Friday December 13 2019, @04:49PM (1 child)

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday December 13 2019, @04:49PM (#931750) Journal

        If someone has physical access to a computer, they can rip out a hard disk pretty quickly

        I wish. Hard disk physically soldered in place, dirty rotten built-in obsolescence bastards.

        Want more storage? Buy a new machine because it's not worth unsoldering the old one and still having older hardware.

        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
        • (Score: 2) by RS3 on Saturday December 14 2019, @12:01AM

          by RS3 (6367) on Saturday December 14 2019, @12:01AM (#931873)

          Or plug in a USB stick or external drive.

    • (Score: 0) by Anonymous Coward on Friday December 13 2019, @04:28PM (4 children)

      by Anonymous Coward on Friday December 13 2019, @04:28PM (#931738)

      Best version of that I have seen is “Colors of the rainbow” for root. This worked well until fart keyed in “plaid”.

      I do not like password stores. Dashlane and the like. 1 password to get them all. I prefer a catchy system like the names of the cats and sequence number. Rotate names and numbers and keep them synced. Also do to sign up to multiple forum or other systems. If they need a password to use. They are just another Facebook or google wannabe. Flush them fast

      • (Score: 2) by barbara hudson on Friday December 13 2019, @04:44PM (3 children)

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday December 13 2019, @04:44PM (#931743) Journal
        Simple solution - only forum I use now is here. So only one password for one forum. At least here when my eyes go again I can still use links / lynx again. Pick a forum and stick with it. Then you only need one password for "all" your forums/antisocial media accounts.
        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
        • (Score: 2) by Osamabobama on Friday December 13 2019, @05:27PM (2 children)

          by Osamabobama (5842) on Friday December 13 2019, @05:27PM (#931763)

          So what password do you use, then?

          --
          Appended to the end of comments you post. Max: 120 chars.
          • (Score: 2) by barbara hudson on Friday December 13 2019, @05:37PM

            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday December 13 2019, @05:37PM (#931767) Journal
            Whatever one I want, same as everyone else who doesn't have a password nazi telling them what to do because they read a bs article about "industry best practices" backed by zero empirical evidence. :-)
            --
            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
          • (Score: 0) by Anonymous Coward on Friday December 13 2019, @06:41PM

            by Anonymous Coward on Friday December 13 2019, @06:41PM (#931796)

            dd if=/dev/urandom bs=1 count=12|base64

    • (Score: 4, Funny) by EvilSS on Friday December 13 2019, @04:44PM

      by EvilSS (1456) Subscriber Badge on Friday December 13 2019, @04:44PM (#931744)

      The computer should demand a semen sample, to compare DNA.

      SoylentNews story from 2025: "Honey pot attacks up 200,000%, victims not all that unhappy"

  • (Score: 5, Informative) by barbara hudson on Friday December 13 2019, @04:35PM

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday December 13 2019, @04:35PM (#931741) Journal
    Current bullshit password "best practices" reduce security.

    When you know the user needs to use at least 1 digit, and 1 special character, you've eliminated the need to check all alpha-only passwords.

    Second, because so many people need password resets, it's easier to convince the keepers of the keys to reset a password via social engineering - hence the epidemic of identity theft.

    Biometrics? Fingerprint readers don't actually compare fingerprints- they generate a number based on a small number of features of a fingerprint. Doesn't work if you don't have well defined features, like mine. We tried registering my fingerprint on a time clock for weeks. Never worked. I deleted my bank app when they needed fingerprint ID because I don't want to get locked out by 10 failures of verification.

    And we all know facial ID also can be easily compromised.

    Only physical security can be trusted- anything else is smoke and mirrors.

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
  • (Score: 2) by barbara hudson on Friday December 13 2019, @04:56PM (2 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday December 13 2019, @04:56PM (#931753) Journal
    1. Make new barcodes with random login details

    2. Watch the fun.

    3. There is no 3

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 2, Insightful) by DECbot on Friday December 13 2019, @11:15PM

      by DECbot (832) on Friday December 13 2019, @11:15PM (#931864) Journal

      Why go through all that trouble? Use a sharpie to embolden some of the lines.

      --
      cats~$ sudo chown -R us /home/base
    • (Score: 2) by RS3 on Saturday December 14 2019, @12:03AM

      by RS3 (6367) on Saturday December 14 2019, @12:03AM (#931874)

      You're delightfully evil. I might just do that if I ever visit his place of employ again...

  • (Score: 3, Interesting) by Zinho on Friday December 13 2019, @05:03PM (4 children)

    by Zinho (759) on Friday December 13 2019, @05:03PM (#931758)

    What is so bad about changing "Password1" to "Password2"?

    Nothing at all if you want your account accessed by others.

    Defend this please. What is the vulnerability that we're defending against by requiring dissimilar passwords?
    * attacker is able to guess your next password easily if they've already got your current/past one?
    * hash function isn't giving distinct responses to passwords that are only one character different?

    One of these seems like closing the barn door after the horse has escaped, and the other seems like a systemic error, not a user error.

    What are we trying to say the users are making themselves vulnerable to?

    --
    "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
    • (Score: 2) by Osamabobama on Friday December 13 2019, @05:38PM (2 children)

      by Osamabobama (5842) on Friday December 13 2019, @05:38PM (#931768)

      The most plausible scenario where this would help is a password breach, where unencrypted passwords are revealed. This could be from a different site, where the same password is reused, or a single site, where the password table is cracked or otherwise revealed. Then the data gets into the hackers' hands...

      Now, hypothetically, they are targeting you specifically (not just going through the whole list--for whatever reason). They don't get in on your old password, but they see an identifiable pattern, and iterate through the logical next steps. Alternatively, an automated tool cycles through passwords based on the pattern.

      This attack vector needs unencrypted passwords, which should be hard to get because of hashing and salting and so on, but not every site is using best practices. Also, there are other threat models that get ignored when people concentrate on this one.

      Disclaimer: I'm stretching the limits of my understanding of this subject by explaining this, so don't use me as a reference if it's important.

      --
      Appended to the end of comments you post. Max: 120 chars.
      • (Score: 0) by Anonymous Coward on Friday December 13 2019, @06:11PM (1 child)

        by Anonymous Coward on Friday December 13 2019, @06:11PM (#931781)

        They don't get in on your old password, but they see an identifiable pattern

        To see an identifiable pattern they'd need more than one old password.

        • (Score: 2) by stretch611 on Saturday December 14 2019, @12:54AM

          by stretch611 (6199) on Saturday December 14 2019, @12:54AM (#931889)

          Not necessarily...

          It is possible at times to guess a pattern after seeing/knowing only one password.

          I used to work somewhere that required monthly password resetting.

          I used to take a single word and follow it with a 1 or 2 digit password. If someone sees password12, it does not take a rocket scientist to make an assumption that they will change it to password13 at the next reset, or another reasonable guess would be password01 if it is currently December. Back then we used to share passwords with our coworkers for various tasks... It was not unusual for people to use the same password followed by the numerical month.

          After they banned passwords that only changed 1 or 2 digits/characters, I even took the lazy step of changing my password from "March2007" to "April2007" to "May2007". I would truncate the longer months if necessary as well. Another case of easy to guess the identifiable pattern even if you only have one password.

          Honestly, even then I knew how bad it was to use passwords like that... but I honestly didn't give a damn about the company I worked for then either. After I left, I didn't do the month/year passwords, but I still implemented the add 1 to the number or use the month as a number suffix to passwords.

          I no longer am forced to change my password every month... and I have not had to do that in roughly 8 years. Since then, I use an offline password manager (KeepassX [keepassx.org]). I let it generate random passwords for me and I never change them. I never let the browser remember passwords or use a browser extension to fill them in for me simply because browsers are one of the biggest security risks on your computer.

          --
          Now with 5 covid vaccine shots/boosters altering my DNA :P
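A change-time similarity check of the kind stretch611 ran into (one that rejects a new password derived from the old one by bumping a digit or swapping a month name) is short to implement. The following is an added example written for this page, not code from anyone in the thread or from HYPR; the edit-distance threshold of 2, the month-name normalisation and the sample pairs are my assumptions, constructed from the patterns described above.

```python
import re
from calendar import month_abbr, month_name

# Lower-case month names and abbreviations, for the "March2007" -> "April2007" pattern.
MONTHS = {m.lower() for m in month_name if m} | {m.lower() for m in month_abbr if m}

# stem, optional trailing digit run, optional trailing punctuation ("Welcome22", "Summer19!")
PARTS = re.compile(r"^(.*?)(\d*)([^A-Za-z0-9]*)$", re.DOTALL)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def stem(password: str) -> str:
    """Reduce a password to the part a guesser could not predict from the previous one:
    drop the trailing digit run and trailing punctuation, lower-case what is left, and
    treat a bare month name as no stem at all ("March2007" and "April2007" both -> "").
    An empty stem means the whole password was digits/punctuation/month, so any two
    such passwords are treated as equivalent (assumed policy)."""
    core = PARTS.match(password).group(1).lower()
    return "" if core in MONTHS else core


def is_derivative(old: str, new: str, max_edit: int = 2) -> tuple[bool, str]:
    """Return (flagged, reason). Meant to run at password-change time, the one moment
    the server legitimately holds both plaintexts (the user just proved the old one);
    nothing here requires storing passwords unhashed."""
    if old == new:
        return True, "unchanged"
    if levenshtein(old.lower(), new.lower()) <= max_edit:
        return True, f"within {max_edit} edits of the previous password"
    if levenshtein(stem(old), stem(new)) <= 1:
        return True, "same stem once trailing digits/punctuation and month names are removed"
    return False, "accepted"


if __name__ == "__main__":
    # Constructed pairs following the patterns described in the thread.
    for old, new in [("Password1", "Password2"), ("Welcome21", "Welcome22"),
                     ("password12", "password13"), ("password12", "password01"),
                     ("March2007", "April2007"), ("May2007", "June2007"),
                     ("Welcome22", "k7#Qz!pLm2vR")]:
        flagged, why = is_derivative(old, new)
        print(f"{old!r} -> {new!r}: {'REJECT' if flagged else 'accept'} ({why})")
```

The month-name rule is what catches "March2007" -> "April2007": the two strings are 4 edits apart, so a plain edit-distance threshold would accept the change.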
    • (Score: 1, Insightful) by Anonymous Coward on Friday December 13 2019, @07:19PM

      by Anonymous Coward on Friday December 13 2019, @07:19PM (#931802)

      The requirement for changing passwords is ALREADY about closing the barn door after the cows are out.

      The ONLY attack case this fixes is the attacker that already has a credential. If the APT (advanced persistent threat) isn't in your attack profile, there is no reason for this requirement.

  • (Score: 2) by Rupert Pupnick on Friday December 13 2019, @05:35PM (3 children)

    by Rupert Pupnick (7277) on Friday December 13 2019, @05:35PM (#931765) Journal

    But if the password is already "strong" to begin with, what's wrong with a small incremental change as an update?

    • (Score: 2) by maxwell demon on Friday December 13 2019, @08:31PM

      by maxwell demon (1608) on Friday December 13 2019, @08:31PM (#931819) Journal

      Exactly. I've long used a strong password, and a small variant part at the end. Until they started to test similarity with the previous password. Since it came unexpected, and I hadn't much time to think about and memorize it, my next password was considerably weaker.

      And no, a password manager is no option for the login password.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by toddestan on Friday December 13 2019, @11:44PM

      by toddestan (4982) on Friday December 13 2019, @11:44PM (#931867)

      If the password is strong and secure, then there really is no reason to have to change it.

      If the password has been compromised somehow - the malicious actor trying to get in might be able to guess/figure out your small change and still gain access. The whole point of these password change policies is to defend against scenarios where the password has been compromised somehow but that fact is not yet known. A small, easy to guess change completely defeats the purpose of that policy.

    • (Score: 2) by RS3 on Saturday December 14 2019, @12:08AM

      by RS3 (6367) on Saturday December 14 2019, @12:08AM (#931875)

      This answer applies to the many comments I got, but don't want to pepper all the answers:

      I was referring to the literal password "Password1". I'm pretty sure the hackorz try those exact things first.

      Otherwise, I certainly agree- a 1 character change to an already "strong" password is a great option, resulting in an equally strong password.