You Want People To Have Strong Passwords? What Are You, Some Kind Of Communist?
from the rights-and-responsibilities dept
Passwords are a pain. If they are strong, they are hard to remember, and if you can remember them they probably aren't strong. Of course, there are all those excellent password managers out there, but using one still means remembering a single master password that has to be stronger than any of the passwords it protects.... No wonder, then, that time and again we hear of people giving up and using simple-to-guess passwords, and of the awful consequences that result.
Stefania Maurizi points us to an Italian journalist, Nicola Porro, who has also had enough. He has written a blog post for the newspaper Il Giornale in which he describes the tech people who keep giving him a hard time over his weak passwords as the "new communists" (original in Italian):
So why do I say they are communists, and not just idiots? For the simple reason that they don't believe in free will, or in individual freedom. Can't I be free not to change my password every month? Can't I be free to use a simple password? Can't I be free to choose whatever the devil I like? Can't I be free to consider it irrelevant whether somebody steals my data? Isn't it an option that whenever I'm online they screw me over and steal precious information from yours truly, and that I'm not at liberty to put myself intentionally in danger in order to have a convenient password?
He goes on to say:
and as for anyone who dares to say something about the risks of getting conned blah blah blah, I am quite happy to sign online once and for all that I accept full responsibility for any password theft.
I wonder if he's considered what might happen if his system were taken over as part of a botnet that took out a hospital's computer system, say, or were used to host and distribute child pornography: would he be happy about accepting responsibility for those too?
Maybe those sysadmins who keep bothering him to choose a decent password aren't "new communists", just concerned, responsible people who understand that every computer user connected to the Internet is necessarily part of an online community with responsibilities to everyone else there, just like in ordinary life. Choosing a good password is really no different from following the basic rules of the road: it's not a question of losing your personal freedom, but of showing consideration for your fellow human beings who may be harmed if you don't.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: communism, italy, nicola porro, passwords
Reader Comments
His childhood must have been a fun one...
'I'll play in traffic if I want to, you commie'
'Make sure to look both ways before crossing the street.'
'If I want to get hit by a passing car because I'm too stupid to take basic precautions, that's my right you communist!'
'When driving, signal, look, and then move over.'
'If I want to ignore common sense and cause a car crash it's my freedom to do so!'
Re: His childhood must have been a fun one...
1. as mentioned numerous times, this idiotic practice of 'signing up' or making an 'account' for EVERY two-bit website in the universe is EXTREMELY tiresome...
(how many dozens/hundreds have i been forced to sign up for, and NEVER went there again ? )
2. when i got a disqus 'account', i was hoping it would alleviate this type of crap; but, evidently, i have to get a dozen disqus-like accounts, and STILL will be 'forced' to sign up at every site in the universe...
3. for non-critical sites/'accounts', i use a simple pattern: prefix + site/org name + suffix
e.g. 57techdirt89
i simply have to 'remember' the prefix/suffix (57/89), then insert the site/org name in the middle, and i'm good to go...
somebody cracks my 'account' at some non-critical website ? ? ?
*yawn*
Oh, wait, no. That other thing.
Moron. That's it!
I don't like storing my passwords elsewhere even if the service has a reputation but seriously, my brain fails at memorizing several strings and I'm inclined to believe only a few gifted people can do without a password manager.
Which reminds me I have to update the USB key I have in case shit hits the fan at the site.
Re:
For example I use apg to generate passwords but there are countless other tools like this.
Re: Re: Re:
Thought one thing wrote another.
Thing is...he's not. Can someone clarify if he's complaining about the password policy at his workplace? Those systems aren't his. If he has a weak password at his job, it wouldn't just be himself affected, but all of his co-workers. I think it wouldn't just be the sys-admins who would want to have a word with him at that point.
Re:
The password strength should be related to the importance of the data and some data just isn't very important.
Yes, but I'm going to guess that you're the sort of person who would also be free to sue banks and other institutions when your poor practices lead you to suffer a tangible loss. To be free to berate and attack IT and other personnel for not "protecting" you when things go wrong, even though you willingly rejected their every word of advice. To be free to blame everybody but yourself when you realise why security is so important.
"I am quite happy to sign online once and for all that I accept full responsibility for any password theft"
I sincerely hope others take up this challenge. Reminds me of Jeremy Clarkson - http://news.bbc.co.uk/2/hi/7174760.stm. All bluster and "who cares?" until someone demonstrated to him why he should care.
Re:
If someone breaks your "easy" password and does harm to you they still are liable for the damage.
"You were asking for it" does not excuse the criminal of wrongdoing.
Re: Re:
However, a person must also be responsible for their own security. If you're in the habit of leaving your house with the doors and windows open, you still bear some responsibility no matter how wrong the person who robbed you was for doing so. People aren't trying to take away your rights if they tell you to lock up when you leave.
Also, as noted several times elsewhere here, the implications of not taking care of security with a computer may have many implications beyond what happens to your own account, so any analogies related to burglary are horribly inaccurate.
Re:
Actually he has a point.
At least some of the policies imposed by sysadmins are not just pointless - they are actually counterproductive.
Changing your password every month is one of them.
(This pretty much guarantees that most people will react by using simpler, related passwords.)
Never writing them down is another.
Again encouraging weaker passwords - contrary to the advice it is quite safe to write down passwords in most circumstances.
Not using the same password for multiple sites is another.
Most sites are fairly non-critical (hacking my techdirt account would not be the end of the world) using a common password for large groups of similar non-financial sites is fine.
Always including a number or non-alphanumeric character is another. The amount of extra entropy associated with expanding the character set is modest compared to the extra effort required to memorise it. In addition most people make obvious substitutions (A->4 s->$ etc) which don't trouble the average password cracking program even a little. Increasing password length is a much better solution.
All of these things are eminently practical in an environment where you have just one or two sites to find passwords for and use them frequently.
However in the modern world where you may have >>10 passwords it is simply impossible.
My advice is this - use the same short easy password for all non-critical sites. Ignore suggestions not to do this from the site. Most site owners believe their site is way more important to you than it actually is.
Use separate long (multi-word) passwords for the sites that matter. If you will only (or mostly) use them when at home then by all means write them down (at home only - if a burglar is rifling through your things then you have bigger problems than a cracked password and you will know to change it).
You are probably left with just one or two sites that demand you remember a secure password - hopefully that is not too hard.
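The two claims in that last comment, that the obvious substitutions cost a cracker nothing and that extra length buys more than a wider character set, can be checked in a few lines. What follows is an added example, not code from the post or from any commenter: a toy rule engine in the style of a password cracker's mangling rules, run over a constructed five-word wordlist against an unsalted SHA-1 hash, beside the entropy arithmetic for the two strategies. The wordlist, the leet table and the suffix list are constructed for the illustration and stand in for the much larger ones a real cracker ships with.

```python
import hashlib
import itertools
import math

# Constructed inputs for the illustration: a five-word "dictionary", the
# substitutions people think of as clever, and the suffixes they append.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "techdirt"]
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "!", "123"]


def sha1_hex(text):
    """Unsalted SHA-1 of a string, the kind of hash this attack targets."""
    return hashlib.sha1(text.encode()).hexdigest()


def candidates(word):
    """Yield every mangled form of one word: three capitalisations, every
    subset of the leet substitutions, and each suffix. This is the kind of
    rule set a cracker applies to every dictionary word, so "P4$$w0rd!"
    is tried just as early as "password"."""
    for base in (word, word.capitalize(), word.upper()):
        positions = [i for i, ch in enumerate(base) if ch.lower() in LEET]
        for r in range(len(positions) + 1):
            for subset in itertools.combinations(positions, r):
                chars = list(base)
                for i in subset:
                    chars[i] = LEET[chars[i].lower()]
                for suffix in SUFFIXES:
                    yield "".join(chars) + suffix


def crack(target_hex):
    """Dictionary-plus-rules attack on one unsalted SHA-1 hash.
    Returns (plaintext, guesses) on success or (None, guesses) if the
    target is not a mangled form of any word in WORDLIST."""
    guesses = 0
    for word in WORDLIST:
        for cand in candidates(word):
            guesses += 1
            if sha1_hex(cand) == target_hex:
                return cand, guesses
    return None, guesses


def entropy_bits(alphabet_size, length):
    """Bits of entropy for a password chosen uniformly at random from
    alphabet_size symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def search_space_bits(wordlist=WORDLIST):
    """How big the attacker's search space really is for a mangled
    dictionary word: log2 of the number of candidates the rules produce."""
    total = sum(1 for word in wordlist for _ in candidates(word))
    return math.log2(total)


if __name__ == "__main__":
    print(crack(sha1_hex("P4$$w0rd!")))     # ('P4$$w0rd!', 127)
    print(round(entropy_bits(95, 8), 1))    # 52.6  8 random keyboard characters
    print(round(entropy_bits(26, 12), 1))   # 56.4  12 random lowercase letters
    print(round(entropy_bits(2048, 4), 1))  # 44.0  4 random words from a 2048-word list
    print(round(search_space_bits(), 1))    # 9.2   the space "P4$$w0rd!" actually lives in
```

The numbers make the comment's point: twelve random lowercase letters carry more entropy than eight random characters drawn from the whole keyboard, and a "complex" password built by substituting digits into a dictionary word is found after a hundred or so guesses because the substitutions are part of the rule set, not part of the secret. Note that entropy_bits only applies to passwords that really are chosen at random; a human picking "P4$$w0rd!" gets the 9 bits of search_space_bits, not the 59 bits the character classes suggest.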
I've used the same password since 1998 for a lot of things. I haven't been assimilated.
I won't sue banks, or get angry at IT people. I know full well I leave only myself to blame.
I've had my PayPal account hacked. That was 7 years ago. I got my money back. *shrug*
I know good and well what the risks are. Don't tell me what my reaction is going to be.
Re: Re:
Money may not be the motive.
I thought only copyright maximalists consider money to be the sole reason why people do things.
That is free market economy, as it is company policy, not government regulation.
There are dozens of suitable technologies, from smart cards to certificates to multi factor authentication, but they're all obscure and hard to use for grandma.
Re:
I've been hearing this since about 1990. I don't think the end of the password is any closer now than it was then. For all their faults, passwords have advantages that no other scheme can match.
For some things, I use certs. For other things, certs/smart cards/multifactor schemes are simply unworkable, and I see nothing on the horizon that will change that.
bad article
writing everything down anyway.
http://xkcd.com/936/
Re: Re: bad article
Number of guesses per second is only really an issue if the authenticator allows it to be. Enforce a small account wide delay between password attempts. Your users won't be fast enough to run afoul of it, but the exponential increase in computer speed is no longer a concern. Sensitive destinations should include password lockout mechanisms. Sensitive administrative access requires certs/tokens/two-factor.
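What an account-wide delay plus a lockout looks like in code, as an added example rather than code from the comment or from any product: the delay is keyed on the account rather than on the client address, so spreading guesses over many hosts does not raise the attacker's rate, and it doubles with each failure up to a cap, with a hard lockout once the failure count gets high. The clock is injected so the behaviour can be exercised without sleeping; the PBKDF2 iteration count, the one-second base delay and the lockout thresholds are assumed values for the illustration, and unknown accounts are checked against a random dummy so the response time does not reveal which accounts exist.

```python
import hashlib
import hmac
import os

# Assumed work factor for the illustration; a real deployment tunes this.
PBKDF2_ITERATIONS = 60_000


class ThrottledAuthenticator:
    """Password check with an account-wide delay that doubles on each
    failure (capped), and a hard lockout after too many failures. The
    delay is keyed on the account rather than the client address, so an
    attacker gains nothing by spreading guesses over many hosts."""

    def __init__(self, clock, base_delay=1.0, max_delay=60.0,
                 lockout_after=10, lockout_seconds=900.0):
        self.clock = clock                  # returns seconds; injected for testability
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self._creds = {}                    # user -> (salt, derived key)
        self._state = {}                    # user -> {"failures": n, "next_allowed": t}
        # Unknown users are verified against this random dummy so the
        # response time does not reveal which accounts exist.
        self._dummy = (os.urandom(16), self._derive(os.urandom(16), "dummy"))

    @staticmethod
    def _derive(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, self._derive(salt, password))

    def login(self, user, password):
        """Returns one of "ok", "denied", "throttled" or "locked"."""
        now = self.clock()
        st = self._state.setdefault(user, {"failures": 0, "next_allowed": 0.0})
        if now < st["next_allowed"]:
            return "throttled"              # refused before the password is even checked
        salt, expected = self._creds.get(user, self._dummy)
        ok = hmac.compare_digest(self._derive(salt, password), expected)
        if ok and user in self._creds:
            self._state[user] = {"failures": 0, "next_allowed": 0.0}
            return "ok"
        st["failures"] += 1
        if st["failures"] >= self.lockout_after:
            st["next_allowed"] = now + self.lockout_seconds
            return "locked"
        delay = min(self.base_delay * 2 ** (st["failures"] - 1), self.max_delay)
        st["next_allowed"] = now + delay
        return "denied"


if __name__ == "__main__":
    import time
    auth = ThrottledAuthenticator(clock=time.monotonic)
    auth.register("alice", "correct horse battery staple")
    print(auth.login("alice", "password1"))                     # denied
    print(auth.login("alice", "correct horse battery staple"))  # throttled (1 s not yet elapsed)
    time.sleep(1.1)
    print(auth.login("alice", "correct horse battery staple"))  # ok
```

A legitimate user who mistypes once waits a second and never notices; an online guessing attack is capped at a handful of attempts per minute per account regardless of how many machines it runs from. The throttle is returned before any hashing is done, so it also keeps the server's PBKDF2 cost from becoming a denial-of-service lever.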
Re: Re: Re: bad article
Offline attacks are limited only by the hashing algorithm and hardware (for example, WPA runs sha1 4096 times to make cracking slower), but then again, offline attacks involve other stuff like getting the hashes, etc...
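The WPA derivation the comment refers to is PBKDF2-HMAC-SHA1 with 4096 iterations, the SSID as salt, producing the 256-bit PSK (IEEE 802.11i, Annex H, which also supplies the test vector used below: passphrase "password", SSID "IEEE"). The following is an added example, not code from the comment: it derives the PSK, runs a small offline dictionary attack against it, and measures how many guesses per second the same machine manages against a bare SHA-1 versus the stretched derivation. The wordlist is constructed. One caveat: in a real attack the captured four-way handshake is what gets checked (each candidate PSK is expanded to a PTK and compared against the handshake MIC), so the per-guess cost is a little higher than shown here; the 4096-round PBKDF2 dominates either way.

```python
import hashlib
import time

# IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

# Constructed wordlist for the offline attack below.
WORDLIST = ["letmein", "sunshine", "password", "dragon", "football"]


def wpa_psk(passphrase, ssid):
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def crack_psk(target_psk, ssid, wordlist=WORDLIST):
    """Offline dictionary attack: nothing rate-limits this except the cost
    of wpa_psk itself. Returns (passphrase, guesses) or (None, guesses)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if wpa_psk(candidate, ssid) == target_psk:
            return candidate, guesses
    return None, len(wordlist)


def guesses_per_second(derive, n=100):
    """Measure how fast one guess function runs on this machine."""
    start = time.perf_counter()
    for i in range(n):
        derive("candidate-%d" % i)
    return n / (time.perf_counter() - start)


def compare_rates(ssid="IEEE"):
    """Bare SHA-1 (what a careless site stores) against the stretched WPA
    derivation. Returns guesses per second for each."""
    return {
        "sha1": guesses_per_second(lambda p: hashlib.sha1(p.encode()).digest()),
        "pbkdf2-sha1-4096": guesses_per_second(lambda p: wpa_psk(p, ssid)),
    }


if __name__ == "__main__":
    assert wpa_psk("password", "IEEE").hex() == IEEE_TEST_PSK
    print(crack_psk(wpa_psk("password", "IEEE"), "IEEE"))   # ('password', 3)
    rates = compare_rates()
    print("slowdown factor: %.0fx" % (rates["sha1"] / rates["pbkdf2-sha1-4096"]))
```

The slowdown factor is the whole point of key stretching: the defender pays the 4096 rounds once per login, the attacker pays them once per guess, and the defender gets to pick the number. Note that the SSID salt only stops precomputation across networks with different names; for a common default SSID a rainbow table of PSKs is still feasible, which is why a long passphrase matters more than the salt.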
Re: bad article
What you shouldn't do is write them on post-its and stick them to your monitor.
AC is right
If the Italian guy wants to have a weak password THAT IS HIS RIGHT. Sorry Mr. Moody that you don't like it that other people have rights.
If his computer is used to host a botnet or attack a hospital (REALLY??? SERIOUSLY???) then that will be funny as hell because only an idiot would suggest that THAT is the reason for having a password or a secure one.
Computers are taken over all the time because Windows, not because insecure-password.
Get over yourself.
Ehud
oh yeah, don't follow me on twitter. I am now going to check the byline on Techdirt articles. Masnick yes. Moody no.
Re: AC is right
Funny thing is, while Porro does have the right to be totally insecure and he has the right to put himself at unnecessary risk, Moody has equal rights to criticise and/or mock him for what he said. That's the thing about rights - you can have the right to do something, but that neither shields you from the consequences nor criticism of those actions. I agree that hyperbole was used, but Porro is at least equally guilty of that sin.
Equally, the people whose security policies he's whining about are unlikely to relate to a system he personally controls - it sounds like a website or domain login policy. The people in charge of that system probably have more of a right to keep their systems secure than Porro has to access them. You may disagree that the security policy is necessary, but they have the right to secure their systems in the way they see fit. If someone's rights have to trump another's, I'll go with professionals over someone whining that a password policy is "communism" any day, if only because the latter claim is idiotic.
"oh yeah, don't follow me on twitter"
Isn't it his "right" to follow the information you put out there for public consumption?
Re: AC is right
"If the Italian guy wants to have a weak password THAT IS HIS RIGHT."
And where did he say otherwise? Everyone has the right to be stupid, and everyone else has the right to say "hey, look at the stupid guy!"
The case where you don't have a right to any stupid password you want is when you have an account on someone else's computer or service. A compromised account is a risk to the entire system, not just that account. But on your own machines, go nuts.
Re: AC is right
http://www.bbc.co.uk/news/technology-19280905
In the Reuters case it was SQL injection, but the principle is the same; others may be affected, don't you care about them?
Il Giornale
This wasn't always the case, as Il Giornale was founded in 1972 by the journalist Indro Montanelli, who is considered perhaps the greatest Italian journalist of all time.
I suggest that it's just possible that was what the journalist was aiming at.
A genuine gripe about how secure systems often cause people to behave in insecure ways due to an insistence on a particular password format which they never can remember, especially if it's only one of umpteen different secure and ever changing logins that they are required to have, played with tongue firmly in cheek as if fox news were reporting on it.
On another note, "communist" does not mean what he thinks it does.
On top of that, you can (if it's YOUR hardware) make the choice to have a simple password (though, actually, with Windows, your machine is safer WITHOUT a password, than a weak password). If it's not your system, then you don't get that choice. Same goes with websites, too. You have the option to not use the site, if you don't like their password policies - but that site is just covering their own butt, more so than they are covering yours.
To those griping about FUD? I'd agree with the fear bit. Not so sure about the UD parts though. Working in the information security world, you'd be surprised at the insanity I see. Maybe a bit of fear is needed for some of the PEBKACs out there.
A twit by any other name?
what do you mean, no way? we should do our job that this doesn't happen? dude, making sure you follow the security rules is part of that job and if you don't YOU are the reason if it fails.
It is quite simple, really. security is a matter of choice in a lot of situations, but making that choice also means it becomes your responsibility, especially if it fails. The problem is, that the people that can't be bothered are the very same people that cry blue murder and demand "something be done" if their weak security doesn't hold up. They want others to keep them safe even if they don't want to contribute to it and they deny every responsibility at the same time, because it is "someone else job". They have to either realize that they are part of the security process, or they need to be made to take the responsibility if they don't want to be part of it.
They won't learn without suffering from the consequences.
We don't blame the homeowner when their house gets robbed... after all, most houses are protected by about a cubic inch of wood. Passwords and locks keep honest people out. Those that are really trying to cause harm are not going to be stopped by a password.
Re:
I kinda do if the homeowner left the home protected by just a locked screen door.
Re: Re: Re:
If you leave your house for a few days with the front door open and the screen door locked, then you get robbed, it's not exactly your fault -- but you were a complete idiot.
Re: Re: Re: Re:
I always think the blame lies with the criminal and not the victim. I know many people who never lock their doors; it comes with growing up in a small town. If someone with a locked door and a fancy alarm system gets robbed, they are certainly no less of an idiot than someone without one that gets robbed, in my book. They are just an idiot with a broken window.
Re:
More like "We don't blame the homeowner when their house is used as a methlab for several years and they claim they didn't have any clue".
Re: Re:
Say you live in an apartment, and your neighbor fills their apartment with trash. The trash attracts roaches, which then breed, and now your apartment is filled with roaches too. Most people would probably blame their neighbor.
Re:
Fun fact, we do. The home owners insurance (and car insurance as well) will not cover losses due to negligence. You leave your door unlocked, you are responsible for the losses.
If (and that's a big if) they catch the person who did it, then you can try to get your stuff back or compensation from them, but the insurance companies will do nothing.
I don't see why shared blame is not a thing in some people's worlds.
Re:
Not long enough, no capitals, no numbers, no special characters.
By the time I had picked a password that it would accept, I cancelled the order on the basis that I was never going to remember that password with the passage of time. Ended up ordering from a site I was already registered with that had not made registering quite so irksome.
Con men and phishing and so on work, because they exploit the weakest part of any system, the way people actually behave and respond. When systems security is designed around an idealised method of how people behave, people will remain the weakest part of the system.
The stupidity is strong in this one
That's not democratic. That's not egalitarian. I opposed it for a very long time (as in "decades"). But my Internet/ARPAnet experience, which now spans four decades, has taught me that it's unfortunately necessary. Everyone who has run the experiment of letting users have control has paid for it with failure. Everyone.
And users have not yet learned that they have a responsibility to each other. Being on the Internet is an enormous privilege. But it comes with enormous responsibility, something that most users don't comprehend and few actually shoulder. We are all responsible for each others' security, and a breach of one of us can and DOES affect all of us. So when I read comments like Porro's -- short-sighted, ignorant, asinine, selfish, idiotic -- my response is that he should be forbidden for life from being on the Internet. I judge him unworthy of the privilege because he is refusing the responsibility.
Re: The stupidity is strong in this one
Sorry, the cat's out of the bag. You can wish on a star for the power to control the internet (you're seriously asking for precisely that) but you aren't going to get it. No one will give it to you (or anyone else for that matter) and the engineering of the internet itself will fight back against trying to get that type of control.
And while I won't call your argument communist, it sure as hell sounds a lot like "we need to control you for your own good" progressive bullshit.
Re: Re: The stupidity is strong in this one
Congratulations. You completely missed the point.
I've spent an entire career helping build and advocating for a free, open network built on free, open standards, using free, open code. So I think it's safe to say I'm pretty familiar with "the engineering of the Internet".
However, I also understand that making the Internet free and open REQUIRES making it secure. Haven't you been paying attention? Haven't you noticed that the security problems we face at all levels are enablers for spammers and the NSA, phishers and blackmailers, con men and GCHQ, and every other kind of bad actor out there? Don't you understand that unless we can solve those security problems, all the high-minded prose (e.g. "information wants to be free") will remain a hypothetical, an unrealized dream?
And "making the Internet secure" is, unfortunately, not possible if the task is handed over to end users because they don't know and they will never, ever learn. As Marcus Ranum points out in "The Six Dumbest Ideas in Computer Security" (which is flat-out brilliant, by the way, see http://www.ranum.com/security/computer_security/editorials/dumb/), "if it was going to work, it would have worked by now".
So please, don't give me any flak about "high priests". We tried "educating users"; in fact, sometimes we still try it even though it's pretty obvious by now that it's a strategic failure. Yes, we DO have to do it for you because you won't do it for yourselves. And while we don't always do it perfectly (in fact: sometimes we suck) we have a hell of a lot better chance of pulling it off than you do.
You're welcome.
That would imply he obeys the rules of the road. I have been to Napoly, Italy once, and judging from the traffic there I'd draw the conclusion that Italy has no traffic rules any day....
If he doesn't like it, let him open his own bank and allow weak passwords.
what's the problem?
Re:
Provided they really are strong. I object, however to a bank enforcing rules that seem like a good idea but actually do not improve the password strength at all.
Free to cost other's money
Cue Jokes
Like many posters here I use, and teach the use of, a password manager, with every login having a separate password. If someone got the password to my Twitter account they would not have my credentials to my bank.
Calling this clown a moron is an insult to morons.
expiry
Re: expiry
In fact, password reuse is arguably an even greater problem than having a weak password. If a password is cracked and the damage is limited to access to a single service, that's manageable. If that password is also used for other services, that's a much bigger problem.
Re: Re: expiry
I never asked anyone to change their password. I simply ran every cracking program I could find, in background, on every account, over and over. When I cracked someone's password, I told them and their boss. And I sent them the password to prove it.
Worked pretty well. But of course that was early days, and it wasn't even my primary job. Maybe if I'd had a lot of formal training I could have come up with something way better. Like a bunch of increasingly angry memos about password safety from something called the "IT Department".
Second: Anyone who has worked in an office should know forcing stronger passwords inevitably means weaker security. If your average worker can't remember their passwords easily, they write them on a sticky note on their monitor.
Re:
Your second point is not universally true. In my workplace, very strong passwords are strictly enforced and have to be changed frequently. Nobody writes them on sticky notes on their monitors. In practice, once you've typed a new password all day long, you have it memorized regardless of how complex it is.
Re: Re: Re: Re:
People do keep logs of old passwords, but that's acceptable so long as they're kept in a secure fashion (not kept on the computers you use the passwords on, under strict physical control or encrypted, etc.)
Re: Re: Re: Re: Re:
Frankly the nonsense of requiring regular password change has been debunked long ago.
Here http://all.net/Analyst/netsec/1997-09.html
for example.
Re: Re:
Works if you only have one or two passwords - however most people these days have many services that require a password (often for no good reason). Often we use these services quite infrequently, so "once you've typed a new password all day long" doesn't apply.
My 4 important passwords are all different and all reasonably strong - but the 15 or so other ones are all the same. Making them different and changing them every few weeks would be just about impossible - I would be constantly using password reset.
Ridiculous
Or how about, hey, maybe the dude just doesn't care if his Techdirt password is stolen. Or NYTimes password. Or the password for any of a million other sites that pose no risk to the user if stolen. Nope, making that logical inference would require more common sense than Mr. Moody could possibly muster.
"password theft"
Copying is not theft.
If you don't want to use a complex password to protect a database, then have more than one database.