Weak passwords stored in browsers make hackers happy
Insecurity complex still rife shock
Nearly a quarter of people (23 per cent) polled in a survey by Symantec use their browser to keep tabs on their passwords.
A survey of 400 surfers by Symantec also found that 60 per cent fail to change their passwords regularly. Further violating the 'passwords should be treated like toothbrushes' maxim (changed frequently and not shared), the pollsters also found that a quarter of people have given their passwords to their spouse, while one in 10 people have given their password to a ‘friend’.
Password choices were also lamentably bad. Twelve of the respondents admitted they used the phrase 'password' as their, err, password while one in ten used a pet's name. The name of a pet might easily be obtained by browsing on an intended target's social networking profile.
Eight per cent of the 400 respondents said they used the same password on all their online sites, a shortcoming that means a compromise of one low-sensitivity account hands over access to a victim's more sensitive webmail and online banking accounts. The survey respondents came from readers of Symantec's Security Response blog, who might be expected to be more security savvy than the general net population, though the survey shows many of them making the same basic errors that crop up time and again in password security surveys.
Symantec has published its findings, together with a list of suggestions for picking better passwords (a basic but woefully overlooked security precaution), in a blog post here.
The net security firm advised computer users to pick a mix of numbers, letters, punctuation, and symbols when picking passwords. This may be derived from taking a memorable phrase and altering it by replacing characters with symbols, for example. Surfers should avoid personal information, repetition and sequences in passwords, Symantec further recommends. ®
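The advice above, turned into a checker as an added example (not code from the article or from Symantec): it flags the failings the survey names, the word 'password', a pet's name or other personal information, repeated or sequential characters, and too narrow a mix of character classes. The personal-information list, the small common-word list and the 12-character minimum are assumptions constructed for the example.

```python
import re

# Constructed for the example: words a real checker would pull from the user's
# profile (pet's name, first name, birth year) so they cannot appear in the password.
PERSONAL = ["rover", "alice", "1984"]

# Assumed small blocklist; a deployment would use a full leaked-password list.
COMMON = {"password", "letmein", "qwerty", "123456"}

def has_repetition(pw, run=3):
    """True if any character repeats `run` or more times in a row (e.g. 'aaa', '!!!')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def has_sequence(pw, run=3):
    """True if `run` consecutive characters step by +1 or -1 (e.g. 'abc', '321', 'zyx')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False

def char_classes(pw):
    """Count the distinct classes present: lower, upper, digit, punctuation/symbol."""
    classes = [str.islower, str.isupper, str.isdigit,
               lambda c: not c.isalnum() and not c.isspace()]
    return sum(any(f(c) for c in pw) for f in classes)

def check_password(pw, personal=PERSONAL):
    """Return the list of problems found; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if low in COMMON:
        problems.append("common word")
    if any(p.lower() in low for p in personal):
        problems.append("contains personal information")
    if has_repetition(pw):
        problems.append("repeated characters")
    if has_sequence(pw):
        problems.append("sequential characters")
    if char_classes(pw) < 3:
        problems.append("fewer than three character classes")
    if len(pw) < 12:  # assumed minimum; the article states no length
        problems.append("shorter than 12 characters")
    return problems

if __name__ == "__main__":
    for candidate in ["password", "Rover2024!", "abc123XYZ!!!", "Mab7$kQ!v2Zp"]:
        print(candidate, "->", check_password(candidate) or "OK")
```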
Agree with most of the above, especially the impossibility of remembering multiple, constantly-changing passwords. One thing the article doesn't mention is that browsers store passwords in plain text. I was expecting details of a hacking attack that stole the browser password file.
On a completely separate note, if you want readers to vote on comments, get some bleedin' ajax on your site so we don't have to wade through two page loads just to register a single thumbs-up or -down.
100 "Different" passwords that you change on a regular basis, don't write down and can't be related to anything in your life.
Nice idea for sure, but not practical unless you want to be constantly clicking on "forgotten password" links.
I can't argue with the logic but it'll never be practical unless we go Johnny Mnemonic.
Did we really need Symantec to tell us this?
Did they even really need to do the research? They could have just cut&pasted the results from any number of previous surveys, instead. Of course users let their browsers store their passwords for them: their browsers prompt them to do so.
Also, I don't go along with this 'change passwords frequently' crap. The toothbrush analogy is one of those trite-isms that sounds terribly wise - until you realise that what is being advocated is a system that forces users to rotate between a handful of memorable-enough passwords on a regular basis - or, worse still, forces them to think of some new, unique (and, therefore, in all likelihood, even easier to remember/guess) password every few weeks or so (and then immediately begins prompting them that their password is about to expire in a few weeks, of course!)
Just let the user select one, secure, password; tell them not to share it; tell them not to write it down; sack them if they do either of those things, and let them keep the damn thing for all eternity... If you really think someone might be trying to force-crack your password system, then any attack worth bothering with is going to take far less time than your enforced password-changing regime. Maybe you should be considering moving to a more secure password system, instead of beating up your users?
While we're on that tack, let's have a survey of all the applications that don't enforce passwords correctly, store the results in plain text, allow multiple users to share a session, embed human-readable data in things like querystrings, or just run the entire application logged in to the database as root/sa - with a blank password?