Archive for March, 2010

Password survey results

Wednesday, March 31st, 2010

I ran across an interesting password survey conducted by Kevin Haley at Symantec. About 450 people answered his 9 straightforward questions. When thought about a bit, some of the results are pretty interesting.

The first question asked about the number of passwords. 33% of all respondents said that they have 10 or fewer password-protected accounts (networks, websites, etc.). Mind you, these folks took an online survey. As best as I can tell, they had to log in to participate in the survey, which is entirely appropriate, but that would mean that that was one of their passwords – right?! My point is that most people severely underestimate the number of password-protected accounts they have. I’ve mentioned it in earlier blogs – stop someone on the street and ask how many accounts they have and you’ll get an answer like ‘just a few’, ‘maybe 10 or so’, or some small number. But when you think about most people (not technology geeks), you quickly see that even a basic Internet user will easily have 10 accounts, and probably more. Average users will likely have 20, 30 or more. Think about your own password-protected accounts:

1. free webmail (yahoo, gmail, hotmail, etc.)

2. email from your service provider (aol, comcast, earthlink, …)

3. facebook or other social network, maybe multiple networks

4. work

5. Amazon and other online shopping sites

6. Travelocity and other travel sites

7. online subscriptions (newspapers, magazines, newsletters, …)

8. just about any online blog to which contributions are made

That’s not to mention banks, credit cards and other financial accounts like retirement and investment accounts, government sites, libraries and local services, airlines, as well as cell phone accounts, utilities, and so on. This is interesting because one likely result of this underestimation is that many people entirely misunderstand the threat to their data, which their passwords are supposed to protect. If there’s no threat, then you don’t need to manage anything – right!?

The response to question 6 flows from the first: if you don’t think there’s a lot to remember (i.e. that you have only a few passwords), then you’re bound to think you can keep it all in your head. 60% of people responding said that their ‘memory’ was their method for remembering passwords. I’ll bet a dollar to a donut that these folks’ passwords aren’t the strongest on the block. Still, quite a few (7%) admitted to storing theirs on post-it notes next to the computer.

Questions 2 and 3 were about choosing passwords. Just over eighty percent (80%) indicated that they recycled or duplicated their passwords to some extent. This would seem to contradict the 71% of respondents who selected ‘strength’ as one of the most important factors when selecting a new password. I thought the 9% who selected passwords because they were ‘fun or interesting’ were at least a little more aware of what was going on. (In general, this isn’t a good attribute in a strong password.) A fun or interesting password is a big aid in remembering it, but that also creates the temptation to share it with others. And then there’s the risk that others also know that your cat’s name is ‘Precious’.

The detailed results of the survey are worthwhile and so is Kevin’s commentary.

Passwords fail because of human nature: we are driven to make things easy for ourselves. Good passwords require the opposite.

Peter L

Random happenings in the world of passwords

Tuesday, March 30th, 2010

Recently, I was in a meeting where several people gave presentations via a projector. As almost always happens, there were minor glitches in transitioning the projector connection from one notebook computer to the next. As part of her presentation, one unsuspecting person needed to log in to a site. Without looking at the screen to see what was actually being displayed, she typed her login and password and clicked ‘ENTER’. She then looked up and saw that she had accidentally entered her password in the ‘NAME’ field. The result was that for several seconds, 9 strangers saw her full access credentials for the site. Nobody said anything. She cleared the fields and ran through the process again – this time successfully.

At the break, after talking about the material she presented, I quietly suggested that she change her password. “What do you mean?” When I explained that there were 9 additional people who now knew her information, she looked surprised. “Oh, that little slip when I started! I’m sure that no one here has any reason to do anything funny.”

We humans are a trusting species, especially when face-to-face contact is involved. Unless we have a specific reason to be suspicious of someone, we usually give people the benefit of the doubt about possible bad intentions. That’s fine and necessary for our daily lives: the local grocer and paperboy don’t want to rip us off; if we didn’t trust the other drivers on the road, then we would never be able to get anywhere. But we still have keys to lock up our stuff.

As for accidentally revealing all or part of a password, I’ve had it happen to me at inopportune moments in the past, and it’s not that uncommon to see it when working with people at a projector or a monitor. The people sitting around may or may not notice what happened, and they probably aren’t interested in your passwords. But you never know. And why would you take the risk? Next time something like that happens to you, make sure you go back at the first opportunity and change that password.

Peter L