77 Comments
- felchdonkey, on 10/12/2007, -1/+35
Which is exactly why people SHOULD write down their passwords.
If you tell people to never write their passwords down, they pick easy-to-remember things, and tend to use the same one over and over again.
Come up with a strong password, write it down, and keep it in your wallet. Guard it like you guard your credit cards, and treat it the same.
If you lost your wallet, you'd change your credit card numbers - so do the same with your passwords.
It's absolutely moronic that CNET would put up an article like this, when they themselves wrote about why it is GOOD to write down passwords: http://news.com.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html

- noodlez, on 10/12/2007, -1/+28
simple passwords aren't the only problem.
people just don't really care about them, don't associate them with needing to be secure.
for my final project in a network security class, where the final grade was based on compromising other students' linux boxes in a closed lab, i sent out an email as my professor (with his permission, gmail address) to the kids in the class asking for their passwords. a little over 1/2 of the kids, kids in the security class, gave them to me. i got an A.

- jasper976, on 10/12/2007, -1/+21
I understand the security issues, but forcing me to change 6 different passwords every few months is a bitch. People write them down because they will forget them.
- polyGone, on 10/12/2007, -0/+15
If they go to biometrics, I'll cut off my finger and stash it under my keyboard. :P

- mt066, on 10/12/2007, -0/+12
If people all stopped writing them down, this article would be called "1 in 3 workers call tech support because they forgot their password".

- doctorcaligari, on 10/12/2007, -0/+9
I choose my passwords using an Ouija board. Then I encrypt them in a password-protected file, using a random-number generator to generate that password. Then I embed everything into a RAR file with another randomly-generated program, and hide the RAR file inside of a JPEG. Then I name the JPEG "jenna_jameson.jpg" and throw it out onto Bittorrent.

- doorock42, on 10/12/2007, -1/+9
Yes... and the fact that you can't use the same password until three or four months have passed, and the passwords have to have x level of uniqueness (at my old job, at least five characters had to be different), it just gets tiresome.

- sebnukem, on 10/12/2007, -0/+8
I neatly print my passwords using a label printer and neatly stick them on my monitor. I have about 50 of them by now. While I can't remember a password, I can remember where it's located on my monitor. My system gets more and more secure with time.

- dodoporridge, on 10/12/2007, -0/+8
"I filed a recommendation for termination for that exec. *crosses fingers*"
Well, I AM that executive you speak of, and I learned of your recommendation and replaced it with my own for YOUR termination! Muahahahahahahahahahahahahahahaha!!!!!!!!!!!!!!!!!!!!!!!

- BigManOnCampus, on 10/12/2007, -0/+6
I tend to agree. Human beings sometimes remember things better if they have previously written them down. I'm one of those... so when I change a password, I write it down. I will typically destroy whatever I've written it on later (after I'm sure I've memorized it), but I will write it down.
Also, in some situations, the password is written down and taped to the monitor because it is a community computer and everyone needs to know how to log into it.

- deadgoon42, on 10/12/2007, -0/+5
It figures. Where I work we have at least 9 different programs that require a password. None of the systems interconnect, so each one has to be set separately. Most people just set them all the same, but they don't all reset at the same time, so that is difficult to maintain. In order to save myself a lot of trouble I HAVE to write my passwords down. I know most of the people I work with do the same thing. It's too difficult to change 9 different passwords every month and keep it straight in your head.

- shertzerj, on 10/12/2007, -0/+5
With as often as I have to reset people's passwords at work every day, I *wish* some people would write them down. Security be damned! They're not MY files. ;P

- awm4, on 10/12/2007, -0/+5
I have 5 different passwords that I have to memorize. They all are required to be changed every 3 months. The problem is they all change at different times within those three months. You cannot reuse any password or variation of any previously used password (no .1, .2, .3). They must contain both upper and lower case, and they must include at least two numbers and one form of punctuation.
Trust me, it sucks.

- cyclescott, on 10/12/2007, -0/+5
What jasper976 said. Some places have such draconian password policies that one has to write them down or else forget them. Let's see, I have to create a password for a system I use once every other month, but it has to be 8 chars long, no repeating chars, contain numbers, symbols and a mix of cap/lower case. And if I guess wrong 3 times, I'm locked out and have to fill out 2 forms and wait a week to get access again? I better write that down...
- cody50, on 10/12/2007, -0/+5
You'd be amazed by how many passwords are just "password" or the person's last name. We had to set up a server for a local police department and every single user password they gave to us was the officer's last name.

- wwwdot1jesdotus, on 10/12/2007, -0/+5
So they are requiring passwords 12 characters in length, at least one numeric, alpha, symbol etc., and don't expect people to write them down?

- Jwoey, on 10/12/2007, -0/+3
mine's hunter2, but when i write it out all anyone sees is *******

- totorototoro, on 10/12/2007, -0/+4
..And the other 2/3rds use "password" or "1234" as their password.

- r00tus3r, on 10/12/2007, -1/+5
I stand by this statement. There is NOTHING wrong with writing down passwords as long as they are kept secure, as in under lock and key. If you're going to write down your passwords and leave them under your keyboard, well, that's another issue entirely.

- thewebguy, on 10/12/2007, -5/+9
writing down a password doesn't automatically make it insecure. marked as inaccurate.

- NewChar, on 10/12/2007, -3/+6
Yup, often the password is written on a sticky note taped to the monitor. Scary stuff.

- Phrag, on 10/12/2007, -0/+3
When I was first hired as a PC Tech, I walked around my office to install an upgrade for the networking software that we used. Now no one knew who I was, but because I was a young white male dressed in business-casual clothing, the vast majority told me anything I wanted to know without even asking my name. People are way too trusting.
I do security administration now and I would say that at least 1 in 3 passwords include the company name, part of the user name or the name of one of the user's family members.

- alsutton, on 10/12/2007, -0/+3
Many companies use a password safe, which makes people think about their passwords and discourages (or explicitly stops) people using "dumb" passwords, and also stops them needing to have somewhere to write it. The passwords are put into the shared safe to ensure that if something happens to them (holiday, accident, etc.) things can still carry on. One of the best solutions I've seen is from http://www.argosytelcrest.com/enterprise_password_safe.html

- HardwareLust, on 10/12/2007, -0/+3
Kevin's just hedging his bets just in case this whole writing books/wearing a white hat thing doesn't work out in the end. =)

- inactive, on 10/12/2007, -0/+3
"Writing it down is the ONLY way to recall a 30-day lasting, un-rememberable password."
That's crap. For personal passwords use a memorable, strong password. Passphrases are easy to remember, easy to type and very strong.
A phrase like "All the king's men." includes multiple special characters, is 19 characters long, has upper and lower case, is easy to remember and is easier to type than 8u1!5h*7.

- inactive, on 10/12/2007, -0/+3
Expiring passwords are also a bitch. Having the same password used for all our corporate intranet stuff, I saved it in Firefox. One day after I had to change it, I logged in with the new one, and opened all my usual windows. Firefox generated several invalid login attempts, so my account got locked out because it looked like somebody was brute forcing it (with the same password?). Got me a day off since the guy who resets them was out.
/I just realized there are probably security implications for discussing company password policies in a public forum. Ah well, at least I'm not announcing our obvious security flaws.

- fanboydcs, on 10/12/2007, -0/+3
I truly believe that a complex password written down on a sticky in their wallet or purse is much more secure than some bogus easy dictionary password they are going to remember.
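Several posters above spell out the rules their employers enforce: awm4 (two digits, one punctuation mark, no ".1 .2 .3" variation of an earlier password), cyclescott (8 characters, no repeating characters, mixed case), doorock42 (at least five characters changed) and Phrag and cody50 (passwords built from the user's own name), while inactive holds up the passphrase "All the king's men." as the memorable alternative. The Ruby below is an added example, not code from the CNET article or from any poster, that encodes those rules as one checker so the two views can be compared on real input. The thresholds are the ones quoted in the thread; "no repeating chars" is read here as no character repeated back to back, and the password-history and account-name inputs are assumptions about how such a checker would be fed.

```ruby
# Password-policy checker assembled from the rules quoted in this thread.
# Added example, not code from the article or any poster. Thresholds are the
# posters' numbers; the history and username inputs are assumed.
module PasswordPolicy
  MIN_LENGTH  = 8   # cyclescott
  MIN_DIGITS  = 2   # awm4
  MIN_PUNCT   = 1   # awm4
  MIN_CHANGED = 5   # doorock42: at least five characters had to differ

  # Returns the list of rule violations for +candidate+; an empty list means
  # the password is accepted. +history+ runs oldest to newest, so its last
  # entry is the password being replaced. +username+ is the account name.
  def self.violations(candidate, history = [], username: nil)
    v = []
    v << "shorter than #{MIN_LENGTH} characters" if candidate.length < MIN_LENGTH
    v << 'no lowercase letter' unless candidate.match?(/[a-z]/)
    v << 'no uppercase letter' unless candidate.match?(/[A-Z]/)
    v << "fewer than #{MIN_DIGITS} digits" if candidate.count('0-9') < MIN_DIGITS
    # Anything outside letters and digits counts as punctuation here.
    v << 'no punctuation' if candidate.count('^a-zA-Z0-9') < MIN_PUNCT
    # cyclescott's "no repeating chars", read as no back-to-back repeat.
    v << 'a character is repeated back to back' if candidate.match?(/(.)\1/)
    if username && !username.empty? && candidate.downcase.include?(username.downcase)
      v << 'contains the account name'
    end
    history.each do |old|
      v << 'reuses an earlier password' if old == candidate
      v << 'is a trivial variation of an earlier password' if trivial_variation?(old, candidate)
    end
    if (previous = history.last) && changed_positions(previous, candidate) < MIN_CHANGED
      v << "fewer than #{MIN_CHANGED} characters changed from the previous password"
    end
    v.uniq
  end

  def self.acceptable?(candidate, history = [], username: nil)
    violations(candidate, history, username: username).empty?
  end

  # awm4's ".1 .2 .3" rule: same core once trailing digits and punctuation are
  # stripped, compared case-insensitively.
  def self.trivial_variation?(old, candidate)
    return false if old == candidate
    core = ->(s) { s.sub(/[\d[:punct:]]+\z/, '').downcase }
    !core.call(old).empty? && core.call(old) == core.call(candidate)
  end

  # Number of positions at which the two strings differ; extra length counts
  # as changed positions.
  def self.changed_positions(old, candidate)
    [old.length, candidate.length].max.times.count { |i| old[i] != candidate[i] }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: a random-looking string, cody50's "password",
  # inactive's passphrase, and an awm4-style increment of a previous password.
  samples = [
    ['Wj4m!Pq7x', []],
    ['password', []],
    ["All the king's men.", []],
    ['Wj4m!Pq7x2', ['Wj4m!Pq7x1']]
  ]
  samples.each do |pw, history|
    v = PasswordPolicy.violations(pw, history)
    puts "#{pw.inspect}: #{v.empty? ? 'accepted' : v.join('; ')}"
  end
end
```

Run as a script, the checker accepts the random-looking string and rejects "password" on four counts, which is the intended effect of such a policy. It also rejects inactive's passphrase, for having no digits and for the "ll" in "All", and flags the "...x1" to "...x2" change both as a trivial variation and as too few characters changed, which is the cost side of the same policy that several posters are describing.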
- Phrag, on 10/12/2007, -0/+2
While reading this article I got a call from a user whose password is his user name. Oh the irony.

- inactive, on 10/12/2007, -1/+3
I'm doing the same thing, by repeating the last character n times. Problem is I've been through like 7 cycles of doing this, so now it takes me more than 3 attempts to get it right.

- jasper976, on 10/12/2007, -0/+2
@ noodlez
I have done the same thing in the past; however, like doorock mentioned, more characters need to be unique now so it doesn't work anymore. It takes a few minutes to create a password now that doesn't get rejected. I usually just mash my keyboard now. :)

- noodlez, on 10/12/2007, -2/+4
use the same password for all 6 :)
i have a nice system, it's a random letters/numbers/symbols that i memorized a while ago as an old password, and when i needed to change it, i increment one specific number. so if i forget which password it is, it'll always be within the certain range.

- curtissthompson, on 10/12/2007, -1/+3
You make good points, but to be fair they were only reporting news from a study and from a "MS security guru"; it wasn't like these were just opinion pieces by the same author or something. Furthermore I like the fact that they took a look at both sides of the argument fairly, even if it does look a little like hypocrisy or doublespeak, as they cited the above mentioned sources behind their articles' arguments/points. I'd like to see more news agencies do this, rather than decide on their position, and write only from that angle.

- HardwareLust, on 10/12/2007, -0/+2
Security be damned is right. 9 different programs? Ha, that would be luxury. My current job requires me to keep over *30* different logins...most of which must be changed every 90 days, and each with varying levels of complexity because of different vendors. There's NO WAY I could keep track of all these logins without writing them down, even using a simple system like using a base word with a number.
And, thewebguy is absolutely correct. Merely writing down a password doesn't automatically make it insecure. Security applies to physical objects as well. I don't keep them on a sticky on my monitor. My logins are kept in a secure space, locked in a drawer, of which I have the only key. Considering I don't have nuke missile launch codes or offshore bank account numbers, that's enough security for what I do.

- dmason, on 10/12/2007, -0/+2
Kevin Mitnick recommends writing down passwords in the book Art of Deception. IIRC, the reason was that if you don't, you probably won't make a good password to begin with.

- doorock42, on 10/12/2007, -0/+2
A similar policy was in place with the Benefits system at my old job. The worst part is, most people only accessed Benefits about once every quarter, and if you don't use something, you forget it.

- noodlez, on 10/12/2007, -0/+2
@doorock42
yech. well, could still use my suggestion, just increment 5 characters. as long as you remember the base password and the characters incremented.

- Jerim, on 10/12/2007, -0/+2
There is nothing wrong with writing down passwords. Since humans are not computers, and we can't instantly recall every single detail, unfortunately we have to have a record of the information somewhere.
As an IT professional, I have dozens of un/pw combos to remember. There is no way I can remember every single one. And what happens if I ever forget one? Either I have to go through a lengthy pw recovery process or I have to wipe something and start over from scratch. I have no problem writing down passwords. It shouldn't be a taboo. What should be watched is where those written passwords wind up. Are they in a secure area or left out in the open?

- judoworm, on 10/12/2007, -0/+2
Having worked in news I'm a little jaded about these kinds of "studies".
It's the common way for companies to advertise their services by masquerading as news. You can bet this was commissioned by some large biometrics company to spur some interest. Pay attention to every "study" put into the news and a good number of them turn out to be somewhat clever marketing.
(The silliest example I've seen of this, and shame to say, the paper I worked for printed it, was one by Crayola, "What's your favourite color?". Blue, apparently.)

- Thujone, on 10/12/2007, -0/+2
Due to ridiculous requirements and short cycles on passwords you can find my password for work written right on my phone list above my phone. Strange how much more secure all of my personal passwords are since I can keep them long enough to memorize them.

- HardwareLust, on 10/12/2007, -0/+2
And his behavior is just as much your fault as it is his. You couldn't be bothered to offer him any helpful advice or tools to help make remembering his password easier, you just said to him "don't do that". If the users of the system you administer have security problems because the password requirements are too rigorous for them, then it's *your* job to help them and give them the advice and/or tools to help them keep the system secure.
You exhibit the typical surly and combative nature of most sysadmins and IT departments. There's a great many problems, including security, that could be reduced or eliminated if sysadmins didn't spend most of their day cursing the very users that are responsible for their employment in the first place.

- nalf38, on 10/12/2007, -0/+2
of course we write our passwords down. it's the smart thing to do, depending on where you keep the piece of paper with all your passwords on it. i have five different passwords that i use at work that all change every three months, and i have to write it down to remember them for a while. otherwise, i'd just use the same password five times, and that's less secure.
- rayblasdel, on 10/12/2007, -0/+2
I get a random 10-16 char alphanumeric password each month for my windows login. And that doesn't include the 2-3 continually changing server passwords I have to update. I have a mini-notebook of active and inactive passwords. T.T
I would really like to see some security/biometric advancements that are actually secure.

- inactive, on 10/12/2007, -0/+2
@OrangeTide
Couldn't agree with you more, but it should also be against company policy to password protect worthless stuff. It's like we have an armed guard blocking the bathroom.

- OrangeTide, on 10/12/2007, -0/+2
@ doctorcaligari
If you use an Ouija board, why don't you just get your passwords by using the Ouija board again? Thus storing your passwords in the spirit world.

- sdether, on 10/12/2007, -1/+2
Totally agree. How often do you have someone steal your wallet or rifle through it? Now compare that to a weak password that isn't written down but you use everywhere because it's the only one you can remember.
Even if you use a strong password, the moment you use it in two places, you have made each place a liability of the security of the other.
Back in the ancient days, I ran a BBS. Another BBS got hacked and the password file cracked, and shortly after that my BBS went down because my co-sysop used the same password (albeit a strong one) on the other BBS.
At least with a wallet, I know when someone's got it and my passwords are at risk.

- romulusnr, on 10/12/2007, -0/+1
When I was a sysadmin for an ISP, we wrote down our root passwords -- in a verbal "code", to serve as a mnemonic for the real password.
So e.g. "W@+(m=" would be remembered via "we are the champions my friends".
It's not all that hard to make rememberable, yet combinatorically secure passwords.

- Fizzyboy, on 10/12/2007, -0/+1
>> "It's these higher order techniques that companies need to shift to in order to get away from passwords," O'Connell said.
This is entirely unnecessary. The article exaggerates the number of people that forget their passwords. Implementing biometrics and other such systems will only cost you more money and headaches.

- regeya, on 10/12/2007, -0/+1
When people started handing me their kids' names, last names, etc. for passwords, I started generating passwords. I agree with another poster that it's a GOOD idea to write down the passwords, though there are smart ways to do this. Also, guard the password with your life, and if you lose it, or if more than one person has the password and one of them quits (especially if they quit in a huff), change it.
My password generator is a Ruby rewrite of SopPasswd. The original is a Perl script and I wanted a version I could understand. I suppose I should share it because I added simple things like command-line options. :-) All it does is take a word length and a segment length, use fragments of words from /usr/share/dict/words, and pad out the rest with random numbers. An example with the defaults would be this:
kerrea7
That satisfies the average password requirements, and you'd be surprised at how quickly one can memorize it, and how many of these one can remember.

- OrangeTide, on 10/12/2007, -1/+2
@ VTmruhlin
It is against my company's security policy to have saved passwords in the browser. And it ought to be your own personal policy as well; it is trivial to extract the stored passwords in a browser. Even if you encrypt them, the encrypting password is typically not very strong and is almost never changed.

- Pawfoots, on 10/12/2007, -1/+2
Sadly, I must admit that I write down multitudes of passwords myself. Our company even has very good "ways" to keep everything secure that I am most likely compromising. I do keep my written passwords very secure (either on my person or in a double locked drawer), but still vulnerable in some ways.
Noodlez - great project and congratz on the "A".
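regeya describes a generator a few posts up that glues fragments of dictionary words together and pads the rest with random digits, giving output like "kerrea7". The Ruby below is an added example of that construction; it is not regeya's script and not SopPasswd. A small constructed word list stands in for /usr/share/dict/words so it runs offline, the defaults of 7 characters total and 3-character fragments are inferred from the shape of the sample output, and the random source is injectable (SecureRandom by default) so the behaviour can be pinned in a test.

```ruby
require 'securerandom'

# Pronounceable-password generator in the style regeya describes: fixed-length
# fragments cut from random dictionary words, padded out with random digits.
# Added example, not regeya's code or SopPasswd. The word list, the defaults
# and the injectable +rng+ are assumptions made for this illustration.
module FragmentPassword
  # Constructed stand-in for /usr/share/dict/words so the example runs offline.
  WORDS = %w[kernel reason mountain harbor silver candle orbit pillow lantern
             meadow cobalt thunder violet garden marble falcon].freeze

  DEFAULT_LENGTH  = 7   # inferred from "kerrea7": six letters plus one digit
  DEFAULT_SEGMENT = 3   # inferred from "ker" + "rea"

  # Returns a password of exactly +length+ characters: as many whole
  # +segment+-letter fragments as fit, then digits to fill the remainder.
  # +rng+ must respond to rand(n); SecureRandom does, and so does Random.new(seed).
  def self.generate(length: DEFAULT_LENGTH, segment: DEFAULT_SEGMENT,
                    words: WORDS, rng: SecureRandom)
    raise ArgumentError, 'length must be positive' unless length.positive?
    raise ArgumentError, 'segment must be positive' unless segment.positive?
    usable = words.select { |w| w.length >= segment }
    raise ArgumentError, 'no word is long enough for that segment' if usable.empty?

    fragments = length / segment
    body = Array.new(fragments) { fragment(usable, segment, rng) }.join
    digits = Array.new(length - body.length) { rng.rand(10).to_s }.join
    body + digits
  end

  # One fragment: a random +segment+-letter slice from a random word, so the
  # output stays pronounceable without being a dictionary word itself.
  def self.fragment(words, segment, rng)
    word = words[rng.rand(words.length)]
    start = rng.rand(word.length - segment + 1)
    word[start, segment]
  end
  private_class_method :fragment
end

if $PROGRAM_NAME == __FILE__
  puts FragmentPassword.generate                         # e.g. six letters + one digit
  puts FragmentPassword.generate(length: 10, segment: 4) # eight letters + two digits
end
```

The length arithmetic is the part worth noticing: with the defaults, two 3-letter fragments fill six of the seven positions and a single digit fills the last, which is exactly the shape of "kerrea7"; asking for a length that is not a multiple of the segment size simply pads more digits, so the policy minimums discussed above (length, digits) fall out of the two parameters rather than a separate check.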