Why asking you to change your password makes it easier to hack the system

frogboy

In memoriam 1961-2018
Thread author
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
WASHINGTON
The requests cascade in: Reset your password. Update your anti-virus program. If, as a computer user, such digital demands irritate you, you may have computer “security fatigue.”

It’s an actual phenomenon, studied by behavioral scientists and computer security experts. It happens when users get bombarded with security warnings and demands for compliance. As a result, the studies show, three-quarters of computer users know how to make strong passwords but don’t practice what they know. It just seems too overwhelming.

After all, average users have dozens of accounts that require logins and passwords.

“We’ve been coming to realize that we’ve been asking people unreasonable things in terms of passwords,” said Dr. Lujo Bauer of the school of electrical and computer engineering at Carnegie Mellon University in Pittsburgh.

“It’s not possible to create 100 strong passwords that are unique and actually remember them. It’s even worse if we have to periodically change them,” he added.

A new government study titled “Security Fatigue” argues that users feel it’s gotten too hard to maintain adequate security, so they’ve grown careless. Security may be getting worse.

“Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security,” warned the study by the National Institute of Standards and Technology, a unit of the Commerce Department.

And, hey, it’s not just average users. Think Silicon Valley tech honchos. Some of them just reuse the same simple password for multiple sites, a big no-no for computer security.

How else did Mark Zuckerberg have his Twitter and Pinterest accounts hacked last June? His password for both accounts was “dadada,” according to the hackers. Then there was Hillary Clinton campaign Chairman John Podesta, who this week had his Twitter account, his iPhone and his iPad hacked because he apparently used the same password for his Apple ID and Twitter.

Concern about online security grows apace with the frequency and volume of hacks of retailers, banks, social media and other sites that let vast numbers of passwords fall into the hands of hackers. So far in 2016, more than 500 million passwords have been leaked, according to a new study from LastPass, a password manager product from Logmein.com, a Boston-based software and cloud management company.

“What you hear about is just the tip of the iceberg. People don’t even know that they’ve been hacked,” said Joe Siegrist, vice president of LastPass.

“It’s probable that everybody in the United States has lost a password or had one stolen, and they don’t even know about it,” Bauer said.

Problem is, if you reuse the password and it got swiped from LinkedIn or Ashley Madison or some other site that was hacked in the past year or so, maybe your bank account or social media account is at risk, experts said.

LastPass arranged a survey of 2,000 adults in the United States and five other developed countries to explore their password habits, and found that 91 percent know there is a risk to reusing passwords but 61 percent continue to do so.

Full article: Why asking you to change your password makes it easier to hack the system
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I am quite good at coming up with unique long passwords.
I use a name of a person, place, or thing that I am familiar with.
1> First I find the name; for example, I have a "SkyScan" atomic clock in my PC room.
2> Next I play with the letter, number, and symbol combos that I can use to represent that word:
SkyScan = 5ky5CaN
or
SkyScan = SkY5cAn
That is just one example; you can do this with much longer words. I have a 25-character PW that I have had for many years and that is still in use.
The thing that helps is associating it with something within your everyday life so it's easy to recall; you can use the name of your pet, router, dishwasher, etc.
The longer the name the better, and the easier it is to come up with different combos ;)
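As an added example (not code from the article, from LastPass, or from either poster), the following Python audit runs over a constructed password vault and flags the two risks this thread discusses: one password reused across several sites, as in the Zuckerberg case from the article, and a familiar word dressed up with letter-for-digit substitutions, as in the scheme in the post above. For the second case it estimates how much work the substitutions add over guessing the plain word. The vault, the word list and the substitution table are constructed assumptions, not real data or any standard.

```python
"""Password-hygiene audit over a constructed vault.

Added example for this thread; not code from the article, from LastPass,
or from either poster. It flags the two risks discussed on the page:
one password reused across several sites, and a familiar word dressed up
with letter-for-digit substitutions. Vault, word list and substitution
table are constructed sample data, not a standard of any kind.
"""
import math
from collections import defaultdict

# Assumed substitution table: which digits/symbols commonly stand in for
# which letters. Constructed for this example.
LEET_INVERSE = {"o": "0", "l": "1", "e": "3", "a": "4@", "s": "5$", "t": "7"}
LEET_FORWARD = str.maketrans({sub: letter
                              for letter, subs in LEET_INVERSE.items()
                              for sub in subs})

# Constructed stand-in for a real dictionary of familiar words.
WORDLIST = {"skyscan", "password", "dadada", "pittsburgh", "washington"}

# Constructed vault: site -> password. Values chosen to exercise each check.
VAULT = {
    "twitter.example": "dadada",
    "pinterest.example": "dadada",
    "bank.example": "5ky5CaN",
    "mail.example": "river lantern copper eleven",
}


def normalize(password):
    """Undo the substitutions and fold case: 5ky5CaN -> skyscan."""
    return password.translate(LEET_FORWARD).lower()


def bruteforce_bits(password):
    """Search space in bits if the password were random over the character
    classes it uses: length * log2(pool size)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def dictionary_bits(password):
    """Effective bits when the password is a word-list entry with case and
    substitution tweaks: pick the word, then pick one variant per letter.
    Returns None when the normalized form is not in the word list."""
    base = normalize(password)
    if base not in WORDLIST:
        return None
    variants = 1
    for ch in base:
        choices = 2 if ch.isalpha() else 1          # lower or upper case
        choices += len(LEET_INVERSE.get(ch, ""))    # plus each stand-in
        variants *= choices
    return math.log2(len(WORDLIST)) + math.log2(variants)


def find_reuse(vault):
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def audit(vault):
    """Produce one finding line per issue in the vault."""
    findings = []
    for pw, sites in find_reuse(vault).items():
        findings.append(f"reuse: one password shared by {', '.join(sites)}")
    for site, pw in sorted(vault.items()):
        word_bits = dictionary_bits(pw)
        if word_bits is not None:
            findings.append(
                f"{site}: word-based, about {word_bits:.1f} bits of work "
                f"instead of {bruteforce_bits(pw):.1f} if it were random")
    return findings


if __name__ == "__main__":
    for line in audit(VAULT):
        print(line)
```

Run it directly to list the findings. The substitution check only knows the handful of words in WORDLIST; a real tool backs the same logic with a full dictionary and a breach corpus, which is also what separates "5ky5CaN" (a 7-letter word plus a few tweaks) from a passphrase whose length, not its spelling, carries the strength.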