Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Password Overload 124

Cy Guy writes "The NY Times has an article on how users are coping with an overload of passwords. Helpdesk costs related to lost passwords are $340/user/year according to the Gartner Group estimate cited." (Free NYT account required to read.)
This discussion has been archived. No new comments can be posted.

Password Overload

Comments Filter:
  • I've been bitching about this for a while now. The sheer number of passwords one has to remember today to function is outrageous, and the amount of web pages that require you to log in (you're guilty too, Rob) doesn't help. I try to use the a-few-different-depending-on-security passwords approach, but because every password program has different restrictions it isn't always that easy. Usually I wind up recreating my accounts whenever I need access. And finally, don't forget with nearly each password comes a login name... There must be a better solution out there.

    Finally, a little quote from the article I thought was fairly humorous :)

    "Michael J. Koszenski, a computer technician in Lexington, spent 2,000 hours of his own time creating a password database software for his PC after being disappointed with various password tracking programs...who has 30 or so passwords and access codes to manage."

    That's TWO HUNDRED AND FIFTY eight hour days! 66 days of work for each password! I hope that's a misprint :)
  • In case any of you are interested at all about the Keychain and MacOS 9's voice passwords, AppleInsider has it all in its MacOS 9.0 archive:

    http://www.appleinsider.com/macos9.0.shtm l [appleinsider.com]

  • A combination of a single easy to remember password and a substitution cipher based on the name of the thing that the password is for. Example, NYT would be encoded by making the first version of the alphabet (for the first letter of the password) start with N, the second letter Y=A, the third letter T=A, and then back to N=A until all the letters of your password are encrypted.

    Of course there are more high tech ways to do this but you better not lose the program you used to encrypt your passwords unless you know how to rebuild it from scratch. (Still, writing a password encrypting program is fun for a rainy day, I think.)
  • How dare you!
  • The more and more insignificant sites popping
    up that require login accounts, the more and
    more seldon my preferred login names (or any
    variant of any of them) are available.

    So now regardless of how often I reuse a password
    or PIN, whether I can remember the login I chose
    for that site is hit/miss.
  • Agreed. Gartner group 'reports' at utter trash. They are only used as ammo in your aid for winning over the boss to your ideas :-)
  • login:slashdotid


  • Actually I tend to fill in as many 'bla' as I can. For instance when dowloading software (for instance a plugin) companies ask you all sorts of stupid question to which i always answer bla. Sometimes a stupid javascript tells me bla won't do so I then make it bla@bla.com.
    I have registered for NYT the conventional way ,though, since it frequently has interesting stuff to read.

    greetings, Jilles
  • It's called passface [id-arts.com] and it is password like in the sense that something needs to be remembered, but what you need to remember is very different.

    The principle is that humans are very good at remembering faces, so you can select a face out of a series of faces, and then a second, and a third, and a fourth. That is your password. When you want to log on, you are greeted with the series of faces, and then you choose one, and then you get a second series of faces...et cetera.
  • You have to keep in mind that not all helpdesk people know the root password on the machines they maintain. For example, where I work, a lot of what we do is done through sudo and we don't even need to know the root password on the machines... however if sudo is not enabled for changing a users password, you will need to know teh root password on that machine, and if it s not yours, tehre is time involved with contacting the owner of that machine and having them change the password.
  • I've a little script called "ring" I use to look up phone lists. For passwords I just have a pgp encrypted file; I decrypt it and pipe it through ring to find the password I need for whatever obscure site I need to visit. I have a few shell aliases for storing (unexported) the passphrase for this file in my shell and for passing it to pgp for the pgp->ring lookup. Works just find.
    So I just make random passwords for sites and note 'em down. (md5 on an active log file is a handy way to get arbitrary strings for passwords).
  • What I usually do is have an easy to remember password that I use for things that I don't care much about the security of. Things like web based email accounts I signed up for and end up using as another address to use for those sites who make you fill out those surveys before you can download their product. For more secure things I usually make up random passwords in the form of three letters, two numbers, and then three more letters. I usually keep the case of the passwords mixed, but consistent so I can remember it. The result is a password that is fairly difficult to guess due to the mixed case and the numbers, but easy enough for me to remember since I know the pattern of the letters and numbers.
  • I can type fast and obscured enough so that noone can read, what Im typing.

    I can rent a camcorder and single-step through your keystrokes. :-)
  • Some time ago Apple Computer included software called "Keychain" with its OS.

    Keychain would keep all your passwords super-secure in a little pop-up window and you only needed to remember the one Keychain password to access it.

    Keychain was great software. Unfortunately Apple is too daft to recognize a good thing and axed Keychain from the MacOS.


  • One of the biggest problems (for me, at least) is the differing 'security' requirements for how you should choose a password.

    One system has a maximum length of eight characters, while a website has a minimum of ten. Some require mixed case, some don't. It would help enormously if webmasters were a little more relaxed and just allowed users to pick their own passwords - particularly for things like the NYT which are not exactly 'top secret'.
  • Yes, but what's the point of having really great and difficult to remember passwords for all these crappy accounts? You can use simple passwords for these (usually they don't check very much), and you can use the same one every time.
    So you can use your brainspace for the real passwords, that really have to be save.
  • Is it just me, or have others also noticed a couple
    other articles on this topic? It seems to me, all of these
    are just a preamble of a hype-storm for the Microsoft
    solution to this problem. go take a look at this [passport.com]
    Hotmail is already using this, but i don't know of any others yet.
    i am thinkink this could really become big, and could really give MS
    a monopoly on website user authentication. How about moving quickly, and developing an open source standard similar to this?

  • Well, the article says that it was the Gartner Group doing the estimating. I usually multiple their estimates by .1 to get a realistic amount...
  • 'Please enter all of your passwords, pin #'s, etc. into this form. Click the "OK" button to send this to^H^H^H^H^H^H^H^H^H^H^H^H store this information in encrypted form.'
    Any program I used for such a purpose I would want line-by-line audited, much like OpenBSD.
  • >1/2 half of that is $1,190,000.

    > um.... (no further commenting needed.)

    Okay, so I forgot a '0'.. $11,900,000... The rest of the math was right...297 1/2 people changing passwords....


  • No. Which is why I said I'd never put a real system account into this, just all my crap webmail passwords that I really couldn't care less if they are compromised. :-)

  • as people have often access to more than one machines (shell), and sometimes more than one email address, it means one password for each of them! Even if i have about 15 sheel/email i use 4 or 5 passwords, easier...
    the poll are fucked, but here's a link [slashdot.org] of poll about number of email address, another link [slashdot.org] which is the same subject?!? and link [slashdot.org] to the password one.
    also what happened to this poll [slashdot.org] of Aug 4th?
  • Forgive my naivete, but could you not create a netscape-plug-in or an Active-X control to just delete this file everytime you go to a new page?

    Not sure if it would mess up search engines, but basically, a Cookie Monster that eats em as you go?
  • My university dept actually does have the ladies room password-protected, sort of. It's an extremely weak 3-digit password, though.
  • I wrote Strip [zetetic.net], the Password and Account manager for the Palm Pilot. I am not trying to plug the product but since its been mentioned twice already I feel more comfortable. Strip will protect against user stupidity. It encrypts EVERYTHING before it goes into the palm databases. Furthermore, if you leave it on in the back seat of the taxi it locks the program when the palm automatically powers off. Idea is the same algorithm used in PGP, so its heavily tested and secure. Its open source, so you can look at the crypto code and compile it yourself if you want to. Strip does specific and comprehensive memory wiping of unused data, so even if your would be attacker got an actual RAM image off your palm they would not find your key, or any of the data that has been displayed during Strip's use.
  • I do it the same way you do. Sometimes I recycle old high-security words and use them at the mid-security level. If I forget one, it makes it a little easier to guess.
  • At least with a Palm you can use physical security. I dunno about you, but I'd feel a lot safer cracking into a networked box somewhere than trying to take a Palm off of someone my size. ;-)
  • We set up an new Intranet web server then gave folks their passwords. Afraid that they weren't going to remember that they could be mixed-case, I put the following on the entry page:

    Remember: Your password is case-sensitive.

    Looking through the logs a while later - I saw multiple entries of people trying to use "case-sensitive" as their password...

  • > bgates@microsoft.com

    YM billg@microsoft.com. HTH. HAND.

    You really want microsfot talking to your ISP about you forging billg's email?
  • I can type fast and obscured enough so that noone can read, what Im typing.
    But if I have my pws on a PalmPilot or whatever I have to make them visible, at least long enough for me to read. Or do you hide under a newspaper everytime you want to enter a password :)
  • I just staw my passwords in a simple pw's.txt text file. format like:


    And I only have one copy, on my drive, I have no backup system, no floppy disks, no zip drives, if my hard drive were to crash today, not only would i loose everything ive ever done, but id never be able to fix things when i come back cause id have lost all my 500 or so passwords.

    (so now buy me a zip drive, thank you)

    $mrp=~s/mrp/elite god/g;
  • I remember reading this from a computer magazine about 5 years ago. The secret to maintaining password security is to store them in clear text, in a file which is globally readable, but pick a file that no one would ever bother opening.

    Dowload some shareware, say, a typing tutor, or something equally useless. Install it. Go to the directory where the software is installed, and you'll find a file called ORDER.FRM or PURCHASE.TXT or something like that. Type whatever you want into the exact middle of the file. In clear text. No one else will ever see them. =)
  • The most effective password management idea that I've heard is the advice we gave to people using our lab---come up with "password themes". That is, pick some class of passwords that are related and enumerable, munged in a fairly consistent way, and wouldn't be well known to anyone but you; this way you don't have twenty distinct things to remember, just one pattern that ties into something you already know.

    For instance, ``Last names of people in my boy scout troop, with the first two letters swapped''. Or, ``First names of people at my last job, spelled backwards and with the fourth letter capitalised''. This sort of a method tends to be very productive, easy to remember, but hard to guess; and even if someone gets one of your passwords, they won't be able to figure out the others, unless they know you really well. And if you still can't remember your scheme, it's much safer to write down a dummy password that obeys the scheme, or even to write down the scheme itself, than to write down each valid password next to your computer.

    Of course, it's probably easier if this gets used in combination with some of the other suggestions on this board---I think even this scheme would peter out if I needed to use a separate password for every registrable site I belong to. ;)

  • Where did 'great and difficult' enter? Most of these passwords are the same, or variations, based on what the length and other limits. Most of the time its the account name that I have to remember. Some times its the same one I like to use all over, sometimes its my 'quake' handle, some times it one of the dozen or so webmail accounts I have.

    I'm not using keep it safe to lock up inner-sanctum passwords, just to have a moderately-secure place to keep track of all these accounts and passwords. I used to have them in a clear-text notepad file, this is a shade better.

  • by DrJolt ( 1435 )
    If you're a pilot user suffering from this problem, check out STRIP at http://www.zetetic.net/
  • You've read my mind! This is exactly the sort of multi-tiered password system I came to over time.
    I think I'll document this now ;-)
  • That's three decimal numbers (10*10*10) Not three digits from a keypad of 3 where repeats aren't allowed (3*2*1)...
  • by willhelm ( 12091 ) on Thursday August 05, 1999 @09:57AM (#1763796) Homepage
    forgot my NYT password--how am i going to read the article now!

  • Is it just me or does trying to read a story about the cost losing/having too many passwords which requires me to register with yet another password seem a bit ironic?

    The NYT is just not that interesting....

  • I'm beginning to use just two passwords, my main UNIX one at work, and another one everywhere else. I'm sorry, I just can't remember six dozen pseudo-random strings.

    And don't get me started on PIN numbers... Bring on the biometrics, and fast...
  • by jd ( 1658 )
    This post requires a password to read, and you've forgotten it.
  • Some security paranoids try and have every password different. Others make all their passwords the same. Both end up causing problems. I use a compromise. I have three passwords.

    One is a 'high-security' password that I only use in trusted, secure situations. My root password falls into this category. This password NEVER goes over any clear channel, nor is it typed in when anyone is possibly watching.

    The next level of password is the medium security password. This is for systems where I care about security, but compromising it wouldn't cause serious problems, the person would just be able to read some personal documents, and perhaps impersonate me.

    The final password is the I-don't-give-a-rat's-ass-about-security password. This is for things like slashdot, NYT, and other web services. These are ones where I (or someone else) wants some kind of security, but I don't particularly care if it gets compromised, as the person couldn't do much with it (Oh no, they impersonated me while reading the NYT!).

    Each password gets changed with a frequency tied to how important it is. For example, root gets changed every month or so. My regular login gets changed every few months, and I haven't changed the who gives a shit password in over a year.

    The upshot is that I never forget my passwords, and I haven't had to ask a sysadmin to change one in years. And none of my accounts have been compromised (yet).
  • I really should start writing all my passwords down.

    Then what do I do with the list?
  • Just make a list of all your passwords, put it in a text file, and encrypt it with PGP. Then you only need to remember one password -- your PGP password.

    It might also be a good idea to encrypt the file with 2 separate keys & passwords so you have a backup in case you forget one of the PGP passwords.
  • cypherpunks/cypherpunks
  • Well, you password-protect it, of course.

    Honestly, though, password list management programs are out there in droves. The problem with them though is that they are inherently insecure. E.G. one global password reveals all other passwords...

    I'd like to see a password management system with a physical level of security. For example, you insert your smartcard or HASP key into a reader or the computer's serial, parallel, or usb port and then whammo your list is decrypted based on the private key in your physical device (or using the device itself in the case of smartcards)

  • I really think it's better to have a few passwords for various levels of importance than to write your passwords down. Important passwords shouldn't be written down under any circumstance, and unimportant ones, well just use the same password for all of them. Oh, and NY times remembers your password for you, w/ a cookie I assume, so it's not really ironic at all.

    The only reason I keep my ms-dos partition is so I can mount it like the b*tch it is.

  • What the heck is going on that makes the help desk cost that much to fix a password? Come on!

    Either someone doesn't know how to estimate, there is _far_ too much bloat in the organization or some wacky combo of both.

    In UNIX, doesn't helpdesk just have to:


    give the dummy password to the user? Unless the (l)user looses the password twenty times or more a year, I can't see how password fixing is really a problem. The only thing is things lost because superuser can't remember password, then you're screwed out of much invested data in the system, even then, there are quick work arounds.

    Clue stick anyone? (I don't want to login NYT, so I haven't read it)
  • There's some sort of utility I saw a while ago that let you store your password and what site they're for in a file that is encrypted with {PGP|GPG}... so you only have to remember that one password to look up anything else.

    Of course, if you loose or forget that one password then you're pretty much screwed.

    My passwords are all fairly similar... they all come from a common source, but with vairences... for example, there's an inside joke I have with a long time friend... Using one of those words, the next word in another language, and a significant number, and capitalization changes I get a new password! Works very well...

    Which reminds me.. I'm way over due for a password change..

  • Gee, do you think he was serious?

  • I gave up on remembering all of my passwords. So I generate a different (random) password for every account I have and store them all in an encrypted database on my Palm Pilot. Works great, and if someone gets my TV Guide profile password, I don't have to fear for my online banking accounts.

    Works great for me...
  • "But since the introduction of the automated teller machine, people have accumulated an arsenal of passwords, access codes and personal identification numbers to use everything from answering machines to office bathrooms."

    I'll be going home a little early today because I forgot my bathroom PIN and soiled my pants.

  • What the heck is going on that makes the help desk cost that much to fix a password? Come on!

    Either someone doesn't know how to estimate, there is _far_ too much bloat in the organization or some wacky combo of both.

    In UNIX, doesn't helpdesk just have to:

    passwd "usr"

    give the dummy password to the user? Unless the (l)user looses the password twenty times or more a year, I can't see how password fixing is really a problem. The only thing is things lost because superuser can't remember password, then you're screwed out of much invested data in the system, even then, there are quick work arounds.

    Clue stick anyone? (I don't want to login NYT, so I haven't read it)
  • For Windows

    To get those hidden passwords (******) that you have forgotten, but your programs remember, try
    Revelation http://www.snadboy.com/Revelation.shtml [snadboy.com] ... it helps for getting your forgotten passwords out of your ftp program to be used for telnet or whatever...

    It's an invaluable tool, I use it all the time.

    Ok, so telling your program to remember your password isnt very secure... but that's your discretion.
  • And 90% of all stats are made up by operations managers looking for more budget for helpdesk functions.

    And the other 90% are made up by consulting firms looking to court SSO (single-sign-on) product companies......

    Let's look at the numbers, shall we? Let's say we work for a company that has 70,000 (I have one in mind) employees that use computer systems and have at least one password.

    Let's also assume that the helpdesk function at this company spends a 50/50 ratio on personel and equipment for help desk functions, and the median help desk person gets $40k per year (which is actually high to account for HR costs and benefits).

    Lets do some math:

    70,000 employees x $340 = $23,800,000

    1/2 half of that is $1,190,000. At the median salary of $40k per year, that means that the helpdesk for this company has 297 1/2 people doing nothing but password recovery functions every year. I know for a fact that this is not true.

    Now, not having read the article (I refuse to register to news sites), I'm sure that they figure things in such as lost productivity, research time, and so on. But I sincerly doubt that the actual costs are even approaching what Gartner gives.

    You should take these things with a grain of salt. Different environments have different costs associated with password management. A large mainframe-based company can handle thousands of users with a very small staff for password functions. A loosly networked company, where everyone has Administrator on his NT box, and 15 servers to log into, will have higher. A large company will have smaller costs per capita than a mid-sized company.


  • There's a nice freeware encryption package for the
    pilot call cipher. It uses IDEA (128 bit keys).

    I use it to encrypt passwords on my pilot

  • Don't misplace your PalmPilot.

    Keep it locked up with a
    combination lock.

    DOH! a number to remeber!

    it's a viscuous circle!
  • How secure is anything? If I leave my planner in the seat of a taxi or a restaraunt table the lucky person gets my money, my credit cards, my address, and knowledge of when I won't be home. To me, that's a lot scarier than someone finding out what my root password is. I can change that. Changing a business trip is a little harder.

    It's almost impossible to protect yourself from your own stupidity. If you put your passwords in your pilot, just be sure to recognize it's value and don't leave it in the back of a taxi.
  • I know many of you will nearly die in a paranoia attack, but I believe that when the day comes that is cheap and reliable enough to have biometric access codes on everything that needs to be protected, this endless password dance will be reduced.

    If I could simply get a retinal scan to log into my computer, the need to password protect much of it's content would be a great deal less.

    - Raider
  • Boy I wish it was that simple to reset a password in a large help desk enviroment. At least in the current large help desk I work at the poor fools over in user administration have to fill out a ticket first, then reset the password. Now due to security concerns nearly every password can NOT be given out directly over the phone. So they have to the End User on hold and call and leave the new temp password on the audix. Of course I hear people complaining all the time about how the end user can't seem to understand directions to not answer the phone and let it ring through the audix therefore a second call has to be made. Now if the end user doesn't have an audix, it has to be left with on thier managers audix, which means they call and if the manager answers explains what is going on and call back one more time to leave the password on an audix. Now after the end user manages to get the audix with the temp password. They have to be walked through changing the password. Of course they have to be reminded of the password policy even though it hasn't changed in about 16 months at this point. Also given that on average the end users have probally around 4-5 passwords and there are 30, 45, 60, and a couple of 90 days expiration times which makes it even more complex to the end users. So while I think the 340/user/year is high, it isn't to high of a number.
  • Pick a theme. Something like "names of Star quarterbacks of the seventies reversed and with all vowels replaced with the number of letters in their team name".

    I.e.: n7tgn7kr7T

    That way, when you forget a password, you have a very limited number of things to try. I've done this and found it very useful when I forget which password I gave some web service eight months ago.

    (I do use a different theme.)
  • Of course, mneumonic devices (SP?) also help. Classic example:
    By the dawn's early light
    Bill Clinton has 15 interns under his desk!
    Then it just becomes a question of which is which.
    (Damn, did I bash Bill Clinton or Bill Gates in my foobar login? Or did I use the same line as on goober? Or do I still even have a goober account?)
    That's where the earlier suggestions (ie one high-security, one medium security, and one low-security (e.g. slashdot/nytimes/etc) password). I actually use three or four, but along the same lines. Of course, I suppose I should change them at some point....
  • I'm not arguing that password changes cost money, it's just that these figures get WAY out of hand out after a while.

    You may notice that MY numbers were just as abitrary and meaningless...


  • I'm sorry... I must be punished..
    How many "hail linus's" must I say?

    Actually it's the only one I knew of, therefore
    I had to use it instead of another, better, open-sourced one.
  • I just had an idea for a password theme, lets say you were born in 1972. Ok, take the 72, now lets say this password is for a pop3 email account. Lets say you use EarthLink, take the E and L from EarthLink and you get EL, now lets say your email address is "nerd@earthlink.net", take the first letter from your email, which would be N, so now you got ELN, now its a pop3 email, so take P and 3, now you have ELNP3, now its a password, so go PW, ELNP2PW, now your bday is 1972 so take 72, tada!:

    E-Mail: nerd@earthlink.net
    Password: elnp3pw72

    And if you dont get that, lets say its an ISP, lets say MindSpring:

    MS (MindSpring)
    I (Internet/or Isp)
    LN (Login: Nerd)
    PW (PassWord)
    72 (19'72')

    So your "nerd" account with mindsprings, pw would be: msilnpw72


    $mrp=~s/mrp/elite god/g;
  • A solution you can use is have one really strange password "ql69$!amzsefb" (not mine of course) and memorize this. When you need to create a new password create a variant => ql69$!anzsefb and ql69$!aozsefb this way you will never forget your password.

    The encrypted passwords:
    ql69$!amzsefb -> OBLzco1HA9QN2
    ql69$!anzsefb -> .5/ZI.2Wlfn0w

    To me that gives good variance so it would be tough for password crackers.

    If you have no choice about some passwords you should use a VERY secure password database. I don't personally use password databases but its better have a backup, then to be locked out of your accounts.
    ^_^ smile death approaches.
  • Hmmph! Open source software developed on a closed source operating system using closed source development tools. Shame on you!
  • "Keep it Safe" [suxdorf.com] is a freeware program for W32 that does this. I use it at work to keep track of all the mail-lists, web-mail, web-shopping-accounts and stuff like that. Not sure I would ever really put a real system account there tho.

    Wish there was a Linux port of this that I could use at home, it is pretty useful.

  • Ron Dilley is a network administrator. He maintains 129 active passwords using a Palm organizer to track his passwords.

    I ain't got one (yet) so I've got to ask... How secure is that? Can you get PGP for the Palm? Seems to me he leaves his Palm Pilot on the seat of a taxi or on a restaurant table and he is going to be hating life very mucho a lot and a half.
  • If you think about it, how many of these systems really *need* to be secure? Do I really need to have a unique, six-digit, alphanumeric password just to read the NYT, or my e-mail for that matter? It's not as if it were my bank account or anything. If you want security, use strong encryption. Otherwise, don't waste my time.
  • The only one I found during a quick search was on called Gpasman [student.wau.nl].

    I'm still not certain of it's security, but its a start.

  • That way, we could read these dang articles without having to sign up for this.

    Just an idea.

  • How secure is that? Can you get PGP for the Palm?

    Nope, there is a small utility for the palm called "Secret!", which does all this. It keeps all the stuff stored crypting it wiht TripleDes (yes, it's not that secure).
    It even has a TAN-Mode (for those of you into homebanking).

    Neat, I keep all my passwords (and the root-passwords of our customers machines) stored in it.

    Doing this is also quite a reminder to not forget your Palm anywhere ;-)


  • Don't forget about desktop and laptop passwords, which aren't always easy to circumvent, and often require a call to the manufacturer's tech line and some sort of ID before you can get the magic incantation. Beyond that, you have password-protected applications, Office documents, db accounts, PGP, etc. which all require varying degrees of knowledge and/or hassle to bypass, or are so difficult to bypass that it isn't worth the effort required, thereby making the protected property, real or intellectual, worthless for all intents and purposes.

    Then there are PDAs, door lock PINs, secure filing cabinet PINs, ATMs, etc.

    The use of password protection has proliferated beyond out ability to manage it and it's not always cheap to bypass the protection.

  • >Lets do some math:
    >70,000 employees x $340 = $23,800,000
    >1/2 half of that is $1,190,000.

    um.... (no further commenting needed.)

    ..................................@ @
  • I, of course, read the paper version this morning. Sure, it's backwards, but it doesn't have a password, and you wouldn't believe how fast the pages load.

    And the NYT is much more interesting than most papers, unless your version of interesting is heavy on sports, sensationalism and/or local news.
  • And if you expanded the concept, it could include some management program to keep track of your real Verisign cert, your "free" certs and anything in between. I think it would be just awesome if someone came up with the "marketing cert". You put whatever personal information you feel comfortable with inside a cert, then the website that wants it can come and get it from you, instead of those @*#&ing forms you have to fill out (which is the prompt for the password issue, anyway). /m
  • I first heard about this through a marketing survey. It seems that you just give your information (Name, credit card number, etc.) and when you want to buy something, you just let your trusty third party company (and who is more trustworthy than Microsoft?) handle the dibursement of your name, credit card number, etc. for you.

    Can you imagine the money you could make selling information on what products a person buys, if you know that person logs all exchanges through you? I think I can handle the burden of retyping my credit card number each time I use a different business.

    An open source standard wouldn't do anything. This is pure capitalism.
  • OH MY GOD!!!! Can you imagine such a thing! Well, we used to have a metal key for the downstairs ladies, but mgmt finally got rid of it - we were losing one key a month and that was bad enough!
  • Unfortunately, I work for the help desk of a leading IT firm in Chicago. I would estimate that at least 50% of the time, the user's problem is either a request for a reset password or is solved by resetting the password. Think about the time (time=money) we could have back if there weren't so many password issues. We would have twice as much time/resources to devote to serious problems. Think of it this way -- with ~10 help desk employees responsible for 3500+ employees on billable consulting time at client sites around the world, a lot of money is lost to inactivity of the consultants due to thei computer problems. I will admit though, that supporting Winblows causes at least as many headaches... arrgghhh.. I thought I hated Windoze *before* I had to troubleshoot it all damn day. Tangent, sorry.
  • I'm going to start a consulting firm whose only service is changing passwords. I'll telnet in from home and take my 800-line calls in my pajamas, and for this remarkable service I'll charge $300 each, and call that a discount.

    And for a volume discount, I'll personally rap lusers upside the head when they reach $3,000 or more in charges.

  • Is anyone else catching the irony, here? NYT is just adding to a vicious circle by requiring people like me, who don't have an NYT password, to *gasp* register for an NYT password!!!

    I remember an article on /. a few weeks back. The NYT had an article on Online Privacy, but you had to register to read it. Now that's ironic.

    Just waiting for MacOS 9's keychain. Let's you store all your various passwords in one, tightly encrypted and portable keychain which you can unlock with one master password. Just hope MacOS 9's vioce recognition passwords carry through to keychain!

  • Is usually not the password or the security system. Its the people who use them. For example , at work I have people everyday who tell me their passwords because they don't have the time of day to stay and login as Administrator on their NT boxes while I fix their dumbass problems. Further more, many passwords can ge guessed due to their simplicicty (almost half are the reverse of their login or their login + #). Of course, this is to be expected since the human brain is meant to generate and remember patterns, not random characters. Perhaps even more unbelievable is the fact that almost any employee can call the helpdesk and have their password reset. With _no_ ID check.

    On top of that, the real problem is not people getting into a system with passwords. The real security problem is the idiot things people can do while logged in as a high security user. Its amazing what they do. Many people, mostly experienced techs (with high priviledges on the system), login outside the firewall and the secuity features therein, and access high risk sites (not pr0n but warez and other sites due to high access speeds). Therefore, the password security and access standards don't need to be revised, the user's intelligence does.
  • Much of this will change when things like retinal scanners, thumbprint scanners and infared face scanners come out. My I am waiting for voice print access that can filter out good copies of my voice. (possible even programmed to ask questions only I can answer such as what happened the night of June 28 1992?)(Answer: I lost "ScRaMbLeD ThE ReSt" )
  • When I played sysadmin, we ended up assigning passwords like 7fesy3q and let the user change them at their own risk. Of course we would run crack daily, so this would discourage this unless they follows the strict "acceptability" rules.

    When I have to play the letters/numbers game, sometimes I pick a radio station as a password like 8950kbaq.

    I've also seen secure ID badges too.

    What we really need is biometrics everywhere.

"Experience has proved that some people indeed know everything." -- Russell Baker