[olug] [OT] Password study.
Carl Lundstedt
clundst at unlserve.unl.edu
Sun Dec 17 11:57:47 UTC 2006
>Honestly, much as it pains me to say it, I think the "average user"
>thinks little more about computer and password security than they did in
>years past. We still have a *long* way to go before it becomes
>ingrained into people that security is important, and not just an
>after-thought.
>
>
The study in question was about MySpace accounts. I certainly have
different strength passwords for different things. MySpace would not
get a strong password from me (I have pretty weak passwords for shopping
accounts that don't store credit card info for instance). What would
have been more interesting is a study of, say, online banking passwords
or online credit card account passwords. These types of passwords are
far more likely to be a real measure of the strength of common user
passwords.
Looking through the article at the long passwords, I think most of those
were clearly fat-fingered or typos. The fact that the long passwords
had repetition in them really makes me think the user's password is
shorter than advertised (working on a laptop with a touch pad can often
lead to that kind of thing as the mouse can be clicked into a field by
accident). As for the f*you as a password, I'd wager that that user
figured out it was a phishing attack.
I do know that we have users on our clusters that use weak, or
previously compromised passwords (which, if found out, will lose them
their account), but user password authentication isn't our real worry.
Our real security worry is a compromised system (via a break-in or
service flaw) not a compromised user. But we're not doing financial
stuff, nor is there any personal information on our research clusters.
Security for us is for maintaining service and keeping crackers and
spammers from gaining access to and abusing our systems.
Really, what does a compromised MySpace account get someone?
Carl Lundstedt
UNL