undefined | Better HN

0 pointsdeathcakes12y ago0 comments

I agree with you - using the same password in multiple places is a dumb thing to do. However, you seem to be totally missing the point made in the previous post, namely that people are, on the whole, pretty dumb. The vast majority do not share your understanding of computers and security and hence see no real issue, although this is very very slowly changing.

I disagree entirely with your statement that: "This isn't human nature, but is simply accepted and defended behavior that gets caught out again, and again, and again."

This is patently false - remembering a different password for every single system, device and site you interact with is not a feasible proposition for the vast majority, especially if you require these passwords to be in any way meaningfully secure.

There are ways of sidestepping this problem, such as 1password and the like, but the ones that are most seamless are paid for services and hence the adoption rate among technically illiterate people is pretty small (I'd imagine, no stats here).

The real issue is that passwords are a broken way of authenticating. End of. Passwords that are easy to remember are trivial to crack, and passwords that are difficult to crack are hard to remember. This is the issue here.

People may do dumb things, but it is far easier to change your system than it is them.

0 comments

4 comments · 1 top-level

personZ12y ago· 3 in thread

However, you seem to be totally missing the point made in the previous post, namely that people are, on the whole, pretty dumb.

The whole discussion revolves around a fundamental principal that is simply broken to begin with, akin to "How to try not to die when you eat rotting meat".

Don't eat rotting meat. Use a fridge. Etc.

In the case of passwords-

-Use a shared authentication platform -or on sign-up implore that your users do not use a shared password. Education -or offer, or force, a generated password

But instead we'll discuss the risk that shared passwords get lost, when they were in the wild the moment you used them on a second site.

deathcakesOP12y ago

This is a disingenuous analogy - the reason people keep eating rotting meat is because there isn't a usable alternative for the vast majority. Fridges are unknown, to hopelessly overload the metaphor, to the masses and those that are aware of them are reluctant to shell out for the cost.

The problem needs to be solved at a more fundamental level - people should not have to be forced to perform a function that they are demonstrably bad at. Mitigation strategies like having randomised passwords and storing them in a shared authentication platform are only masking the reality that passwords are a bad way of performing authentication.

Not that I'm clever enough to come up with an alternative mind you, and not to suggest that I don't agree with your premise that using a password in multiple places is a bad idea.

grayclhn12y ago

I love this analogy. But, to continue it a little further, the article and discussion are about "preventing meat from rotting during transportation," and you seem to be saying, "screw it, the customer should know not to buy the meat if it's gone bad." Going even further: most countries have consumer protection laws that prevent things like selling rotting meat.

personZ12y ago

and you seem to be saying

If you have given an untrusted third party site the credentials that you use on other sites, that meat is complete fetid. It is now deadly.

This whole discussion is arguing about what to do once the meat is rotten, rather than daring to maybe discuss not selling rotten meat in the first place.

When a site gets compromised and the passwords may get stolen (because of weak or no cryptography), the site should send out password reset emails en mass, and that should be the end of the whole issue. Instead it's moralizing about how they put everyone at risk because of other sites where the same credentials work. No, the user put themselves 100% at risk. But it is never discussed that way, and instead we continue this ignorance train.

As an aside, I marvel that some defensive imbecile keeps coming deep into this thread to downvote me.

1 more reply

j / k navigate · click thread line to collapse