What's terrifying is that they are referring to "their password" and not their passwords.
Password reuse is much worse than having a weak password. Hackers only brute force high value targets, everyone else should just aim to have unique passwords for every service they use.
However, the average person can only remember 5-10 unique passwords and they have many, many accounts... password reuse. For the average person password managers aren't an option for normal people, so we have a big problem.
> For the average person password managers aren't an option
Why not?
Every major browser in its default configuration offers to remember your passwords, and some will even offer to sync them across all your devices.
The only thing that's missing is an offer to generate random passwords automatically, for which you currently need an add-on/extension. But even without that ability, the browser is already a pretty decent password manager.
> "Cantor Fitzgerald did have extensive contingency plans in place, including a requirement that all employees tell their work passwords to four nearby colleagues."
This baffles my mind. Is this common practice in finance? What would stop a malicious actor from impersonating someone whose password they knew? Even if these passwords aren't tied to someone's identity in any way, they presumably exist to secure sensitive data and/or systems, but then they're shared with officemates like Dilbert comics?
Agreed. They might as well have everyone use the same password.
Aren't there regulations for security of financial information? It's hard to believe this passes muster. If it's a 'reasonable precautions' regulation, this fails badly.
Secret sharing systems are a good solution to this.
I wrote a basic command-line-only one[1] a few years ago, but command line UI doesn't really make for "usable by everyone". It would be nice if there were something like this that had a good UI.
Our company has an interesting contradiction in this regard. On one hand all accounts, files and digital communication belong to the company. Assume you could instantly lose access in a sudden layoff.
On the other hand the annual IT security video course tells you to encrypt like crazy and leave no digital assets in public.
Well I guess talking to people and telling them you're writing an article about "The Secret Life of Passwords" is more novel than giving them a call pretending to be from their bank or telco.
I dearly hope that those people who actually told passwords to the author were either no longer using them or immediately changed them to something better on reflection of just how terrible they were. My mother kept a door from her parents' first house (which they built after emigrating after WW2) for sentimental reasons; that doesn't mean she relied on the old antique lock to secure her current house.
If someone from my loved one's job called me 24 hours after they were killed in a horrific terrorist attack to talk about passwords I don't think I would be able to contain my vitriol.
If someone from my loved one's (and family's sole breadwinner's) job called me 24 hours after they were killed in a horrific terrorist attack to talk about passwords because the company was in a crisis I think I would be relieved that someone was working to make sure I could continue to feed my kids while I figured out what to do next.
And if you see how Cantor Fitzgerald treated its employees and their families in the wake of that crisis, you'd see that helping them was the right thing.
The banking industry may have metastasized from a service industry to a giant vampire squid, but that doesn't mean every company turned into slimy blood-sucking leeches.
(And maybe C-F were heartless leeches before the attack and reformed due to their literal near-death experience -- I really paid little attention to them until that day. But they are famous for how they responded and rebuilt the business).
Imagine your entire IT department being wiped out instantly overnight, managers included. How long would it take you to restore access to your infrastructure?
Like their offsite location in the other tower that was also destroyed? I don't mean to say you are wrong, but many times contingency plans rarely consider such devastating circumstances. Once heard a rumor that a large defense contractor had a backup plan that included flying disk drives from one coast to the other to safeguard against nuclear strikes on either coast or both by having a day old backup in the air. Do you have a plan for nuclear strikes on both coasts?
Side comment about the web design: very cool and clear way of integrating audiovisual stories into the article. Lots of people try to find novel ways to share interviews/first-person accounts that they've recorded, with mixed results. This piece strikes me as best in class.
seanieb|11 years ago
kijin|11 years ago
john_b|11 years ago
hackuser|11 years ago
ryan-c|11 years ago
1. https://github.com/ryancdotorg/threshcrypt
peter303|11 years ago
perlgeek|11 years ago
zarify|11 years ago
comrh|11 years ago
gumby|11 years ago
mikeash|11 years ago
towelguy|11 years ago
Something they couldn't access then. Are they talking about passwords for 3rd party services? Or perhaps passwords for encrypted hard drives?
mlrtime|11 years ago
iamleppert|11 years ago
Passwords to business-critical systems should be stored in a safe, in an off-site location (preferably multiple offsite locations).
varikin|11 years ago
ddebernardy|11 years ago
[Cough]. Even in America? More like especially nowadays, no?
Beautifully written piece, otherwise.
dredmorbius|11 years ago
Massive declines.
hammock|11 years ago
qq66|11 years ago
nly|11 years ago
Does anyone feel like sharing?
divegeek|11 years ago
Ahh, the memories.
hlfcoding|11 years ago
akkartik|11 years ago
danielweber|11 years ago