Let’s Stop Asking Users to be Security Professionals.
Your passwords are crap.
That’s not meant as an insult, or even a guess. It’s an objective observation, based on a vast amount of evidence gathered over the years from hundreds of data breaches, password dumps, and people posting their passwords on Twitter. Most people really have no idea how to create a password that isn’t easily guessable and that holds up to offline cracking once a site’s password hashes leak. And those who do know how often use weak passwords anyway, out of expedience or laziness or a simple need to remember them.
Password strength comic via xkcd.
The latest reminder of this is the pair of huge credential dumps that surfaced in the last week from data breaches at LinkedIn and MySpace (yes, MySpace), which between them include passwords from more than 500 million accounts. The LinkedIn dump is the big brother of a smaller one that hit the web in 2012, right after the actual breach occurred: that first dump was about 6.4 million password hashes, and the second one is nearly 178 million. The MySpace dump is more than 360 million credentials.
That data set is from 2013, when MySpace was breached. Aside from one password used by spammer accounts, the most popular password in it is “password1”, followed by “abc123”, “123456”, and the even more clever “myspace1”. Now, you could argue that users don’t really care about their MySpace accounts at this point, so they aren’t all that concerned about protecting them with strong passwords. That seems like a fair assumption, given that we’re talking about MySpace here and not Citibank or even Twitter. And that’s fine. People commonly use weak passwords for low-value accounts.
But they also use weak passwords for high-value accounts, and that’s a much bigger problem. Users aren’t always properly informed about the risks of using weak credentials, even on sites that really matter, such as banks, retirement accounts, or email services. When confronted with a requirement to create a strong password with a variety of letters, numbers, special characters, etc., many users will just create the simplest password that meets those requirements. Like, maybe, password1. It’s a natural human instinct, and the wordlists and mangling rules that crackers use caught up with it long ago: capitalize the first letter, append a 1 or an exclamation mark, swap an a for an @. Composition rules don’t make passwords unpredictable; they make them predictable in a new way. At this point we shouldn’t be blaming users for their inability or unwillingness to come up with stronger ones.
Security professionals know how difficult security is, and they do it for a living. Handing the responsibility for some of that to users is an understandable move, but it’s the wrong one. Users, as we’ve seen, are not very good at all that, and it’s a mistake to ask them to shoulder the burden. We need to take the responsibility for account security out of the user’s hands. There’s no real reason that at this point in Internet history, we should still be asking users to create silly usernames and passwords. We have the technology. We can do better.
The first step is to encourage, if not require, that users employ password managers that will generate unique, long, random passwords and store them in encrypted form. Users don’t need to come up with new passwords for each new account or every time they’re asked to replace an expired password. A password manager can’t stop a breached site from leaking whatever it stored, but a long random password is far harder to recover from a dumped hash than “password1” is, and because the manager makes every password unique, one site’s breach no longer hands attackers the keys to every other account that shared it.
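As an added example that is not from the original post, the following Python shows the two sides of the argument above in working code: the kind of composition rule that turns “password” into “password1”, a check that sees through the decorations users add to satisfy it, and the CSPRNG-based generation a password manager does instead. The denylist is a constructed handful of entries standing in for a real breach corpus, and the length-plus-denylist acceptance policy is my assumed replacement for composition rules, not anything the post prescribes.

```python
import math
import secrets
import string

# Constructed sample standing in for a leaked-password denylist; a real deployment
# would load the top entries of actual breach corpora instead.
COMMON_PASSWORDS = ["password", "password1", "abc123", "123456", "myspace1",
                    "qwerty", "letmein", "welcome1"]

# Substitutions users make to satisfy "must contain a digit/symbol" rules.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_composition_rules(pw: str, min_len: int = 8) -> bool:
    """A typical site rule: at least min_len characters, a letter and a digit.
    This is the rule that turns 'password' into 'password1'."""
    return (len(pw) >= min_len
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def normalize(pw: str) -> str:
    """Undo the predictable decorations: case, a trailing digit/symbol run,
    and leet substitutions, so 'P@ssw0rd1!' compares as 'password'."""
    base = pw.lower()
    stripped = base.rstrip(string.digits + string.punctuation)
    if not stripped:            # all digits or symbols, e.g. "123456": compare as-is
        return base
    return stripped.translate(LEET_MAP)


DENYLIST = {normalize(p) for p in COMMON_PASSWORDS}


def is_banned(pw: str) -> bool:
    """True if the password is a decorated form of a known-leaked password."""
    return normalize(pw) in DENYLIST


def accept_password(pw: str, min_len: int = 12) -> bool:
    """Assumed policy used here instead of composition rules: a length floor
    plus the denylist, and nothing else for the user to game."""
    return len(pw) >= min_len and not is_banned(pw)


def generate_password(length: int = 20) -> str:
    """What a password manager does: characters drawn from the OS CSPRNG,
    with no human pattern for a wordlist or mangling rule to exploit."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing resistance of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["password", "password1", "P@ssw0rd1!", generate_password()]:
        print(f"{candidate:24} rules={meets_composition_rules(candidate)!s:5} "
              f"banned={is_banned(candidate)!s:5} accept={accept_password(candidate)}")
    print(f"20 random chars from {len(ALPHABET)} symbols: {entropy_bits(20):.0f} bits")
```

Run it and “password1” and “P@ssw0rd1!” both pass the composition rule and both fail the denylist, while the generated 20-character string passes and carries about 131 bits of entropy. The normalization is deliberately crude; a production check would also strip leading digits and common prefixes, but the point is that the decorations a rule forces out of a user are exactly the ones a cracking rule set already tries.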
The second step is for sites to give users the option - or better, the requirement - to use two-factor authentication or verification. Many banks, email platforms, and social media services already offer it, but it needs to become the baseline for other services as well. 2FA isn’t a panacea by any means: a code typed into a phishing page can be relayed to the real site in real time, and SMS delivery has weaknesses of its own. But it turns a password dump from game over into one of two factors, and that alone defeats the bulk of credential-stuffing and password-reuse attacks.
The reality of security is that it’s a brutally difficult discipline, and pushing a good portion of the responsibility on to users is hurting them, as well as the sites and businesses they interact with.