Why can't we create secure passwords?

Because password123 is easy to remember.

Creating a strong password is hard. Every day we hear a story of someone's account that was hacked. On Twitter, there are always companies apologizing for tweets made by someone who hijacked their account.

It is much harder to find security flaws in tech companies like Google or Amazon, so attackers take the easier route and attack the user instead. The user usually has fewer resources to defend against an attacker.

Side story

A few times a month, my Google account would suddenly lock and I couldn't access it from my phone. When I logged in from my desktop machine, I would get an email saying that someone was trying to hijack my account. I'd change my password but then a week later it would happen again.

One day I was trying to access my GPS to see the traffic, and to my surprise I was in Ho Chi Minh City, Vietnam. There was a problem with my GPS and it was placing me in different parts of the world. And when the phone tried to access Google, it showed someone logging in from Vietnam. Which was me.


One common way of hacking is through social engineering. The hacker tricks users into revealing their password. This is very difficult to protect against because each hacker uses his own unique clever approach. So all I can say is don't give your password to anyone, ever!

The other approach is guessing the password. A surprisingly common password is password123 or its better half test123. For a password like this, the hacker just needs a list of common passwords to have a chance of taking over your account.

Technically, if you can create a long complex password that you never share with anyone, you have successfully foiled the plans of 99% of hackers. The problem is, you don't have a long complex password at your disposal*. Even if you did, you would probably lose it and would have to go through the forgot-my-password process to create another weak password that you can remember.

Everyone can come up with a secure password. The reason we don't is because of one thing: Time. The only time we ever think about passwords is when we are already in front of the form.

Why would someone ever come up with a password like password123? It's obviously not secure, but they don't have time for a better one. If I chose a random person and told her that in one hour she'd have to fill out a sign-up form with a secure password, chances are she would create something better than test123, because she has time to think about it. But the only time we ever think about creating a password is when we are interrupted by a sign-up form.

You are reading about an amazing online service that promises to be better than Facebook. You watch the short videos and your enthusiasm is through the roof. You are only a click away from experiencing it first hand. You click on sign up and you are asked to create a user account with a password. All you want is to use the product, so you type whatever works just so you can get to the product. Suddenly, it's been 3 years since you created your Twitter account and you never bothered changing that very convenient password123 password.

First Solution: Education

The apparent solution is to educate users. No matter what path we take in our career, or the lifestyle we choose, we will be exposed to passwords at some point. So we might as well be prepared. With schools embracing the Internet, it is only natural for them to help their students securely navigate the web.

I propose a short orientation class that focuses on passwords. An introduction to tools that can help you create and manage passwords, awareness of the green https:// on the address bar to signal a secure connection, and an overview of phishing.

The same way there is an orientation for sexual harassment for every new employee, there should be one for understanding passwords. Just like in school, it can be used as a refresher to cover all bases.

Whether you create passwords manually or with software, you need to be prepared for them. Passwords are a fact of life.

The Better Solution: Generate passwords for the user

As of WordPress 4.3, when you try to create an account, a strong password is generated for you. The user has the option to change the password to whatever they please, but by default they will have a strong password. Even if they can't remember it, most browsers now offer the option to remember it by default. There are also many password managing tools available.

As simple as this sounds, it is a revolutionary idea. Having your user come up with a complex password is the equivalent of asking them to write a complex math formula (most people will just write 1 + 1 = 2). This method makes coming up with a password a developer problem, not the user's problem.

If there is one thing we've been learning about users in all these years of software development, it's that users rarely if ever change the default settings. So having a strong opinionated password by default is the perfect solution.

In every large company I worked in, there was a struggle for password management. You are asked to create a complex password every 3 months to access your account. My problem was they always expired at an inconvenient time and I chose simplicity over security. I usually added an extra character to the old password instead of coming up with a new scheme. If it was just generated for me and all I had to do was confirm and save it, I would have a secure password.

Making this the default password metaphor on the web would make the password123 joke disappear. We don't expect users to understand complex UIs, and we don't need to make them understand complex passwords. Let the developers, who are much more experienced, deal with that.
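
The generate-by-default flow described in this section, as an added Python example (not WordPress's code and not from the original post). The function names, the 24-character length, the symbol set, the 12-character minimum and the short common-password sample are all assumptions made for illustration.

```python
import math
import secrets
import string

# Constructed sample of the "list of common passwords" mentioned earlier;
# a real sign-up handler would load a far larger list.
COMMON_PASSWORDS = {"password123", "test123", "123456", "qwerty", "letmein"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*()-_=+")
ALPHABET = "".join(CLASSES)


def generate_password(length=24):
    """Return the default password offered on the sign-up form."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        # secrets draws from the OS CSPRNG; the random module is not suitable here.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Resample rather than patch characters in, so no position is predictable.
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length=24):
    """Upper bound, in bits, on the guessing entropy of a generated password."""
    return length * math.log2(len(ALPHABET))


def accept_user_choice(chosen, generated_default, min_length=12):
    """Decide whether a password typed in place of the default is allowed."""
    if chosen == generated_default:
        return True, "generated default kept"
    if chosen.lower() in COMMON_PASSWORDS:
        return False, "on the common-password list"
    if len(chosen) < min_length:
        return False, "shorter than minimum length"
    return True, "user-chosen password accepted"


if __name__ == "__main__":
    default = generate_password()
    print(default, round(entropy_bits()), "bits")
    print(accept_user_choice("password123", default))
```

The user who clicks through without thinking keeps the generated value; only a user who deliberately replaces it hits the common-password and length checks.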


We don't have to choose one option or the other. Good password education, together with shifting the task of coming up with a strong password to the developer, will make the whole process better.

A well-educated user already has a strategy for how to create a password. Whether it is manual or through a password manager, they would think about the problem long before they are interrupted by a form that requires a new password.

Every website that requires authentication would also be responsible for creating strong default passwords that the user can save using their favorite password manager. The developer has more expertise when it comes to creating passwords, so might as well let them come up with it.

In the long run, maybe passwords are like the alarm clock problem. Maybe in the future we will fix authentication problems without needing any traditional password as we see them today. But in the meantime, every website that requires authentication uses passwords, and most of them let weak passwords in. Updating them shouldn't be a terrible burden compared to coming up with a whole new strategy.

* Yes I know you developers come prepared to the battle, but let's remember we are a minority on the internet.

