Some IT security “pros” seem to live in a bubble, telling “normal” people to go and use a password manager, to invent complicated passwords, a different one for each website, never to write them down… bla bla bla.
What they seem to forget is that most people are barely coping with their computers and apps. Most “normal” people hardly understand the difference between the password to unlock their PC and the password for Facebook or other websites. Let alone how cyber-attacks work. If you are chuckling about so much ignorance, I have run into great software developers in important web projects with no clue about the HTTP protocol, what was client-side, what was server-side (just happily ploughing on in their abstract coding framework).
Often they give impossible password advice, much like preachers to the poor peasants. Serious admonishing face, some nodding for extra effect: “You should never re-use passwords”, “You have to start using a password manager”, “Never write passwords down”. Crazy. I suspect they are not even walking the talk themselves.
Get real. Password managers are a pain to use. Even for the pros. Long passwords with complex characters and capital letters are terrible, especially on a smartphone. There should be better protection measures in place to prevent brute-force “guessing” attacks by strangers, like throttling (locking the account for a while after 3 failed tries), adaptive authentication, and monitoring of suspicious activities and anomalies. Rarely does it matter how long or complex your password is, because to get your password an attacker uses a phishing email or key-logging. And yes: everyone re-uses passwords, all the time. Also the pros.
It is wrong to preach impossible advice and place the burden on the non-technical end-user, who has no time, no tools and no expertise, and whose day job is not IT or IT security. We should instead focus our effort and energy on the hundreds of websites and their developers who are too lazy to implement things like OAuth to connect to existing authentication systems. They are implementing a whole new password authentication system without having a serious security team like Google or Facebook has. They are taking the lazy (and dangerous) approach of asking people to create yet-another-password. It is these websites that are the core of the problem. Single sign-on and protocols like SAML and OAuth have been around for over a decade now. It is just not all right to implement a website and ask your customers to create yet another password before they can purchase a T-shirt. No matter how much you like long complex passwords yourself. And with these password strength meters you are only making things worse.
I think that the IT security pros, instead of preaching impossible password advice, should really start blaming and shaming these “dear-customer-now-create-a-new-password-just-for-us” websites. There must be colleagues of ours behind these websites. There must be auditors checking these systems. Let’s speak to them! This kind of lazy design choice puts customers seriously at risk. And I believe it is up to us, the IT security pros, to point the finger at the real problem: users choosing bad passwords is not the problem. All these websites asking users to create new passwords, that is the problem. So we should not talk about good practices when implementing password systems; we should say it is simply bad practice to build yet another password authentication system.
I welcome your thoughts on this. I think there is a funny decision tree hidden in here somewhere.
P.S. To keep things short and simple I have left out a lot of technical details. First of all there is the updated NIST guidance on passwords cancelling a lot of the old ideas about passwords (such as password complexity and expiration). Read a nice summary here. Secondly, please read up about OAuth and try to avoid building your own password system altogether. Thirdly I would like to point out that there are many, many complex security issues to deal with when implementing an online authentication system. It is NOT easy and requires a lot of thinking, designing, tweaking, and then a lot of work, by professionals, round-the-clock. There is an endless list of technical aspects you need to worry about: storing passwords as salted hashes to mitigate breaches. Having sufficient entropy in session identifiers to prevent session hijacking. Implementing adaptive authentication. Spotting stealthy attacks like low-and-slow brute-force attacks. Notifying customers about suspicious activity in a safe way (your email should not look like a phishing email). Offering a 2-factor authentication system. Scanning the web and the dark web for password leaks and dumps, e.g. on pastebin. Staying in contact with the CSIRT community about phishing campaigns. Being ready to warn customers about attacks and lock accounts. Having a helpdesk to handle locked-out customers. Etc. etc. I believe only a few large organizations are able to do it securely, such as major multinational IT providers, maybe some national e-ID providers. Once you dive into the issue you will agree that you should NEVER re-create your own password authentication system, and that it is better to integrate with an existing one, for example using OAuth. Implementing online authentication is not trivial and it is not a matter of adding a password strength meter, or using some built-in functionality of a CMS or a coding framework.
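As an added illustration of two items from this post, the throttling asked for above (account locked for a while after 3 failed tries) and the low-and-slow brute-force detection listed in the P.S., here is example code that is not from the original post; the LoginGuard class, the thresholds and the sample addresses are assumptions:

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 3              # failed tries before the account is locked (assumed)
LOCK_SECONDS = 15 * 60        # how long it stays locked, "for a while" (assumed)
SLOW_WINDOW = 24 * 3600       # look-back window per source address (assumed)
SLOW_DISTINCT_ACCOUNTS = 20   # distinct accounts one source may fail against (assumed)

class LoginGuard:
    def __init__(self, now=time.time):
        self.now = now                         # injectable clock, so tests are deterministic
        self.failures = defaultdict(int)       # account -> consecutive failures
        self.locked_until = {}                 # account -> unix time the lock expires
        self.source_log = defaultdict(deque)   # source -> deque of (timestamp, account)

    def is_locked(self, account):
        return self.locked_until.get(account, 0) > self.now()

    def attempt(self, account, source, password_ok):
        """Wrap the real credential check; returns 'ok', 'fail' or 'locked'."""
        if self.is_locked(account):
            self._note_source(source, account)  # attempts on locked accounts still count
            return "locked"
        if password_ok:
            self.failures.pop(account, None)   # a success resets the per-account counter
            return "ok"
        self._note_source(source, account)
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = self.now() + LOCK_SECONDS
            self.failures[account] = 0
            return "locked"
        return "fail"

    def _note_source(self, source, account):
        log = self.source_log[source]
        log.append((self.now(), account))
        cutoff = self.now() - SLOW_WINDOW
        while log and log[0][0] < cutoff:      # drop events outside the window
            log.popleft()

    def slow_attack_suspected(self, source):
        # One source failing against many distinct accounts, each staying under the
        # lockout threshold, is the low-and-slow pattern that per-account lockout misses.
        return len({a for _, a in self.source_log[source]}) >= SLOW_DISTINCT_ACCOUNTS

if __name__ == "__main__":
    g = LoginGuard()
    print([g.attempt("alice", "198.51.100.7", False) for _ in range(3)])  # ['fail', 'fail', 'locked']
```

Per-account lockout on its own lets anyone who knows a username lock that user out, so it needs the per-source view (and the helpdesk the P.S. mentions) beside it.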