How do you know that someone is who they say they are? It's an age-old problem, and passwords were invented to solve it a long, long time ago: a simple shared piece of knowledge that only someone on your side will know. Easy to implement (tell everyone on your side the password, don't tell the enemy), easy to test (ask them what the password is and stab them with a pointy thing if they don't get it right). Guards in the dark don't need to recognise uniforms or faces; they just need to hear the right password.
We now have the same problem (how to identify a person), but unsurprisingly the solution that worked wonderfully for ancient armies is not ideal for the Internet. The combination of a public identifier (the user ID) and a private authenticator (the password) badly needs to be replaced. The problems are:
- Computers can 'brute-force' a password by trying every possible combination, very quickly.
- Dictionary attacks are quicker still: the attacker runs through a list of known words and commonly used passwords to see if any one of them is the password, so a password that is an ordinary word falls in a few hundred thousand guesses rather than billions.
- Humans are really bad at remembering arbitrary combinations of letters and numbers. For example: spelling. It seems most of the human population these days can't even spell 'lose' correctly. What chance have we got of remembering '4T2jO0vQbl2'?
- Hard-to-guess combinations of letters and numbers are also notoriously hard to remember, for exactly the same reason: each letter or number in the sequence is unrelated to any other. Any logical or semantic pattern in the password makes it easy to remember, but also easy to guess.
- Each site needs an individual, unique password. Sharing a password between sites is a security risk because the security of the password relies on it being secret. Sharing it with more than one site means that the secret is shared, and a shared secret isn't secret: when one of those sites is breached, the attacker simply tries the same email address and password at every other site.
- Writing the passwords down is a security risk because then the passwords are only as secure as the piece of paper or text file they're written on. Usually this is a post-it note on the monitor, which the experts in this area generally frown upon.
So we're currently asking humans (who are known to be really bad at this) to remember an intentionally hard-to-remember random combination of letters and numbers for each site they visit, without writing it down. And if they get it wrong, someone is going to take their online identity and do bad things with it, like stealing their money or insulting their friends.
What's worse, nearly every site implements a 'forgotten your password?' feature that allows anyone with access to your email to reset every single password. So in fact all your passwords are only as secure as your email. And you've got your email permanently logged in on your smartphone, right? So if you lose your smartphone you can lose your entire online identity, because whoever has your phone can change all your passwords and lock you out of your own identity (the phone's lock screen is the only thing standing in the way).
This is so broken. So why don’t we change it?
- Because passwords are easy to implement.
- Because people are trained to accept passwords as being secure, so not implementing passwords looks like not being secure.
- Because choosing a unique and hard-to-guess password and keeping it secure is a user problem, not a server problem. If a user loses their identity because their password got compromised, that's their fault. Anything else might make it the server's problem.
- Because it works most of the time, and when it fails nothing really bad happens (unless it happens to you).
- Because forcing your users to have an account with your site means you're managing the customer relationship (this is not true, and very poor logic, but it is trotted out occasionally in support of password identification).
I say enough. Let’s be the change we want to see in the world. As Exhibit’s resident Uber Geek, here are my pro tips for appropriate user identification strategies:
- Do you need to securely identify your users? I mean really need to? If it's online banking, yes. If it's a blog comment system, probably not. Forcing your users to remember one more password will actually deter them from using your site. Make it easy: let them just post with their email address and whatever nickname they want (an unverified email address proves nothing, but for comments it doesn't need to). If they abuse it you can moderate your way out of it (and that's engagement with your customers, which is good, right?).
- If you do need to identify your users properly, use a third party. If your users are under 40, they almost certainly have a Facebook account, and Facebook has a simple federated login system: your users identify themselves to Facebook, and Facebook then vouches for the user to your site, so you never see or store a password at all. Google has the same service, as does Microsoft.
- If you need to identify your users, and you can't or won't use a third party, then consider using a passphrase of 3-4 words instead of a password. Passphrases are a lot easier for humans to remember because we can tell stories about the words, and, provided the words are picked at random from a large list rather than lifted from a quotation, four of them give a computer at least as much to guess as a genuinely random 8-character password, and far more than the 8-character passwords people actually choose.
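As an added example (this is not code from the original post), here is a small Python script that makes the brute-force, dictionary and passphrase comparison concrete: it generates a passphrase using the operating system's cryptographically secure random source and works out how many bits of guessing each scheme forces on an attacker. The word list is constructed and deliberately tiny so the script runs offline; the 7,776-word figure is the size of the EFF long word list, the 170,000-word dictionary size is a rough assumption, and the 10^10 guesses per second is an assumed offline attack rate, not a measurement.

```python
import math
import secrets

# Constructed word list so the example runs offline. It is deliberately tiny;
# a real generator uses a large published list such as the EFF long list
# (7,776 words). Entropy depends only on the SIZE of the list, not on the words.
WORDLIST = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orbit", "pepper",
    "quiver", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "copper", "meadow", "pillow", "rocket", "spiral", "tunnel", "violin",
]

EFF_LONG_LIST_SIZE = 7776      # 6^5 words, one per five dice rolls
PRINTABLE_ASCII = 95           # symbols a truly random password can draw from
ENGLISH_DICTIONARY = 170_000   # assumed size of a dictionary-attack word list


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret built from `length` symbols, each chosen uniformly and
    independently from `alphabet_size` possibilities. This is the number the
    attacker cares about: on average they must try half of 2**bits guesses."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses before an attacker hits the right secret."""
    return 2 ** bits / 2


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret at a given guessing rate, in years."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(words: int = 4, wordlist=WORDLIST, separator: str = " ") -> str:
    """Pick `words` words uniformly at random with the OS CSPRNG (`secrets`).
    `random.choice` would not do here: it is not designed for secrets.
    Repeats are allowed so every pick is independent and the entropy is exact."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def compare_schemes(guesses_per_second: float = 1e10) -> dict:
    """Entropy and expected cracking time for the schemes discussed in the post.
    1e10 guesses/s is an assumed offline rate (attacker holds the password
    database and uses GPUs); online guessing against a rate-limited site is
    many orders of magnitude slower."""
    schemes = {
        "one dictionary word": entropy_bits(ENGLISH_DICTIONARY, 1),
        "8 random lowercase letters": entropy_bits(26, 8),
        "8 truly random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "4 random words, 7,776-word list": entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "4 random words, this toy list": entropy_bits(len(WORDLIST), 4),
    }
    return {
        name: (round(bits, 1), years_to_crack(bits, guesses_per_second))
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    print("Example passphrase:", generate_passphrase())
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:34s} {bits:5.1f} bits  ~{years:.2e} years at 1e10 guesses/s")
```

Two things worth noticing in the output. Four words from a 7,776-word list (about 51.7 bits) sit right beside eight truly random printable characters (about 52.6 bits), so the win is not that passphrases are magically stronger; it is that 51 bits of randomly chosen words is something a person can actually remember, while nobody remembers '4T2jO0vQbl2'. And the toy list shows the trap: four words from a 32-word list is only 20 bits, which is why the words must come from a large list and be chosen by a random source, never by the user's favourite song lyric.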
And finally, from a user's perspective: DON'T USE THE SAME PASSWORDS!! Sorry if that sounds shouty, but seriously, you are putting yourself at huge risk, especially if you use any sort of online banking or purchasing system. Check out Awkward Web Guy's explanation of what to do instead below.
Over and out …. Marcus