Password security has been in the news lately and so the last few days I’ve been slogging through a long-neglected project replacing all the insecure passwords I’ve used over the years on various websites with new, very strong passwords.
(I use 1Password from Agile Bits Software for my password management. It’s available for all major platforms, Mac, Windows, iOS, and Android. It’s powerful, easy to use, secure, and allows you to sync your passwords across all platforms.)
Something I’ve discovered is a discouraging tendency among the user interface designers for many e-commerce websites to fail to provide a good experience to their users to encourage good password discipline.
For one thing, they often fail to give you any requirements for passwords up front. I typically use a 20-character password consisting of upper- and lowercase letters, numbers, and symbols. I can’t tell you how many times I have submitted a new password along those lines only to receive an error message that I couldn’t use symbols or that the password had to be shorter. You should never present necessary information for the first time to the user in an error message after their first attempt. In a sense, you’ve created a Soup Nazi customer service experience. It’s a minor annoyance, but the customer’s attempt to do something that seemed completely valid received the equivalent of a hand-smack and makes them feel stupid at some level.
Another troublesome trend is from websites that put an upper limit on the length of passwords. I understand that when you have hundreds of thousands of users, an extra dozen characters to store in a database will take up, oh wait, 3.5 megabytes of disk space. If you have that many users, you can afford the disk space. What’s even more disturbing is that some large sites, like CafePress, which handles financial transactions on behalf of users, puts a maximum length of 10 characters on its user passwords! That’s hardly suitable, according to many security-minded folks. In fact, I think that should be a minimum password length.
Something else to be wary of in account security is the use of security questions. The best security questions ask for obscure questions that only you will know. Unfortunately, what you often get asked for is your mother’s maiden name or the city where you were born. In this day of massive Internet databases, that information is all too easily found. Other answers might be similarly easy to mine if you’ve talked about yourself at any length on a blog or social network. In 2008, Sarah Palin’s personal email was hacked because the security questions on her email provider asked for data that was available in her public biography.
The best security questions are open-ended. They let you devise your own questions you will answer. Second best are a large selection of questions that ask you for some obscure information. But even if the site asks for some obvious data, keep in mind, you don’t have to tell the truth. Make up fake answers. Just be sure to remember your mis-answer or record it somewhere secure, such as 1Password.
Far too many people still use easily cracked passwords. Many security studies have shown the most commonly used password is, in fact, password. The rest of the top 25 list is similarly maddening from a security perspective. (Also, I am always appalled at the password-insecurity of even my friends and colleagues who are technologically sophisticated.)
So like with locking your car door to keep your car from being easy pickings by opportunistic car thieves, your goal is not to be perfectly secure from hacking, but making your passwords less hackable than the majority. After all, you don’t have to outrun the bear, you just have to outrun the guy whose password is password.