What web designers can do for more password strength


Password security has been in the news lately and so the last few days I’ve been slogging through a long-neglected project replacing all the insecure passwords I’ve used over the years on various websites with new, very strong passwords.

(I use 1Password from Agile Bits Software for my password management. It's available for all major platforms (Mac, Windows, iOS, and Android). It's powerful, easy to use, secure, and lets you sync your passwords across all of them.)

Something I've discovered is a discouraging tendency among the user interface designers of many e-commerce websites to give their users no help at all in practicing good password discipline, and often to actively get in the way of it.

For one thing, they often fail to tell you the password requirements up front. I typically use a 20-character password consisting of upper- and lowercase letters, numbers, and symbols. I can't tell you how many times I have submitted a new password along those lines only to receive an error message saying that I couldn't use symbols or that the password had to be shorter. The rule is simple: never present necessary information to the user for the first time in an error message after their first attempt. State the length limits and the allowed characters next to the field, before the user types anything, and make sure the error message is driven by exactly the same rules as that hint. Otherwise you've created a Soup Nazi customer service experience. It's a minor annoyance, but the customer's attempt to do something that seemed completely valid received the equivalent of a hand-smack, and it makes them feel stupid at some level.
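Here is one way a front end can keep the up-front hint and the after-the-fact error from ever disagreeing. This is an added example, not code from the original post or from any of the sites it mentions; the policy object, the `.password-hint` element and the `form.signup` selector are assumptions. The only thing it refuses besides bad length is control characters, since rejecting symbols only makes passwords weaker.

```javascript
// Added example: one policy object is the single source of truth for both
// the hint shown before the user types and the error shown afterwards.
const PASSWORD_POLICY = {
  minLength: 10,   // the post's suggested floor
  maxLength: 128,  // generous cap; exists only to bound server-side hashing cost
};

// Text to render next to the password field before the first attempt.
function describePolicy(policy) {
  return `Use ${policy.minLength} to ${policy.maxLength} characters. ` +
    'Letters, numbers, spaces and any symbols are allowed.';
}

// Returns an array of problems; empty means the password is acceptable.
// Each message quotes the same numbers the hint already showed.
function checkPassword(policy, password) {
  const problems = [];
  // Count code points rather than UTF-16 units so emoji or non-Latin
  // scripts are measured the way the user perceives them.
  const length = Array.from(password).length;
  if (length < policy.minLength) {
    problems.push(`Password must be at least ${policy.minLength} characters (you entered ${length}).`);
  }
  if (length > policy.maxLength) {
    problems.push(`Password must be at most ${policy.maxLength} characters (you entered ${length}).`);
  }
  // Control characters (tab, newline, DEL, ...) are the only content we reject.
  if (/[\u0000-\u001f\u007f]/.test(password)) {
    problems.push('Password may not contain control characters.');
  }
  return problems;
}

// Wires the hint and the check to a signup form (browser only). Assumed
// markup: <form class="signup"> containing a password input and a
// <span class="password-hint"> element.
function attachToForm(form, policy = PASSWORD_POLICY) {
  const input = form.querySelector('input[type="password"]');
  const hint = form.querySelector('.password-hint');
  hint.textContent = describePolicy(policy);
  form.addEventListener('submit', (event) => {
    const problems = checkPassword(policy, input.value);
    if (problems.length > 0) {
      event.preventDefault();
      hint.textContent = problems.join(' ');
    }
  });
}

// Only runs in a browser; harmless under Node.
if (typeof document !== 'undefined') {
  const form = document.querySelector('form.signup');
  if (form) attachToForm(form);
}
```

The server must run the same `checkPassword` rules on submission, since a client-side check can be bypassed; the point of sharing one policy object is that the hint, the client error and the server error all come from the same numbers.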

Another troublesome trend is websites that put a low upper limit on password length. I understand that when you have hundreds of thousands of users, an extra dozen characters per password will take up, oh wait, about 3.5 megabytes of disk space. If you have that many users, you can afford the disk space. The storage argument is moot anyway: a properly built site never stores the password itself, only a salted hash of it, and the hash is the same size whether the password was 10 characters or 60. What's even more disturbing is that some large sites, like CafePress, which handles financial transactions on behalf of users, put a maximum length of 10 characters on user passwords! That's hardly suitable, according to most security-minded folks. In fact, I think 10 characters should be the minimum password length, not the maximum.

Something else to be wary of in account security is the use of security questions. The best security questions ask for obscure facts that only you would know. Unfortunately, what you are usually asked for is your mother's maiden name or the city where you were born. In this day of massive Internet databases, that information is all too easily found. Other answers may be similarly easy to mine if you have talked about yourself at any length on a blog or social network. In 2008, Sarah Palin's personal email account was broken into because the password-reset questions at her email provider asked for data that was available in her public biography.

The best security questions are open-ended: they let you write your own question and answer. Second best is a large selection of questions that ask for genuinely obscure information. But even if the site asks for obvious data, keep in mind that you don't have to tell the truth. Make up fake answers, ideally random ones; an answer that cannot be looked up anywhere is effectively a second password. Just be sure to remember your mis-answer or record it somewhere secure, such as 1Password.

Far too many people still use easily cracked passwords. Many security studies have shown that the most commonly used password is, in fact, "password". The rest of the top 25 list is similarly maddening from a security perspective. (I am also always appalled at the password insecurity of even my friends and colleagues who are technologically sophisticated.)

So, as with locking your car door to keep it from being easy pickings for opportunistic thieves, your goal is not to be perfectly secure from hacking but to make your passwords harder to crack than the majority. After all, you don't have to outrun the bear; you just have to outrun the guy whose password is "password".

Padlock by zebble, on Flickr

6 comments
  • Another maddening feature is requiring a strong password where none is required. I want a strong password on an account like Amazon where, if the account is compromised, I can lose money. When I sign up for receiving coupons or some such nonsense, I don't want to be forced into putting in a strong password because, frankly, I don't care.

  • You have a lot of good points here, and I do agree with Mike as well. On some sites (PayPal, etc.) you need a good password and you need to change it now and then. But some sites you may never use more than once, and you shouldn't need to bother with strength. Although I mostly rely on Firefox to remember all my passwords for me.

  • I like how with Facebook you are able to put in your phone number. And if for some reason it gets hacked or you lose your password, you are able to retrieve it through a text.

    Also, using the same password for all your logins is not a good idea. Once someone gets the login information for one account, they will pretty much have them all.

  • I very much agree with this post and I appreciated the key points the writer cited in the article about password security. This is really important for people who place a lot of trust in online services as their payment gateway. So it is best to have a good password for every account that you have online. Thanks for sharing this post.

  • I absolutely love 1Password. I use it personally for tons of sites, information, serial numbers, etc. I’d recommend it.  The password generator is pretty nice too.

    Anyways, cheers!
