Sometimes the best way to sell an article is a killer title. However, a lot of times people just remember the title and forget the article behind it.
Take Mat Honan’s article in December’s issue of Wired, Kill the Password: Why a String of Characters Can’t Protect Us Anymore.
It’s a great post. Every time people comment on it, I find they talk about their own password mojo (which, by the way, you should never ever talk about – like ever) and miss a couple of key points the author made. Namely, that the weakest link is not your password… unless of course you make it so. I am not going to go into the usual diatribe about people choosing easy-to-guess passwords and/or not protecting them. Both Wired and countless online articles have devoted enough pages to the subject.
I’m talking about the usual weakest link in the chain, that unavoidable feature every online service must have: password recovery. You need password recovery. It is, by definition, an alternate authentication path into your account. This is where attackers (the so-called hackers) will try to get in.
Most end users hate password recovery features because most of the time they require those pesky security questions to be answered. That’s just half of it. The other part of the weak link is that almost every password recovery feature online relies on email: either it sends you a one-time link to get into the system and set a new password yourself or, even worse, it sends your current password in the body of the message.
Although I don’t want to discuss password strength, I’ll mention xkcd has one of the best takes I’ve seen:
By the way, we’re all end users. Colleagues of mine who recoil at the term must admit that, however many systems they manage, they may be system admins at work but they’re also customers of a service at home: phone, water, power, or owning a car or a house. Some of us may have high-end credentials on one network but we’re complete pawns on another.
On a point the Wired article already made clear, having one email associated with every service reduces your security to a single point of failure: whoever controls that email account can take away your access to countless systems. By extension, if you have your accounts linked together, the same applies.
The problem deepens, however, where a password recovery feature can be circumvented by guessing personal but publicly available information or, worse, by talking to a customer service representative. That is because people are not inflexible, and ultimately they want to help you on the phone. If you weaken the security of your password recovery, it becomes your point of failure, and the first brick in the wall to fall if an unsavory character tries to get access to your account.
I can’t tell you the number of times I’ve seen companies narrow their security questions down to simple ones that anybody can guess, because their intention is to assist the customer. Also, renewing those questions and keeping them up to date is a hassle for every end user. You have probably run into the classic company executive who can’t type his own password right several times in a row, gets locked out, and can’t remember the answers to his own security questions.
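To make the recovery weak link concrete, here is an added example (my own illustration, not code from the Wired article or from any particular service) of a recovery flow that avoids the two failure modes above: it never puts the password itself in the email, and the emailed link carries a random, single-use, short-lived token of which the server stores only a hash. The `RecoveryStore` class, the `TOKEN_TTL` value and the injectable clock are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy: a recovery link is good for 15 minutes and exactly one use.
TOKEN_TTL = 15 * 60


def _hash_token(token: str) -> str:
    """Store only a digest: a leaked pending-reset table yields no usable links."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RecoveryStore:
    """Hypothetical in-memory store of pending password-reset tokens.

    The weak pattern the post describes (mailing the password itself, or a
    long-lived reusable link) is replaced by a random token that expires and
    is consumed on first use.  `now` is injectable so expiry can be tested.
    """

    def __init__(self, now=time.time):
        self._now = now
        # user -> (token_hash, expires_at)
        self._pending: dict[str, tuple[str, float]] = {}

    def issue(self, user: str) -> str:
        """Create a reset token for `user`; the caller puts it in the emailed link.

        The plaintext token exists only in the returned value and the email;
        the store keeps its hash.  Issuing again replaces any older token.
        """
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._pending[user] = (_hash_token(token), self._now() + TOKEN_TTL)
        return token

    def redeem(self, user: str, token: str) -> bool:
        """Return True once, for the correct unexpired token; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False  # unknown user or nothing pending: same answer either way
        stored_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[user]  # stale link is dead even if the hash matches
            return False
        # constant-time comparison so a wrong guess leaks nothing via timing
        if not hmac.compare_digest(stored_hash, _hash_token(token)):
            return False
        del self._pending[user]  # single use: a replayed link fails
        return True


def recovery_email_body(user: str, token: str) -> str:
    """The only thing that should go out by mail: a link, never the password."""
    return (
        f"Hello {user},\n"
        f"Use this link within 15 minutes to choose a new password:\n"
        f"https://example.invalid/reset?user={user}&token={token}\n"
    )


if __name__ == "__main__":
    store = RecoveryStore()
    tok = store.issue("alice")
    print(recovery_email_body("alice", tok))
    print("first use:", store.redeem("alice", tok))   # True
    print("replay:   ", store.redeem("alice", tok))   # False
```

The email still remains a single point of failure, as the post argues: whoever reads that inbox can reset the password. What the token design buys you is that the message is worthless after fifteen minutes or one use, and that a copy of the server's pending-reset table is worthless on its own.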
So, what do we do… no easy solutions here. There’s the obvious complex-password conversation that I won’t go into. But also, check your weak links. If you can, avoid service providers with weak security systems, like AOL. If you must use them, then isolate each service. I understand it has become a security versus convenience issue. Sometimes it’s a balance. We choose to link a few things together for the sake of convenience. Just don’t hang everything off one email account.
Here’s another tip that I don’t see mentioned often: use a different username for different services. A username that is also your email address gives an attacker half the login and tells him exactly which recovery flow to hit.
Also, do the same thing we do with everything else. How do you keep people from breaking into your car? You don’t use the same key for everything. You don’t park it in a rough neighborhood at night. You don’t leave stuff in it that people will want to steal. In other words, don’t make yourself an attractive target. Make the attacker choose an easier target than you.
And if your car ends up getting broken into, try to make sure they won’t get anything else.
That will do for now.