Harry Potter Fat Lady

Having worked in technical support for well over eight years, I have seen all manner of password management methods. From observing computer users I can honestly say that the security of passwords is severely left wanting.

In the Harry Potter books, as Harry comes back from a night-time wander around Hogwarts, he will often find a student stuck outside the Gryffindor common room because they have forgotten the password, usually because it has changed recently. This perfectly represents the massive issue with expecting users to remember complicated passwords that change frequently.

Most users take the approach of writing all their passwords down, usually in a Moleskine-style journal or on Post-it notes attached to their computer. The other major approach is to use a password so simple and personal that it is unlikely to be forgotten, such as catsname1.

With the sheer number of accounts a user needs to create it is unrealistic to expect a user to set a unique, complicated password for each account they create and to memorise it (personally I have 312 login records in my password manager).

I am a massive advocate of password managers, having used one now for a number of years, but I consider password managers to sometimes be complicated for an average user to use. One implementation of a password manager that is a massive improvement is Apple's implementation of iCloud Keychain.

When paired with a Touch ID-enabled device, all passwords are stored in the user's keychain, are only viewable once the user has authenticated, and are entered automatically when the user browses to the relevant website. The passwords generated by iCloud Keychain are also complex enough not to be easily crackable, a massive improvement in the simplicity of using a password manager.

My major criticism is not of password managers themselves, but that they do not resolve the underlying problem with passwords: in my opinion, they simply absolve developers of responsibility for resolving it.

A number of solutions have attempted to unify login, such as Google Sign-in, Facebook Login, and Sign in with Twitter among others. Most people attempting to log in to a website will likely have an account with a social media provider, so it seems natural that this could be leveraged to ease password strain. I have concerns about allowing a social network to know every site I log in to, so I will always choose to use a separate login if one is available.

Social media logins, though, are perhaps the best attempt at resolving this problem at this time. The issue with implementing a unified login is who should be the one providing it. This is exactly the type of situation where one solution doesn't do what an organisation wants, that organisation creates another standard, and we end up with yet another login method (examples include HD-DVD and Blu-ray, and H.264 and WebM; XKCD created a comic which sums up this situation perfectly).

Organisations also still hold the belief that requiring their employees' passwords to expire after a period of time represents best practice, when in my experience the result is that people write passwords down, increment the number in their password by 1 (password1, 2, 3, 4…) or forget their newly reset password and spend time calling IT support to reset it. Guidance from the NCSC agrees that this doesn't increase security and only adds weaknesses for attackers to exploit.

Recommendations

The reality of what we currently have is that if we do want a high level of security, a unique password should be used for each site, so that if one site is compromised the other sites we use aren't. Despite their complexity, I would recommend a password manager, as password management is easier once a user has got used to the way they work.

I would also recommend creating passwords of a significant length (at least 20 characters if possible), with a mixture of letters, numbers and special characters. Unfortunately I still come across sites that restrict password length to an odd range (e.g. between 8 and 16 characters) as well as not allowing users to use special characters. Whenever I come across this type of password policy I question whether I really need to create an account with that site.
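As an added example, not part of the original post, the Python script below puts the two points above into code: it generates a long random password containing all four character classes the way a password manager does, estimates its entropy, checks it against the restrictive 8-to-16-character, no-special-characters policy just described, and flags the password1 to password2 increments that forced expiry produces. The special-character set, the policy values and the sample passwords are constructed for illustration.

```python
import math
import secrets
import string

# Character classes a password manager draws from. A site that bans special
# characters is modelled by leaving SPECIAL out of the alphabet.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!#$%&*+-=?@^_~"   # constructed subset of widely accepted punctuation


def generate_password(length: int = 24, allow_special: bool = True) -> str:
    """Return a random password of `length` characters drawn with `secrets`
    (a CSPRNG, unlike the `random` module). Every character class in the
    alphabet appears at least once, which keeps the result acceptable to
    sites that demand a mixture of classes."""
    classes = [LOWER, UPPER, DIGITS] + ([SPECIAL] if allow_special else [])
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    # One guaranteed character from each class, then fill the rest uniformly.
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle with the same CSPRNG so the class-guaranteed characters are not
    # always in the first positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def check_policy(password: str, min_len: int, max_len: int,
                 allow_special: bool) -> list:
    """Return the reasons a site's policy rejects `password` (an empty list
    means it is accepted). Models the restrictive policies described above."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    if not allow_special and any(c not in LOWER + UPPER + DIGITS for c in password):
        problems.append("contains a special character the site does not allow")
    return problems


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is the old password with only its trailing digits or
    punctuation changed (password1 -> password2), the pattern users fall into
    under forced expiry. A site can run this at change time, when both values
    are available, instead of relying on expiry alone."""
    def stem(s: str) -> str:
        return s.lower().rstrip(string.digits + string.punctuation)
    if old.lower() == new.lower():
        return True
    return stem(old) != "" and stem(old) == stem(new)


if __name__ == "__main__":
    pw = generate_password(24)
    bits = entropy_bits(24, len(LOWER + UPPER + DIGITS + SPECIAL))
    print(pw, round(bits, 1), "bits")
    # The 8-16 character, no-special-characters policy from the text rejects it:
    print(check_policy(pw, 8, 16, allow_special=False))
    # A policy with a long maximum that accepts any character does not:
    print(check_policy(pw, 8, 128, allow_special=True))
    print(is_trivial_variant("password1", "password2"))
```

The entropy figure is only meaningful for passwords generated uniformly at random; a human-chosen password such as catsname1 has far less entropy than its length and alphabet suggest, which is the reason the generator rather than the user should pick it.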

Two-factor authentication has also become increasingly popular to implement (and I would recommend all users have it activated); while it has been shown to have loopholes, I would always advise that it be activated. I have never implemented a SIM lock on the SIM card within my phone. While perhaps overly paranoid, if someone were to steal my phone and had access to my passwords, then despite my having a passcode on my phone, they could simply put the SIM in another phone and receive my authentication codes.

It is important to ensure recovery processes are secure: if all logins point to one particular email address, how secure is that email account? If an attacker had access to it, they could request password reset emails and reset the passwords on a number of accounts. With two-factor enabled this risk is minimised, and if two-factor is enabled on your email and your password is completely unique to each site, it helps reduce your problems if one website is compromised.

Passwords are a problem that is unlikely to be resolved any time soon, but if a little time is taken to implement a good level of password security, worries are hugely reduced when a data breach is announced by a company or site you have an account with.