Passwords suck
The Washington Post’s Hayley Tsukayama recently pointed out that in the latest version of Windows, if you go through setup as recommended, you’ll never get a password option.
Passwords, we can surely agree, are the bane of modern digital existence. On a big-picture level, insecure passwords cause an estimated 80 percent of breaches, according to a 2017 report from Verizon. On a human level, they’re paralyzing; right when you need to access your utility bill, you can’t remember if you replaced the “a” with a 4 or an @ symbol.
Indeed, we certainly can agree: passwords suck. I seemingly have quite a few more online accounts with passwords than the average person. It’s simply impossible to have unique passwords for all these accounts and have any hope of remembering them. So for many years, I used Lastpass to manage my passwords (though I moved elsewhere after their significant data breach), and turned on two-factor authentication wherever I could. I even used a YubiKey for a bit, until I got fed up with having to fetch my keys to log in to stuff. Despite this, I was still pretty lazy, and typically used the same password (or a simple derivative of it) to sign up for new services, which meant that–despite all advice to the contrary–many of my accounts ended up with the same password.
I thought this was “alright enough” security. I had unique passwords for accounts I saw as “high risk”, such as banks and email accounts, but “so what” if some loyalty card account shared a password with some other account. I didn’t think I cared. Even when I knew that various companies’ data breaches had exposed my information, I didn’t think I needed high security on most of my accounts.
Then, in a matter of months, three things happened that changed my mind.
First, somebody used my details to spend a couple of quid on my Greggs app. I don’t actually use the Greggs app very often, so it took me quite a while to notice that my account had been drained of the small change it contained. And I wasn’t all that bothered: I was mostly amused that someone had gone to some effort to steal a small amount of money to spend on pastries. I didn’t even report it, I just closed down the account. (Sidenote: yes, I’m a public health consultant, and yes, I had an account on the Greggs app. Deal with it.)
Second, I noticed that dodgy advertising text had been inserted into a number of posts on my blog. This did irritate me. It turns out that I had both used a frequently repeated password to secure the database that runs the site, and also left this in a publicly accessible place. I’m fairly certain that it was the former rather than the latter that led to the problem. In some cases, the miscreant had also deleted the backups of posts, so I couldn’t do a simple restore to overcome the problem: I had to do it manually. And I still occasionally come across bits of inserted text that I missed when cleaning up.
Third, someone nicked £8 of Costa points from my loyalty card. This also annoyed me–albeit slightly irrationally given that I rarely bother to redeem the points, hence having £8 built up. Again, I used a password that I’ve often used elsewhere to secure this account. I did report this, and Costa refunded the points and (so they told me) investigated the fraud.
What’s the point of all this? I suppose I realised that I cared more about many of my accounts than I thought I did. The convenience of using an easy password meant that my security was a bit lax around the edges, and I lost out around those edges. The system of using passwords to secure accounts inappropriately rewards lax behaviour on a day-to-day basis, as it is less hassle than securing things properly.
I’ve since used my password manager properly, changing all of my accounts to long random sequences of numbers, digits and symbols that even I don’t recognise, and got into the habit of generating new secure passwords every time I’m asked to set one up. This takes a very small amount of hassle, but certainly more hassle than a go-to easily remembered reusable password… until the account is breached, of course.
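The two habits described above, spotting reused (and “simple derivative”) passwords across accounts and replacing them with long random ones, as an added example that is not part of the original post. The vault contents are constructed for illustration, and the normalisation rules (case folding, undoing swaps like “a” to 4 or @, stripping trailing years and punctuation) are my own assumptions about what counts as a derivative.

```python
import math
import re
import secrets
import string

# Constructed sample "vault export": account -> password (illustrative values only)
VAULT = {
    "bank": "Tr0ub4dor&3!xQ9",
    "email": "correct-horse-battery-staple-77",
    "loyalty-card": "Summer2019",
    "blog-db": "Summer2019",
    "coffee-app": "summer2019!",
    "bakery-app": "Summ3r2019",
}

# Common letter-for-symbol swaps; mapping to None deletes the character.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "0": "o", "1": "i",
                      "$": "s", "5": "s", "7": "t", "!": None})

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalise(pw):
    """Reduce a password to its 'root' so simple derivatives collapse together:
    lower-case, strip a trailing run of digits/punctuation (years, '!' suffixes),
    then undo the usual letter-for-symbol substitutions."""
    root = re.sub(r"[\d\W_]+$", "", pw.lower())
    return root.translate(LEET)


def find_reuse(vault):
    """Group accounts by password root; return only roots shared by 2+ accounts."""
    groups = {}
    for account, pw in vault.items():
        groups.setdefault(normalise(pw), []).append(account)
    return {root: sorted(accts) for root, accts in groups.items() if len(accts) > 1}


def generate_password(length=24):
    """CSPRNG-backed password over the full printable alphabet, re-drawn until it
    contains at least one letter, one digit and one symbol."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy for a uniformly random password of this length/alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for root, accounts in find_reuse(VAULT).items():
        print(f"root '{root}' shared by: {', '.join(accounts)}")
    print("replacement:", generate_password(), f"({entropy_bits(24):.0f} bits)")
```

Running it on the constructed vault flags four accounts sharing the root “summer”, including two with the identical password and two that differ only by case, a suffix or a 3-for-e swap.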
There are still settings where I maintain that a long string of characters as a password is not particularly helpful. For example, I was at a conference at the Royal Society of Medicine the other day where the delegate wifi password was long and complex. Who were they trying to keep out? Why was any password even necessary? But at the same time, it’s becoming clearer to me that lax security is no longer really good enough, even for seemingly insignificant accounts.
It seems to me that ‘password management’ has gone from being something that ‘techy people’ need to think seriously about, to something we all need to think about. And let’s be honest, most of us won’t, at least most of the time. So it’s always good to hear that passwords are being ‘phased out’. The sooner the better, as long as the alternative isn’t too much hassle!
The image at the top is by Christiaan Colen on Flickr, used under Creative Commons licence.