This morning, as I was drinking my industrial-size iced coffee (coffee purists look away!), I was thinking about the oppressive heat (100+ °F) and other exciting stuff. More specifically, I was mulling over the Twitter chat that we participated in last week.
I want to share a couple of thoughts with those of you who weren’t able to join in. So, “why does the most commonly used authentication method (username & password) get so much negativity these days?”
As I see it, there are three main reasons for this:
- gloomy and pessimistic news coverage. The great majority of news stories about passwords (anecdotally, in the range of 86.155%) are either about major hacks or breaches that just happened, or one of the frequent announcements that login+password authentication is antiquated and inadequate and must be replaced (lock, stock and barrel) by something else – anything else. The rest of the stories are mostly collections of new ‘top 10’ lists of lousy passwords.
[It is understandable that many people feel helpless in the face of so many ‘the sky is falling’ messages.]
- it’s hard! John Oliver does a great job highlighting this in his interview with Edward Snowden. It’s not so much that people don’t know what to do, or can’t follow basic steps or use available tools, it’s that people perceive it to be hard to remember all those passwords! “You mean I need a unique long and strong password for each of my logins? I’m not going to do it!”
[Just like video killed the radio star, ‘plug and play’ is killing individual responsibility for security.]
- it’s not a perfect system. After all, what kind of security system is it, if breaches and hacks happen so often?! “You mean to tell me, that after all my hard work there’s still a chance that Hotmail is going to get hacked anyway? What’s up with that?!”
[The strange part of this thinking is that no system is perfect. By the same logic, we should have replaced the system of locks and keys in the physical world with something that would eliminate picked locks, burglaries and every other instance where a lock fails to keep someone out.]
When you think about it, it’s a lot like going to the dentist.
Huh?! What do passwords have to do with dentists?
Ever notice that folks aren’t nearly as afraid of dentists as they used to be? Those of you who remember back to the 90s and 80s and earlier will remember how often you would hear someone talking about the dread of having to go to the dentist. Sure, there were ‘laughing gas’ and painkiller shots to keep you from feeling the pain of getting that cavity filled, but having your teeth worked on hurt. (And don’t even get me started on the inserts that the dentist made you bite down on, with the awful-tasting fluoride and the warning that you couldn’t swallow!)
You don’t have to take my word for it, just notice how often the dentist theme came up in TV shows and movies back then. (And I’m not even talking about Marathon Man – the movie with Dustin Hoffman and Laurence Olivier. Just thinking about the movie makes me cringe in pain!)
Everything about dentists was negative: everyone hated going to the dentist but was only too happy to talk about how terrible it was. Getting cavities filled hurt! Braces hurt – for a long time, and they were ugly! A root canal was the worst pain that anyone could imagine.
Well, over the years, the discussion changed. Technology improved and now it’s not nearly as painful or traumatic to go to the dentist. Another big factor is that the marketing and positioning of dentists and dentistry have changed a lot. Today, whenever you see an ad for a dentist, you see beautiful smiling people. The talk is of ‘looking better’ and an ‘incredible smile’ – not of root canals and cavities. I suggest that the result is pretty clear: with all the improvements and changes in the conversation, unpleasantness and pain are no longer the first things that come to your mind when someone says ‘dentist’.
Let’s get back to passwords. What’s a person to do when the news repeats stories about alarming breaches and violations, and the security pundits say things like “the system has been around for too long and needs to be replaced”? All those negative stories and public messages actually undermine our best intentions for good security because – in our own minds – they reinforce our internal justifications for our own bad password habits! If even the important people on TV say it’s hopeless, then how can I expect to protect myself?
Am I suggesting that all that’s needed to make passwords more secure and user-friendly is to introduce a ‘new and improved’ PR campaign? No, of course not! I’m saying we need a more realistic conversation about passwords.
When all you hear about a topic is negative, it is very hard to take a constructive approach when dealing with it. It is because login+password authentication is such an integral part of our online lives that it is so important for people to approach it seriously, and not with the sense of hopelessness engendered by the ‘passwords are worse than a root canal’ message that we hear so often.
We all need to be encouraged to follow best practices when it comes to our passwords. Today, using a strong, unique password for each of our online accounts is integral to protecting ourselves. A password manager like Sticky Password gives you the best chance to remember all those strong passwords to protect yourself and your family. Another simple, and increasingly available, way to increase your security is to turn on multi-factor authentication wherever it is supported by the sites where you have an online account.
New authentication methods are constantly being introduced, but they won’t be replacing passwords any time soon; instead, we can expect biometrics and other authentication methods to supplement and improve security on the sites that support these new methods. Sticky Password supports fingerprint authentication on mobile devices, and we’ll continue to extend support for new authentication methods that offer added security and protection.
The introduction and support of new authentication methods is very positive for security and is to be encouraged, but not because of any hope for a silver bullet that will create the perfect authentication system that can’t be cracked! For one thing, even in the area of security, competition will push the best to the top. Just as important, the availability of multiple authentication methods that companies can choose from will tend to increase general security because it will make it harder for bad guys to attack every site with a single hack method.
Now, that would be something to talk about!
The live chat took place Thursday, July 16. You can check out the entire discussion by searching #ChatSTC on Twitter. Panel members included: @id_eco_system, @cyber, @brettmcdowell, @TeleSign, and @NSTICNPO. Visit staysafeonline.org or stopthinkconnect.org to find out about their next chat, and to get loads of other great information about staying safe online.