Passwords Are Here To Stay

Many of the visionaries in the technology field have predicted that the password will cease to be a part of the user authentication process on future computing devices.  They point to the fact that passwords do not have a solid history of providing the best security.  They are too hard to remember by end users who end up writing them down or reusing them.  They are too easy to guess by thieves who understand the bulk of technology users are novices.  The overhead that passwords create for the organizations and companies that must manage their end users and customers has reached a tipping point.

Those of you on the leading edge of technology may have forged ahead into the new world of Windows 8.  If you have decided to protect your tablet with user authentication, Microsoft has provided you with a new option.  Instead of choosing a password, you can now identify yourself with a series of swipes on the screen.  When compared with passwords, these series of swipes provide a much stronger barrier to entry.  The swipes are created by the end user upon a background picture featuring distinct people and objects.  The user must memorize these swipes (direction, angle, length) so they can gain access to their tablet each time it requires authentication.  This sounds revolutionary.  It is.  Stealing your swipes is much harder than stealing your password.

I’ve seen a few of these ‘swipe’ solutions in action and they are quite impressive.  However, sometimes a user forgets their swipe sequence . . . just as they do a password.  Frequently the vendor response is to provide hints for each of the swipe sequences . . . just as they do for a password.  When all else fails and the hints do not help a user remember their swipe sequence, the backup plan is for the user to provide a user ID and . . . and a password.  The backup plan is to use the old plan.

I believe the swipe method will work out the kinks in the future, but I think it will always tow passwords with it.  Swiping will resonate with end users because it is easy and fun.  Other authentication methods may be more secure, but they have failed in the mainstream because they are simply too hard for the end users to remember and perform.  Two-factor authentication combines something you know with something you have.   This method is clearly more secure, but because it requires two items, it is twice as likely to fail.  Failure does not mean that security is broken.  In this case, failure means the user does not have one or both items and therefore, cannot gain access to their computer.  They are then unable to perform their task and become unproductive.

Despite all of their warts, using passwords is still seen as the best fit for those seeking both security and ease of use.  Even some of the visionaries I spoke about earlier are admitting we will continue to use passwords for the foreseeable future.

The Social Login

In some of my previous blog posts, I’ve written about the stringent password rules that some web sites employ in the name of protecting themselves and the end user from theft.  In turn, the end user, while acknowledging the need for security, is always looking for an easy and quick way to get things done.  I admitted that in the past, I had taken to using the same user ID and password combination on many different web sites.  I quickly learned that many thieves think the same way.  They are hoping you use this shortcut because if they steal your password for one site, they have it for many others as well.

A new phenomenon which introduces some of the same benefits and problems is the practice of allowing an end user to use their social media user ID and password to log into a web site.  I can login to some web sites now without setting up a site specific user ID and password.  These sites are giving end users the option to click on an icon for sites like Facebook or Twitter to verify who the end user is.  End users do not need to spend time choosing a user ID, choosing a password, answering security questions, and building account information.  Their existing identity on Facebook or Twitter is enough to provide verification.  The convenience is a huge plus for both the web site owner and the end user since the selling and buying can take place so much quicker.

Upon further examination, this convenient practice might be even worse than using the same user ID and password for all your online accounts.  Why?  Let’s say I am already logged onto my Facebook account as I busily work away at my local coffeehouse.  I take a much needed break and get in the long line to order a vente café mocha latte double espresso (sorry . . . I don’t drink coffee).  At any rate, a curious coffeehouse patron with evil intent notices my unattended tablet.  They pop open a browser window and logon to Best Buy  . . . using my Facebook identity!  If I made the mistake of storing my credit card information within the account, I have just gifted our thief a new Wii console.  Wow!  This new social login process is convenient for everyone… site owners, end users… and thieves!

I realize I’m not providing a solution here, but I do have a concern that the rush to make things easier will end up making life more difficult in another way.  I’m all for advances that make me more productive, but they need to be thought through to determine if security holes have developed.  I think it is clear that there is a problem with the current social login approach so maybe this approach shouldn’t be used by web site owners who are selling something or those who have the end user’s personal information available.

Facebook and Your Employer

Sometimes I worry that important events are going on around me and there is no way for me to weed through all the unimportant media noise to get to it.  The local TV news is embarrassingly bad.  Newspapers have become irrelevant.  The internet has the real news if you know where to look and don’t get distracted.  I am easily distracted.

So it shouldn’t come as any surprise when I read a news story about a law which will prevent an activity I didn’t even know existed.  I just read that a new law is going into effect in five states that will prevent employers from requiring employees or job applicants to provide their personal social media passwords.  What?!!  This was a real thing that companies could do?  I am angry on many levels:

  • How is this not a direct violation of one’s privacy?
  • What pompous executives think this is not a rights violation in this day and age?
  • Why did a specific law need to be written to protect our privacy on social media?
  • What rock have I been living under that I didn’t know this was a real thing?

As I understand it, employers believe your presence on social media is a direct extension of you.  For a job applicant, they feel they can have access to your social media accounts as part of the background checks they perform.  For existing employees, they want to keep tabs on your social media accounts to make sure you aren’t breaking any of the rules in your employment contract.  All of this makes sense if you live in a society where enterprise and government rule the individual.  However, the United States was built on a different set of principles that these policy makers can’t seem to understand.

I challenge these policy makers to look at the supposed problem in a different way.  How would they feel if the tables were turned and we had access to their accounts?  I know… you will find a few who will proudly say, “If you have nothing to hide, then why won’t you give me the passwords?”  My reply is that if I tell you it is my personal information and I am not willing to share with you, the laws of this country protect me and compel you to treat me as you would any other candidate or employee.  What I do in my personal life is of no concern to you unless it directly affects your business.  Your job application has questions like, “Do you have a criminal record?”  and “Have you taken illegal drugs before?”  How about adding another one like, “Do you engage in any social media activity that could be detrimental to our company’s business?”  That should suffice.

Only five states will see the law go into effect in 2013.  That’s means it is still legal in many other states.  Social media is an animal that much of our government is just beginning to understand.  I’m guessing they just didn’t know how to apply existing rights that individuals have to new technology.  Common sense should have prevailed.  Just as I own my personal information such as my bank accounts, my credit card numbers, and my stock portfolio, I also own my social media accounts.  One may argue that social media information can be shared with hundreds and thousands of others and that a company is just looking out for itself by looking over the shoulder of the user.  Sounds like these companies are acting like Big Brother to me.

Social media is the way the young technologist communicates.  It is foreign to the old guard including myself, but I’m willing to learn.  What worries me is that with each new technology change, our world has to adapt.  Information flow and how it applies to business and government must be constantly reviewed so that laws like this do not have to be written and passed.

Don Friesen

I got hooked on live comedy in the 80’s and have loved it ever since.  My friends and I saw the starts to so many careers including Bobby Slayton, Ellen DeGeneres, Paula Poundstone, Dana Carvey, Tom Kenny (SpongeBob Squarepants), and even Robin Williams.  Even though there are not as many comedy clubs as there used to be, I still like to take in a show now and then.  One of my new favorites is a comedian by the name of Don Friesen.  Don is the only two-time winner of the San Francisco Comedy Competition and recently had his own Showtime comedy special called “Ask Your Mom”.  While I having nothing against a comedian who uses harsh language and sexual situations to produce laughs, Don is a refreshing change from all of that.  His observational humor is storytelling at its finest.  Check out Don at his web site: http://www.donfriesen.com.

Don has one particular routine called “Forgot Password” that is funny for all kinds of computer users.  See the five minute bit at here.  Without spoiling the act, the comments that really struck a chord with me were:

  • We get conflicting advice about how to select a password.  On the one hand, we are asked to choose something we can easily remember… like a pet’s name.  On the other hand, we are asked to use capitalization, numbers, and special characters in our passwords.  Don asks, “Who names their pet ‘P 3 Underscore’?”
  • If you don’t go to a web site often, do you find yourself clicking the ‘forgot password’ link automatically?  You are then asked if you want a hint which is usually constructed of questions and answers you set up long ago.  Don laments, “Can I have a hint for my hint?”
  • Many of the security questions we are asked at web sites must be chosen from a predetermined list:  What is the name of your first grade teacher?  What was the mascot at your high school?  What is your mother’s maiden name?  Many months later when you return to the site, those hints seem like they were selected by somebody else.  Don has a different theory… “I think ‘Previous Me’ decided to play a joke on ‘Future Me’!”
  • Sometimes we get so frustrated trying to figure out our user name and password, we resort to setting up a whole new account from scratch.  We smile smugly thinking we have found a way around the hoops.  We put in our new user ID and new password.  Alas, we are told the password is too weak and too easy to guess.  Don disagrees… “If it were so easy to guess, why did I just resort to setting up an entirely new account?”
  • The last thing you have to do when setting up most new online accounts is the CAPTCHA.  The name is short for ‘Completely Automated Public Turing test to tell Computers and Humans Apart.’  The purpose is to prevent automated computer ‘bots’ from performing actions on the internet that are intended for people to do.  These actions include making purchases and providing personal information.  The CAPTCHA is a picture of jumbled letters and numbers that the user is asked to reproduce.  Don’s view… “That Squiggly Letter Test always takes me six or seven tries.  It might work better if they chose real words or phrases, but they never make any sense.”

I don’t believe Don is trying to change anyone or anything.  He is just pointing out the funny things that occur to him when he is forced to interact with technology.  Judging by the number of laughs he gets, I suspect the same thoughts have crossed the minds of most members of his audience.