Stop Blaming Users For Bad Passwords

Another year, another vendor study about how users choose absurdly bad passwords to protect their precious online accounts. This year’s study came courtesy of Keeper, while prior years’ reports (for 2015, 2014, 2013, 2012, and 2011) came from SplashData, a password management service for small businesses. Spoiler alert, the most used password this year is the same as last year: ‘123456’.

Every time I see one of these “studies”, I die a little inside. It’s not because poor passwords aren’t a real problem – they are: proper authentication is critical to defending the mobile and desktop internet applications of today, and the Internet of Things applications of tomorrow. I hate these reports because they blame the victim, the user.

Oh sure, these articles might levy some small admonishment aimed at applications (“the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies”), but by and large the unspoken message is “look at how stupid users are for using one of these passwords.” These click-bait articles are designed to deliver a dose of Schadenfreude to the reader, and allow them to wallow in smug superiority while they giddily guffaw at gems like ‘123456789’ (“Oh look, some moron actually thought that was better than ‘123456’—what a dolt!”).

Everybody knows bad passwords are a problem. Everybody knows you shouldn’t re-use passwords across multiple sites. Everybody knows you should pick a password with a mixture of characters, but not dictionary words (except, well, if you’re using a passphrase, in which case you should use dictionary words, but only the right way). Everybody knows all of this, and much more.

There’s just one problem: users just don’t care.

Just look at the stats over the last 5 years: some variant of ‘123456’ has appeared at or near the top of every one of these lists. Who’s the bigger idiot: the user for whom ‘123456’ keeps working and with little or no obvious adverse impact, or the apps and web sites that allow such bad passwords in the first place and ultimately suffer all the reputation damage or regulatory fallout?

These kinds of articles do little to advance awareness of a real solution to this problem, nor do they make much of an attempt to do so. It’s telling that such articles rarely mention the very real advances being made to address the problems posed by passwords, such as:

On that last item: there’s literally no reason to even ask the user for a password anymore. App developers can use both Touch ID and FingerprintManager to build password-less authentication schemes like FIDO (check out the video below). Right now. Today. Like, as I’m speaking to you. There are even commercial SDKs that developers can just plug into their app to perform this function with minimal additional code.

Instead of blaming the user, how about apportioning some blame to the apps and their developers? How about calling out the applications that allow such ridiculously poor passwords? How about shaming sites that actively disable password managers? How about some link-love for sites like TwoFactorAuth.org, which catalog which sites do and don’t support strong authentication options, and enable users to demand better?

But of course, that’s not the purpose of these articles. The articles aren’t about getting rid of passwords. They’re about positioning a vendor’s technology as a solution to this problem. Yes, a password manager when used properly is better than nothing. Yes, adding SMS two-factor authentication will reinforce poor passwords.

But passwords are an addiction, and these bolt-on half-measures are methadone. Heroin is bad, they say, but let’s not be too hasty about going cold turkey.

It’s time articles like this called out apps and developers to kick the password habit.

We Are The Walking Dead

Lately, I’ve been devouring Robert Kirkman’s “The Walking Dead”, a comic set in a post-apocalyptic zombie wasteland with a narrative focused on the daily lives of the non-zombie survivors. It sounds bleak, but it’s a good drama piece on how things fall apart in a crisis whose scale is beyond any individual’s comprehension.

I’ve started to see it as a bit of a parable for the current global situation and the probable future scenarios that await us: the constant hunt for food and shelter, and the vigorous and brutal means used to secure those same essentials. While most of the population of our world hasn’t turned into actual zombies, there’s a lot of parallels between our world and that of the comic.

Consider survival. Regardless of your current financial situation, you will be affected by the crisis and your ability to maintain your quality of life will face increasing strain. Are you prepared? I remain dumbfounded at the shabby state of Canadians’ and Americans’ finances, and individuals’ overall lack of restraint or planning. A quick run through the numbers courtesy of GreaterFool.ca shows that there are a lot of people out there who:

  • Lack significant savings: According to Garth, seven in ten Canadians have no corporate pensions, sixty per cent have no money saved, and only five in ten have RRSPs. Of the fifty percent of Canadians that do have an active RRSP, the average amount saved is a little over $40K.
  • Have significant debt: Canadian families owe $1.45 for every dollar they earn, and carry an average debt of more than $25K.
  • Are overexposed to risk: Canadians are funneling more and more money into real estate. The average cost of a house in Vancouver is upwards of 8x the average household income.
  • Are at or nearing retirement: There are nine million boomers comprising 32% of the population of Canada. The country is aging, and it’s only going to get worse. Oh, and we’re not alone.

No sweat, I hear you saying, I’ve sorted my own finances out. Which is just fantastic – at least someone’s been thinking ahead. In preparation for the Financial Zombieland that awaits us, you’ve at least been stockpiling cans, guns and ammunition. You’ll at least make it past the first wave of the outbreak.

Unfortunately, the fallout of the crisis will last slightly longer than a winter storm that knocks out the power. It will also dramatically reshape our society – permanently. While your larder may be full now, I believe the breadth and depth of the crisis will conspire to drain your reserves slowly but steadily in a number of ways:

  • The safety net will slowly disappear: Governments, being borderline insolvent, will look to dramatically trim expenditures while expanding taxation. One only has to look at the four-year “plan” in Ireland, and the economic restructuring in England to get an idea of what’s on the horizon for previously government-provided social services.
  • Things will cost more: Anyone who’s been paying attention has noticed that resources are becoming more hotly contested. China is playing chicken with the IMF by gobbling up resource rights in Africa in exchange for infrastructure, a flagrant violation of IMF’s rules that require those rights to be used to pay each African nation’s outstanding debts. Not only will resources cost more, but demographics and entitlements will force governments to find new sources of revenue. Read that: raise taxes.
  • Growth will be constrained: The natural response on the part of consumers and companies will be to find ways to conserve cash. In the wake of the economic crisis, US savings rates have increased dramatically. Canadians, believing they’ve avoided the worst, have decreased their personal savings rates; however, this will change as it becomes clear that no one can escape the grasp of the global economic decline.

The upside of this reshaping of our society is that it might be just what we needed. Just as in “The Walking Dead”, this crisis may have an upside. If nothing else, it may force us to shuffle our personal priorities. Perhaps we’ll reduce our consumption, redefine how we work, and reverse some of the global destruction we’ve wrought.