The web has a password problem. You probably have heard about the Adobe.com password breach, in which hackers downloaded millions of encrypted passwords and associated email addresses and password “hints,” then uploaded this data to the web for the edification of the general public. Your email address may be among them. You can easily check here whether you downloaded a trial version of Dreamweaver Lite back in 2003.
- The passwords were encrypted, but not very well.
- The password hints and email addresses were in plaintext.
- Since people are not all that original with their passwords there were plenty of duplicates. My relatively secure password, for example, was used by 31 other people on Adobe.com.
- This means one could take my encrypted password, find all the password hints that those other 31 people created for that password, and make some really good guesses. The New York Times reports that one guy was able to break one in six passwords using this methodology.
This matters, since most people, me included, use the same password for multiple sites. So, theoretically speaking, my moribund Facebook account could be instantly improved by some charitable script kiddie in Kazakhstan while he empties out my bank account.
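The mechanics behind the bullets above, as an added illustration (not code from the original post or from Adobe): when passwords are stored with a deterministic transform, every user with the same password ends up with the same stored value, so their plaintext hints can be read side by side. A per-user random salt and a slow key-derivation function remove that grouping entirely. The sample records and the use of unsalted SHA-256 as a stand-in for "deterministic encryption" are assumptions made for the example; the post does not say which cipher Adobe used.

```python
import hashlib
import os
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records (email, password, hint); not real breach data.
USERS: List[Tuple[str, str, str]] = [
    ("a@example.com", "Fluffy123", "my cat plus numbers"),
    ("b@example.com", "Fluffy123", "pet name 123"),
    ("c@example.com", "Fluffy123", "dog? no, cat"),
    ("d@example.com", "correct horse", "xkcd comic"),
]


def store_deterministic(password: str) -> str:
    # Stand-in for deterministic encryption (assumption): equal passwords
    # always produce equal stored values, so duplicates are visible.
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    # Per-user random salt plus a slow KDF: equal passwords no longer
    # collide, so hints cannot be pooled across users.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def hint_groups(users, store: Callable[[str], str]) -> Dict[str, List[str]]:
    """Map each stored value to the plaintext hints of the users sharing it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for _email, password, hint in users:
        groups[store(password)].append(hint)
    return dict(groups)


def largest_group(users, store: Callable[[str], str]) -> int:
    """Size of the biggest cluster of hints an attacker could read together."""
    return max(len(hints) for hints in hint_groups(users, store).values())


if __name__ == "__main__":
    print("deterministic, largest hint cluster:", largest_group(USERS, store_deterministic))
    print("salted, largest hint cluster:", largest_group(USERS, store_salted))
```

With the salted scheme every user lands in a cluster of one, which is exactly the property the breach data lacked.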
Blame the User
The industry answer to all this bothers me. We’ll leave Adobe out of it — even though they are to blame and their response has been less than credible.
The standard advice doled out about passwords from security experts is that we should have a unique, strong password for each site we log into. Examples:
Use combinations of at least six letters, numbers and punctuation marks and don’t use this password for any of your other accounts.
Choosing the same password for each of your online accounts is like using the same key to lock your home, car and office – if a criminal gains access to one, all of them are compromised. So don’t use the same password for an online newsletter as you do for your email or bank account. It may be less convenient, but picking multiple passwords keeps you safer.
Do use a different password for each website you visit.
Avoid using your Apple ID password with other online accounts.
All good stuff in theory, but written by sysadmins for sysadmins. Very few people will create strong passwords for every site they visit. It’s not just “less convenient.” It’s pretty much impossible for the average human:
- We’re supposed to switch our passwords from the memorable “Fluffy123” to the unmemorable “fLu$fy87t.”
- And create unique passwords for each of the 30 or so accounts we have.
- And type “fLu$fy87t” into an iPhone.
- And figure out how to remember the passwords and which belongs to which account across multiple devices.
- Or figure out how to install software across multiple devices to remember it for us.
Fix the $%&^@$ Problem
Google, Facebook, Apple and Twitter are in the business of analyzing human behavior — and making money off that analysis in return for a dollop of fun and convenience. It’s time they applied some of their analytical and engineering expertise to solving the web’s password problem, instead of pretending that users will solve it for them.