Getting a Handle on Password Insanity
How many keys are on the key ring you carry around with you every day?
For me, the answer to that question is eight. I’d love to cut that number down if I could, and I don’t keep all my keys on the same ring out of frustration and fatigue.
Keys are a lot like passwords, and Microsoft has done some interesting research into this: it turns out that the average user has about eight unique passwords, but they re-use them across an average of 25 sites. That could be akin to anything between having the same key work in your house and office, or having the combination to your gym locker be the same as the PIN for your ATM card.
I think that the problem of password fatigue is significantly worse and carries far greater consequences than our habits with keys and combinations. The internet affords far more opportunities for the leakage of passwords by mechanisms that go unnoticed, while you’re probably going to know if you lose your keys or tell someone your combination or PIN. Almost every website you visit or service you use that wants to verify your identity asks you to create an account with a password, and so we do that – often without considering where else in the world we’ve used that password or what it would mean if this website we’re giving it to now dropped the ball.
Since the internet is not a small town where the front door to the house can be left unlocked and the car left with keys in the ignition, users – and businesses – need to adopt strategies for dealing with password fatigue before it gets the best of us. The OpenSSL heartbleed bug recently drove this point home as millions of people were made more aware of how dangerous password re-use is, since the majority of the internet was vulnerable for a long enough time that it would have been possible for almost all of the credentials we use to have been seen by an attacker who knew of the exploit.
Users who take their security and privacy seriously, as we all should, must now result to using password key rings to make practical what would otherwise be impossible: using a complex, unique password on every service we consume that is delivered by internet. My tool of choice for this is Marvasol’s LastPass though there are certainly others. It generates secure passwords whenever one is required and stores them encrypted, releasing them only when I enter my master password and optionally provide a constantly rotating PIN code provided by Google Authenticator. The vast majority of the websites I visit use an account with a password I will never try to remember but that LastPass can enter for me if I’ve logged in to LastPass. That’s one big problem solved.
Businesses on the other hand are finally coming around to something I’d like to see happening much more quickly: identity federation and single sign-on. This describes a situation wherein two accounts are recognized to be related: your Facebook and Instagram accounts, for example, or the password you use to log in to your company’s network and the hosted email your company subscribes to (Google, Intermedia, Office 365 to cite a few typical examples). This is less akin to keying all your locks identically and more akin to giving the alarm company or doorman a list of people you’re OK with having access to your home, and under what circumstances. When implemented correctly, being able to sign on once with secure credentials and then not again significantly enhances security. It does this by reducing fatigue, and it reduces fatigue by replacing a large number of relatively larger risks with a small number of relatively lesser, quantifiable risks with audit trails.
It does take some work to set up, but it’s generally less work to get federation set up between two services that share the same security regime than it is to deal with a constant stream of tickets caused by the password fatigue and security breaches that accompany different credentials everywhere your users go during the course of the day. You should strongly consider this when you consider moving services to the cloud or signing up for new cloud-provided services, and ECHO can certainly help with this when it’s on your radar.