
KATE THOMPSON FERREIRA: Your P@55w0rd is obsolete, time to rethink your personal cyber security

Cyber crime costs the global economy $2.9m every minute and 80% of these attacks are password related, writes Kate Thompson Ferreira

Picture: 123RF/PWSTUDIO

According to research done by password management tool LastPass, the average person has more than 190 passwords to keep straight. One hundred and ninety.

It sounds as if it’s an implausible and impossible number until you start to tally up your daily use accounts (personal and work e-mails, social networking sites and so on) and then add in the ones you use less often, plus any online shop you’ve ever purchased from, any subscriptions and memberships you have, and any old accounts you’ve let go dormant. Is your MySpace account still out there in the dusty corners of the web? How about Blogger, Hotmail or Flickr?

If you’ve even been a casual user of online services in the past two decades or so, suddenly having tens of accounts seems a little less absurd. And 190 accounts means 190 passwords, right? After all, experts extol the virtues of having unique passwords for each account.

Realistically though, that’s a perfect example of the kind of advice most of us acknowledge is totally rational, yet still studiously avoid when it comes to putting it into practice. I’m not innocent here, and most “security experts” aren’t either. That same LastPass report found that though 91% of people understand the risk of reusing passwords, 61% still do. Password managers, such as LastPass itself, present a solution — but also a huge risk. If your security fails at that point, all of your accounts are potentially compromised.

In those terms, it seems it’s just another reason to beat yourself up, like not sorting your recycling. And with this acknowledged, you know who to blame when your account gets hacked ... However, much like your recycling responsibility, this might be a case of shifting blame that should honestly be jointly shouldered by individuals and companies, indicative of an outdated mode of thinking about cyber security.

Hear me out: you should absolutely reduce waste and recycle. But the biggest polluters who are able to make the biggest systemic changes are arguably corporate citizens. The narrative of “you’re not doing enough” as an individual may be true, but it is also useful to bigger, badder polluters who find it inconvenient or costly to change their ways.

Back to cyber security, then: you know you should be better at password management, but the larger system has hardly made it easy for you, and it is more convenient for companies to magnify the personal-responsibility story than to admit that the system they uphold may be fundamentally flawed.

And it is flawed, on so many levels. The basic principles of password management are one unique password per account, and only ones that are free of any reference to your pets’ names, your mom’s maiden name or birthdays. Once we licked that, platforms and providers started demanding passwords featuring an increasingly complex array of letters, symbols and numbers.

This website requires a password longer than eight characters. This one too, but no more than 12. That one will let you go up to 16 characters, but you must include upper case and lower case letters. Maybe one account applies the rule that — and I’ve seen this first-hand — your passwords can’t use recurring letters, which would rule out words such as “recurring” or “letters”, among thousands of others. If you work in a corporate environment or use enterprise software, you’re also likely to be prompted or even forced to update certain passwords quarterly or monthly.

Given this, can we really blame the average Joe or Joanne for reusing their passwords or writing them down? Or for relying on a familiar word that can be adjusted modularly in the “Password, Pa55w0rd, P@55w0rd123” format?

The truth is that even complex password policies don’t actually make sites as safe as we’d like them to be. There are vulnerabilities in the password recovery process, clues in published password policies, and so much of our personal information widely available online that social engineering attacks are a cinch.
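To make that point concrete, here is an added example in Python. It is not part of the original column and not code from LastPass, the WEF or the Fido Alliance. It applies composition rules of the kind described above (a length window, mixed case, a digit, a symbol), the “no recurring letters” rule, and then a separate check that undoes the “Password, Pa55w0rd, P@55w0rd123” substitutions and compares the result against a short blocklist. The length limits, the blocklist and the substitution table are assumptions chosen for the demonstration; a real deployment would check against a large list of breached and common passwords.

```python
import re

# Assumed length limits, mirroring the "longer than eight, no more than 16"
# rules the column describes. Chosen for this demonstration.
MIN_LEN, MAX_LEN = 8, 16

# Constructed blocklist of base words; a real deployment would use a large
# list of breached and common passwords instead.
BLOCKLIST = {"password", "letmein", "welcome", "qwerty", "iloveyou"}

# Common character substitutions that "Password, Pa55w0rd, P@55w0rd123"
# style variants rely on; the mapping is an assumption for the demonstration.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
})


def passes_complexity_policy(pw: str) -> bool:
    """Composition rules of the kind sites impose: length window, mixed
    case, at least one digit and at least one symbol."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def has_no_recurring_letters(pw: str) -> bool:
    """The 'no recurring letters' rule, applied case-insensitively.
    It rejects 'recurring' and 'letters' but happily accepts P@55w0rd123."""
    letters = [c.lower() for c in pw if c.isalpha()]
    return len(letters) == len(set(letters))


def candidate_bases(pw: str) -> list[str]:
    """Possible dictionary words a password was built from: undo the
    substitutions on the whole string, and on the string with leading and
    trailing non-letters (the '123' or '!' suffixes) removed."""
    s = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return sorted({s.translate(SUBSTITUTIONS), core.translate(SUBSTITUTIONS)})


def is_blocklisted_variant(pw: str) -> bool:
    """True if the password is a trivial variant of a blocklisted word."""
    return any(base in BLOCKLIST for base in candidate_bases(pw))


def evaluate(pw: str) -> dict:
    """Summarise how one password fares under each check."""
    return {
        "complexity_ok": passes_complexity_policy(pw),
        "no_recurring_ok": has_no_recurring_letters(pw),
        "known_variant": is_blocklisted_variant(pw),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the column's own variants, the two words the
    # "no recurring letters" rule rejects, and a long passphrase.
    for pw in ["Password", "Pa55w0rd", "P@55w0rd123", "recurring",
               "letters", "correct horse battery staple"]:
        print(f"{pw!r:32} {evaluate(pw)}")
```

Running it shows the mismatch the column complains about: `P@55w0rd123` satisfies every composition rule, including the no-recurring-letters rule, while being a one-step variant of the most common password there is, and a long passphrase such as `correct horse battery staple` is rejected outright by the 16-character ceiling. The blocklist check with substitution undone is the one that actually separates the two.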

This is the dire state of a system many security experts have been critiquing loudly for years. Thankfully, though, this “movement” is gaining momentum. It even featured prominently on the World Economic Forum (WEF) agenda last week.

A WEF report released on January 21 found that cyber crime is costing the global economy $2.9m “every minute in 2020”, and that “80% of these attacks are password related”. If private enterprise is to overcome this, and sidestep the humungous bill password resets lead to, the WEF argues that we are going to have to face the facts on the (non)usefulness of knowledge-based authentication (such as passwords and PINs) and declare them dead and defunct.

Andrew Shikiar of the Fido Alliance, which partnered with the WEF on the report, said: “The path forward is with standards-based, cryptographically secure authentication that keeps login info secure and private, while providing a fundamentally better user experience.”

This means a fundamental rethink, a shift to things such as biometrics, behavioural analytics and security keys to enable user authentication. And — back to my view, not the WEF’s — this requires making cyber security a shared responsibility, and relinquishing the temptation to throw users under the bus.

• Thompson Ferreira is a freelance journalist, impactAFRICA fellow, and WanaData member.
