Password Shaming Isn’t Productive – Passwords Are Scary Business

Wednesday, January 15, 2020

Tim Mackey

5fbfa7473f12e37a0ebbc623dcd9619f

We’ve all been in the situation trying to set a new password – you need one uppercase character, one number and one character from a special list. Whatever password we come up with needs to be between 8 and 24 characters long. Once created, we need to remember that password and heaven help us should we need to reset it. Yes, that’s the dreaded “you can’t reuse the last five passwords” message – but IT security requires the password to be changed every month. If you’ve lived in the corporate world, this experience is quite familiar. So too is this a common experience with most web properties.

Then along comes the dreaded “your account was part of a set of accounts which may have been breached” letter. As a consumer, you’re now left with some anxiety over what data might be in the hands of proverbial “bad guys”. Part of the anxiety comes from the prospect that these same bad guys might also now know your password, so you need to change it. If you’re like many people, that password likely was used in many places so the anxiety increases as you recall each of the websites you now need to update your password on – just to be safe.

Into this mess we have security pundits suggesting that multiple security factors are the solution. The net results being that not only do users need to remember their password, but they also need to enter a second code – often a set of numbers – in order to access their account. While each of these password complexity, password expiration, and multiple factor authentication rules can deter attempts to compromise an account, they do nothing to simplify the experience and when it comes to consumer grade devices or consumer websites, simplification is what we should be striving for.

Consider the current situation with Ring customers. It’s being reported that some users of Ring video devices are experiencing random voices speaking through their video devices. Some have even reported threats against them. These users are rightfully concerned for their safety, but some have been quick to lay the blame for the situation at the feet of the user. When someone states that “you should have a more secure password” or “you should enable 2FA”, those statements are fundamentally a form of victim shaming. The end user likely isn’t a security expert, but an expectation is being set that they should know how best to secure these devices.

The current situation with Ring devices isn’t new. We need only look back to September of 2016 when the US saw a major internet outage caused by an attack on the DNS infrastructure. This attack originated from a large quantity of DVRs, webcams and other consumer grade devices which weren’t properly password protected. At the time, there were similar cries that ‘password123’ wasn’t an effective password and users shouldn’t use it. This situation even prompted major service providers like GitHub to advise their customers to change their password – not because the user’s data had been part of a breach, but that the password had itself been part of a set of data sold on the black market.

These examples highlight a key challenge with product security– how to properly prevent unauthorized access while maintaining ease of use. This goal can’t be met if we shame users based on their security choices. Instead, product designers should look at the ways to use context to best secure systems. In the case of a video camera, access to the camera in all forms should be from approved devices. For example, if a user configured the camera from an Android phone, then that device is by definition an approved device to access the camera. Since the phone can’t be in two locations in two places at the same time, if the app is running on the phone, then there is only one possible way to access the camera until the user authorizes additional devices from within the app. This entire example doesn’t rely on password complexity to secure the camera, but rather uses user context as part of the overall system security where passwords are but one component. The net result being that while a simple password may not be advised from a security pundit perspective, the contextual information helps ensure that users don’t harm themselves. With the complexity of consumer devices only increasing, contextual security should be a priority for all – a situation which would avoid password shaming.

About the author: Tim Mackey is Principal Security Strategist, CyRC, at Synopsys. Within this role, he engages with various technical communities to understand how to best solve application security problems.

Possibly Related Articles:
53429
Infosec Island Enterprise Security Security Training
2FA password shaming weak passwords password reuse
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.