I’ve said over and over that the best password is one you don’t know: one so long and complicated that you have to write it down. That is what security people have always recommended, yet for whatever reason people are still using insecure passwords, mainly because websites impose so many restrictions on what a password can be. Hackers understand these same restrictions and will use them against you, or against the site.
The problem is two-fold. First, entering data on a smartphone or any small keyboard is time-consuming. Having to go back and forth to wherever the password is stored, typing a character or two at a time (because of its complexity), will make anyone give up. You cannot have both secure and convenient. Using a password manager is inconvenient, but it would be much more tolerable if the process were made easier. Second, websites, in order to be more secure, are blocking password managers from filling in the fields, or are not allowing copy and paste. While preventing these two actions makes things more secure in a perfect scenario where the average person understands why, the reality is that people want access to their stuff NOW! By lifting these restrictions and pushing password managers, you will increase security.
The new recommendation is to use a password manager. Let the password manager create, store, and fill in the password. Set it to create the longest nonsense it can: something so difficult that you won’t remember it, and won’t need to write it down either. All of this is in addition to using a second form of authentication; however, the password is still the most important part.
I spent a lot of time explaining managers here: http://chaimtime.com/2012/07/25/the-sad-state-of-passwords-part-1-use-a-password-manager/
I’ve drafted a letter that I want people to email to any website that refuses to let a password manager do its job. I’ll leave it editable, so that people who are much better writers than I am can add to it. Hopefully this will be a catalyst for everyone to email the webmaster and force a policy change.
To Whom It May Concern:
I appreciate the security measures your site imposes to keep my information safe and secure, but may I offer a few suggestions? My suggestions are based on technical support inquiries I’ve been getting from people who are less tech-savvy and security-conscious. I understand that as a business you have to weigh security against convenience, but I don’t think the security you implement is enough to warrant the inconvenience.
I’ve been a proponent of password managers for filling in credentials. Your website will not allow the auto-completion of usernames and passwords. Password managers let people easily create passwords that satisfy your website’s current password restrictions, and fill them in automatically. They also make it easy to keep track of the change when a password needs to be changed. Allowing automatic filling or copy and paste means people can create more secure passwords with less inconvenience. Allowing copy and paste also makes entering credentials on a smartphone much easier. If you want people to use your app, you need to make it easy to log in and keep user data secure.
Thank you for listening to my suggestions. I am open to discussing this with you or your security team. I believe this is a simple change that will allow a better experience on your website.
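To make the two restrictions concrete, both the ones described in the problem statement above and the ones the letter asks the webmaster to lift (autocomplete disabled and paste blocked on the login fields), here is an added example that is not part of the post: a small Python audit of login-form markup that flags paste-blocking handlers and disabled or missing autocomplete tokens, with a constructed hostile form beside its password-manager-friendly version. The form markup, field names and finding wording are my own assumptions, not taken from any real site.

```python
from html.parser import HTMLParser

# Inline event handlers sites use to stop pasting or dragging into a field.
PASTE_BLOCKERS = ("onpaste", "oncopy", "oncut", "ondrop")
# Autocomplete tokens that tell a password manager what a field holds.
CREDENTIAL_TOKENS = {"username", "current-password", "new-password", "one-time-code"}

class LoginFormAuditor(HTMLParser):
    # Records, per credential field, the markup that gets in a password manager's way.
    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, problem) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases attribute names
        if a.get("type", "text").lower() not in ("text", "email", "password"):
            return  # submit buttons, hidden fields and the like are not credential fields
        name = a.get("name") or a.get("id") or "<unnamed>"
        for event in PASTE_BLOCKERS:
            if event in a:
                self.findings.append((name, f"{event} handler blocks pasting credentials"))
        autocomplete = a.get("autocomplete", "").strip().lower()
        if autocomplete == "off":
            self.findings.append((name, "autocomplete=off hides the field from password managers"))
        elif autocomplete not in CREDENTIAL_TOKENS:
            self.findings.append((name, "no autocomplete token (username / current-password / new-password)"))

def audit_login_form(html):
    # Returns the (field, problem) findings for one page of login-form markup.
    auditor = LoginFormAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample: a login form with the restrictions the letter complains about.
HOSTILE_FORM = """<form action="/login" method="post">
  <input type="text" name="user" autocomplete="off" onpaste="return false">
  <input type="password" name="pass" autocomplete="off" onpaste="return false" oncopy="return false">
</form>"""

# Constructed sample: the same form with the restrictions lifted and the fields labelled for managers.
FRIENDLY_FORM = """<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
</form>"""

if __name__ == "__main__":
    for label, form in (("hostile", HOSTILE_FORM), ("friendly", FRIENDLY_FORM)):
        print(label, audit_login_form(form))
```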
As always, please comment on the Google+ Post below: