Passwords and security: not all accounts are precious

Posted by & filed under Technology.

After the news of the Gawker password database breach broke, several conclusions were drawn: don’t taunt hackers, especially if your own security is mediocre; don’t use the same password everywhere; and, the most frequent one, “OMG! People are idiots and have very weak passwords”.

I completely agree with the advice of not using the same password in many places — that’s just silly. It would be like your car key also opening the bank vault, the mailbox and the house door at the same time (I suppose some would find that convenient, until they left the key, with the address tag attached, at a restaurant or something). But the “weak passwords” claim is disingenuous.

Mostly because marketing people just love to think of their own systems as overly important to users. These days it’s difficult to do anything on the internet without getting a demand to register/sign in/log in/create an account. Can you imagine if a regular newspaper required you to fill out a two-page application at the newspaper kiosk and then tell the salesman your username and password every time you bought said newspaper?

Yet online newspapers do require it. And while in most cases the account is only needed to comment on a news story, some want you to sign in just to read an article. “Hey, it’s free!” says the marketing department. Sure. It’s also irrelevant beyond whatever original action prompted the user to create an account.

And irrelevant accounts get irrelevant passwords. I bet if you scanned the Washington Post account database, there would be tons of passwords like “password” or “blahblah123” or something worse. Completely insecure, silly and throw-away. If you were given a key to a “free newspaper” box, I doubt you’d guard it as zealously as your house key.

So, if you do require users to create yet another account to do something, don’t be shocked if users take the path of least resistance, give you fake data, or try to set their password to “password” (and, probably, get upset if your comment engine requires the password to be 10 characters with mixed case and numbers). Unless your offering is important and relevant and genuinely requires good security, be prepared to see silly passwords and randomly picked options in mandatory “indicate your interests” sections.
