LinkedIn, MySpace and all of the other recent (sort of) password breaches have resulted in many articles that advise everyone to not use the same password on more than one site. This is known as “password re-use,” and the only way to effectively accomplish the task of setting up unique passwords for all of our web accounts is to use a password manager. Along with that advice is the equally important step of using two-factor authentication (2FA). These are excellent guidelines we can follow. However, many users don't follow them. Allow me to illustrate. I am confident that if you created a Venn diagram of password manager use among your friends and family, it would closely resemble this one:
The ugly truth is that we seem to be making little progress in our ability to spread the word about the seriousness of password re-use, and even though many news organizations report about the theft of passwords and how they can be used to compromise people's accounts, they don't offer solid advice about password managers. Most of the reports still only remind people about creating strong passwords. What can we, as security professionals, do to better inform folks that the time has arrived to make password management a priority?
Standardize Login Page Links
The most common problem that I have come across with password managers is due to the fact that that there is no standardized login page format across the internet. Many times, a password manager will store the page location on which a password is set. This becomes a problem because the manager fills in the URL for the password reset page instead of the login link. Imagine how confusing that is to a non-technical person. Each time they try to use the automated link in their password manager to login, they are directed to the wrong page (the password reset page) rather than the login page. Most folks do not know the address of the login page for their Gmail account (https://accounts.google.com/) or Amazon account (https://www.amazon.com/ap/signin?_encoding=UTF8&openid.assoc_handle=usflex+300 additional characters!) Is it possible to make the login landing page as simple as https://www.<domainname>.com/login rather than some of the long, obscure addresses that exist?
All Password Managers Are Equally Good
Another problem that is holding back adoption of password managers by the general public is caused directly by us. When someone asks “which is the best password manager?,” we should preface our response with “They are all good” before moving on to which one we like best. We can debate the individual problems with each product amongst ourselves (there is certainly no shortage of bickering about password managers in our community), but to make a public statement about the problem with any password manager is the same as damning them all. Unless you are employed by a particular password manager software company, there is no need to talk about how any single product is horrible. Is it more horrible than the current password security methods currently used by most of our friends and family?
Password Managers Make It Fun to Answer Security Questions
Have you noticed how many sites ask the same security questions? You know, the ones such as “where did you go to elementary school” or “What is your father’s middle name”? How often have we seen breaches that were carried out using those all-too-easy-to-find-out answers? Gladly, many sites have started to allow the creation of your own question. A password manager lets you keep notes in which you can add ridiculous answers to any security question. Question: In what city were you born? Answer: Unicorn Island. Your friends may think you are crazy for suggesting that they answer those questions in such a cavalier fashion, but it also adds a sense of the hacker mentality to security questions, and people love the feeling of being on the cutting edge of technology with such a simple method. It has taken over a decade for people to start using biometrics, and it only became possible as the technology became easier to use. It may take as long for password managers to move into that zone of “people who know they should use a password manager.” However, it will only start if we make the technology easier and if we start acting as better cheerleaders. Then maybe we can start getting people to use two-step verification. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
