Aug 19, 2008

How people deal with password overload today

Working on LastPass.com for the last few months has given me the chance to ask quite a few people about their current password habits. It's been eye-opening to hear just how many people use the exact same password for every application they're faced with, either not recognizing or not caring about the risk they're taking.

The people who do recognize the risk typically 'tier' their passwords, using a strong one for the sites they care about most and a weaker one for the sites they care about less.

Both approaches are flawed because some companies are radically better at authenticating users than others. The most secure companies (like LastPass) use https (so data is encrypted in transit), create a one-way hash of your password on the client side (so your password itself never leaves your computer), and salt that hash again for what they store.

Unfortunately, almost no companies are that careful. Many let you send your password to them over an unencrypted channel, store your exact password unencrypted in their database, and will even send that password back to you over email (which is also insecure). That means there are at least six distinct ways your password for just that one site could fall into a nefarious person's hands: sniffed over the network on its way to the company, taken by an employee at the company, sniffed over the network between the company and your email provider, sniffed over the network between the email provider and you, taken by an employee at your email provider, or read from your email client, where it sits unencrypted.

Handling passwords the right way isn't hard if you have software that will create and remember strong passwords for you.
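To make the two points above concrete, here is an added example (not code from the original post, and not LastPass's own code): a per-site password generator of the kind such software provides, the salted one-way storage a careful site keeps, and a check of how far one leaked password reaches when it is reused across sites versus unique per site. The site names are constructed, PBKDF2-SHA256 is an assumed choice of one-way function, and the block models only the server-side salted hash described above; the post's client-side hashing step is not modelled, and note that whatever the client sends (a raw password or a client-side hash) is the credential the server receives, so the server must still salt and hash it before storing.

```python
# Added example (not from the original post or from LastPass): a per-site password
# generator plus the salted one-way storage a careful site keeps, and a check of how
# far one leaked password reaches when reused versus unique per site.
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value, not one from the post


def generate_password(length: int = 20) -> str:
    """Random per-site password from the OS CSPRNG, as a password manager would create it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def store_password(password: str) -> dict:
    """What a careful site stores: a fresh random salt and a one-way hash, never the password.
    Because the salt is fresh, the same password stored at two sites yields unrelated records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def accounts_unlocked_by_leak(leaked_password: str, site_records: dict) -> list:
    """Which of a user's accounts a single leaked password opens: the reuse risk."""
    return sorted(site for site, rec in site_records.items()
                  if verify_password(leaked_password, rec))


def reuse_exposure(reuse_one_password: bool) -> int:
    """Three constructed sites; suppose one of them mishandled the user's password
    (e.g. emailed it in the clear) and it leaked. Returns how many accounts that unlocks."""
    sites = ["bank.example", "forum.example", "shop.example"]  # constructed names
    if reuse_one_password:
        shared = generate_password()
        passwords = {site: shared for site in sites}
    else:
        passwords = {site: generate_password() for site in sites}
    records = {site: store_password(pw) for site, pw in passwords.items()}
    leaked = passwords["forum.example"]
    return len(accounts_unlocked_by_leak(leaked, records))


if __name__ == "__main__":
    print("reused password, one leak unlocks:", reuse_exposure(True), "accounts")   # 3
    print("unique passwords, one leak unlocks:", reuse_exposure(False), "accounts")  # 1
```

The salted hash limits what an insider or a database leak at a careful site yields, but it does nothing for the five other paths in the post, which all expose the password itself; only a unique password per site contains those to the one account.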

4 comments:

  1. Joe - According to a very dry Microsoft research paper from 2007, the average web user in the U.S. has 25 passwords and is required to log in using one of those passwords 8 times a day. The vast majority of people reuse the same basic passwords across multiple sites. And to remember these they usually choose basic, e.g. weak, personal information.

    The research suggests that most passwords aren't secure enough.

    Even so, lots of people, myself included, can't remember their passwords across multiple sites. According to this research, in a three-month sample 4.28% of Yahoo users forgot their password - roughly 2.5M people.

    If you're curious, here is the report: http://research.microsoft.com/~cormac/Papers/www2007.pdf


    Ian

  2. I'm really interested in LastPass as a timesaver, but I have to ask... how much do you really think that LastPass will prevent password theft? I can see how it will help in some ways: it'll defeat keyloggers (with the onscreen keyboard) and sniffer programs that'll look for unencrypted passwords on my computer. I might be missing something, but won't LastPass only really help with one of the six pathways to password theft that you mention?

    For someone like me who's behind a firewall and hasn't had a problem with spyware or viruses for... something like 4 years? How will LastPass keep me safer?

  3. Aster - The assumption I made that makes LastPass safer in those other scenarios is that you use the strong passwords that LastPass creates for you. If you're having LastPass create a good password for each site, the amount stolen by the other paths is limited to just that 1 site. It's of no use anywhere else...

    It's a change of behavior which is always difficult, but with LastPass generating and remembering for you it becomes far more feasible.

    If you are already using a unique password for each site you're in the extreme minority, but I commend you.

  4. Joe: Ah, I see what you mean. Thanks for the reply. Now if somehow you could write software that would help keep passwords secure on all those mom and pop websites that don't use encryption...you would be set for life! ;P
