Users Suck: How You’re Ruining Security

Dylan McDonald
Published in Deep Dive Coding
Oct 10, 2017 · 3 min read

Humans are by their very nature social and helpful creatures. They trust people and want to be trusted in return. That is an evolutionary advantage in group situations, but it is the downfall of cybersecurity, and nowhere more so than in how people manage and share passwords. Here we examine three password traps users fall into and how to avoid them.

Trap 0: Password Sharing

Say you’re in a relationship, personal or professional, and you need to share the password to an account. How do you actually hand it over?

  • Email: Quite possibly the worst way to share passwords; the password sits in plaintext in both users’ inboxes (and on their providers’ servers) indefinitely
  • SMS: No better than email, since it just moves the same unprotected password into both users’ message history and through the carrier on the way
  • Verbally: Theoretically best, as long as both users have perfect memory and nobody is within earshot
  • Signal, WhatsApp: A remarkable improvement, since the message is end-to-end encrypted and nothing is stored unprotected in between, as long as neither user’s device is compromised
  • Dashlane, LastPass: Better still, since these password managers store the password encrypted and it cannot be unlocked on a user’s device without that user’s master key
  • PGP: The mack daddy of privacy tools, with very strong encryption, is embarrassingly cumbersome to use

It’s no coincidence that these options are sorted by both convenience and security: the front of the list is the most convenient and the end of the list is the most secure. End users tend to rely on the first three without ever considering the last three.

Trap 1: Password Reuse

One of the biggest problems with passwords is using the same one for multiple services. For more, we go to Senior Password Reuse Correspondent Jimmy Kimmel:

These users should be humiliated for revealing their passwords on national TV! The segments bring to light some very key problems:

  • Password Reuse: The implication of both interviews is that these users use the same password for every service, a huge weakness, because one breached site then exposes all of their accounts
  • Weak Passwords: All but one user in BOTH videos had passwords too weak to survive a dictionary attack
  • Social Engineering: Under the pressure of the camera, ALL participants discussed their passwords on national TV
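To make the first two points concrete, here is an added example (not code from the original post) of what an attacker does with a weak, reused password: crack the leaked hash offline with a small dictionary plus the usual mangling rules (capitalisation, word pairs, a trailing year), then replay the recovered password against a second service. The two services, their salts and the word list are all constructed for the example; real sites should use a slow hash such as bcrypt or Argon2, but a few hundred guesses is cheap at any hash rate, and the reuse is what lets the cracked password travel.

```python
import hashlib
import hmac
import itertools

# Constructed sample: two unrelated services, each storing a salted SHA-256
# of the user's password. The salts are made up for this example.
def _store(password: str, salt: bytes) -> dict:
    return {"salt": salt, "hash": hashlib.sha256(salt + password.encode()).hexdigest()}

SALT_A = bytes.fromhex("0a1b2c3d4e5f6071")
SALT_B = bytes.fromhex("8899aabbccddeeff")

# The user reused "badPassword2017" on both services (constructed scenario).
SERVICE_A = _store("badPassword2017", SALT_A)   # assume this database leaked
SERVICE_B = _store("badPassword2017", SALT_B)   # still private, but accepts logins

# A tiny constructed word list standing in for a real dictionary.
WORDLIST = ["password", "welcome", "dragon", "letmein", "bad", "summer"]
YEARS = [str(y) for y in range(2010, 2020)]


def candidates(words):
    """Yield the guesses a dictionary attack tries: each word, its capitalised
    form, two-word combinations such as "badPassword", and every one of those
    followed by a recent year."""
    bases = []
    for w in words:
        bases += [w, w.capitalize()]
    for w1, w2 in itertools.permutations(words, 2):
        bases.append(w1 + w2.capitalize())
    for b in bases:
        yield b
        for y in YEARS:
            yield b + y


def crack(record, words):
    """Offline attack: hash each guess with the leaked salt and compare."""
    for guess in candidates(words):
        h = hashlib.sha256(record["salt"] + guess.encode()).hexdigest()
        if hmac.compare_digest(h, record["hash"]):
            return guess
    return None


def verify_login(record, password) -> bool:
    """What the second service does when the attacker tries the password."""
    h = hashlib.sha256(record["salt"] + password.encode()).hexdigest()
    return hmac.compare_digest(h, record["hash"])


def credential_stuffing(leaked, other, words):
    """Crack the leaked hash, then replay the result against the other service.
    Returns (recovered_password, login_succeeded)."""
    pw = crack(leaked, words)
    if pw is None:
        return None, False
    return pw, verify_login(other, pw)


if __name__ == "__main__":
    print("guesses in dictionary:", sum(1 for _ in candidates(WORDLIST)))
    print("result:", credential_stuffing(SERVICE_A, SERVICE_B, WORDLIST))
```

Note that the two services use different salts, so their hashes differ and the leaked hash itself is useless against service B; the password is what carries over. The same attack run against a random 24-character password finds nothing, because no word list contains it.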

The main lesson here is to stop being so trusting. Humans want to trust and be helpful, even when it is in their own interest to trust no one.

Trap 2: Predictable Security Questions

As shown in the previous section, users’ passwords are too weak. Even worse, “security questions” actively compromise the security of accounts. A question such as “What is your favourite colour?” is easy to guess and appears on many sites, unlike a harder question such as “What is the air speed velocity of an unladen swallow?” It takes only about three to five guesses to hit a user’s favourite colour. By contrast, an attacker is unlikely to know the air speed velocity of an unladen swallow without knowing whether it’s an African or European swallow.

And don’t get me started on the capital of Assyria!

Moral: security answers, like passwords, should be totally random. Ideally both the password and the answers to the security questions are random strings, generated by and stored in a password manager for safe keeping.

Practical Password Advice

The most important thing one can do is use a password manager to store passwords, especially where passwords need to be shared. Services such as Dashlane and LastPass let users share passwords securely and conveniently, in a way that resists both attackers and three-letter-agency snoops.

The main barrier for end users migrating to a password manager is how daunting it looks at first. Most users have their passwords memorised or written down somewhere, and the password manager starts out blank, which makes the work ahead look enormous. The best advice is to treat it like a new diet or exercise regimen: start slowly and work your way in. Make a goal of entering 3–5 passwords per day into the new password manager. Before you know it, all of your passwords will be in the manager, and you will never have to hunt for a password again.

Once all passwords are in the password manager, set the same daily goal for replacing the “dumb” passwords illustrated in the previous section with passwords generated by the password manager. The result is a change from badPassword2017 to something like 23aPn92ia73ZQfERpMKGOkGd (an actual generated password).
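Here is an added example (not the article’s own code, nor any password manager’s) of what “generated by the password manager” amounts to, serving both the moral of Trap 2 and the paragraph above: draw characters from the operating system’s CSPRNG via Python’s `secrets` module, never from `random`, and compute the entropy that a uniformly random string of a given alphabet and length carries. The vault-entry layout, the site name and the security questions are assumptions for illustration.

```python
import math
import secrets
import string

# Letters and digits: the 62-symbol alphabet the article's example password uses.
ALNUM = string.ascii_letters + string.digits


def generate(length: int = 24, alphabet: str = ALNUM) -> str:
    """Build a password by drawing each character from the OS CSPRNG.
    random.choice (Mersenne Twister) is seedable and reproducible, so it must
    never be used for secrets; secrets.choice is the right tool."""
    if length <= 0 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length).
    For the 62-symbol alphabet and 24 characters that is about 143 bits."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet_size must be >= 2 and length >= 1")
    return length * math.log2(alphabet_size)


def new_vault_entry(site: str, questions) -> dict:
    """One vault record (layout is an assumption): a generated password plus a
    random answer for each security question, so the answers are as hard to
    guess as the password instead of being a favourite colour."""
    return {
        "site": site,
        "password": generate(24),
        "answers": {q: generate(16) for q in questions},
    }


if __name__ == "__main__":
    entry = new_vault_entry("example.test", ["favourite colour", "first pet"])
    print(entry)
    print("bits in a 24-char alphanumeric password:", round(entropy_bits(62, 24)))
    # A favourite colour drawn from roughly eight common answers is ~3 bits.
    print("bits in a favourite colour:", round(entropy_bits(8, 1)))
```

The entropy figure is the honest comparison: a favourite colour chosen from roughly eight common answers is worth about three bits, which is why three to five guesses usually suffice, whereas a 16-character random answer drawn from the same 62-symbol alphabet carries about 95 bits and a 24-character one about 143.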


Developer, teacher, free thinker, Trekkie, and lover of green chile.