Password "hell" isn't your fault

Peter Cohen recently wrote over at iMore about the huge  potential for in the new OS X Mavericks for fixing the "password hell" that the typical user finds themselves in today. This is typically characterized by two problems: 

  • Your password is insecure because it is some combination of either too easy to crack, or too widely used across your many, many internet accounts.
  • The solution to this is often to create complex passwords for each account, either randomly generated or using some kind of algorithmic pneumonic that will generate something both unique and cryptographically secure.  This increases the burden of complexity on the end-user.

The problem with putting the responsibility on the user is that it creates a situation where both remembering and storing these passwords becomes incredibly cumbersome, carrying the risk that they'll either give up with such a system, or institute a less-than-secure practice around storing these passwords.  And that's why the iCloud Keychain seems so appealing.

The iCloud keychain promises to behave like many other applications, like 1Password and LastPass, but with one key difference: you have no say in how your passwords get stored. With a tool like 1Password, the master passwords file can be stored locally on a computer, or in the cloud. The decision is up to you to decide where that information lives.

Every time I get an email from a large company notifying me on a data breach, I lose more faith in allowing corporations like Google or Apple to take control of my internet credentials. These companies have enormous targets painted on them and are a much richer source of wealth to hackers than the PC sitting in my basement. 

To consumers that are paying attention, it should be obvious by now that companies don't always follow security best practices, often forgoing encryption of user data, relying on easily compromised hashing methods, not salting data or simply storing passwords in plaintext. Despite the news of major data leakage and increasingly regular intervals, we keep seeing these companies push cloud-based solutions on us without assurances of basic common-sense security practices.

Emails I get about compromised servers only elicit a groan from me anymore. We treat it as a modern inconvenience instead of a major breach of trust. As long as companies insist on routinely capturing our details by asking to "sign up" , it means people will continuously supply insecure passwords. And that means we shift the responsibility onto companies to not just protect our account with them, but to protect all the accounts that exist under these credentials. 

Companies want to have control over our data, and we want more convenient ways to identify ourselves online. But until we both  start fixing the trust equation over how our personal data is protected and stored at both ends, "password hell" is going to continue to exist indefinitely.