With the widespread use of online authentication mechanisms in online correspondence, I believe a growing concern today is actually shifting from online theft to the adequate use of this service. A service where the potential threat was always believed to come from an anonymous user is now rolling back onto the shoulders of the user himself, where nobody but the user is his own enemy!
Although I have no idea how correct it is to call the user his own enemy.
I was just wondering: in a time when every possible lab, every big web fish in the name of Web 2.0, is trying to capture possibly every tiny habit of a computer user, be he a beginner, intermediate or an expert, somehow the practice or means of online authentication still remains in its primitive stage to date.
And if one argues that there have been attempts to make this online authentication more secure every day, do we also mean to extend this argument to the bad password-management habits that users actually adhere to?
It reminds me of the password strength-o-meter which you see while signing up for Gmail, Y!, MSN and similar services today, but what I noticed is that even they do not force the user to use a strong password; instead they just make the strength visible.
Very true, forcing any such liability could have led to a barrier to entry.
As a first-hand task I tried quantifying the number of passwords that I have to remember at any given point of time:
Personal Mails – 2 (Gmail, Yahoo)
Messengers – 4 (Y!, AIM, MSN, others)
Blogs – 2 (General, Technical)
Wiki(s) – 2 (Wikipedia, Personal)
Shopping – 3 (eBay, Amazon, Rediff )
Travel sites – 3 (Railways, Airline, Travel Agency)
Netbanking – 4 (Savings Account(s), Credit Card(s))
Official – 5 (Domain, Enterprise, Remote Servers)
General sites – 20 (News Magazines, Social N/w, Personal Task Management, Image hosting, Online Video, Online Bookmarks etc.)
Extra mail account – 1 (Subscribed to various groups and mailing lists)
Home Laptop/Desktop – 3 (root & user for Linux and a login for Windows)
Being very much an average user, I therefore have to remember some 50 passwords at any given point of time. I believe I am not exaggerating if I say people have to remember well above the average of 50 passwords in one go, a number which could actually go even up to 100.
Now the blame put on the shoulders of the users is that they reuse usernames/passwords across different online correspondences and so remain their own enemy; does this really make any sense? Isn't it really obvious for a user to reuse the username/password again and again? I wonder whether, rather than a good solution to this problem, what exists to date is just advice and blame.
Let's take the analogy of mobile numbers: no need to count the numbers stored in your handset, just find 20 contacts that you call frequently. Find out how many numbers out of these 20 you actually remember perfectly. Take it as an exercise to see if you even remember some 10 numbers out of them perfectly.
When we can't remember even 10 numbers, which are supposed to be much simpler to remember, given a pattern to identify the name of the contact, the type of connection, the region to which it belongs, only 10 digits in a number etc., how can a user be expected to remember this many passwords at one go, each with a completely different structure and out of pattern (as advised)? Isn't it a ubiquitous choice to have the same username/password across different online services, a compromise on the standard password management advice?
Now, a few of the typical issues that go unnoticed in using an online service effectively are:
1. Forgetting the passwords completely
2. Jumbling up the passwords – leaves the user helpless in critical times, restless, and leads to lower productivity.
3. Fear of using them in a public place such as a cafe – now the privacy of your account is as good as the laziness of the cafe owner.
4. Repetition of passwords – although it eases the problem of remembering various passwords, it is highly vulnerable to brute force attack.
5. Non-conformance to standards on password creation/management – refer to the mobile analogy.
As a lab exercise, we should first be quick enough to quantify password reuse. I am sure that won't be less than a horrifying figure.
I was just thinking whether some online password management service could actually resolve the problem. It need not be an out-of-the-box idea, just the way online authentication is done. I am sure security still remains a hindrance in implementing such a solution for the general public, but maybe a product catering to the needs of a smaller number of people could be tried as a pilot project. Employee productivity is one dimension I see getting a boost with such a solution.
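To make that lab exercise concrete, here is an added example (not part of the original post, and not any product's code) that audits a constructed account inventory, modelled on the categories listed above, for password reuse and reports the blast radius of one leaked service. Every service name and password in it is a made-up placeholder.

```python
"""Quantify password reuse across an account inventory.

Added example, not from the original post. The inventory is constructed
for illustration and mirrors the categories the post lists.
"""
from collections import defaultdict

# Constructed sample inventory: (service, category, password).
# Passwords are fake placeholders. In a real audit compare salted hashes
# or use a password manager's built-in reuse report rather than plaintext.
INVENTORY = [
    ("gmail", "mail", "Summer2007!"),
    ("yahoo", "mail", "Summer2007!"),
    ("aim", "messenger", "Summer2007!"),
    ("msn", "messenger", "msnpass"),
    ("blog-general", "blog", "blogpass1"),
    ("blog-technical", "blog", "blogpass1"),
    ("ebay", "shopping", "Summer2007!"),
    ("amazon", "shopping", "amaz0n-only"),
    ("railways", "travel", "Summer2007!"),
    ("savings-bank", "banking", "Summer2007!"),
    ("credit-card", "banking", "cc-unique-9Xq"),
    ("enterprise-domain", "official", "Wk!dom-2007"),
    ("news-magazine", "general", "Summer2007!"),
    ("image-hosting", "general", "blogpass1"),
]

# Categories whose compromise hurts most (an assumption for this example).
HIGH_VALUE = {"banking", "official", "mail"}


def group_by_password(inventory):
    """Map each password to the list of (service, category) that use it."""
    groups = defaultdict(list)
    for service, category, password in inventory:
        groups[password].append((service, category))
    return groups


def reuse_stats(inventory):
    """Return the headline numbers a reuse audit should report."""
    groups = group_by_password(inventory)
    shared = {p: s for p, s in groups.items() if len(s) > 1}
    accounts_on_shared = sum(len(s) for s in shared.values())
    return {
        "accounts": len(inventory),
        "distinct_passwords": len(groups),
        "reused_passwords": len(shared),
        "accounts_sharing": accounts_on_shared,
        "reuse_ratio": round(accounts_on_shared / len(inventory), 2),
        "largest_cluster": max(len(s) for s in groups.values()),
    }


def blast_radius(inventory, leaked_service):
    """Other accounts that fall if leaked_service's password is exposed.

    This is the real cost of reuse: a breach at a low-value site hands
    the attacker every other account that shares the same password.
    """
    groups = group_by_password(inventory)
    target = next(p for s, _, p in inventory if s == leaked_service)
    others = [(s, c) for s, c in groups[target] if s != leaked_service]
    high = sorted(s for s, c in others if c in HIGH_VALUE)
    return {"exposed": len(others), "high_value": high}


if __name__ == "__main__":
    for key, value in reuse_stats(INVENTORY).items():
        print(f"{key}: {value}")
    print("leak at news-magazine ->", blast_radius(INVENTORY, "news-magazine"))
```

On this constructed inventory, 10 of 14 accounts share a password with at least one other account, and a leak at a throwaway news-magazine login exposes both mail accounts and the savings account. That "which high-value account falls with this low-value one" view is the number worth putting in front of users, since it is far more persuasive than a raw reuse percentage.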
Disclaimer – Personal Views