As Adobe's latest security breach reveals, people are pretty terrible at choosing hard-to-guess passwords. But as security expert Graham Cluley's (@gcluley) response also makes clear, security people are equally terrible at choosing easy-to-follow security protections.
Let's be clear: the passwords that dominate Adobe's top-10 list are really, truly bad. The rest of the top 50 aren't much better. Here are the top 10:
These are made doubly easy to crack by the hints users set for themselves to help them remember: 1to6, numbers, 123, 654321, numeros, 1-6, number, 1, 12.
Memory Is The Problem
That need to remember, of course, is the problem. It's not as if nearly two million Adobe users chose "123456" because they thought it would be hard for someone else to crack. No, I suspect they chose it precisely because it would be easy to remember. We're asked for passwords on nearly every website now. Having a different, hard-to-crack password for each of them is a nightmare.
Yes, one can use a password manager like LastPass or 1Password, but here's the thing security people don't seem to grok: normal people don't have the slightest clue what these are.
Ditto for Cluley's other suggestions:
[Y]ou should never use the same password on multiple websites. And you need to stop choosing obvious, easy-to-crack passwords...
Again, the reason people re-use passwords is because it's otherwise impossible to keep track of a variety of different, hopelessly complex passwords. As I learned when my daughter's Gmail account was hacked, it's critical to keep one's accounts protected. But as I've learned in daily interactions with her and many other friends and family members, it's also really hard to maintain stringent security measures.
Making The Matter Worse
This problem is compounded by the well-intentioned efforts of IT administrators and other security pros who follow Cluley's advice:
And maybe it’s time to implement tougher requirements on your customers in the first place, ensuring that they use passwords that are more complex and harder to guess in future.
Perfect. This is precisely why my wife can't remember the passwords she has set on a number of different sites, forcing me to use Keychain on her Mac to help her remember what passwords she has used. And it's why my parents keep files on their computers within which all of their passwords stored. Not because they don't know this is a security problem, but because it's otherwise impossible to master all the complex password hoops genius security folks force them to jump through.
Again, I'm not suggesting that such security precautions aren't important. They are. But they make an online existence cumbersome.
Two-Factor Authentication: Security Made Simple
Which is why I've actually come to love something that I once dreaded: two-factor authentication. When my daughter's account was hacked I turned it on for myself, my wife and my kids. Since then Twitter and Facebook have also joined in. Basically, it forces someone intent on cracking your password to also have access to your phone. Not impossible, but much more difficult than simply stealing a password.
I somewhat regularly get texts from Google with an authentication code, suggesting that one of my kids has attempted to log into Gmail from an unrecognized device. I call or text them to clarify that it's them, and then send them the code. As added security we use my phone number to receive the authentication codes. It's slightly more burdensome but also lets me talk them through how to restore access and otherwise serve as their IT administrator.
This, to me, is the ideal way to solve consumer security. Rather than forcing people to use special software or develop superhuman memory, security becomes a matter of having a device that others will rarely be able to compromise. It lets average users remain average, lame passwords and all, and still be secure.