A new survey from Gartner Research delivers some bad news regarding our online security practices: two-thirds of U.S. consumers use the same one or two passwords for all the websites they access. And they like it that way. Although people claim they’re concerned about security, they still tend to use unsafe password management techniques rather than exploring new methods – be they new hardware, software, or new authentication frameworks like OpenID.
Always Use the Same Password? You’re Not Alone
Gartner’s survey of 4000 U.S. adults in September 2008, once again demonstrated people’s tendencies to opt for convenience over security. It’s a trend that has stayed fairly consistent over the years despite the fact that an increasing amount of activity occurs online these days thanks to the growth of cloud computing.
According to Gregg Kreizman, research director at Gartner, “most consumers want to continue managing their passwords the way they do now.” But the way they do now is nothing to brag about. It generally consists of one or two passwords which the consumer uses on every website they encounter.
What should be done about this? According to Kreizman, online product and service vendors should redouble their marketing efforts to illustrate the advantages and practicality of routine and stronger authentication for consumers. Another analyst, Avivah Litan, also notes that “enterprises with consumer-facing websites that require stronger controls than weak password authentication alone should continue to augment passwords with complementary mechanisms, such as device identification, geolocation and transaction verification.”
Elephant in the Room: Facebook Connect
While these findings are relatively unsurprising, the study highlights one of the top issues when it comes to security: the human factor. For most people, convenience is key, even if it means putting their security at risk. Consumers would rather rely on service providers to protect their safety than change their own age-old habits.
Yet the one thing the study didn’t address is what impact Facebook Connect will have on the user authentication ecosystem. Unlike OpenID (new sign-in boxes notwithstanding), Facebook Connect makes sense to the user. People immediately understand what it means to sign in using their Facebook account. What’s more, the process is easier and faster than creating a new username/password combination for the website in question. That should prove well for its adoption and acceptance among consumers.
In addition, Facebook Connect solves problems that go beyond the security issue alone. Sites implementing the technology can gain access to your friend lists, too – a boon for social networking-type sites and those wishing to become more social. There’s also the great, untapped potential of how Facebook Connect could make the Internet a kinder, more transparent place. When people have to be identified – and are not anonymous – the chance they’ll engage in “troll-like” behavior (leaving rude, disruptive comments) is reduced. It could also impact sites that rely heavily on user reviews. No longer could marketers, business owners, and content producers game the system by leaving glowing – yet fake – reviews which are then hoisted upon unsuspecting visitors.
For those reasons and more, Facebook Connect could very well become the next big authentication methodology on the web. Personal opinion aside, it’s hard to ignore the potential of this social networking giant.
But while Facebook Connect may eventually solve the security issue of a commonly used username and password among consumers, it’s important to realize that it will introduce security concerns of its own. If this technology becomes ubiquitous, we’ll have to face the consequences of putting all the power of authentication into the hands of one private company, which many fear do not have our best interests at heart – especially when it comes to privacy.
And that makes us think that perhaps a common, often-repeated password may not be such a bad thing after all.
Image credits: key – Mirko Macari; iphone – Krynowek Eine [el Eine]
