Saturday, July 25, 2015

How are typical users handling passwords of their online accounts?

Much has been written about users, their accounts and their passwords, but I was recently confronted with a rather funny story on this topic. Perhaps you recognize yourself in a similar situation?

The story...

An acquaintance of mine got a new smartphone. He was very happy with it, but there was one major thing left to do: configuring it. As I am the local IT guy in this circle, I was asked to help. Of course I wanted to help (for two reasons, to be honest: firstly, to help him out, and secondly, it is always nice to fiddle around with a new phone).

So I started with the basic stuff first and skipped the phase of entering accounts and such. First I disabled some apps (or bloatware, if you like), changed some settings, connected to WiFi, renamed the Bluetooth connection and so forth. Then I went to the first account. This was the Google Account, which I needed to download apps from the Play Store.

I gave the smartphone back to him and asked if he would like to fill in the account details. It went silent, and a moment later the following was said.

Oh, I cannot remember that anymore...

I asked if he might have written it down. That was a possibility, so he went to search for the piece of paper with all their user credentials on it. There are some downsides to using a piece of paper as your Password Manager, but it is as offline as it can be.

After a long search, the final conclusion came: the password could not be found. So we started trying out some passwords. I helped him try to remember the password by suggesting passwords used for other accounts and by suggesting variations on the birthday and so on. Password reuse is the tradition here, but after 20 minutes of guessing and thinking we came to the conclusion that we would need to recover the password of the Google Account.

I could have started with this, of course, but such a recovery of a Google account is often a bit tricky. You have to have kept the recovery information in your account up to date, and I was not sure that was the case. But it was now time for the last resort, so I started the account recovery. Luckily the recovery information (such as a valid alternative e-mail address) was up to date, and the account was cleared for a new password.

He went silent for a minute, processing all the passwords that had been thought of in the last 20 minutes, and decided that he had come up with a new one. He entered it twice and hit the OK button. The following message appeared.

The password has been previously used by this account. Please use a new one.

You can imagine how hilarious the situation was. When it was time to come up with a new password, the actual, correct password of the account was entered as the 'new' one. We had a good laugh, made up a really new password, wrote it down on the paper, and all was set. I moved on with installing and configuring the smartphone.

I immediately thought this would be a nice topic for a blog post. I think it really reflects how typical users commonly handle their credentials:
  • They are written down unencrypted or on paper.
  • Password reuse is the norm.
  • Passwords are relatively easy to predict.
  • There is not much commitment to doing it the 'right' way.
Not that I can blame him or any other user for the last bullet, though. There is a lot to do, and it is sometimes difficult to configure or even difficult to use. And the fact that each user easily has over 100 accounts to manage does not make it any easier.

So I want to set out a set of simple best practices to improve matters such as the above.

But what are the best practices?

First of all, every account can be compromised: sometimes by guessing or extracting (and using) passwords, and sometimes by circumventing the security controls in place. If an attacker is really dedicated and wants fast results, buying a 5 dollar/euro wrench at a local hardware store is enough to convince most people to give up their passwords. People tend to be more protective of their fingers and knees than of their passwords.

But unless that is happening, you can follow the guidelines below to protect your accounts.
  • Always use a unique password for every account.
  • Use a lengthy password:
    • A password is at least 16 characters (positions) long and at least mixes numbers, capital letters and lower-case letters.
    • A passphrase of at least 16 characters is also possible, as long as it is not an easily guessable sentence.
  • Do not use your birthday or the names of yourself, your spouse, friends, pets, and so on. Do not use any information in your password that might be found online.
  • If there is support for Two-Factor Authentication, always use it.
    • This is a feature that asks for an additional code (called a One-Time Password) to be entered. The code can be sent to your mobile in an SMS text message or generated by additional hardware or an app. This is often seen with electronic banking.
  • Store your account and password details in an application (a Password Manager) built explicitly for that purpose.
  • And never, ever share your accounts and passwords with anyone else, unless you are very certain it is appropriate (think of a shared account between spouses to follow the sale of their home online).
With the rules above you can greatly improve the security of your accounts or the accounts of your family and friends. And most importantly, almost every family or group of friends has someone in their midst who understands all this. Ask for his or her advice and ask them to help you get going!
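To make the rules above concrete, here is a small checker, added to this post as an example (it is not the author's code), that applies them to a set of constructed sample accounts: the 16-character minimum, the character-class mix or a passphrase instead, personal-information tokens, and reuse of one password across accounts. The four-word passphrase threshold and the birthday spellings it looks for are my assumptions.

```python
import re
from datetime import date

MIN_LENGTH = 16            # the post's "at least 16 positions"
PASSPHRASE_WORDS = 4       # assumption: 4+ space-separated words counts as a passphrase

def personal_tokens(names, birthday):
    """Strings the post says must never appear in a password: names and the birthday in common spellings."""
    tokens = {n.lower() for n in names}
    for fmt in ("%d%m%Y", "%Y%m%d", "%m%d%Y", "%d%m%y"):   # assumed spellings
        tokens.add(birthday.strftime(fmt))
    return tokens

def check_password(password, personal=frozenset()):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    is_passphrase = len(password.split()) >= PASSPHRASE_WORDS
    mixed = all(re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    if not is_passphrase and not mixed:
        problems.append("not a passphrase and not mixed with digits, capitals and lower-case letters")
    lowered = password.lower()
    for token in sorted(personal):           # sorted so the report order is stable
        if token in lowered:
            problems.append(f"contains personal information: {token!r}")
    return problems

def find_reuse(accounts):
    """accounts maps account name -> password; return {password: [accounts]} for every reused password."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accs for pw, accs in by_password.items() if len(accs) > 1}

# Constructed sample data, not taken from the post.
SAMPLE_PERSONAL = personal_tokens(["Sander", "Fluffy"], date(1980, 5, 14))
SAMPLE_ACCOUNTS = {
    "google": "Fluffy14051980",
    "webshop": "Fluffy14051980",              # reused: the story's "tradition"
    "bank": "Tx7!kq2Pmz9Rvb4Ls",
    "forum": "correct horse battery staple",  # passphrase, allowed without digits
}

if __name__ == "__main__":
    for account, pw in SAMPLE_ACCOUNTS.items():
        print(account, check_password(pw, SAMPLE_PERSONAL) or "OK")
    print("reused:", find_reuse(SAMPLE_ACCOUNTS))
```

Running it reports the pet name, the birthday and the short length for the reused password, while the random password and the passphrase pass cleanly.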

Do you have any other tips or questions? Please feel free to share them in the comments below!
