Please Enter Your Password, Again and Again

Things that I own or subscribe to that I can access without a password: the books on my bookshelf, the magazines that arrive in my mailbox, the radio on our kitchen counter, the cable service on our television, our landline telephone, my DSLR camera.

Things that I own or subscribe to that I must access with a password: almost everything on all of my computers and all of my mobile devices.

The Security State

This is a big problem, and for lots of people. Over the past few months, while working on various projects, I’ve seen computer users of all levels of expertise struggle again and again with remembering their passwords. Part of what I’ve been doing has been helping people install test versions of software, and doing so always requires signing into this or that and accepting this or that invitation and plugging into this or that computer or updating this or that software.

To do these things, nearly everyone I’ve worked with in this capacity has had to take pause and reach back into their brains to come up with their Apple ID or their TestFlight password or something else. There’s always a moment of suspense when it’s not clear if they’ll be able to produce the right credentials. Often they come up with the wrong ones, have to try multiple passwords or even multiple user names, or consult terribly non-secure caches where they’ve written down this information. It’s painful to watch.

The preponderance of digital credentials that are required of us daily is clearly already beyond reasonability, and yet there’s little apparent interest in this problem. Apple’s iOS would seem to be the single best hope for amending this situation — it’s the freshest start that we’ve had in decades, the first one in a long time that allows us to rethink the protocols through which humans and computers interact with one another — and yet neither my iPhone nor my iPad is shy about asking me for passwords, again and again. Worse yet, there’s virtually no password management solution built into its mobile Safari browser — that would be the minimum requirement to demonstrate that the company cares about this problem, but it would still be far shy of integrating a 1Password-like solution into the fabric of the operating system, which is truly what’s necessary in the short term. Long term, we need a complete rethinking of credentialing, but there’s no sign of that at all yet.

Everybody seems to agree that this is a problem, and yet no one is interested in it or sufficiently motivated to protest, much less create a solution. I just don’t understand why this is the case.


22 Comments

  1. I’m only 51% sure I’m remembering this correctly, but I think Instapaper handles things nicely. When you first start saving stuff, you don’t even have a password. As long as you know your (or anyone else’s) email address, you can view a list of things that have been saved to read later. At some point later in the process, you are coaxed into setting one, but you can choose to just live freely if you like instead. I like it. Not sure if it still works that way… I just remember liking it.

    There are some other sites that do lazy-password-setting too… can’t remember which ones now though.

    Also, let me test your damn app already. 🙂

  2. I was thinking along these lines last night. I was looking forward to the days when computers will just know who you are unobtrusively, whether that’s through facial recognition, touch recognition or otherwise. That’s definitely a step further than you’re thinking, but it will be a treat.

  3. What of OpenID? Wasn’t the idea delegating authorization before controlling a user’s identity/social graph killed it?

    @ Mike D: After months of hiatus from Instapaper I recently started using it again, and found the lack of password disorienting. 1Password had no trace and I didn’t remember which email I’d used to sign up.

  4. After hearing about PwdHash.com on the Security Now podcast I switched to using it. I can’t wait for the problem to be solved in a better way but in the mean time I am pretty happy with this.

    I ended up writing an iOS app and a browser extension to make it even easier to use PwdHash.com. If you want to check them out go to my website (click on name to left). There are also extensions for Firefox and Chrome. All of which make it possible to have strong, unique passwords for each website you visit but without having to worry about losing a password database or syncing.
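The scheme the comment above relies on (one memorised master secret, a different password derived for each site, nothing stored anywhere) can be illustrated in a few lines. The block below is an added example written for this page; it is not PwdHash's actual algorithm, nor the commenter's app, and it assumes a keyed HMAC-SHA256 over the page's hostname with an optional per-site version counter so that a single site's password can still be rotated without changing the master secret.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Reduce a URL to the hostname that acts as the per-site salt.

    Assumption: the full lowercased hostname is used; a real tool would
    usually collapse subdomains (www.example.com -> example.com).
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def derive_site_password(master: str, url: str, version: int = 1, length: int = 20) -> str:
    """Derive a site-specific password from the master secret.

    HMAC is keyed with the master secret and run over "<domain>:<version>",
    so the output changes if either the site or the rotation counter changes.
    Nothing is stored: the same inputs always reproduce the same password.
    Caveat: anyone who learns the master secret can recompute every password,
    so the master must be long and never typed into an untrusted page.
    """
    message = f"{site_domain(url)}:{version}".encode("utf-8")
    digest = hmac.new(master.encode("utf-8"), message, hashlib.sha256).digest()
    # base64 keeps letters, digits, '+' and '/'; truncate to the length the site allows.
    return base64.b64encode(digest).decode("ascii")[:length]


def passwords_are_unique(master: str, urls: list[str]) -> bool:
    """Check that one master secret yields a distinct password per site."""
    derived = [derive_site_password(master, u) for u in urls]
    return len(set(derived)) == len(derived)


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    master = "correct horse battery staple"
    sites = ["https://www.example.com/login", "https://mail.example.net/", "https://shop.example.org/cart"]
    for s in sites:
        print(site_domain(s), derive_site_password(master, s))
    print("all distinct:", passwords_are_unique(master, sites))
    print("after rotation:", derive_site_password(master, sites[0], version=2))
```

The point of the version parameter is the one practitioners hit first with derived passwords: when a site is breached, you must change that site's password, and without a counter the only way to do so is to change the master secret for every site at once.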

  5. I loved that Instapaper once didn’t require passwords at all. I believe at least 50% of the stuff we do, if available openly, doesn’t create the panic that passwords were invented to avoid.

    While saying that, it does not, however, solve the underlying problem you’re proposing to be solved. In the programming world, an SSH key solves a problem where it requires setup for the first time only, and subsequent use requires no input from the user. I believe such a system, perhaps integrated with a browser that automatically works with websites, may help that.

  6. No one thinks it’s a problem, no one’s working on it?

    Um, OpenID, Facebook authentication, Twitter authentication, 1Password are all passionate projects to help solve this problem. It’s a more technical problem, so it’s not something designers can have _that_ much input into, so we perhaps just don’t see those discussions.

    I think it’s a false assumption though, that the discussion isn’t happening.

  7. There is a noticeable trend for more and more websites to offer “facebook login” or “google login”. This enables people to connect your scattered subscriptions to your everyday social network or email provider.
    Although not the golden solution for this problem there is a good chance that this technique will succeed in the long term – because at the end it is all about reaching the critical mass to push a technology ahead of others. And both Facebook and Google are obviously in the drivers’ seats to move a mass.

  8. I agree this is a big problem. Surely something like Keychain on MacOS is the way to go. The OS owns the authentication, it’s invisible to the user, yet is in control of the user if need be — through a very basic UI mind. Are there any big problems that have prevented its use on iOS?
    I use iPassword as well. I use their recommended method of using Dropbox to get this data onto my iPhone but this can’t be very secure?
    I don’t agree with trusting Google and Facebook with shared credentials as a basis for the future because my relationship is so tenuous. I use such services selectively but the handover of credentials is handled really badly. For example I’m interested in sharing stuff from Spotify on Facebook but when I hit that button Spotify seems to ask for more of my “identity”/life from Facebook than I’m prepared to give. I certainly don’t understand what is being asked of me at that point so I withdraw. Software needs to emulate real life in that disclosure between people is negotiated through trust.
    Why should I trust Apple more than FB or Google? Because I’ve bought hardware from them and it’s a longer term relationship than with a software service/website. It’s a shared responsibility for securing my information.

  9. Totally agree. Ten years ago it may not have been a problem. But then we didn’t subscribe or otherwise belong to twenty or more separate services. It’s why so many people have multiple accounts at online retailers and the like.

    And you’re right. The problem only gets worse on mobile. I’ve set up most of my passwords as experts recommend with lots of characters and various cases. To type these into my phone’s virtual keyboard is almost impossible. I probably have a success rate of 20%. And that’s on the Evo…

    I think the solution is either a single login (through 1Password or Google or something else) that runs in the background or it’s a simple four-digit PIN. Let the password compute in the background, but don’t make us deal with it on the front-end.

  10. Kevin Cannon: OpenID is largely a failure. Facebook and Twitter authentication are a band-aid, because they still require users to enter their passwords again and again. I don’t think it’s a false assumption at all to say that the conversation isn’t happening, because these efforts only attack a subset of the problem—consumer-facing web sites and services willing to allow a third party to manage the credentialization of their users. There are many more services that will never do that, and no one is talking about how to solve the password problem as a whole.

    Just to reiterate: I’m not talking just about signing into web sites. I’m talking about signing into your OS, unlocking your phone, authenticating your Netflix subscription thru Roku boxes (or whatever), signing into your magazine’s app with your print subscription, logging into over-the-top video services with cable TV credentials, etc. and on and on. OpenID, Facebook and Twitter are unlikely to solve any of these problems anytime soon.

  11. A single password is a huge – like mega – security risk. Unlock one place and you own that person.

    That’s the reason nobody has done it.

    I really hope you’re not using the same password on instapaper as you would on etrade.

  12. @Brian It would need to incorporate multi-factor authentication. Google is already working on that and has it enabled for many of its web apps. There are of course security risks in this too but security is a continuum not a boolean. Also, calling it a “huge – like mega – security risk” is ignoring the fact that the complexity of the current system causes people to act less secure.

  13. Apple should just buy 1Password and integrate it into iOS and OS X. It’s the best solution out there.

    Without integration it’s still *very* awkward to use on an iPhone or iPad; you have to leave the original app, go to 1Password, enter an unlock PIN, and then enter a master password (unless it’s a “low security” account), and then copy the password to the clipboard, home screen, return to original app, paste password. And that’s assuming the original app hasn’t navigated you away from the password prompt, which it often will.

  14. This is the reason why I’ve gone with using KeePass for almost every site out there. With a password + 256-bit usb key, I’m at least assured that short of someone actually remotely controlling my computer right at the instant I have the key in, each site is silo’d from the others.

  15. A lot of the solutions presented in the comments — Facebook sign-in or software add-ons like 1Password — are nice first steps but they’re patches.

    Of course forgetting your password is a problem, but with Keychain this can largely be avoided. Unfortunately Keychain is under-used and under-understood (if you’ll allow me), but that’s another problem.

    But there’s also the hassle of having to sign in to all these sites and applications repeatedly even if you do remember the password. This should be solved at the same time.

    What will be required is a fundamental rethinking of how security is approached. Authentication should be done at the device level. If this is my computer/phone/tablet and I’ve proven to it that it’s really me, it should be assumed that I have access to everything at that point. Devices are becoming increasingly more personal yet we’re still imagining people signing in from a computer at the library or something. (I know Khoi sees iPad as a shared device and user accounts could solve this.) Keychain is a great first step because it offloads work that a computer is good at onto a computer. I imagine in the future, an application like Keychain that is baked into the device OS will take a more active approach to signing you into services and applications, but done in the background. That way, when you open TestFlight, you’re already logged in, no forgetting possible. (Is this easy? Of course not! That’s not my point here.)

    There’s also the issue of how people perceive digital security, too. I personally prefer convenience over a little added security. I have to sign into these things many, many times each day compared to the relatively unlikely risk of a security breach. Simple passwords are more of a road bump to legitimate users than to hackers.

  16. Acquiring physical (or remote) access to someone’s device is one of the easiest ways to compromise security. It’s the main reason why any administrative task like permanently changing a password still should require entering the old password. It’s why ssh keys on a linux root account are dumb.

    It never proves that you’re you. Just that someone (hopefully you) is logging in from a location you’re being lazy at.

    On the scale of security, device < password < two factor.

  17. “Things that I own or subscribe to that I can access without a password: the books on my bookshelf, the magazines that arrive in my mailbox, the radio on our kitchen counter, the cable service on our television, our landline telephone, my DSLR camera.”

    …well yes, but to get to any of those things in your house, your car, your parents’ house, your office, your safe, a locker at the station, your suitcase, etc, etc, you’re going to need at least one unique physical key per location… which you’ll doubtless have to fumble around for. I have 6 keys for my house now.

    Perhaps the reason people are kind-of OK with different passwords is that we’ve been handling the same problem in the real world for 4000 years, so the inconvenience is familiar, but offset by the fact that it reduces the risk of getting locked out of everything all at once, or giving anyone else access to everything at once.

  18. A few days before you wrote this, I addressed a similar issue in a post at adaptivepath.com: Link

    The challenge isn’t just within PCs/web experiences. The challenge has become truly evident as we move between devices.
