I last blogged about Talk*InfoSec which happened on May 29th.
I mentioned that in the panel discussion, two common themes arose: one about companies still not taking Cyber Security seriously, and one about security vs convenience. I have already blogged about the first of these topics; now, let us examine the second.
Security and convenience seem to be natural enemies. You can’t do what you want to do, until you have authenticated. Sometimes this is entering your password, sometimes it’s scanning your fingerprint, sometimes it’s finding a utility bill for proof of address even though you do it all online. It’s necessary, but inconvenient: I know I’m me, so why do I have to go to all this trouble?
It can seem as though the more secure you get, the less convenient it becomes. You needed a password, so you set it to “password”. Then it needed to have uppercase letters, so you set it to “Password”. Then it needed numbers, so you set it to “Password1”. Then it needed symbols, so you made it “Pa$$word1”. Now it’s harder to remember, but at least it’s a bit more secure. At least until the bad guys figure out what your system is: password-cracking tools ship with rule sets that try exactly these capitalisations, appended digits and symbol substitutions against a dictionary, and then you might as well not have bothered.
Sidenote: you could, of course, use a longer passphrase like the XKCD comic strip above suggests, but sometimes this has its own problems, as this tweet points out:
— Kenn White (@kennwhite) May 25, 2014
Sidenote 2: If XKCD is not a reliable enough source for you, take a look at Wikipedia’s examples of weak passwords.
Then, just as you’ve got the hang of remembering your supposedly strong password, security ups its game. Now you need to change your password every month. And it can’t be one you’ve used in the last year. And it’s naughty to use the same password anywhere else.
Simply put, the best practice we tell people to follow on passwords is impossible to follow. If you claim to follow this best practice, you are lying. Which is exactly why when Colin Robbins followed recent advice to update all his passwords following Heartbleed he quickly decided to use a password manager – something I wholeheartedly recommend. Even then, there are inconveniences, because you can’t log onto a website if you don’t have access to your password database. So I guess you won’t be using anyone else’s computer to log in to any of your favourite websites. Unless you put the password database on your phone and/or in the cloud, but then you’ve got to think about even more questions.
As Colin Robbins showed in his recent blogs, if you put in the time and effort you can come up with a fairly good solution. Which is good news – if you’re a techy or an enthusiast. You have achieved security at the expense of convenience. But for everyone that does the secure thing, many more will do the convenient thing: they’ll use bad passwords, and if technology forces them to use good passwords then they’ll scribble them down on post-it notes.
Security and convenience: natural enemies. Or are they?
Password requirements are an excellent example here. Some password requirements take about 5 minutes to read, and encourage passwords like this:
A good mix of letters, numbers and symbols: a pretty strong password, but a pain to remember, even if you know what it stands for. Now let’s say you strip off all the requirements for casing, numbers and symbols, and instead say the minimum password length is 30. So instead we change it to:
kids and grown-ups love it so, the happy world of haribo
What do you know: a 56-character password that is both secure and memorable. And there are endless possibilities. How about these?
my milkshake brings all the boys to the yard -kelis
“now we are all sons of bitches” – bainbridge
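As an added example (not code from the original post), here is a small Python script that puts the two kinds of policy side by side: a hypothetical composition policy of the “uppercase, number, symbol” sort, the 30-character minimum proposed above, and a check that reverses the “Pa$$word1” substitutions before looking the result up in a common-password list. The policy thresholds, the substitution table and the word list are assumptions made for illustration; the word list in particular is a constructed stand-in for the multi-million-entry lists that cracking tools actually use.

```python
"""Added example: two password policies compared, plus a mangling-aware
weak-password check. None of this is code from the original post."""
import re
import string

# Constructed stand-in for a breached/common-password list (assumption: real lists
# have millions of entries and include song lyrics and film quotes).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def composition_policy(pw: str) -> bool:
    """Hypothetical composition policy: 8+ chars with upper, lower, digit, symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def length_policy(pw: str, minimum: int = 30) -> bool:
    """The post's alternative: no composition rules, just a length minimum."""
    return len(pw) >= minimum


# Substitutions that cracking rule sets routinely undo (assumed small subset).
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, reverse leetspeak."""
    base = pw.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)   # "pa$$word1!" -> "pa$$word"
    return base.translate(LEET)                     # "pa$$word"   -> "password"


def is_weak(pw: str) -> bool:
    """True when the password is just a mangled form of a common password."""
    return normalize(pw) in COMMON_PASSWORDS


def evaluate(pw: str) -> dict:
    """Run all three checks so a candidate can be judged at a glance."""
    return {"composition": composition_policy(pw),
            "length30": length_policy(pw),
            "weak": is_weak(pw)}


if __name__ == "__main__":
    for candidate in ("Password1", "Pa$$word1",
                      "kids and grown-ups love it so, the happy world of haribo"):
        print(f"{candidate!r:60} {evaluate(candidate)}")
```

Run as written, “Pa$$word1” satisfies the composition policy, fails the 30-character policy, and normalizes straight back to “password”; the Haribo line fails the composition policy, passes the length policy, and does not normalize to anything on the list. Real cracking rule sets are far larger than the handful of substitutions here, so a normalizer like this catches only the obvious patterns; its job is to show why the composition policy accepts precisely the passwords an attacker tries first.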
Okay – this isn’t the solution to all of our problems. We still can’t remember a unique password for every single website, so we still need a password manager. But the point is, you can have security and convenience. In fact, I would argue that you need to have both. Because if you don’t, you end up with passwords scribbled on post-it notes.
In the end, it’s all about a realistic approach. It is not enough to come up with a technically secure solution and tell people to follow it. We must look at it and think: is this actually something that people will do? If it isn’t, then we have not created a secure solution, because people will work around it. We must work to make it convenient for people. There is no security without convenience. In this way, they are the same.
Security and convenience: strange bedfellows.