Is password management possible the way we are told it should be?

I just bumped into this story about 51% of internet users sharing their passwords. The research found that

  • users put their personal information at risk by sharing user names and passwords with family, colleagues and friends, and
  • they potentially put their personal information at risk by staying logged in to applications (e.g. email and social networks) on their mobile devices.

According to the standard advice from security experts, we should:

  • use a different password for every service/website/app
  • choose passwords 8, 10 or 12 characters long that mix upper and lower case letters, digits and symbols
  • never write any of these passwords down
  • never share any of these passwords
  • change passwords every X days
  • log out of every website/app when not using it

Is this possible?

I have 297 different passwords for web pages alone, not counting routers, servers (ssh), etc. Do I know them all? Not really. The above recommendations are simply not feasible for the plethora of services we use today; memorising them all would be mind-boggling and time consuming. Password managers are a great help here, but they mean the passwords are written down after all, kept in a store that is encrypted under a single master password. So one password to access all of them, and the strength of that one password, and of the key derivation behind it, is what the whole collection rests on.
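To make the trade-off concrete, here is an added example (not code from the original post, and not how any particular password manager is implemented) of the minimal shape of such a vault: the master password is stretched with PBKDF2 into an encryption key and a MAC key, the entries are encrypted and authenticated, and a wrong master password or a tampered file is rejected rather than decrypted to garbage. The iteration count, the HMAC-in-counter-mode keystream and the sample entries are all assumptions made for this example; a real implementation would use AES-GCM or XChaCha20-Poly1305 from a vetted library and a memory-hard KDF such as Argon2id.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Assumption for this example: PBKDF2-HMAC-SHA256 cost; OWASP's 2023 guidance
# is 600,000 iterations. Argon2id would be the better choice in practice.
PBKDF2_ITERATIONS = 600_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_keys(master_password, salt):
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 used as a PRF in counter mode (teaching construction, not AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master_password, entries):
    """Encrypt-then-MAC a dict of {service: password} under the master password."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # The tag covers salt and nonce too, so an attacker cannot swap them unnoticed.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password, vault):
    """Return the entries, or None if the master password is wrong or the vault was altered."""
    salt = bytes.fromhex(vault["salt"])
    nonce = bytes.fromhex(vault["nonce"])
    ciphertext = bytes.fromhex(vault["ct"])
    tag = bytes.fromhex(vault["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def generate_password(length=20):
    """A fresh random password per service, so nothing needs to be memorised but the master."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample entries for this example.
    entries = {"example.com": generate_password(), "router": generate_password(16)}
    vault = seal("correct horse battery staple", entries)
    assert open_vault("correct horse battery staple", vault) == entries
    assert open_vault("wrong master", vault) is None
    print("vault sealed and reopened;", len(entries), "entries")
```

Two practical points follow from the code: the vault file can be handed to anyone (or synced anywhere) without leaking anything as long as the master password resists offline guessing, and that is exactly why the master password must be the one genuinely strong passphrase you do memorise.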

What about changing passwords every X days? That again is overkill: keeping a calendar and rotating passwords for services we barely care about or use only every now and then. It is not going to happen.

What about sharing? Sharing passwords with a partner is reasonable for many people. While some accounts are genuinely shared between two or more people (e.g. ISP, Netflix and even a bank account), people also often share the passwords to services that are theirs alone (e.g. email) to cover the hit-by-a-bus scenario. Not everyone is prepared to do that, but many do. Sharing with colleagues happens in some cases, when several people cover for each other or when they monitor the same service (e.g. a shared email account). I suppose password sharing in this group is far less common than between partners. And sharing passwords with friends … well … maybe if they fix your IT equipment …

And about logging out of web pages and apps. On a desktop where we are the sole user I don’t see the point. Nor do I see the point of logging out of Gmail (Facebook, Last.fm, Twitter, you name it) on my mobile phone. The whole point of staying logged in is to get email/tweets/you-name-it in real time. That is why we have a lock screen.

So there is nothing surprising about this study. We can’t really manage passwords the way security managers want us to; we trade away some security to keep our lives manageable.

I use different, strong passwords for every service, but I know only 5 of them by heart. I keep all passwords in a password manager with a strong master password, which I share with my wife. On my desktop computer my browser knows all these passwords (they are not synced to any other device). My phone’s screen is locked so people can’t just open the apps I’m logged in to. And gosh, I probably last changed some of these passwords over a year ago :/.

I don’t see the problem as lying with users. Rather, the problem lies in the technology and in how AAA (authentication, authorization and accounting) is currently designed and implemented. There are other methods of authentication: hardware and software tokens, digital certificates, challenge-response, biometrics, out-of-band authentication, one-time passwords such as TANs, etc. While some of these are more secure, they are harder to implement and place an additional burden on users.
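As an added illustration of what the token and one-time-password alternatives actually involve (this is example code, not from the original post): the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms behind software tokens are small, but the server side still has to store a shared secret per user, tolerate clock drift, and refuse a code that has already been accepted. The shared secret below is the RFC test-vector key, the drift window and the replay check are assumptions made for this example.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamic-truncate, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits, digestmod)


class TotpVerifier:
    """Server-side check: accepts +/- `window` steps of clock drift, rejects replays."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # assumption: one step of drift either way
        self.last_accepted_step = -1  # highest counter already used; never reuse it

    def verify(self, code, at=None):
        at = int(time.time()) if at is None else at
        current = at // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue              # replay or older than something already accepted
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))              # 755224
    print("TOTP at t=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))  # 94287082
    v = TotpVerifier(RFC_SECRET)
    now = 1111111109
    code = totp(RFC_SECRET, now)
    print("first use accepted:", v.verify(code, now))          # True
    print("same code replayed:", v.verify(code, now))          # False
```

The replay check is the part people forget: a TOTP code is valid for a whole step (and a drift window on top of that), so an attacker who shoulder-surfs or phishes a code can reuse it unless the server records the step it last accepted. That state, plus secret provisioning and clock handling, is the "additional burden" that makes a token more than just a better password.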

Another option is OAuth and OpenID. The problem with the former is that OAuth is really an authorization protocol, and many services use the "log in with" flow to request access to far more of the user’s data than a login needs (and many users don’t realise this). The problem with the latter is that its implementations differ and there is no uniform user experience. Besides, web sites get nothing in return and users remain more or less anonymous to them, which is now being addressed by OpenID Connect. If the big companies don’t push it forward (and why would they, when e.g. Facebook already has Facebook Connect) it will not be easily adopted by the general public. Apart from a few success stories (e.g. StackOverflow) OpenID doesn’t really thrive.

Do I have a better solution? Unfortunately not. Until one comes along we are left with the username/password pair as the cheapest and easiest solution for the benefits it provides.