{"id":345,"date":"2014-08-30T06:23:00","date_gmt":"2014-08-30T06:23:00","guid":{"rendered":"https:\/\/pim.famnit.upr.si\/wp\/?p=345"},"modified":"2021-11-17T11:17:52","modified_gmt":"2021-11-17T11:17:52","slug":"is-pasword-management-possible-the-way-we-are-told-it-should-be","status":"publish","type":"post","link":"https:\/\/pim.famnit.upr.si\/wp\/?p=345","title":{"rendered":"Is password management possible the way we are told it should be"},"content":{"rendered":"<p>I just bumped into this story about <strong><a href=\"http:\/\/www.net-security.org\/secworld.php?id=17273\">51% of internet users share their passwords<\/a><\/strong>. The research result showed that <\/p>\n<ul>\n<li>users are putting their personal information at risk by <strong>sharing user names and passwords with family, colleagues and friends<\/strong> and <\/li>\n<li>they are potentially putting their personal information at risk by leaving themselves <strong>logged in to applications (e.g. email and social networks) on their mobile devices<\/strong>. <\/li>\n<\/ul>\n<p><strong>Based on recommendations<\/strong> by security experts <strong>we should<\/strong>:<\/p>\n<ul>\n<li>have a different password for every service\/website\/app we use<\/li>\n<li>choose passwords 8\/10\/12 characters long with a combination of letters, mixed case, symbols and numbers<\/li>\n<li>never write down any of these passwords<\/li>\n<li>never share any of these passwords<\/li>\n<li>change passwords every X days<\/li>\n<li>log out of any website\/app when not using it<\/li>\n<\/ul>\n<p><strong>Is this possible?<\/strong> <\/p>\n<p><strong>I have 297 different passwords<\/strong> for web pages alone, not counting routers, servers (ssh), etc. <strong>Do I know them<\/strong> all? Not really. The above recommendations are not feasible for the plethora of services we use today! <strong>Knowing them all would be mind-blowing and time-consuming.<\/strong> There are password managers that are of great help here. 
But this means that <strong>these passwords are written down and usually accessible with a master password.<\/strong> So one password gives access to all of them. <\/p>\n<p>What about <strong>changing passwords every X days<\/strong>? This again <strong>would be overkill<\/strong>: keeping a calendar and changing passwords for services we don&#8217;t even care about or use only every now and then. Not possible. <\/p>\n<p>What about sharing? <strong>Sharing passwords with a partner is reasonable for many people.<\/strong> While some accounts can be shared among two or more people (e.g. ISP, Netflix and even a bank account), people often share the passwords of services that are theirs alone (e.g. email) for the hit-by-a-bus scenario. <strong>Not everyone is prepared to do it but many do.<\/strong> <strong>Sharing with colleagues<\/strong> can happen in some cases, <strong>when several people cover for each other or when they check the same service<\/strong> (e.g. an email account). I suppose password sharing in this group is far less common than between partners. And <strong>sharing passwords with friends<\/strong> &#8230; well &#8230; maybe if they fix your IT equipment &#8230;<\/p>\n<p>And about <strong>logging out of web pages and apps<\/strong>. On desktops where we are the sole user I don&#8217;t see the point. Nor do <strong>I see the point of logging out of gmail<\/strong> (facebook, last.fm, twitter, you-name-it) <strong>on my mobile phone<\/strong>. The point is to stay logged in <strong>to get email\/tweets\/you-name-it in real time<\/strong>. This is why we have a lock screen.<\/p>\n<p>So <strong>there is nothing surprising about this study.<\/strong> We can&#8217;t really manage passwords the way security managers want us to. There are a few security properties we have to sacrifice to make our lives easier. <\/p>\n<p>I use different and strong passwords for every service but I know by heart just 5 of them. 
I keep all passwords in a password manager with a strong master password which I share with my wife. On my desktop computer my browser knows all these passwords (which are not synced to any other device). I have my screen locked on my phone so people can&#8217;t just access the apps I&#8217;m logged in to. And gosh, I probably last changed some of these passwords over a year ago :\/.<\/p>\n<p><strong>I don&#8217;t see the problem in users. Rather, the problem lies in the technology<\/strong> and <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/AAA_protocol\">how AAA is currently designed and implemented<\/a><\/strong>. There are <strong>other methods<\/strong> of authentication, like: <a href=\"https:\/\/en.wikipedia.org\/wiki\/Hardware_token\">hardware and software tokens<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Digital_certificate\">digital certificates<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Challenge-response\">challenge-response<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Biometrics\">biometrics<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Out-of-band_authentication\">out-of-band authentication<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/One-time_password\">one-time passwords<\/a> like <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transaction_authentication_number\">TAN<\/a>, etc. While some might be more secure, they are <strong>harder to implement and impose an additional burden<\/strong> on users. <\/p>\n<p>Another solution is <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/OAuth\">OAuth<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/OpenID\">OpenID<\/a><\/strong>. The problem with the former is that <strong>many services take advantage of access to other pieces of information<\/strong> besides the authentication token (and many users don&#8217;t know this). The problem with the latter is that its implementations differ and there is <strong>no uniform user experience<\/strong>. 
Besides, <strong>web pages don&#8217;t get anything in return and users are more or less anonymous<\/strong> to them, which is now <strong>addressed with OpenID Connect<\/strong>. <strong>If big companies don&#8217;t push it forward<\/strong> (and why would they, as e.g. FB already has <a href=\"https:\/\/en.wikipedia.org\/wiki\/Facebook_Platform#Facebook_Connect\">Facebook Connect<\/a>) it will <strong>not be easily adopted by the general public<\/strong>. Besides a few success stories (e.g. <a href=\"https:\/\/openid.stackexchange.com\/\">StackOverflow<\/a>) OpenID doesn&#8217;t really thrive.<\/p>\n<p>Do I have a better solution? Unfortunately not. Until then we are left with the <strong>username\/password pair as the least costly and easiest solution<\/strong> for the benefits provided.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I just bumped into this story about 51% of internet users share their passwords. The research result showed that users are putting their personal information at risk by sharing user names and passwords with family, colleagues and friends and they are potentially putting their personal information at risk by leaving themselves logged in to 
applications&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-345","post","type-post","status-publish","format-standard","hentry","category-6-pim-research"],"_links":{"self":[{"href":"https:\/\/pim.famnit.upr.si\/wp\/index.php?rest_route=\/wp\/v2\/posts\/345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pim.famnit.upr.si\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pim.famnit.upr.si\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pim.famnit.upr.si\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pim.famnit.upr.si\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=345"}],"version-history":[{"count":1,"href":"https:\/\/pim.famnit.upr.si\/wp\/index.php?rest_route=\/wp\/v2\/posts\/345\/revisions"}],"predecessor-version":[{"id":637,"href":"https:\/\/pim.famnit.upr.si\/wp\/index.php?rest_route=\/wp\/v2\/posts\/345\/revisions\/637"}],"wp:attachment":[{"href":"https:\/\/pim.famnit.upr.si\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pim.famnit.upr.si\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pim.famnit.upr.si\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}