Stop Blaming Users For Bad Passwords

Another year, another vendor study about how users choose absurdly bad passwords to protect their precious online accounts. This year’s study came courtesy of Keeper, while prior years’ reports (for 2015, 2014, 2013, 2012, and 2011) came from SplashData, a password management service for small businesses. Spoiler alert, the most used password this year is the same as last year: ‘123456’.

Every time I see one of these “studies”, I die a little inside. It’s not because poor passwords aren’t a real problem – they are: proper authentication is critical to defending the mobile and desktop internet applications of today, and the Internet of Things applications of tomorrow. I hate these reports because they blame the victim, the user.

Oh sure, these articles might levy some small admonishment aimed at applications (“the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies”), but by and large the unspoken message is “look at how stupid users are for using one of these passwords.” These click-bait articles are designed to deliver a dose of Schadenfreude to the reader, and allow them to wallow in smug superiority while they giddily guffaw at gems like ‘123456789’ (“Oh look, some moron actually thought that was better than ‘123456’—what a dolt!”).

Everybody knows bad passwords are a problem. Everybody knows you shouldn’t re-use passwords across multiple sites. Everybody knows you should pick a password with a mixture of characters, but not dictionary words (except, well, if you’re using a passphrase, in which case you should use dictionary words, but only the right way). Everybody knows all of this, and much more.

There’s just one problem: users just don’t care.

Just look at the stats over the last 5 years: some variant of ‘123456’ has appeared at or near the top of every one of these lists. Who’s the bigger idiot: the user for whom ‘123456’ keeps working and with little or no obvious adverse impact, or the apps and web sites that allow such bad passwords in the first place and ultimately suffer all the reputation damage or regulatory fallout?

These kinds of articles do little to advance awareness of a real solution to this problem, nor do they make much of an attempt to do so. It’s telling that such articles rarely mention the very real advances being made to address the problems posed by passwords, such as:

On that last item: there’s literally no reason to even ask the user for a password anymore. App developers can use both Touch ID and FingerprintManager to build password-less authentication schemes like FIDO (check out the video below). Right now. Today. Like, as I’m speaking to you. There are even commercial SDKs that developers can just plug into their app to perform this function with minimal additional code.

Instead of blaming the user, how about apportioning some blame to the apps and their developers? How about calling out the applications that allow such ridiculously poor passwords? How about shaming sites that actively disable password managers? How about some link-love for sites like TwoFactorAuth.org, which catalog which sites do and don’t support strong authentication options, and enable users to demand better?
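What "not allowing such ridiculously poor passwords" looks like on the application side, as an added example that is not code from the article or from either vendor study. It rejects candidates that match a deny list of the most-used passwords (only ‘123456’ and ‘123456789’ come from the article; the other entries, the 12-character minimum, and the variant-normalisation rules are assumptions), including the trivial variants users reach for when the raw string is blocked (case changes, `@`/`$` and digit-for-letter substitutions, a trailing year), and it also refuses pure keyboard or numeric sequences and single repeated characters.

```python
from __future__ import annotations

import re

# Constructed sample of a "most-used passwords" deny list. '123456' and
# '123456789' are the entries the article cites; the rest are assumed.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "111111"}

MIN_LENGTH = 12  # assumed policy value

# Substitutions a user typically applies to dodge a naive deny list.
SYMBOL_SUBS = str.maketrans({"@": "a", "$": "s"})
DIGIT_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def variants(password: str) -> set[str]:
    """Canonical forms compared against the deny list: lowercase, symbols
    and digits mapped back to letters, trailing digits (years, counters) dropped."""
    lowered = password.lower()
    base = re.sub(r"[^a-z0-9]", "", lowered)
    desymboled = re.sub(r"[^a-z0-9]", "", lowered.translate(SYMBOL_SUBS))
    forms: set[str] = set()
    for b in (base, desymboled):
        for c in (b, re.sub(r"\d+$", "", b)):
            forms.add(c)
            forms.add(c.translate(DIGIT_SUBS))
    forms.discard("")
    return forms


def is_sequence(s: str) -> bool:
    """True for runs like '123456', 'abcdef', '654321' or 'aaaaaa'
    (every step between neighbouring characters is +1, -1 or 0)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1}, {0})


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason). Deny-list and sequence checks run before the
    length check so the reason names the real problem with '123456'-style input."""
    forms = variants(password)
    hit = forms & COMMON_PASSWORDS
    if hit:
        return False, f"matches common password {sorted(hit)[0]!r}"
    if any(is_sequence(form) for form in forms):
        return False, "is a keyboard/numeric sequence or single repeated character"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates a sign-up form might receive.
    for candidate in ("123456", "P@ssw0rd!2017", "abcdefghijkl",
                      "Tr0ub4dor&3", "correct horse battery staple"):
        accepted, reason = check_password(candidate)
        print(f"{candidate!r:32} {'accept' if accepted else 'reject'}: {reason}")
```

The point of `variants` is that a deny list only helps if the comparison is done on a normalised form: ‘P@ssw0rd2017’ is still ‘password’ to a cracker’s rule set, so it should be to the sign-up form too. In production the constructed set would be replaced by a full breached-password corpus and the check would run server-side, since anything enforced only in the browser can be skipped.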

But of course, that’s not the purpose of these articles. The articles aren’t about getting rid of passwords. They’re about positioning a vendor’s technology as a solution to this problem. Yes, a password manager when used properly is better than nothing. Yes, adding SMS two-factor authentication will reinforce poor passwords.

But passwords are an addiction, and these bolt-on half-measures are methadone. Heroin is bad, they say, but let’s not be too hasty about going cold turkey.

It’s time articles like this called out apps and developers to kick the password habit.

Alipay's offices in Hangzhou, China

How Alipay Hacks Its Culture

If you’ve had the opportunity to work with a company in an Asian country (and China, Japan, or South Korea in particular), you’ve undoubtedly observed a marked difference in the role of hierarchy in their culture. These countries feature a high power distance index (PDI) where “lower ranking individuals of a society accept and expect that power is distributed unequally”. For example, China has a high PDI of about 80 versus the United States’ PDI of 40 and Western European countries’ PDIs of between approximately 25 and 40 (see PDIs by country).

In high PDI cultures, authority is centralized and subordinates are unlikely to approach and contradict their bosses directly; unfortunately, elevated PDI has an adverse impact on innovation. Research on the correlation between power distance and innovation has shown “a strong negative relationship between Hofstede’s dimensions of power distance and GII innovation scores as well as a strong positive relationship between individualism and GII innovation scores.”

Translation? If you can’t tell the boss he’s wrong, then bad ideas proliferate while good ideas stagnate.

However, many organizations are trying to break with traditional attitudes, promote flatter hierarchies, and encourage innovation. I got to see one such effort firsthand during a recent project working with Alipay in Hangzhou (we were enabling Alipay to use the Samsung Galaxy S® 5 fingerprint sensor to authorize mobile payments).

The key to Alipay’s strategy starts with a simple idea: how do people address each other in conversation?

Here’s what “Kiss, Bow or Shake Hands” has to say about how people address each other in China in a business setting:

The Chinese are very sensitive to status and titles, so you should use official titles, such as “General,” “Committee Member,” or “Bureau Chief” when possible.

and:

Most people you meet should be addressed with a title and their name. If a person does not have a professional title (President, Engineer, Doctor), simply use “Mr.” or “Madam,” “Mrs.,” or “Miss,” plus the name.

Every time you talk with someone in your organization, you are being constantly reminded of both their rank and your rank in relation to them. Hence Alipay’s tactic to change the cultural status quo: remove this constant reminder of a person’s rank from daily work.

The first thing a new Alipay employee does when they join the company is choose a nickname (typically a character from Chinese history, literature, or popular culture). From then on, that’s how people know them. No more “Director <name>” or “Manager <name>”; now it’s “Zhu Bajie” (a character from a famous Chinese literature classic) or “One Night” (???).

In practice, what I observed in my time at Alipay seems to speak positively of their efforts. Unlike other projects I’ve worked on in Asia, the project at Alipay was punctuated by a completely different dynamic. There was the kind of constant communication, rapid-fire discussion, and open back-and-forth disagreements that would be strikingly familiar to anyone from Silicon Valley.

What small hack could you put in place to change the culture of your organization?
