james mckay dot net
because there are few things that are less logical than business logic

Avoiding password re-use is not that easy

Another wrong argument that occasionally comes up in favour of plain text passwords is that you shouldn’t be responsible for the fact that your users do stupid things, like re-using passwords. Unfortunately, it’s not that simple.

In the eighteen months since I started using KeePass to manage my online passwords, I’ve found that it involves a certain amount of friction. For starters, it’s less user-friendly. Rather than just typing your user name and password straight into your browser, you have to switch to the KeePass window, find your website, and then paste. There are shortcut keys and a search facility to make things easier, but it is a bit of a learning curve. Furthermore, when you register with a new site, you have to fiddle about with the password generator in order to create a new password, and on top of that, some websites have undocumented limitations or bugs in their password forms. One well known website that I use allows you to set passwords of any length, but limits you to 20 characters in the login screen, for example.

That’s a relatively minor complaint, of course. A much more serious difficulty is synchronising passwords between different devices, not all of which may support your password manager of choice. KeePass for the iPhone is not yet available outside the USA and Canada, for example. Third party password managers may not even be an option on certain other Internet-enabled devices such as the PlayStation, Internet TV, and so on. Then there are situations such as a friend’s computer when you don’t have your password database on you; Internet cafes and kiosks; and locked-down workstations on corporate networks.

Clearly, avoiding password reuse requires a certain amount of discipline, sacrifice, and technical know-how. Even many relatively tech-savvy users view it as one of those things that “I must get round to someday” — a bit like taking up exercise or flossing your teeth. So where does that leave your non-technical users?

The overwhelming majority of non-technical users are shockingly ignorant about even the most basic aspects of web use. A couple of years ago, Google interviewed passers-by in Times Square, New York, and found that more than ninety percent of the people they stopped didn’t even know the difference between a web browser and a search engine:

The upshot of all this is that as a data controller, it is totally unrealistic to expect your users not to re-use passwords. They shouldn’t re-use passwords, and they should use a password manager, and they should choose secure passwords, and you should warn them of the risks. But to many of your users, if you try to explain the risks to them and what to do about it, their eyes will just glaze over and they will say to you, “Oh, I’m not a computer person. That’s all too technical to me.” They will re-use passwords. In so doing, many of them will entrust you with the login details to their e-mail, Facebook, PayPal, and possibly even their bank accounts. They shouldn’t, but they do. And with that in mind, you have a responsibility to do everything in your power to protect those details.


  • # Reply from Adam D. at 08:24 on 9 May 2011

    Take a look at my site. It contains a password generator that you access from anywhere. Keep a local copy on your phone too. Free. It’s just java script and a hash algorithm using the site name as the salt value. You can decipher my web site address from my email address.

  • # Reply from sohail at 10:20 on 9 May 2011

    Don’t browser plugins stop the need to change windows?

    Also, what do you think of LastPass? Assuming you don’t mind storing your data in the cloud with a proprietary system, I believe its browser/iOS integration is better.

  • # Reply from James at 19:11 on 9 May 2011

    Doesn’t LastPass require you to install software? That being the case it would be problematic on locked-down corporate machines, or in an Internet cafe for instance. Also, the thought of keeping all my passwords in the cloud makes me nervous, no matter how good LastPass are at security.

    The biggest problem is expecting your end users to use these things though. As I said, the “I’m not a computer person” type are a bit of a lost cause in that respect.

Comments are closed.