I'm Todd Sieling, and I help design software experiences and strategies for the web. Here I write and can be contacted about creating humane, effective and memorable products for the connected world.


Passwords as Practice (Part 1 of 4)

Oct 10th, 2007

It’s probably safe to say that my thinking about passwords has changed more in the last year than it has since I started using computers. From policies designed to counter identity theft to OpenID and OAuth, I can’t help noticing that password use online is not only changing fast, but that the change needs to be made more humanely to stick. So, I started to write a blog post, but it turned into three more posts, respectively addressing long term prospects for password safety, near term interface design changes to improve the password experience, and a method for making memorable but strong passwords that can be used right away.

In this series I’ll look at three approaches to making the password user experience both more secure and more humane:

* Part Two will discuss two technologies for reducing the proliferation and exposure of passwords around the web: OpenID and OAuth.

* Part Three will look at interfaces that promote good password habits and provide adequate retrieval mechanisms.

* Part Four will describe a method for building strong and memorable passwords.

Passwords as Practice

Have you ever had to explain to someone over 5 years old what a password is? Likely not, or if so then very rarely. The password is something that anyone who can identify a computer either understands or grasps with ease. Though we think of passwords almost exclusively in terms of electronic security, passwords are, of course, nothing new. Mechanical combination locks use passwords based on number sequences and mechanical positioning. Even physical keys are passwords of a sort, authenticating when the 3D shape of the metal precisely moves the pins aside and opens the lock. I’d be willing to bet that our childhood notion of ‘Access Denied’ is born in the rattle of a locked doorknob. After that, it’s the giant, flashing ‘Access Denied’ message seen on TV and in movies, and never in real life.

But before all that, passwords were just words: the watchword, spoken aloud or shown in writing to prove legitimacy. Though simply a vocal sign, it’s certain that characteristics of the speaker, such as dress, accent, race or mannerisms, could strengthen or weaken the perception of legitimate use of the password. That is, in addition to having the password, you had to be convincing as someone who should have the password. This historical reality of person-to-person authentication is something that hasn’t carried into the world of computers, where anyone who submits a password is assumed to be its legitimate user.

The truth is, these aren’t exactly great days for the meat and potatoes account name+password authentication model. It’s a wholly useful model, but it’s been conscripted into serving a radically different network from what it was first implemented to protect. Today, passwords protect online assets of enormous value to individuals, corporations and communities: medical and financial records, online identities, interpersonal and professional communications. Misuse of just one such online asset can severely disrupt social, work and financial lives and destroy reputations.

At the same time that we realize the rising value of what passwords protect, those protected assets (our bank accounts, photos, socializing tools and so on) are being spread out across a widening number of online services. In the midst of so many different websites and accounts, people are using the same password over and over. Many services pop up and invite us to leave behind a name and password, even if it’s just to look inside. More recently, interaction between websites has made many web users familiar with giving their passwords to email accounts, photo collections and more to other websites, creating further duplication and spreading the risk around more. And where they don’t use the same password all over the web, people, being people, can easily forget theirs and create new accounts to work around inadequate password retrieval features.

It’s something of a perfect storm: as the value of what passwords protect goes up, they end up being given out more and more; defending against that reality are our outmoded practices for using passwords, hobbled by a lack of awareness or belief that it’s worth re-learning how to make a good password. This crisis of the password isn’t that it’s a bad idea, or that it’s a dead idea. Instead, it’s that as a technology, its material aspects (in this case, interfaces) and methods (how people use passwords) haven’t adequately evolved to meet a reality of high value distributed content that is our online life. The practice aspect of the password technology is simply out of date.

Web service providers are starting to recognize the need for stronger and more unique passwords. Many now have length and composition requirements to push less guessable passwords into use. While well-intentioned, many of these password strengthening requirements are haphazardly implemented in the user interface, creating frustration and increasing the likelihood of a forgotten password later on. There’s evidence that the call for stronger passwords is getting through to some web users, but it’s a slow process to reach large numbers.

The options open to service providers and users for improving password technology as both computer code and human practice have, until recently, been fairly limited. There’s an ugly catch-22 in trying to bring users around to using stronger passwords. Where a service provider enforces more complex passwords, they risk having members forget and get frustrated, or bail on the service altogether. Nobody wants to downgrade the quality of user experience to keep it safe, but ‘no pain, no gain’ seems to often be the assumed posture where strong passwords are adopted as the new rule.

The good news under this big dark cloud that I’ve painted is that something better is achievable on three distinct scales: in authentication technology choices for software architects, in interface design, and in personal password choices.
