One of my favourite bloggers Troy Hunt posed a question on Twitter yesterday asking whether a user should share responsibility for a weak password that they reuse across multiple services.
There was a lot of great discussion and debate, and I found myself opposing Troy’s views. It was getting late in the night and despite my inner voice screaming, “Don’t go to sleep, someone on the internet is wrong” Troy did say he’d have a blog post up explaining his viewpoint in more detail.
Having woken up, got some caffeine, and read his post, I am ready to put across my view as to why I think he (and anyone that agrees with him) is wrong.
But before I continue… let me just say, I have great respect for Troy and consider him a friend. So don’t be stirring up stuff 🙂 I see this as a natural part of a much-needed dialogue in the security industry. I also reserve the right to change my opinion at any point because I’m also aware I’m not always right.
Twitter polls are a great way to gather a ton of views quickly and easily. These are almost always biased though. Like the initial question Troy posed, it is giving a very specific scenario, which need three things to happen to materialise.
- The user chooses a weak password
- That password is reused across multiple services
- The user is compromised via credential stuffing
Basically it’s a IF 1, AND IF 2, AND IF 3, THEN – “does user bear some responsibility?”
Actually, if you omit point 1, and say a user uses a strong password, but reuses it and it gets compromised via credential stuffing, the same thing would happen.
This is an important point, because Troy gives the example in his blog that many online services give advice to users about strong passwords, citing Twitter, Amazon, Google, and Disqus.
Note, you’ll see all of these make reference to creating a strong password, and to keep the password confidential. In none of these examples is the user advised to not re-use the password.
And as we’ve already established, swapping out a weak password for a strong one won’t change the scenario.
So, we end up with password reuse being the issue. And the question is whether users are savvy enough on the whole to be aware of the risks of password reuse. It’s easy for me to look at my peers and friends that work in tech and say, of course everyone is aware. But if I look to my family, or friends that don’t work in tech, who are only casual users, I’d say they don’t really know.
Imagine having three different bank cards, and one of them gets compromised somehow, and you’re blamed because you used the same PIN on all of them. I think we’d not be accepting of that. For most people, that’s the analogy they have grown up with, and have taken onto the online world.
The matter of awareness
Now, I do agree with Troy when he says that ignorance is no excuse. But it would also be naive to not recognise the massive awareness gap for a large portion of the population.
If the average user really did understand the need for strong passwords and not reusing them, enterprises probably wouldn’t need to invest so much time and resources into continually running security awareness campaigns.
What we’re talking about is a wholesale cultural shift to get people to adopt new behaviours. This is not something that can be underestimated.
If you’re like me and grew up in the 80’s, you’ll probably remember going on car trips without wearing seatbelts and thinking that caring for the environment was the job of some long-haired hippies that had nothing better to do than to tie themselves to oil rigs.
Fast forward a few decades and it’s inconceivable that I would get in a car and not ‘clunk clink’ – and I’ll walk a mile with an empty paper wrapper because I want to make sure I drop it in the blue recycling bin.
But these behavioural changes took decades. There have been sustained awareness campaigns, coupled with increased enforcement to get to the point where it’s almost deemed socially unacceptable to throw the wrong type of rubbish in the bin.
I don’t think security has had the same amount of time, and perhaps it won’t even have the will or resources to continually invest in raising awareness, because the general trend seems to be a few people trying for a while before giving up, taking their ball and going home to grumble about the stupid users.
Things take time to change – and there are speed bumps along the way. But it’s important to persevere, but also to see what can be changed.
A matter of risk
I think one of the issues I have with the initial question that was posed (other than the fact it was a biased, complex, leading question) was that it lacked context. So let’s try to put some context around it by focussing only on password reuse potentially leading to credential stuffing.
- A teenager reuses her social media password across Snapchat, Instagram, and her school canteen digital wallet.
- The CFO of a multinational organisation reuses the same password on the account system, HR system, email, social media, and local pizza delivery outlet.
- A sales rep reuses one password for their online banking and CRM, and reuses one password for a dozen (minor) sites which he needs for registering to go to events.
- A mother reuses password for her email, childcare nursery, and online shopping.
Now, consider these users were victims of credential stuffing because one of their online accounts were compromised. Would you apply the same level of responsibility or ‘blame’ to each of them? Maybe you’ll ask if any of them have received any formal security training.
Personally, I think context is important, understanding that different people, and cultures, and environments have different needs and drivers is vital before making broad-brush statements.
Empathy is probably the better word.
Put the user first
To borrow from Simon Wardley’s brilliant maps, every map has an anchor (the point it’s built around). For a geographical map, the anchor is the compass (this is north of that etc.).
When we look at technology systems, the user is the anchor. Everything needs to be built around the user needs. Everything is there to support the user – and the underpinning technology becomes less visible to the user the deeper it goes.
For example, when a user goes onto Twitter, their ‘need’ is to post a tweet, share content, read other people’s views, share private messages and so forth.
Security is something they expect, are aware of, but for the most, isn’t really a need. Security is more of a need for the service provider than the user.
I think what my major grievance isn’t even the question as to whether we should be blaming the users or not – because that’s the wrong question. The question is, why are technologists, developers, and security professionals allowing such poorly designed features going to market.
I put this down to the “us vs them” mentality where security professionals somehow try to wash their hands of their own responsibility.
A few weeks ago Bruce Schneier wrote an opinion piece in the NY Times entitled Internet Hacking is about to get much worse, in which there was this gem of a paragraph.
Really? I mean, this is more of a feeling than any real research. How many people has Bruce spoken to when arriving at this conclusion? It’s the old IT Security mindset of “us vs them” – the lemmings that are the general population don’t care about security boo hoo.
I just can’t wrap my head around why we build poor systems, have poor security, allow bad stuff to happen, then want to point the finger of blame at a user that is operating within the acceptable parameters and magically sit on our floating chair wearing an infinity gauntlet.
- The user is your anchor – build security into and around their requirements.
- The user is your friend, they just want to do things easily.
- The user wants your help, they don’t want to get hacked any more than you do.
Be the security professional they need and deserve.