Wednesday, May 3, 2017

A Plea to Web Developers

There’s a growing trend on web sites that require a login, and it is getting annoying.  And I can’t see any real upside to the decisions that web site designers and developers are making.
What I’m referring to is sites that attempt to disable password managers.  They’ll use all kinds of tricks, ranging from a simple ‘autocomplete=”off”’ to JavaScript that clears the form, to building form elements dynamically so they aren’t picked up by browsers or password managers, among others. 

I believe that they are thinking that this increases a site’s security by preventing unauthorized logins.  You know, someone other than the authorized user logging into the site, being able to do so because the password is automatically filled in.  While that makes sense, the bigger issue is that they are actually reducing the site’s security with this behavior.

Why do I say that?  Because it forces people to use really, really bad passwords.

In today’s world, there is basically no such thing as a “good” password generated by a human.  People notoriously pick passwords that are way, way too easy to crack.  Even when we think we are being clever, some hacker somewhere has already been just as clever and coded the method that we think is unique into a password cracking library.  Basically every method you’ve come up with for creating a password, a hacker has already done it.

So the only good passwords are those that are generated completely randomly.  Using what we call a cryptographically secure pseudo random number generator.  Only passwords created by a PRNG can be considered secure enough to thwart hacking.  They should also be long too – 12 characters at an absolute minimum.  These passwords are virtually impossible to remember, especially considering that every web site we visit should have its own unique password.  Honestly, could you remember your passwords if every site’s was unique and they looked like x^HsNpeGo}V%Xd~, [lfGY%KW$4McJ(3l, or Jo@Rl-p4Vc7Esy?  I seriously doubt it.  So people using good, secure passwords use password manager software to generate and remember these kinds of passwords for them.

(I can honestly say I have no idea what my passwords are on 99% of the web sites I visit. In most cases I’ve never actually even seen them.)

Unfortunately it seems that many web site developers think you can remember these kinds of passwords.  Otherwise they wouldn’t be trying to disable password managers.  They are intentionally trying to force you to remember your passwords.  So they’re forcing people into using passwords like “monkey123” or “k3lly@96” which they can remember, but would be cracked by a hacker in a matter of seconds (or even milliseconds), and since people are bad at remembering passwords they’ll reuse the same passwords on multiple (if not every) site(s).

So while their intended effect is to prevent unauthorized logins, what they’ve effectively done is make their user’s accounts much easier to hack.  Not only are their user’s passwords bad, they’re probably the same as another site that has already been hacked. 

Intended effect: improved security, actual effect: horrendous security.  The law of unintended consequences strikes again.

So, please, if you are in charge of designing or developing a web site, resist the urge to prevent users’ browsers or password managers from filling passwords in for them.  The site will be far more secure if you actually allow users to use secure passwords.

(While I’m on the subject, having a site suggest a secure password when a user creates an account isn’t a bad idea either.  It should be displayed on the page so they can see what it is, as well as pre-filled into the password fields.  Most browsers and password managers will automatically pick up on data pre-filled into those fields and save it for the user.  Oh, and always use HTTPS for any page that requests or displays account data.)

P.S. You can always get a truly random password from my web site.  The passwords aren’t saved anywhere, and only you ever see it.

P.P.S. If you aren’t using a password manager, you should be.  The one I like is LastPass.  If you’re concerned about your passwords being accessible to someone, just choose a really, really good password for your account.  These sites include your account password as part of the encryption key, so nobody can get to your password data without it.  And you can make it even harder to crack by turning on Two-Step Authentication too.

No comments:

Google Search