Archive for June, 2012

Horrors of Password Management

June 14th, 2012 Comments off

I’ve seen plenty of commentary on the LinkedIn password hacking, but from the SaaS providers view there’s a few areas where there seem to be a really low bar for improvement. It’s made me step back and think about what we need to ensure for our systems. Here’s the first and most obvious one:

Password Change

I went through and changed all my passwords – LinkedIn, Facebook, Google etc. Finding where to change your password on LinkedIn and Facebook was horrendous. The most important thing security wise wasn’t easy to do. I had to walk a couple of people through how to find where to reset their LinkedIn password.

Suggestion #1 Maybe we should have some standard on a specific one or two click access to change your password. It should be the simplest thing to do for the most naive user. Most sites have standardized on having your name at the top right of the page, and clicking gets to some sort of account/profile info. How about always having password change info at the top of that page on your first click.

It also seems crazy that we spend so much time and effort on educating corporate users on the need to manage passwords, force regular changes etc. and none of this exists in the consumer space. There’s no reinforcing message between corporate and consumer spaces. LinkedIn can be excused to some extent, but Facebook is a de-facto identity provider for multiple sites and applications. You could set your password on Facebook and never change it again.

Suggestion #2 If we don’t want to force password changes, at least have some prominent message display periodically if you haven’t changed your password in the last 6 months or a year

Suggestion #3 If we want to educate users, we could have them self-select their security level, i.e. get the user to agree to password changes with a specific frequency, e.g. choose your security level – Low (remind me to change my password once a year), to high (force me to change my password every 3 months), even just asking the question forces a bit of reflection on the part of the user

Categories: Uncategorized Tags: