By Michael Olson | Posted on February 06, 2012
I recently sat down with Janrain Solutions Engineer Kevin Long to discuss the state of password security and how websites can better protect themselves and their users from security breaches.
Hey Kevin, thanks for sitting down with me to discuss the topic of password security. Given some of the breaches that have been well-publicized recently, I think this is a very timely discussion.
Kevin: The typical scenario involves a user visiting a site and finding compelling content that gives her an incentive to register. The user is then asked to create a new account and password, and in doing so, knows that she may forget anything very long, complex or used infrequently. So, the user types a short password that is as close as possible to the exact password she uses everywhere else. The site then stores that password, and as a nod to security, may hash it or even add a little salt. This means that the user risks having her password stolen from the site, and the site assumes responsibility for storing and securing passwords.
Now, the typical result from our experience is that the user hates this process enough to either never start or abandon the process part way through, lie about who they are, or resentfully comply and expose the password they use everywhere. The latter result exposes the site to the possible nightmare of a password-revealing security breach.
Kevin: In the beginning there was the command line, and anyone could walk up to any computer terminal and type commands that could be potentially harmful. The advent of usernames and passwords was a great boon to security. It was a system that was arguably adequate for the needs of the ’60s and ’70s. In the ’80s however, modems, networks and the Internet changed first how we connected and then ultimately who was connecting. This at once created higher risk and greater usability demands.
In the rush to market, sites slapped the familiar username and password login prompts in front of retail, community, gaming and even entertainment sites. The rise of email giants and social networks adopted by the general public seems to have cemented the expectation of the familiar dialog in society’s psyche.
Kevin: Typically, they have tried one of three things:
Kevin: Being required to remember long, complex, or unique passwords is a huge burden for most people. People also don’t like being made to feel interrogated, which is often the case when asking complex security questions to prove a person’s identity.
As people, we are known to be slow, lazy and demanding. We have difficulty memorizing. We don’t want to be bothered with security at all, but we demand that sites assume the responsibility for security. This puts us in an adversarial position with the site before we even get through the front door.
A formal party or a nightclub might ask to see your credentials at the door, but one would look for other venues if everyone at the party asked to see them before they would talk to you or introduce you to their friends. In the real world we assume people are who they say they are because other people upstream vouch for them, starting with the host and/or doorman.
Also, being required to do anything more than once, and not being recognized and rewarded for being a returning patron on a site can be a source of frustration for many people.
Kevin: For websites, having anonymous, masked users consuming, creating and sharing content isn’t ideal. Sites want to be able to recognize their active users and offer personalization to improve the experience. But asking users to create and remember a password for each site they frequent often results in low conversion and high abandonment rates.
Kevin: Social Login is the most viable solution to tackle this problem, and it is gaining real momentum in the market.
Kevin: I’ll go ahead and mention a few suggestions and best practices based on how our customers are achieving success:
Kevin: The best way is to outsource user management to a best-in-class SaaS provider. Get more than a login system; get a full user management platform that provides security and service on the back end as well as the front.
Kevin: Yes. Even when your site is built on a framework, CMS, or e-commerce platform that would seem to require them. Social login eliminates the need to store passwords on your site, because you are relying on a trusted, secure identity provider (such as Google, Yahoo! or Facebook) to prove that users are who they say they are.
Kevin: You certainly don’t have to go all the way. Tradition is strong and change is often resisted by people. You can accommodate traditional logins for your existing users and even accept new user accounts and traditional passwords, but I recommend leading with social login as it is both more secure and more convenient for people. The best practice that we recommend is to state those benefits in a prominent, plain and distinct manner.
Kevin: Yes, definitely. Leaders across many industries like Samsung, Intuit, Whole Foods, NPR, NASDAQ and others are showing the way by letting their users register and log in with an existing identity from a social network or email provider.
Kevin: Science is on it! And when discoveries are made, you can bet that Janrain will be making them easy to integrate with your organization’s web presence. Meanwhile, we at Janrain created a suite of flexible user management products and have done some deep thinking that can help you apply these ideas today!
Kevin: Yes. If you’re interested in reading more about this topic, I’d recommend checking out any of these articles:
How to tell if your identity management is ready for the new data protection regulations…
We just released the latest member of the Janrain product family: Janrain Advanced Policy Manager…
Janrain Information Security Manager, Lisa Nicholson, shares her thoughts on why CSA Level 2 and…