Google recently announced an enhanced security option for your Google account: optional two-factor authentication. While I think this is a great feature, it’s still flawed for the same reason traditional security is flawed: the end user.
Generally speaking, most users don’t care much about security. They don’t want to be bothered with complex passwords, hard-to-read images, or extra steps to get to their stuff, whether that stuff is their Facebook page or their Hotmail email.
An analysis of a popular site’s breach turned up some telling numbers. The first problem: the passwords were stored in clear text, so anyone who got a copy of the database could read every password directly, with no cracking required. The analysis also showed that nearly 50% of the passwords were trivial, such as sequential numbers, dictionary words, or names. The worst offender was 123456, which was used on nearly 30,000 accounts.
I also see the same behavior at work, and not just with one or two people but with lots of people. We even have a complex-password requirement, but people just tweak a common password to fit the policy; for example, if their kid’s name is Steven, the password might be Steven90 or Steven1990 (not a real example).
It doesn’t stop there either. People use the same password on lots of sites: their Gmail, Facebook, Hotmail, and MySpace passwords might all be the same. Add the fact that many sites use an email address as the login name, and a compromised email account will likely result in the compromise of dozens of their favorite sites.
So how does this play out with Google and their multi-factor authentication? As I mentioned on Twitter the other day, I suspect the only people who will really use two-factor authentication will be those who are heavily security-minded, and technology folks. Sadly, these are likely the people who need it the least, as they already know the risks of passwords and understand complex password rules.
So how does this get fixed? More education for everyday users is a start; they need to be made more aware of the issues. Mainstream media needs to start covering site hacks, especially when they involve large numbers of accounts and popular sites. Websites need to do more to enforce stronger passwords, and they need to store a salted, slow hash of each password (bcrypt, scrypt, or PBKDF2) in the database instead of the clear password, so that a stolen database doesn’t hand over every account at once.
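To make the last point concrete, here is an added example (mine, not code from the original post or from any site mentioned in it) of what "enforce stronger passwords" and "hash instead of clear text" look like in a registration path. It rejects the kinds of passwords described above (sequential characters, a name or dictionary word padded with digits such as Steven1990) and stores a salted PBKDF2-HMAC-SHA256 hash rather than the password itself. The word list, the 12-character minimum, the iteration count, and the function names are illustrative choices of mine, not any site's actual policy.

```python
"""Added example, not from the original post: a minimal password policy check
plus salted, iterated hashing for storage, using only the standard library.
Thresholds, the word list, and function names are illustrative assumptions."""
import hashlib
import hmac
import os
import re

# Constructed mini-dictionary for the demo. A real deployment would load a
# large list (breached passwords, dictionary words, first names) from disk.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "steven", "monkey"}

# Illustrative work factor; pick the largest value your login latency budget allows.
PBKDF2_ITERATIONS = 600_000


def is_sequential(s: str) -> bool:
    """True if every adjacent pair of characters steps by exactly +1,
    which catches '123456' and 'abcdef' (callers also pass the reverse)."""
    return len(s) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def password_problems(pw: str) -> list:
    """Return a list of reasons the password is weak; empty means acceptable."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if is_sequential(pw) or is_sequential(pw[::-1]):
        problems.append("sequential characters")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    # Strip digits and punctuation from both ends so 'Steven1990' or
    # 'Steven90!' still collapses to 'steven' and hits the word list.
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()
    if core in COMMON_WORDS or pw.lower() in COMMON_WORDS:
        problems.append("dictionary word or name with trivial padding")
    return problems


def hash_password(pw: str, salt: bytes = b"") -> str:
    """Produce the string to store: algorithm, iterations, salt, and digest.
    A fresh random salt per user means two users with the same password
    get different stored values, so one crack does not unlock both."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time; the clear password is never kept anywhere."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(pw: str) -> str:
    """Policy check first, then return the value a site would write to its database."""
    problems = password_problems(pw)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(pw)


if __name__ == "__main__":
    for candidate in ["123456", "Steven1990", "correct horse battery staple"]:
        try:
            print(candidate, "->", register(candidate))
        except ValueError as err:
            print(candidate, "->", err)
```

Note that the stored string carries its own salt and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login; a site that kept clear text has no such migration path, because the first leak already exposes everything.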
When people start caring about password security, people will start caring about multi-factor authentication.
What do you think? Do you help educate your friends and family on strong password policies? What rules do you use for picking stronger passwords?