Dec 01 2013

Security in popular culture

Published by at 10:25 pm under General, Personal, Risk, Simple Security

One of the shows I’ve started watching since coming to the UK is called “QI XL”.  It’s a quiz show/comedy hour hosted by Stephen Fry where he asks trivia questions of people who I assume are celebrities here in Britain.  As often as not I have no clue who these people are.  It’s fun because rather than simply asking his questions one after another, the group of them riff off one another and sound a little bit like my friends do when we get together for drinks.  I wouldn’t say it’s a show for kids though, since the topics and the conversation can get a little risqué, occasionally straying into territory you don’t want to explain to anyone under 18.

Last night I watched a show with someone I definitely recognized: Jeremy Clarkson from Top Gear.  A question came up about passwords and securing them, which Clarkson was surprisingly adept at answering, with the whole “upper case, lower case, numbers and symbols” mantra that we do so love in security.  He even knew he wasn’t supposed to write them down.  Except he was wrong on that last part.  As Stephen Fry pointed out, “No one can remember all those complex passwords!  At least no one you’d want to have a conversation with.”

Telling people not to write down their passwords is a disservice we as a community have been pushing for far too long.  Mr. Fry is absolutely correct that no one can remember all the passwords we need to get by in our daily life.  I don’t know about anyone else, but I’ll probably have to enter at least a dozen passwords before the end of today, each one different, with different levels of security and confidentiality needed.  I can’t remember that many passwords, and luckily I don’t have to since I use 1Password to record them for me.  

But let’s think about the average user for a moment; even as easy as 1Password or LastPass are to use, they’re probably still too complex for many users.  I’m not trying to belittle users, but many people don’t have the time or interest to learn how to use a new tool, no matter how easy.  So why can’t they use something they’re intimately familiar with, the pen and paper?  The answer is, they can; they just have to learn to keep those secrets safe, rather than taping the password on a note under their keyboard.

We have a secret every one of us carries with us every day: our keys.  You can consider a key a physical token as well, but really it’s the shape of your keys in particular that is the secret.  If someone else knows the shape of your keys, they can create their own and open anything your keys will open.  This is a paradigm every user is familiar with, and they know how to secure their keys.  So why aren’t more of us teaching our users to write down their passwords in a small booklet and treat it with the same care and attention they give their keys?  Other than the fact it’s not what we were taught by our mentors from the beginning, that is.

A user who can write down their passwords is more likely to choose a long, complex password, something they’d probably have a hard time remembering otherwise.  And as long as they are going to treat that written password as what it is, a key to their accounts, then we’ll all end up with a little more security on the whole.  So next time you’re preparing to teach a security awareness class, go back to the stationery store and pick up one of those little password notebooks we’ve all made fun of and hand them out to your users, but remind them they need to keep the booklet as safe as they do their other keys.  If you’re smart, you’ll also include a note with a link to LastPass or 1Password as well; might as well give them a chance to have even a little better security.

3 Responses to “Security in popular culture”

  1. Marco on 02 Dec 2013 at 10:45 am

    Just finished reading this entry, only to see that gizmodo post: http://gizmodo.com/internet-password-logbooks-shouldnt-be-a-thing-1474729611

    timing :)

    But I agree with your point. I’m glad that I finally got my mother-in-law to write down passwords! The alternative was not using a password tool but using the same password everywhere. And of course that password was the bare minimum anyway. Something like theresa5. So in her case having the passwords written down on a piece of paper next to her home PC is way safer than using just one password all over the place. Sure, I’d love her to use one of the tools, but she simply isn’t interested, because a) she doesn’t see the need and b) as you said, it’s a new tool to learn which she doesn’t want.

    Hopefully tokens will become the standard and offer an easy way to securely authenticate online.

  2. Edward on 09 Dec 2013 at 7:39 pm

    I write passwords down all the time. Also, I physically protect them as you suggest. But I learned a trick long ago as an additional security measure. I encode my passwords with additional information that must be removed to get to the actual password. So, for example, you take information that is sight-recognizable by you, but to no one else, and you insert it into the password when you write it down. You can use your birthday, anniversary, last number of SSN, cars which have letters or numbers (911, Q45, etc.), home addresses, etc. So, if my son’s birthday were Sep 23, 1998, and the password Leapfrog64Sports&, I could include his birthdate and write the password down as 09Leapfrog236498Sports& or perhaps Leapfrog0964Sports231998&. Right now I’m managing 22 passwords. There’s no way I could memorize all of those.

  3. kurt wismer on 25 Dec 2013 at 10:59 am

    this is what happens when my rss backlog grows too large – it took me nearly a month to get here.

    martin, i agree with you that we should be teaching users to think differently about passwords, and i even agree with your key metaphor. back in march i made a design for business cards with a big key logo on them with the intent that they be used for storing passwords on (http://www.secmeme.com/2013/03/password-key-per.html). i went with the business card form factor because those can easily fit into wallets, and the key logo was meant to remind people to treat them like keys and keep them safe instead of leaving them lying around.
