Sep 03 2014
Recent events have me thinking about online backups. We have been telling users to back up their data for years and there are now multiple ways to back up your phone and computer to the cloud (“not actually a cloud in the sky” is my favorite quote of the year). Users are starting to make copies of everything they have on iCloud, in Dropbox and in CrashPlan, just to name a few. They’re doing exactly what we’ve asked them to do. And now they’re starting to pay the price for doing what we told them they needed to do.
One aspect of building a consumer product that has a password is that users need to reset their passwords and they need to do so in an easy, secure and cheap manner. But you generally only get to choose two of those three. Which means that most companies do a fair job of setting minimum security standards for their password resets, but they choose cheap and easy (at least for the consumer) over secure. Which, from a business perspective, is the proper decision to make, at least in the short term.
But is prioritizing cheap and easy over secure the right business decision in the long term? It might still be for businesses, at least until consumers start being more concerned about security than they are about having an easy way to reset passwords. Which isn’t likely to happen any time in the near future, because the requirements for a strong password reset function are hard for many security professionals to understand, let alone someone who just wants to get back into their online account.
Right now consumer focus is on passwords and their strength, without the users understanding what makes a secure password reset mechanism. Our reporters and news sources don’t understand the complexity of password reset functions that lead to account compromise, so when they boil it down and spit out the abbreviated version of the story on the nightly news, all that gets across is “Use a stronger password and this won’t happen to you!” Which isn’t the issue at all, but it’s what the public understands.
I’m sure some of the large organizations that are responsible for backing up photos and other files will strengthen their security following recent events. I’m equally sure that a lot more organizations won’t, since every increase in security requires an equivalent increase in support calls. There might be some incremental improvement in password reset functions, but overall things won’t change much. For businesses this might be the right choice to make.