I recently sat down with Janrain Solutions Engineer Kevin Long to discuss the state of password security and how websites can better protect themselves and their users from security breaches.
Hey Kevin, thanks for sitting down with me to discuss the topic of password security. Given some of the breaches that have been well-publicized recently, I think this is a very timely discussion.
Can you walk me through the process most websites go through to collect and store a password for a new user?
Kevin: The typical scenario involves a user visiting a site and finding compelling content that gives her an incentive to register. The user is then asked to create a new account and password, and in doing so, knows that she may forget anything very long or complex, or one that is used infrequently. So, the user types a short password that is as close as possible to the exact password she uses everywhere else. The site then stores that password, and as a nod to security, may hash it or even add a little salt. This means that the user risks having her password stolen from the site, and the site assumes responsibility for storing and securing passwords.
Now, the typical result from our experience is that the user hates this process enough to either never start or abandon the process part way through, lie about who they are, or resentfully comply and expose the password they use everywhere. The latter result exposes the site to the possible nightmare of a password-revealing security breach.
It sounds like a flawed system. How did this paradigm of password management come to fruition?
Kevin: In the beginning there was the command line, and anyone could walk up to any computer terminal and type commands that could be potentially harmful. The advent of usernames and passwords was a great boon to security. It was a system that was arguably adequate for the needs of the ’60s and ’70s. In the ’80s, however, modems, networks and the Internet changed first how we connected and then ultimately who was connecting. This at once created higher risk and greater usability demands.
In the rush to market, sites slapped the familiar username and password login prompts in front of retail, community, gaming and even entertainment sites. The rise of email giants and social networks adopted by the general public seems to have cemented the expectation of the familiar dialog in society’s psyche.
What have websites done to try to mitigate risks associated with password hacking?
Kevin: Typically, they have tried one of three things:
- Requiring more complex passwords.
- Requiring longer passwords or passphrases.
- Requiring additional authentication factors.
And why don’t these options work well for most people?
Kevin: Being required to remember long, complex, or unique passwords is a huge burden for most people. People also don’t like being made to feel interrogated, which is often the case when asking complex security questions to prove a person’s identity.
As people, we are known to be slow, lazy and demanding. We have difficulty memorizing. We don’t want to be bothered with security at all, but we demand that sites assume the responsibility for security. This puts us in an adversarial position with the site before we even get through the front door.
A formal party or a nightclub might ask to see your credentials at the door, but one would look for other venues if everyone at the party asked to see them before they would talk to you or introduce you to their friends. In the real world we assume people are who they say they are because other people upstream vouch for them, starting with the host and/or doorman.
Also, being required to do anything more than once, and not being recognized and rewarded for being a returning patron on a site can be a source of frustration for many people.
So, traditional registration and password practices are a huge burden for most people. Beyond security risks, what challenges do websites experience as a result of requiring password creation from users upon registration?
Kevin: For websites, having anonymous, masked users consuming, creating and sharing content isn’t ideal. Sites want to be able to recognize their active users and offer personalization to improve the experience. But asking users to create and remember a password for each site they frequent often results in low conversion and high abandonment rates.
Alright, enough about the problems that exist today. Let’s talk about solutions – what are the most prominent ones that have been applied today?
Kevin: Social Login is the most viable solution to tackle this problem, and it is gaining real momentum in the market.
Speaking abstractly, what are some key user experience elements that websites can implement to delight their users and customers?
Kevin: I’ll go ahead and mention a few suggestions and best practices based on how our customers are achieving success:
- Notice who brought them to the party. For example, use the referrer as a clue and a recommendation for authentication. If a person was referred to your site from Twitter, prompt them to login to your site with their Twitter identity when the time is right.
- Let users flash their ID quickly and easily. In other words, let them login with a single click.
- Let users choose which identity to use when you first meet; accommodate choice by providing them with the option to login using their preferred identity, whether it is via Google, Facebook, Yahoo! or others.
- Assure users that you are keeping only the information you need to provide them with a great experience on your site.
- Assure them that what information you do keep is safe and secure and that you follow best-practices and use best-in-class services.
- Remember users when they come back to your site, and welcome them back with an optimal return experience. Don’t act as if you have not seen them before.
- When users provide a highly validated identity or multiple identities, honor that trust by allowing them to go longer between logins.
What’s the best way for a site to offer all this goodness?
Kevin: The best way is to outsource user management to a best-in-class SaaS provider. Get more than a login system; get a full user-management platform that provides security and service on the back end as well as the front.
Can a site really operate without passwords?
Kevin: Yes. Even when your site is built on a framework, CMS, or e-commerce platform that would seem to require them. Social login eliminates the need to store passwords on your site, because you are relying on a trusted, secure identity provider (such as Google, Yahoo! or Facebook) to prove that users are who they say they are.
Do we have to go all the way? Can we offer social login and still keep our traditional username/password system?
Kevin: You certainly don’t have to go all the way. Tradition is strong and change is often resisted by people. You can accommodate traditional logins for your existing users and even accept new user accounts and traditional passwords, but I recommend leading with social login as it is both more secure and more convenient for people. The best practice that we recommend is to state those benefits in a prominent, plain and distinct manner.
What does this look like in practice?
Here is a screenshot from Samsung.com:
What does the flow look like?
Are sites doing this now?
Kevin: Yes, definitely. Leaders across many industries like Samsung, Intuit, Whole Foods, NPR, NASDAQ and others are showing the way by letting their users register and login with an existing identity from a social network or email provider.
What about the Future?
Kevin: Science is on it! And when discoveries are made, you can bet that Janrain will be making them easy to integrate with your organization’s web presence. Meanwhile, we at Janrain created a suite of flexible user management products and have done some deep thinking that can help you apply these ideas today!
Any recommended reading for those who want to learn more?
Kevin: Yes. If you’re interested in reading more about this topic, I’d recommend checking out any of these articles:
- When you must create a password, check out this guide to navigate that hazardous path.
- Michael Olson from our marketing team blogs about the past, present and future of OpenID, and how it was developed to address login and password challenges in the market.
- Google at Cloud Identity Summit says “It’s time to eliminate passwords!”
- TechCrunch Article on OpenID/Google Account Chooser and Janrain Login Helper
- ZDNET says IBM passwords are to become fossils
- CreditCards.com talks to OpenID and asks: Can your social network protect against fraud?