Okay, this one is for the security community. I'm amazed and stunned how often our community arrogantly blames people for security risks, when it is ourselves that are only to blame. Let's pick on everyone's favorite flogging topic when it comes to people, passwords. You know, the topic where we blame users for being 'stupid' for constantly using such simple and basic passwords. We go through the trouble of teaching people to use long passwords, passphrases when possible, and then wonder why people don't follow our sage advice. We have even created cartoons on this.
Okay, lets say people learn and follow these steps. Now what happens? They can't login anywhere because the vast majority of websites will not support passphrases, or if they do they warn they are insecure. Seriously.
- Many banks and financial institutions allow only 6-8 characters with no symbols because they are still using and limited by mainframes. Don't believe me? Start with Charles Schwab and work you way from there.
- Many websites do not allow more than 16 characters, including security focused ones. Its actually hard to create a passphrase with multiple words that is under 16 characters. For example try creating a long passphrase at StrongVPN, a company that provides VPN services. Or try out PayPal that does not allow spaces.
- Organizations that do allow long passphrases will report it as insecure because it is not complex (lacking symbols, numbers, etc). See the attached image for an example. The password I entered was 22 characters long but only letters, so it was reported as weak.
I think it would be great if we as a community could stop blaming the 'stupid' user and get our own act together first. Or better yet bypass the whole password mess and go straight to two-step verification.