A Quick Rant on Password Security

A quick Google search for how to stay secure online will give you basically the same tips that everyone has probably told you. Let's talk about that for a minute.

It's not just the strength of the passwords

Okay, obviously strong passwords are incredibly crucial. However, everyone seems to miss the most important point: The largest problem we have is that people re-use passwords, not that they have weak ones. We have always drilled into people's heads that "longer passwords = better" and "use an @ instead of an A because it's more secure!" or "use an uppercase letter and numbers because it's more secure" but the fact of the matter is that no-one is cracking passwords anymore, or at least on any sort of reasonable scale. Most account compromises nowadays either come from phishing attacks or database leaks with terrible password practices. If a password is leaked once, and that user uses the same one on every site (or even just their email), it could have devastating consequences.

People trust internet companies too much

The fundamental problem with password security is that many people trust websites. Many non-tech-savvy users trust most websites and they might not know that entering the same password they use for their email on a less-secure site could have devastating consequences. However, it's impossible to tell which websites have proper security practices and who doesn't. Adobe, one of the largest software manufacturers in the world, recently had their servers compromised, and the massive company didn't hash their passwords correctly. How would a user know this? They wouldn't. And we can't ask them to.

This is our fault.

We have told users again and again to "use secure passwords", because "someone may crack your passwords", but the best piece of advice is to use different passwords and to use a password manager like 1Password

</rant>