Google password tips not strong enough
New advice from Google is useful if you’re new to passwords, but lacks the spine to make much difference.
Google admonished its users to be more careful with passwords
in a blog post on Thursday, but two security experts say that tech
giant should spend more time pressuring developers and companies to do
more to help their customers.
Google’s tips encompass password basics: use a different password for
each important service; make your password hard to guess; keep your
password somewhere safe; and set a recovery option.
“For the general consumer, I think it’s a fantastic start,” said Alex
Salazar, CEO of Stormpath, an authentication service for developers.
But, he said, “everything they said here isn’t news to people who
Mary Landesman, a Cisco senior security researcher with expertise in
passwords, agreed. “I applaud them for trying to spread awareness. I
think it was a little simplistic,” she added. “One of the biggest issues
that users face isn’t necessarily how strong their password is, but the
number of sites that are getting compromised.”
On the end user side, Landesman said that Google could’ve advised people
to choose passwords with spaces whenever possible, as explained in a famous XKCD webcomic. The problem there, she and Salazar agreed, is that not enough sites let you do that.
“Here at Cisco we came across a group of passwords in the recent
WordPress brute force attempts, and a large number of them you could
call reasonable and very strong,” she said. “But if you’re re-using that
password, it doesn’t matter how strong it is.”
Salazar described the mechanics of the problem: when you use the same
password on a well-known, highly secure site and on a smaller site with
weaker security, all an attacker needs in order to get into the more
important site is to break the smaller one.
“I think that consumers should be more aware about the applications
they’re putting their data into,” he said. “This is the strongest reason
why you should be using different passwords for different systems.”
But they both had tough words for Google, too. In addition to educating
individuals about how to choose better passwords and how to better
protect them, Landesman said that Google ought to pressure developers
and companies to improve their own security practices.
“I think I would’ve liked to have seen a call for action to the industry
to do more to make it possible for users to be safe,” she said.
Salazar outlined three steps that Google didn’t take that it could still
choose to do. First, he said, Google could pressure companies to
implement systems that force people to choose passwords that are easy to
remember but hard to break.
“The companies and the websites that are specifying the passwords have
to enable users to do the right thing,” said Landesman. “You want your
password to be 12 to 14 characters, but not all sites allow that.”
From the company perspective, the problem there is the engineering cost:
getting existing companies to change their source code, run quality
assurance tests, and deploy the code.
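To make the site-side point concrete, here is an added example (not code from Google, Stormpath or Cisco) contrasting a restrictive password-acceptance policy of the kind the article says many sites still enforce with one that lets users pick the long, space-separated passphrases Landesman recommends. The length limits and the sample passwords are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """What a site will accept when a user sets a password."""
    name: str
    min_len: int
    max_len: int
    allow_spaces: bool


# Restrictive policy (assumed values): a short cap and no spaces, so the
# user cannot choose a memorable multi-word passphrase even if they want to.
LEGACY = PasswordPolicy("legacy", min_len=8, max_len=12, allow_spaces=False)

# Passphrase-friendly policy (assumed values): a 12-character floor, matching
# the lower bound quoted in the article, a generous ceiling and spaces allowed.
PASSPHRASE = PasswordPolicy("passphrase", min_len=12, max_len=128, allow_spaces=True)


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    Length is counted in characters, not bytes, so non-ASCII passphrases are
    not penalised by the encoding.
    """
    problems: list[str] = []
    if len(password) < policy.min_len:
        problems.append(f"shorter than {policy.min_len} characters")
    if len(password) > policy.max_len:
        problems.append(f"longer than {policy.max_len} characters")
    if not policy.allow_spaces and " " in password:
        problems.append("spaces not allowed")
    return problems


def accepted_by(passwords: list[str], policy: PasswordPolicy) -> list[str]:
    """Which of the candidate passwords the given policy would let through."""
    return [pw for pw in passwords if not check_password(pw, policy)]


# Constructed sample candidates: a short "complex" string and a long passphrase
# in the style of the XKCD comic the article references.
SAMPLE_PASSWORDS = ["Tr0ub4dor&3", "correct horse battery staple"]

if __name__ == "__main__":
    for policy in (LEGACY, PASSPHRASE):
        print(policy.name, "accepts:", accepted_by(SAMPLE_PASSWORDS, policy))
```

The restrictive policy accepts only the short string and rejects the passphrase on both length and spaces, while the passphrase-friendly policy does the reverse; that inversion is the "enable users to do the right thing" change the article asks sites to make.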
The second suggestion Salazar had was that Google could be a much
stronger advocate for two-factor authentication, which it offers as an
option for its Google accounts. “I think it would’ve been very valuable
for them to promote their 2FA on this post,” he said. “You’re not seeing
as wide adoption for it as there could be.”
A third action that Google could take would be to publish guidelines for
developers, Salazar said. Google should be “talking about why it’s
important to not put your own customers at risk,” he said.
“We hear a lot of users are stupid and it’s their fault, but users
aren’t stupid and it’s not their fault,” Landesman said. “[Password
security] is tilted against the user.”