Usernames, Passwords, and Bad Ideas that Won’t Go Away

by David Young
Published: December 11, 2011

Hi again, everybody.

I just had to defend Scarecrow’s use of old-style usernames and passwords (rather than letting customers log in via Google or LinkedIn or whatever). It’s a conversation I keep having, and maybe some of you guys do too. So here are my thoughts on the online password problem.

What problem? Well, how many accounts do you have on unrelated websites that all use the same username and password? Don’t tell me–I’m just going to assume the answer is “several.” Obviously this isn’t a good situation. If a hacker or unscrupulous employee gets your information, they may exploit it.

There are several proposed solutions. Browsers now track our usernames and passwords on the various sites we visit, so we’re somewhat more free to choose hard-to-remember passwords (though on that subject, this is interesting, funny, and useful).

Downside: they’re only stored on the computer we used to set up or access each site. There are various workarounds to share this information, but they won’t necessarily work on all the computers/browsers we use. In short, this is a hassle. Trusting some online provider to securely store all our credentials, so we can get to them regardless of where we are, has an obvious risk to it, too.

The obvious solution? A password manager. Please use one. Though if someone gets your login credentials for that…hmm.

(Here’s a story: A very savvy friend told me about the system he’d purchased to encrypt and save his passwords. I thought: Cool! And I congratulated him on solving the problem for himself. It sounded like a hassle to me, but this guy has access to a lot of systems that do important things, and I guess I admired him for taking this seemingly straightforward but actually rarely-accomplished step. So now, I told him, his various accounts were safe from each other! His response: “Um. Well. Actually now I have this really secure system that records the fact that I use the same username and password everywhere.” I thought about that. “Oh,” I told him.)

So some people think everybody ought to just cut it out, and use a single sign-on for most or all of the sites they access. By this I mean people like those who contribute to or use OpenID, which sounds like a great idea until you think about it a little, at which point it begins to seem like a semi-good idea. Basically the notion is that you’d only log in to the one system, and other sites would defer to its authentication protocol.

It sounds great, though. Really. The idea has been around for quite a while, and definitely has its good points. In fact, I think a lot of site developers, administrators and owners would benefit by adopting it. But if a user is going to store private information with you, you are then trusting the provider of the authentication service in two separate but critical ways. You are also asking potentially unsophisticated users to trust you more than they may be comfortable with. The problems, as I see them:

  1. If the authentication service is compromised, so is your ability to protect your users. The more users choosing a given service, the more likely it is to be seen as a worthwhile target by hackers.
  2. If there are several competing authentication providers, as a business owner you can either trust them all, or try to monitor all of their security issues, or trust only some of them. There are obvious issues with all three choices.
  3. If the authentication provider decides it doesn’t like you or your business, or changes the way it operates without what you’d consider sufficient notice, it may have just taken your customers away from you.
  4. If your customer’s login credentials have been hacked or otherwise discovered, you are no longer offering the protection you thought you were. (Scarecrow in particular is about recovering from such events.)
  5. If your potential customers are not familiar with this sort of system, or don’t trust that a “login” link provided by your site will not give you access to their OpenID credentials, and thus all their other sites, you’ll either have to kiss those folks goodbye or…worst case in my opinion…also offer your own proprietary username/password system. And take a little credibility hit. Some folks may decide you’re just another “phishing” site. Ouch.

So people do stuff somewhat like this when they try to integrate with social networks. Even I may decide to make Scarecrow available as, say, a Facebook app? There are obvious benefits. But…there are downsides, too.

Another idea: since most people surfing online have an email address, why not use that as the username? That way they won’t have to remember yet another username!

Okay. So…what’s to be gained? There’s nothing magical about email addresses. Using them as part of your login credentials is precisely as bad (or good) as using any other username everywhere. Maybe a little worse, because it’s easier to guess by people who know you. In fact, come to think of it, that makes email addresses particularly troublesome.

What problem were we solving again? Uniqueness of usernames? Sheesh. Is it that hard to just, you know, check for uniqueness when users are creating their login credentials? In fact, even with all this rigmarole, don’t we have to check anyway? Just how many hoops should users be expected to jump through, again? Isn’t this whole practice really about–wait for it–making sure we grab an email address from our users? Whether they want to give it to us or not?

Hmm. Though, yeah, we really do need to be able to reach them. But do we need to make life easier for hackers?

Okay, remember those pure, solve-the-world’s-problems OpenID guys? There are things like Portable Contacts. What are they for? Sharing contact data across various sites via OpenID logins.

C’mon. That ain’t right even if it’s implemented as opt-in. Not at all.

Don’t get me wrong. I’m not saying I have a solution to all of this. I wish I did, but I don’t. What I’m saying is that Scarecrow is trusted with data that is important to our customers, and I don’t see a way around having to invest effort into protecting that data. It goes beyond username/password information, but it starts there.

So we may seem a little old-fashioned. Lots of recent college grads in Computer Science will not approve of the way we do things.

But I care about our customers more than I care about buzzwords and “standards.”

Okay. Now tell me how I’m wrong, and I’ll change my mind.