At the beginning of every year for the last decade or so, a list of the most used passwords is released. At the top of this list are passwords like “123456” and “12345678”. The biggest thing I’ve taken away from this is that the average person is not well versed enough in cyber security to be responsible for choosing their own password.
This might seem like a nanny state kind of thing to say, but we’ve seen online services take many steps to try and help people choose better passwords, like early on insisting on 6 digits, and later 8, but we can see from the list what people did with that.
Then some started requiring letters and numbers, and so we saw “abc123” and “qwerty123” start showing up in the top 25. Of course, we’ve seen the push for upper- and lower-case letters, numbers, and symbols, but no doubt people will come up with the most obvious solution in time, my guess being: “Qwerty123!”. Whatever they come up with, it will likely be beaten by a rainbow table in seconds.
I’ve written a lot on how the password shouldn’t be an option anymore, and that online services like banking and social media should be careful about putting convenience over security. Currently, two-factor authentication (2FA) is a setting people can choose to turn on for many social media giants, and though this is a great option, it should not be an option. Many banks in Europe and elsewhere have done well in this space by giving customers PIN calculators, one-time password cards and apps, and other innovative methods of authentication, but there are still some that need to catch up, and now many of the methods I’ve mentioned above aren’t enough or are considered too inconvenient.
This brings me to the title question: whose responsibility is security when it comes to online services? As long as the password is an option, I believe the responsibility is left to the user. You could say that people can pass this responsibility to password managers, but we are still leaving the onus on the user to make this decision, just as we are with turning on 2FA. With two-factor authentication, service providers can take a lot of the responsibility away from the user, such as the difficulty of having to come up with an unbeatable password (and remember it) or the challenge of identifying phishing scams. With the right solutions, service providers can even reduce some of their own responsibilities because, whether they like it or not, in the event of a breach, no one will accept the response, “we hashed your passwords, so it’s on you if they get cracked”.
Passwords put a lot of responsibility on all involved, and as long as they are an option, especially the default option, they’re going to get used, and the burden of being secure ends up resting on the user’s shoulders. All popular online services will have IT professionals involved; it’s almost stupid to say, but the point I’m making is that these specialists know their field, they know the risks, and this is what creates the knowledge gap between the service provider and the average user. How can we look at these two groups, technology specialists and the average Facebook user, and think the latter should be left to decide how best to protect their information or money?
It’s not just the standard password that displaces responsibility. Banks and other services are looking to one-time passwords (OTPs) sent via SMS, which puts some of the accountability onto the mobile operator, requiring them to protect the channel upon which the OTP is sent. This is a duty they’ve been shown to fall down on several times, and with a known vulnerability present in the SIM card, which is the end receiver on this channel, the end-user can find themselves in a position where they never had a chance at protecting themselves.
We can never take 100% of the responsibility away from the user, but giving them the right tools, 2FA, can minimize what’s left up to them. I firmly believe it’s the service provider who should take responsibility for what they can when it comes to the security of their customers’ assets. Of course, major online services and banks do put great effort into protecting people’s money and data, but it’s all for nothing if they leave protection of the keys to those assets in the hands of users ill-equipped to prevent them from being used fraudulently. It’s not reasonable to expect ordinary users to be aware of the risks associated with basic authentication, but it is reasonable for those users to expect their services won’t offer unsafe authentication options. An apology and advice to change passwords isn’t acceptable anymore.