Cr4p Passw0rd5

Monday 16th Jul 2012

I read this by Andy Clarke, and then this by Luke Wroblewski, about the crap passwords people use on various things. It got me thinking about the discussions I’ve read and taken part in, where the core argument ends up something along the lines of “People choose crap passwords! They need to do better!” In other words, “People don’t understand the system! They need to learn how to use the system!”

It’s pretty obvious where I’m going with this, bear with me, I need to vent. For passwords, we’re still in a blame-the-user mentality, seemingly because the whole thing of online identity is a non-trivial and long-standing problem. Passwords seem to be the only solution that works, so we’re stuck with it, and users need to, must learn to adapt to the system, or they lose. They lose their data, their security, their money, the provability of their own identity. That’s a pretty high cost.

In UI design we minimise hurdles, barriers, blockers, and try to make things easy and pleasant. Problem is, passwords are dull. Coming up with a good one seems hard. So we present the process as a minor thing - OK, you have to enter it twice, and it’s starred out, but it’s on a par with entering your email address. It’s presented so that the important thing seems to be to make sure you typed it right, not to come up with something secure. Don’t scare the user, make it seem less important, let’s keep the mood cheerful, guys!

None of that means the other extreme is a good aim either. We all know the insane password requirements of this or that other site, the one that demands we type something that looks like the cat walked over the keyboard, and that doesn’t work either, because you’ll just write it down somewhere.

I whinged about this problem on twitter, and of course that XKCD cartoon came up, which presents a much better idea for passwords (should the site allow spaces!) I don’t have a problem with the password method, but with the idea that ‘we have trained users’ to come up with a certain kind of password. We haven’t. We’ve trained users to regard passwords as an irritation, an annoying test that needs to be cheated to get around, so users type ‘password1’ because that meets the requirements of an algorithm. They don’t see, because they don’t know, and may not actually care about, the importance of passwords. Passwords are annoying! We’ve trained users to cheat, not to come up with passwords, of any sort.

And that’s because passwords aren’t the important thing. We’re spending time trying to fix the problems we’ve got with a bad solution to a problem, not the problem itself.

So I guess my point here is, stop bitching about users and their crap passwords, but about how we’ve not figured out a better solution than passwords yet. It’s really not a trivial problem, and I would never claim it is, but that’s not the users’ fault.