The war for the soul of the password
Obviously, whoever invented the password system was a jerk. And whoever started adding all those little rules for password creation is a sadist. Not the kind of sex-positive sadist with a flag for their kink and a set of consensual negotiation rules that ensure password creation is hot for everyone involved. No, we’re talking about the kind of sadist that simply likes watching people suffer as they’re told to add special characters, but not dollar signs or exclamation points because… reasons.
But our passwords are more than that. They’re how we prove that we’re really us. They are the cornerstone of our digital identities. And everyone wants a piece of them.
There’s a race on right now to control or reinvent our log-in processes. Companies are offering convenience and security in exchange for handing over critical pieces of our identities. You might call it a fight for the soul of our passwords.
MasterCard and Samsung have attempted “selfie security,” which was easily spoofed with photos. There’s big money being poured into biometric security research, where your device “reads” hundreds of different things about you, like gestures, sounds, and more. We’ll probably find out how it fails when we try to log in while drunk in our Halloween costumes.
Another entry in the verification race are fingerprint readers. Things like Apple’s Touch ID are fast and convenient — great for kids that want to place orders with a parent’s thumb when they’re sleeping or for police who want to unlock your phone without your consent (fingerprints aren’t protected like passwords are under federal law).
Then there’s the password manager bonanza. These apps manage all your annoying logins. But, the market is becoming so saturated that you need to be careful choosing one so you don’t end up with a pile of insecure snake oil.
That being said, you should really, really get yourself a password manager. In a world so insane we need dozens of different passwords just to pay our bills, get and keep a job, and manage our health care, this particular security invention is a lifesaver.
Most security professionals agree: Everyone should be using one. Which is why the password manager market is getting crowded.
Of course, you can just let companies log in for you. When you choose to “log in with LinkedIn” (or Facebook, Twitter, or Google), that third-party gets permission to use your account information. It’s convenient, you don’t have to remember a password or expose it while you type.
Sometimes, though, the third parties get extended permissions, like being able to alter your timeline. Occasionally they get caught abusing that access. It’s why you should always check your “connected apps” and clean out ones you’re not using, or don’t trust.
When you choose this route, it becomes Facebook’s responsibility to tell the site that yes, it’s you. Because while no passwords are actually exchanged, what you’ve really handed Facebook, or any of the others, is authority over your identity.
At its recent F8 conference (which is really more like a big in-person ad), Facebook took its quest to control your password’s soul to the next level. The company announced developer release of its “Delegated Account Recovery.”
Facebook presented its new tool as a solution to everyone’s headaches over forgetting passwords and the account recovery process. The company’s post explained that the tool was created out of the goodness of Facebook’s heart (they’re just “building experiences people love”). The company also used its post as an opportunity to lay down vague fears, uncertainty and doubt about the security of password recovery processes like reset emails.
On its launch, Facebook security engineer Brad Hill tried to explain to CNN Money how Delegated Account Recovery will make life wonderful for Facebook’s next billion users. Instead he just revealed how disturbingly clueless the company is about user experiences. He said it will “benefit people just beginning to use the internet, who may have Facebook accounts but not an email or phone number.” Except… you need an email address or phone number to create a Facebook account in the first place.
Basically, you’d connect all your accounts to Facebook, which would handle all the authentication for you. In the background, companies send tokens saying they’re legit login requests — taking away the need to verify your identity with individual sites and making Facebook the ultimate authority.
This is a terrible idea from a company still forcing people — mostly at-risk people who need the safety that comes from controlling their identities — to prove their identity to Facebook in order to recover their accounts. In this model, losing connected services is just another sword over the head of anyone in danger of being outed.
That should bother you, even if that’s not your problem.
It’s not like what it means to be at risk, to a Facebook employee, has slipped through the cracks of their thought process. It’s more like our personhood, behind data they trade for cash, somehow got stuffed behind a couch cushion. They’re not even aware they’re averting their eyes.
Besides, there’s so much to do, like solving security problems that don’t affect them or taking advantage of people who are being ground down.
But we seem to be somewhere else in our heads, too.
Because the architects of identity control are so busy fighting for the souls of our passwords, we need to be moving the needle on the discussion. Away from corporate controlled convenience and toward empowerment: Tools of autonomy.
At the very least, handing over account authorization to any company so bloodthirsty to gatekeep our identities should come with a warning label.
A big one, about losing our souls.
Images: Photothek via Getty Images (Password); Facebook (Delegated Account Recovery)
(22)
