Yesterday, Evernote, the popular note-taking and scrapbook app, was hacked and an unknown number of user credentials were stolen. Evernote carried out a precautionary password reset for all of their users, which, as has been remarked elsewhere, looked a lot like a phishing scam in its own right.

Thankfully, since the last time this happened with Twitter, I have had unique passwords for every service I use, so all I had to do was reset the one password (and re-link all my devices – damn, I wish they’d use token-based auth for their devices, but never mind). For all the faff of having to remember (or have written down) hundreds of different passwords, it is now far less faff than having to change each and every one of them when yet another web service gets breached.

As someone who builds web platforms and applications for a living, I do feel a certain sense of “there but for the grace of god”, so perhaps we shouldn’t be too hard on Evernote. They acted promptly once the security breach was discovered, and for me at least, the disruption was minimal.

However, once again, we have a service where many people store important personal information (Evernote even encourage you to store tax information using their service) that doesn’t provide extra security. This is despite the fact that they promised two-factor authentication some time ago.

I really hope that this breach will prompt cloud services like Evernote, that store sensitive information on behalf of their users (or act as an authentication mechanism in their own right, as with Twitter), to implement extra security (such as the aforementioned two-factor auth) in their services.

It seems like just the other day when I had to change a whole bunch of my passwords thanks to LinkedIn having its password database stolen by crackers, and now I’m having to do it again. This time it was Twitter that dropped the ball, but I am at least grateful that they’ve publicised the incident so widely.

Username/password systems suck; I’ve written about this before. We should, as an industry, aim to move past them as quickly as possible, and it’s nice to see some attempts at this (although a lot of those attempts are attempts to centralise identity in one form or another).

Like most people, I did recycle passwords on a number of services, and yes I know this was bad, but I only have a limited space in my head and I don’t enjoy having to remember long strings of alphanumeric characters. The main issue I’m having with this latest breach, other than the hassle of having to go around and change a bunch of passwords again (which is largely my fault I admit), is that Twitter, like Facebook and Google, can be used as a way to log into other services via OAuth.

This is very handy, and means that you can quickly sign on to a third-party service without having to create yet another password to remember. However, the downside is that this central identity MUST be secure. Facebook and Google both add extra security to their accounts by having two-factor authentication systems in place, so, when you access your account from a new device, you have to go through an extra security challenge – typically, entering a code sent to your phone or generated by a code-generator app.

Twitter, on the other hand, doesn’t have this extra level of security. This means that the crackers could have access not only to your Twitter account, but also to any third-party service you’ve logged in to with Twitter.

This is a big deal.

Personally, I think that any service that provides OAuth logins to other services, but doesn’t provide two-factor authentication, is being somewhat irresponsible, and I really hope that Twitter fixes this with the utmost urgency. I for one will be using my Google account more…

It is the second time in as many days that I’m having to log into things and change passwords because of some less-than-smart design decisions various web companies made when implementing their password database (looking at you, LinkedIn and Last.FM).
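The design decision alluded to above was, in LinkedIn’s case, storing unsalted SHA-1 hashes: identical passwords produce identical hashes, and one hash computation per guess tests that guess against every user in the dump at once. The following is an added example (not code from the original post or from any of the companies mentioned) that puts the weak scheme beside a salted, iterated one using only the Python standard library. The usernames, passwords and wordlist are constructed sample data; the iteration count is an assumption to be tuned to roughly 100 ms on your own hardware.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed work factor for PBKDF2-HMAC-SHA256; tune so one hash takes ~100 ms on the auth server.
ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """The pattern behind the LinkedIn leak: unsalted SHA-1 with no work factor."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked: dict, wordlist) -> dict:
    """Dictionary attack on an unsalted dump.

    Because there is no salt, one SHA-1 per guess checks that guess against every
    user at once, so the cost is O(len(wordlist)) rather than O(users * wordlist).
    """
    users_by_hash = defaultdict(list)
    for user, digest in leaked.items():
        users_by_hash[digest].append(user)   # identical passwords collide on the same hash
    found = {}
    for guess in wordlist:
        digest = hashlib.sha1(guess.encode()).hexdigest()
        for user in users_by_hash.get(digest, ()):
            found[user] = guess
    return found


def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash: a fresh random salt per user and a tunable work factor.

    PBKDF2 is used here because it ships with the standard library; bcrypt, scrypt or
    Argon2 are better choices where a library for them is available.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the algorithm and work factor can be upgraded later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample dump: two users chose the same weak password.
    leaked = {
        "alice": weak_store("password1"),
        "bob": weak_store("password1"),
        "carol": weak_store("Tr0ub4dor&3"),
    }
    print("unsalted, cracked:", crack_unsalted(leaked, ["123456", "password1", "letmein"]))
    rec = store_password("password1", iterations=10_000)
    print("salted record:", rec)
    print("verify ok:", verify_password("password1", rec), "wrong:", verify_password("password2", rec))
```

Note that the salt does not stop a cracker from guessing one user’s password; it stops the same guess from being amortised across the whole database, and the iteration count makes each guess expensive. Both together are what make a dumped table cost real money to crack.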

While these companies have clearly made a dangerous snafu, let’s not be overly harsh on them. There but for the grace of god go all software developers. The real problem is passwords, and until we find something better, this kind of thing will keep happening.

Let’s look at it from a UX viewpoint as well as a security one for a moment, because they’re both linked. People, myself included, are phenomenally bad at creating secure passwords and remembering them. Predictably enough, this results in the vast majority of users using one memorable (but as a result easily guessable) password for everything, and/or writing all their passwords down somewhere… both things that are a bad idea from a security point of view and often elicit derisive snorts from security professionals clearly blessed with an eidetic memory.

Moving past Username and Password

Computers should adapt to humans, not the other way round. Isn’t it time we stopped wasting time trying to patch a clearly broken system and build something else?

This is of course much easier said than done, and the two current alternatives to username/password authentication available – OpenID and OAuth – are not without their issues.

OpenID is nice and decentralised, but the UX is just awful. Sign in with a URL? Try explaining that one over the phone to your mum.

OAuth has the benefit of being very easy for the user (one or two mouse clicks to log in), so long as you’ve got an account with a given site’s blessed identity broker (for all practical purposes either Google, Facebook or Twitter). Strictly, OAuth is an authorisation protocol; the “log in with Twitter” flow borrows it for identity by treating “this token can act as user X” as proof that you are user X. This model nudges towards a centralised identity model which I find very uncomfortable.

This centralisation raises new issues of catastrophic single points of failure. Not only do you have the issue of the service being a prime target for crackers, you also have a far more insidious and arguably more likely problem: what happens when the identity broker you use for your thousands of accounts goes out of business?

Not to mention, all three of the main identity brokers still fundamentally identify you with a username and password. Google and Facebook have added second-factor authentication to their accounts, but Twitter is yet to implement anything (so if you have a Twitter account and use it for authentication anywhere, make sure your password is really, really good).

So, what can we do to make this better?

Myself, I’d like to move to some sort of two factor authentication (combining something you have with something you know), at least for really important accounts. More and more people have mobile phones so perhaps something similar to the Google authenticator model or SMS code authentication for new machine sign-in would be a start.

Whatever we use, it needs to be decentralised, secure, and fundamentally easy for people to use. Because if whatever fancy solution we come up with provides a barrier between the user and what they want to do, it will be useless. People will just work out ways of circumventing the security in order to get things done, or simply not use the service at all.

Today, the most secure password-protected system you can ever build can be defeated by one forgetful user and a post-it note.