Posted by: jsonmez | May 12, 2010

Don’t Make Me Make a Password

I can’t be trusted.  Neither can you.

If you have me make a password, I’ll do one of these things:

  • Use the same password on other sites, because I don’t want to try and remember them all
  • Make a fake email address and password just for your site, because I don’t trust you
  • Make a new password for your site and forget it, then cause you to have to support resetting it for me
  • Just not sign up at all, it’s not worth the emotional baggage

And if you decide to have me sign up with a new password, you’ll have to do these things:

  • Salt and hash the password with a slow, purpose-built password hash (bcrypt, scrypt or PBKDF2) before it ever touches your database; a bare MD5 or SHA-1 of the password is not enough
  • Serve the login page and the login POST over TLS, every time I log in and not just the first, so the password never crosses the wire in the clear
  • Lock down the web server itself, since it holds my plaintext password in memory (and, if you are careless, in your logs) while it handles the login
  • Build a password-reset flow, since I will forget my password, and that flow is itself an attack surface that has to be as well protected as the login
  • All kinds of other stuff an expert on web security would know that I wouldn’t
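If you do insist on storing passwords, the first item on that list is the one most often done wrong. The following is an added example, not code from the original post: it stores each password as a per-user random salt plus a PBKDF2 digest, verifies with a constant-time comparison, and shows beside it the bare unsalted hash that lets two users with the same password collide. The hash name, salt length, iteration count and record format are illustrative assumptions, not values the post prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for illustration (not from the original post).
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != f"pbkdf2_{HASH_NAME}" or rounds < 1:
        return False
    actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, rounds)
    # hmac.compare_digest avoids leaking how many bytes matched via timing
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to do: a bare fast hash makes identical passwords visible
    across users and is cheap to brute-force or look up in a precomputed table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    record_a = hash_password(pw)
    record_b = hash_password(pw)
    print("same password, two users, different records:", record_a != record_b)
    print("correct password verifies:", verify_password(pw, record_a))
    print("wrong password rejected:", verify_password("wrong", record_a))
    print("unsalted hashes collide:",
          unsalted_sha256(pw) == unsalted_sha256(pw))
```

The record carries its own algorithm and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a schema change.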

I’ve become more aware of this problem, as my iTunes account was compromised somehow and someone charged some $50 gift certificates to it.

Of course I had to go change all my passwords for any accounts that shared that password, and that is a big hassle.  Yes, I know I shouldn’t be using the same password for multiple sites, but it is so annoying trying to keep track of multiple passwords.

I am using LastPass now, we’ll see how that works out.

Just don’t do it

So rather than making people resort to a service like LastPass, just do the right thing.  Let someone else handle the authentication for you.

There are plenty of solutions out there.

Personally, I don’t care which one you use.  Most people are going to have an account on all three.   I like to imagine that someday the world would be a perfect place where there is only one place you log in, but until that day, don’t pollute the space more!

If you really feel that you need to create a login system for your application, consider this:

Users like easy

More people will sign up for your site if they don’t have to sign up for your site. I can’t count the number of sites where I got halfway through the sign-up process and closed the web page, because I just didn’t feel like it was worth the effort.

On the other hand, there are many sites that offered OpenID or sign in with Facebook, and I quickly joined, because it was almost no effort.

Consider how easy it is to sign up for StackOverFlow.com, and how easy it is to log back in.  Often I will google some search result and get to the site not intending to log in, but then I remember how easy it is and I just click the Google OpenID button and I am logged in.  Just like that.  I like easy mode for web sites.

Best security is to delegate

As a developer, I have a motto “I suck at security”.  Unless you are an expert in security, (probably even if you are), you should have that motto too.  It doesn’t mean not to learn about security.  It doesn’t mean to not enforce security as best you know how.  It just means realize that whatever you think you know, you still suck, and it won’t be good enough.

If you take that mindset you are much less likely to be over-confident and think that your mad cryptographic I-once-took-a-class-on-cryptography skills will be sufficient.  If you take the mindset of “sucking” at security, you are going to want to delegate security to someone and somewhere else.

The best way to be secure is to give the responsibility over to someone whose job it is and who knows it inside out.  Don’t want to lose credit card numbers?  Good… don’t store them.  Don’t want to risk your users’ passwords?  Good, don’t store those either.

Vacation

Off topic here.  I am taking a short vacation (no relation to the iTunes incident), so there won’t be blog posts on my usual schedule for a bit.

As always, you can subscribe to this RSS feed to follow my posts on Making the Complex Simple.  Feel free to check out ElegantCode.com where I post about the topic of writing elegant code about once a week.  Also, you can follow me on twitter here.

Responses

  1. Personally, I use Keepass (http://keepass.info/) to store all of my passwords. It is a small application and open source, which can generate passwords based on criteria you set. It is basically a desktop version of lastpass.

    I tried to use lastpass for awhile but ended up going back to keepass, I think I just like the UI better.

    In addition I store the database file it creates in a dropbox account so I can access it anywhere. I also make regular backups of the db just in case.

    I even randomize my login name as well for banking sites just because I can.

    It is ridiculous how many sites want you to sign up for access. I think the last I checked I had over 80 logins in my database.

    Oh, it’s also a great place to store product keys. I hate trying to track down software keys every time I decide to re-install something.

  2. I am a bit wary of delegating the security over to someone else. I believe it raises your attack profile just as much as using the same password at all sites.

    If one site gets compromised your info at other sites is also compromised. Look at the recent Facebook Connect issue with Yelp. Someone was able to circumvent Yelp’s security and in turn gained access to personal Facebook information. Facebook was able to shut down access to Yelp pretty quickly but who knows how much info could have been mined.

    I think security is always going to be one of those annoying necessities and, ultimately in the end, it is going to fall upon the user to protect him/her self.

    • You have a good point, but one thing to consider is the difference between personal data and private data.

      Personal data is stuff you might not want people to have, but it won’t be devastating for them to have. Anything you ever put out on the internet, you should consider that someone has access to.

      Private data is stuff that will cost you money or real damage if someone gets access to it. Credit card numbers, social security numbers, passwords to accounts that contain data that has a monetary value.

      From a developer perspective, we create a PR problem if we let personal data get out, but we create a financial problem that we will have to make restitutions for if we let private data get out. I would rather put the private data into someone else’s hands than be responsible myself.

      It is always good to say on your site, “we never store any of your personal data.”
