Part of my job these days is convincing people to get out of the password business and start “Federating”; that is to say, outsource the login mechanics to an “Identity Provider” (IDP) like Facebook or Google or Microsoft or Twitter (and there are lots more). I’ve given the sales pitch quite a few times now; here it is.
Scenario · You’re putting up a new app and need to sign in users, so you use whatever’s popular with the package you’re using: on Rails, typically Devise; on NodeJS, Drywall or Passport; on PHP, UserCake; and so on.
These things will take care of storing and checking usernames and passwords for you. But storing and checking passwords is a bad thing to do.
Why? · There are too many passwords. When someone rolls up to your app for the first time and you ask him or her to pick a password, here are some typical reactions:
She says “Oh, not another damn password” and closes the browser tab. Kiss a customer goodbye. This is a very common reaction and if you’re Mr Yet-another-password, it’s happening to you right now.
Oh, and if she’s on a mobile device, the chances that she’ll be willing to put up with Password Pain are dramatically reduced.
He picks a short, simple, easy-to-remember password, thereby making life easier for the bad guys.
She uses a complex high-quality password, and doesn’t have to actually pick it because it’s the same one she uses on all the sites she visits, including dog-grooming tips and money management. Thereby making life easier for the bad guys.
He types some random gibberish into the password field and doesn’t bother to remember it; the site will keep the session active for a few days, and when it asks him to log in again, he’ll hit “Forgot password” and get a password-reset email. Beats trying to remember. (This is the best outcome so far.)
She uses a password manager like 1Password or LastPass or KeePass. It works pretty well for her — well, maybe a little awkward on mobile devices. But she’s had no luck at all getting her nontechnical friends and family to use it.
Which is to say, by playing the yet-another-password game, you’re decreasing the security of the whole Internet. You’re peeing in the swimming pool. It’s bad for your business, and Google’s business, and for the people using the Internet. So stop doing it.
That should be enough.
Not Convinced? · You still think you might want to do the password thing... so, you’d better make sure people pick good passwords. For example, type “password rules” into Google and up comes Intel Password Rules, from which I could quote, but let’s just screenshot instead.
When you impose something like this on human beings, you’re being mean to them. Which is not only evil, and bad for business, it just doesn’t work. So stop doing it.
Still Not Convinced? · Maybe these will help.
Are you smarter than those guys: the BBC, Dropbox, LinkedIn, and so on? Are you sure? This could be you, very easily. The bad guys are out there, and they are probing your defenses every day. So once again: get out of the password business, start federating, and don’t let this be you.
It’s That Easy? · Um, well, no. There are issues around federation: business, technology, and policy. I’ll write some follow-ups about them. The cost and effort are non-zero. But it’s something you’re going to have to do anyhow, so you might as well get started.