New advice from Google is useful if you’re new to passwords, but lacks the spine to make much difference.
Google admonished its users to be more careful with passwords in a blog post on Thursday, but two security experts say the tech giant should spend more time pressuring developers and companies to do more to help their customers.
Google’s tips encompass password basics: use a different password for each important service; make your password hard to guess; keep your password somewhere safe; and set a recovery option.
“For the general consumer, I think it’s a fantastic start,” said Alex Salazar, CEO of Stormpath, an authentication service for developers. But, he said, “everything they said here isn’t news to people who understand security.”
Mary Landesman, a Cisco senior security researcher with expertise in passwords, agreed. “I applaud them for trying to spread awareness. I think it was a little simplistic,” she added. “One of the biggest issues that users face isn’t necessarily how strong their password is, but the number of sites that are getting compromised.”
On the end user side, Landesman said that Google could’ve advised people to choose passwords with spaces whenever possible, as explained in a famous XKCD webcomic. The problem there, she and Salazar agreed, is that not enough sites let you do that.
“Here at Cisco we came across a group of passwords in the recent WordPress brute force attempts, and a large number of them you could call reasonable and very strong,” she said. “But if you’re re-using that password, it doesn’t matter how strong it is.”
Salazar elaborated on the problem: when you use the same password on a well-known, highly secure site as on a smaller site with weaker security, all an attacker needs to obtain your password for the more important site is to break into the smaller one.
“I think that consumers should be more aware about the applications they’re putting their data into,” he said. “This is the strongest reason why you should be using different passwords for different systems.”
But they both had tough words for Google, too. In addition to educating individuals about how to choose better passwords and how to better protect them, Landesman said that Google ought to pressure developers and companies to improve their own security practices.
“I think I would’ve liked to have seen a call for action to the industry to do more to make it possible for users to be safe,” she said.
Salazar outlined three steps that Google didn’t take that it could still choose to do. First, he said, Google could pressure companies to implement systems that force people to choose passwords that are easy to remember but hard to break.
news.cnet.com
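As an added illustration (not code from the article, Google, Cisco or Stormpath) of Landesman's point about sites that refuse spaces and Salazar's last suggestion: a constructed password policy that rejects spaces beside one that accepts passphrases, with the entropy arithmetic behind the XKCD comic. The two policies, the 2048-word dictionary size and the guess rate are assumptions chosen for the example.

```python
import math

# Constructed policies, not taken from any real site. The first rejects spaces,
# as the article says many sites still do; the second accepts passphrases.
LEGACY_POLICY = {"min_len": 8, "max_len": 20, "allow_space": False}
PASSPHRASE_POLICY = {"min_len": 12, "max_len": 128, "allow_space": True}


def check_policy(password: str, policy: dict) -> str:
    """Return 'ok' or the reason a site with this policy would reject the password."""
    if " " in password and not policy["allow_space"]:
        return "rejected: spaces not allowed"
    if len(password) < policy["min_len"]:
        return "rejected: too short"
    if len(password) > policy["max_len"]:
        return "rejected: too long"
    return "ok"


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of word_count words each drawn uniformly from dictionary_size words."""
    return word_count * math.log2(dictionary_size)


def charset_bits(password: str) -> float:
    """Naive upper bound: every character drawn uniformly from the classes used.
    A dictionary word with substitutions is far weaker than this bound suggests."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33  # printable ASCII symbols
    return len(password) * math.log2(size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possibility at a given online guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    phrase = "correct horse battery staple"   # four words from a 2048-word list
    mangled = "Tr0ub4dor&3"                   # word plus substitutions
    for pw in (phrase, mangled):
        print(pw, "| legacy:", check_policy(pw, LEGACY_POLICY),
              "| passphrase policy:", check_policy(pw, PASSPHRASE_POLICY))
    print("passphrase bits:", passphrase_bits(4, 2048),
          "-> years at 1000 guesses/s:", round(years_to_exhaust(44, 1000)))
    print("naive charset bound for mangled word:", round(charset_bits(mangled), 1))
```

The legacy policy accepts the short mangled word yet rejects the 44-bit passphrase, which is exactly the mismatch the experts describe.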