I support the movement to end passwords. For the average user, passwords are as insecure as they can get.
My (non-technical) family members keep using their birth dates, phone numbers, etc. as their passwords. I told them this is insecure, that they should use long random passwords, but their response is "I can't remember that". So I suggested writing it down, but they find that too much hassle. I managed to convince them to do it for some passwords, but they keep losing the paper (they just tuck away the paper somewhere and then forget where it is). Furthermore, they don't have computers, they ONLY use mobile devices, on which long passwords are awkward to type. So they revert to using phone numbers and passwords, with the attitude of "I'm not an important enough target, and if a hacker really targets me I am screwed anyway".
Some of them have difficulty grasping the concept of multiple passwords. To them, it's just "the Internet needs a password". If I explain to them that each website is a different vendor, they get confused. Just remembering which login username to use for a specific website (or whether it is a username or an email-address-as-a-username) is already difficult enough for them.
Mind you, we are talking about people older than 45. They have trouble using computers (even phones!) as-is, even before we get to the security part.
I ended up becoming their password store for their most important accounts. I set up random passwords for them, then when they need to do something (a few times per year) they have me log in and do it for them.
The average user doesn't care enough about online security to really do something about it. They don't understand, or acknowledge, the risks. So we need to do everything we can to make security convenient.
> Mind you, we are talking about people older than 45.
I wish we could drop the casual ageism; age has nothing to do with it. You might as well tell me they're left-handed and that's why they can't "do" passwords. Difficult enough already (in social terms) without the blanket presumption we're all non compos mentis as well.
And I wish that we could stop focussing on the ageism, as if that's the most important point or whether it's even a negative point. I used ageism to reinforce the notion that we should try harder to push for convenient security. It wasn't meant in a pejorative way.
Maybe your point was that ageism isn't acceptable in any form. We'll have to disagree there. I agree that pejorative ageism isn't acceptable, but doing away with ageism entirely is pretending that something real doesn't exist. Sure, not all young people are computer geniuses, and not all old people are computer illiterate -- I never said that, but that doesn't matter because focusing on that just detracts from the core point I was trying to make.
That's true, many non-technical friends I have around my age are not at all careful. But at least I've never encountered someone who thinks in terms of "the Internet needs a password" and confuses different accounts with each other. But frankly, it doesn't matter: I only mentioned age to reinforce to the reader that it is a real problem that deserves recognition and that we should try harder to do away with passwords and to strive for convenient security.
> Mind you, we are talking about people older than 45. They have trouble using computers (even phones!) as-is, even before we get to the security part.
As a 43-year-old sysadmin, thanks for warning me. I better find alternate employment in the next two years.
I wasn't talking about you, nor did I say all old people are bad at computers. When I said "they" I meant my family members, not the set of all people over 45. My accountant is over 45 and can use computers just fine. Why do you need to interpret things in such a black-and-white manner?
You set up a master password, but you don't really have to remember it: you can use a shorter PIN to unlock LastPass. (The phone itself acts as the second factor.)
I think you have to enter the full master password whenever you reboot the phone. But that shouldn't be too often.
I don't think I can teach them how to use LastPass if many of them already can't differentiate between accounts and just think of everything as "the Internet".
I can sympathize. Over Christmas I literally got my entire family into a room and used the TV as a projector with a Chromecast and walked everybody through why passwords are bad, why using the same password over and over on every site is REALLY bad, and why they should switch to a password manager like LastPass.
I even offered anyone who wanted to set one up to give me a call any time and I would remote in via TeamViewer and literally set it up FOR them.