Comments for Bad News for OpenID: People Still Using Same Password Everywhere

Bad News for OpenID: People Still Using Same Password Everywhere

2009-02-24T13:50:40Z

A new survey from Gartner Research delivers some bad news regarding our online security practices: two-thirds of U.S. consumers use the same one or two passwords for all the websites they access. And they like it that way. Although people claim they're concerned about security, they still tend to use unsafe password management techniques rather than exploring new methods - be they new hardware, software, or new authentication frameworks like OpenID.

]]> Always Use the Same Password? You're Not Alone

Gartner's survey of 4000 U.S. adults in September 2008, once again demonstrated people's tendencies to opt for convenience over security. It's a trend that has stayed fairly consistent over the years despite the fact that an increasing amount of activity occurs online these days thanks to the growth of cloud computing.

According to Gregg Kreizman, research director at Gartner, "most consumers want to continue managing their passwords the way they do now." But the way they do now is nothing to brag about. It generally consists of one or two passwords which the consumer uses on every website they encounter.

What should be done about this? According to Kreizman, online product and service vendors should redouble their marketing efforts to illustrate the advantages and practicality of routine and stronger authentication for consumers. Another analyst, Avivah Litan, also notes that "enterprises with consumer-facing websites that require stronger controls than weak password authentication alone should continue to augment passwords with complementary mechanisms, such as device identification, geolocation and transaction verification."

Elephant in the Room: Facebook Connect

While these findings are relatively unsurprising, the study highlights one of the top issues when it comes to security: the human factor. For most people, convenience is key, even if it means putting their security at risk. Consumers would rather rely on service providers to protect their safety than change their own age-old habits.

Yet the one thing the study didn't address is what impact Facebook Connect will have on the user authentication ecosystem. Unlike OpenID (new sign-in boxes notwithstanding), Facebook Connect makes sense to the user. People immediately understand what it means to sign in using their Facebook account. What's more, the process is easier and faster than creating a new username/password combination for the website in question. That should prove well for its adoption and acceptance among consumers.

In addition, Facebook Connect solves problems that go beyond the security issue alone. Sites implementing the technology can gain access to your friend lists, too - a boon for social networking-type sites and those wishing to become more social. There's also the great, untapped potential of how Facebook Connect could make the Internet a kinder, more transparent place. When people have to be identified - and are not anonymous - the chance they'll engage in "troll-like" behavior (leaving rude, disruptive comments) is reduced. It could also impact sites that rely heavily on user reviews. No longer could marketers, business owners, and content producers game the system by leaving glowing - yet fake - reviews which are then hoisted upon unsuspecting visitors.

For those reasons and more, Facebook Connect could very well become the next big authentication methodology on the web. Personal opinion aside, it's hard to ignore the potential of this social networking giant.

But while Facebook Connect may eventually solve the security issue of a commonly used username and password among consumers, it's important to realize that it will introduce security concerns of its own. If this technology becomes ubiquitous, we'll have to face the consequences of putting all the power of authentication into the hands of one private company, which many fear do not have our best interests at heart - especially when it comes to privacy.

And that makes us think that perhaps a common, often-repeated password may not be such a bad thing after all.

Image credits: key - Mirko Macari; iphone - Krynowek Eine [el Eine]

Comment from TheMindRelaxer on 2009-02-24

2009-02-24T14:24:34Z

Whatever, as long as it's a strong password.. you'll be safe.

Comment from ZuDfunck on 2009-02-24

2009-02-24T15:02:00Z

People are lazy

No wonder we get scammed so often

At least we aren't hiding in the hills!

Afraid to come onto the Info Highway

Comment from Wood Flooring Guy on 2009-02-24

2009-02-24T15:10:47Z

Even using a strong password for everything is on the silly side. All it takes is a dishonest person to have a quick peek in a db the user is registered to then they have free rome of all the services your registered to.

Comment from Tara Kelly on 2009-02-24

2009-02-24T15:31:35Z

I run Passpack, an online password manager. Indeed, we've found the same to be true.

Consumers haven't truly taken stock off how much their passwords and access data are worth. They just want to ignore the issue. Like when you're sick and pretend not to be so you don't have to go to the doctor. ;)

New technologies, be they password managers or federated ID platforms, are going to have to take hold in the professional or business world first - where there's a clear idea of the worth of access data, the cost of not protecting it, and the costs of employees forgetting passwords.

Consumers may love Facebook connect. I doubt they would care much about the privacy concerns. I also doubt many enterprises would trust FB as the company SSO.

Comment from Grzegorz Balnis on 2009-02-24

2009-02-24T15:43:24Z

With OpenID I believe it is no different. Your OpenID identity provider is likely to be "one company", most likely a commercial entity. Difference is that you can choose. Would you those guys on http://openid.net/get/ more than Facebook? I'm inclined to trust somebody who has a lot to loose if they screw up, FB fits in.
Of course "open" is better than proprietary, but proprietary is better than nothing - thumbs up for FB. But it also creates dynamics for the open initiatives.
More thoughts on OpenID and some links here: http://gbalnis.wordpress.com/2009/02/01/does-openid-really-open-anything/.

Comment from Jim on 2009-02-24

2009-02-24T16:16:32Z

FacebookConnect makes the password problem even WORSE

Now look how much damage I can do (all over the web) by just compromising your single FB account.

Guess who the new attack target for hackers will be....

Comment from parça kontor on 2009-02-24

2009-02-24T17:19:14Z

thanks you..

Comment from Mitchell on 2009-02-24

2009-02-24T17:23:34Z

The problem is neither OpenID, Facebook, nor laziness.

And the solution is neither password strength nor continued fear.

The problem is _passwords_ and the solution is _stronger authentication._

@TheMindRelaxer, the vulnerability of a strong password is EQUAL to the vulnerability of a weak one if the threat is a keylogging trojan OR phishing (which are the two main threats.) Your recommendation is vapor.

The solution: choose one of the secure OpenID providers that secure the login with something above and beyond a password. Good choices are myVidoop.com (free) and myOpenID.com (paid.)

Let's look for solutions instead of fear. My grandmother died having never used a telephone using "logic" like the comments here.

Comment from aaronhockley.com on 2009-02-24

2009-02-24T17:31:27Z

I was going to comment about how the problem is passwords themselves, but Mitchell put it nicely. What he said.

Comment from Daniel W. Crompton on 2009-02-24

2009-02-24T17:40:31Z

That's fine, with OpenID the point is to have one password to rule them all. :)

Comment from Paul Pattison on 2009-02-24

2009-02-24T20:08:32Z

This is a very big problem because it means that if one popular service is compromised, that all other services may be compromised also!

Imagine a scenario where a malicious web service implements an innocent looking gmail/yahoo mail contact importer function just to harvest the login credentials. A certain percent of thoes email/password combos are also going to be used to log into fbook, paypal, myspace and the list goes on.

Or suppose a site that requires email/password regestrations is breached. If the hacker then takes every combo and trys automatic logging attempts on several of the popular sites without capchas then a percent of those combination will authenticate.

Comment from aaronhockley.com on 2009-02-24

2009-02-24T20:33:18Z

Daniel: you're missing the point. OpenID does not have to use a password. Secure solutions such as those mentioned by Mitchell don't use passwords.

Comment from Matt on 2009-02-24

2009-02-24T21:13:22Z

Our own research at Vidoop of over 2,300 people completed last year elicited similar findings to the Gartner study, specifically highlighting the increasing anxiety over security, balanced with a desire to receive the benefits of internet use. We however did not find that users 'like it that way'. They don't and they are getting more worried.

There was an emotional dam that was almost always breached when we asked about password management. We know from our data that by far the majority of US adults on-line are very frustrated with remembering and organizing passwords. We also know that the focus of their anxiety was largely financial value eg. hacking a bank account, BUT their attention is increasingly on social value eg. hacking into personal info, friends lists and health records. Finally we know that over a third of online adults have stopped entering a web site for fear of their IDs and passwords being compromised.

It is therefore a BIG problem (defined by size of population it affects + change in behavior it causes + commercial impact it has)and one we KNOW is not going to be fixed by password length, complexity or challenge questions.

The problem can however be resolved by an openID solution securing the login and authenticating the user without the hassle of conventional passwords - myvidoop is one way.

Comment from Alex22 on 2009-02-24

2009-02-24T21:47:26Z

This post was like a promo for Facebook Connect. If I did not know any better I would say that Facebook's own PR department issued this study and statement (they probably did..scary). I would never ever ever trust facebook with my photos and messages let alone my sign in info. Facebook is wicked EVIL...but to be honest I do hope they become the standard then every hacker can begin to target them exclusively and raise havoc on the service and it's sheep like users.

Comment from Khurt on 2009-02-24

2009-02-24T21:56:11Z

As Mitchell suggest, strong multi-factor authentication is the solution. Consumers are NOT going to create a new userid/password combo for every web site they use.

Comment from Mr. Obvious on 2009-02-24

2009-02-24T23:55:35Z

Duh.

Comment from rick on 2009-02-24

2009-02-25T00:06:41Z

Ok, how many incidents have there been of people having their login information hijacked? I know that in MMOs like World of Warcraft it's an issue... I imagine keyloggers are after bank information etc too. But where are the stories on this? We hear when a company loses millions of names... but I don't recall seeing any stories on the extent of the problem of accounts compromised by someone knowing the login information.

Until people feel there's a real risk of losing something of course we won't change. I use 3 passwords on the web - and in 15 years I've NEVER had an issue. Combine that with the confusion about so and so being an openID provider but not a consumer etc and the fact is that openID is a hassle and solves a problem that I don't need solved.

Finally, some of this is psychological. You can explain authentication until you're blue in the face, but for the regular web user having one set of credentials *feels* riskier. Like it or not, people relate this stuff to real world analogues like their keys etc...and who would have one key that opens every lock they use? No one.

Comment from Lucas Gonze on 2009-02-24

2009-02-25T03:05:46Z

Yes, some people love Facebook so much that that's the only account they need. But other people feel that way about Twitter, or Myspace, or Bebo, or Yahoo, Wordpress, Google, their NSA-secured account, and on and on. The web is such a big place that Facebook is really just another drop in the bucket.

And the idea that "People immediately understand what it means to sign in using their Facebook account", whereas they don't understand what it means to sign in using OpenID, just doesn't make sense, because the login flow would be *identical* in either case. The only difference in the OpenID case is that other accounts (like Myspace) could be used as well.

Comment from Greg Rolan on 2009-02-24

2009-02-25T03:34:23Z

Sorry, but Ineed to mention that you can use Glynx (www.glynx.com) for OpenID authentication - without needing any passwords. And no organisation holds your credentials - they are stored on your PC.

Comment from wayne on 2009-02-24

2009-02-25T06:30:13Z

Comment from forrester on 2009-02-24

2009-02-25T07:32:29Z

I agree with Rick above... for the majority of sites, there's not much downside if a password is stolen. The most popular sites I visit are probably cnn, nytimes, digg, reddit, slashdot, etc. If I lost my login/password at any of them, what would happen? Nothing. I'd just have to sign up again.

Count me among those who use the same password most everywhere. However, not all passwords are created equal. I use different ones for more important sites like banking, shopping, or my main email.

I wish I could read that Gartner study to understand what exactly was being measured. If I were in this survey, then it would show that I too am using a single password on 90% of the sites I visit. But am I being insecure? I don't think so.

Mostly, I think it's up to the users to understand security concerns and protect whatever they care most about.

Comment from Mike on 2009-02-25

2009-02-25T23:55:07Z

forrester: The issue is that if you use the same username/password combination for multiple sites, as the study suggests the majority of people do. Then, if someone hacks/keylogs/looks over your shoulder/phishes that combo from you, they can try that combo at any number of other sites.

Say you had a login at this site:
Username = forrester
Password = 4TheTree$

If you used this at all or the majority of sites you signed up with, then anyone who knows you use this combo here can then try this combo at all of the most commonly used webmail services, every online banking site, facebook, twitter, myspace, etc. and potentially have windows of opportunity for financial theft, identity theft, spamming on all of your channels, and all kinds of havoc.

Before usernamecheck.com went offline, there was a simple resource for determining where your username was registered at over 50 different websites. It wouldn't take a hacker much more work to write a similar script that does the same thing but also tries to authenticate using the same username/password at those and any other sites they would want to try to login to.

Comment from Janet Altman on 2009-02-25

2009-02-26T01:25:32Z

http://www.justaskgemalto.com talks about these kinds of issues and what you can do about it.

For myself, I try to manage my passwords like every one else. Not doing the best job.

Comment from Yawar on 2009-02-25

2009-02-26T03:21:56Z

Is anybody here using KeePass or a similar password manager? I'm finding the combination of KeePass, which generates and stores strong passwords, and Dropbox, which automatically backs up my passwords to a personal storage space on the Web, very useful. It did require a change of habits, but it's more than worth it.

Comment from ligress on 2009-02-26

2009-02-26T13:31:04Z

i still replicate my passwords here and there and although i see the power of connecting everything with fb connect, i'd prefer to connect everything with openid, which allows you more freedom as to what stands behind your identity. i don't really want to 'socialise' with the people on sites apart from reading their blogs perhaps and then finding out that indeed i might want to socialise with them, but not the other way around. and yes, i'd be careful about submitting ALL of my fb profile to a site...

Comment from Loans on 2009-02-26

2009-02-26T19:49:31Z

Nice info! Very cool post.I have looked over your blog a few times and I love it.

Comment from fjpoblam on 2009-02-28

2009-02-28T23:39:30Z

I have an OpenID. (In fact, I have more than one URL that I could use as an OpenID.) I'd be glad to use it, with a frequently-changed password of incredible strength.

But for one thing.

I have many EXISTING accounts far and wide across the web. Blogs. Forums. Shopping sites. Email. Website management for myself and for clients. And on, and on.

Not a single one of them will allow me to sign in to the EXISTING account with my EXISTING OpenID forever and forever, world without end, and forget the current username/password. My only recourse would be to establish a brand new account under the OpenID, and either re-enter or at least copy all info from the other account (and risk rejection due to existence of the other account).

For me, OpenID is not an option. At all.

Comment from brampitoyo.com on 2009-03-03

2009-03-03T08:06:58Z

Clearly, the fault doesnât entirely fall on the userâs hand. Yes, everyone should use multiple, secure passwords; but on the other hand, more sites should also adopt OpenID.

Just because one is an OpenID provider, doesnât mean that one supports signing on with it.

So, rather than being a bad news for OpenID, the fact that people uses the same password everywhere clearly establishes the case for a unified authentication systemâgood news for OpenID.

Comment from divx film indir on 2009-03-08

2009-03-08T16:00:06Z

provider, doesn’t mean that one supports signing on with it.

So, rather than being a bad news for OpenID, the fact that people uses the same password

Comment from chat on 2009-03-08

2009-03-08T16:01:51Z

Not a single one of them will allow me to sign in to the EXISTING account with my EXISTING

Comment from söve on 2009-03-18

2009-03-18T16:49:08Z

Comment from neon on 2009-04-06

2009-04-06T19:29:44Z

wish I could read that Gartner study to understand what exactly was being measured. If I were in this survey, then it would show that I too am using a single password on 90% of the sites I visit.

Comment from loop12 on 2009-04-09

2009-04-09T09:30:08Z

Some websites let you encrypt and store your passwords, e.g. http://loop12.com. It lets you encrypt your passwords locally in your browser and then have it stored.

Comment from neon tabela on 2009-04-27

2009-04-27T13:09:16Z

than proprietary, but proprietary is better than nothing - thumbs up for FB. But it also creates dynamics for the open initiatives.

Comment from cet on 2009-06-21

2009-06-22T06:46:31Z

sanbox