Security fatigue: problems in password paradise

A new survey from the Pew Research Center paints a bleak picture of how Internet users feel about their online security. The report starts with bad news about passwords, the high profile tool in the toolkit: “69% of online adults say they do not worry about how secure their online passwords are.”

How does not worrying look in real life?

Consider the findings from Keeper, a vendor of password management software. It recently tallied its annual list of the world’s favorite passwords. The top 10 list opposite, taken from an analysis of 10 million sample passwords, illustrates pretty well what end-users mean by not worrying. These passwords are so terrible that the estimated crack time for the “safest” choice on the list (#6) is about 9/1000 of a second – for the others, the effective crack time is zero seconds. This preference for easy – and insecure – passwords goes hand in hand with a set of attitudes to online security that’s not easy to fathom.

To begin with, Pew notes a tension between lack of trust in institutions and reluctance to take personal action on security:

“[While] they express skepticism about whether the businesses and institutions they interact with can adequately protect their personal information, a substantial share of the public admits that they do not always incorporate cybersecurity best practices into their own digital lives.”

Internet users are right to feel skeptical. Site operators as varied as Target, Ashley Madison and Yahoo! have shown they’re not only lousy at network security, but irresponsible in disclosure and damage control. In December, Yahoo! admitted that hackers had breached its systems and stolen information from one billion accounts – and had done so three years before management got around to discussing the attack publicly.

A second and more counter-intuitive finding concerns what people do in response to suffering from an actual online attack:

“Americans who have personally experienced a major data breach are generally no more likely than average to take additional means to secure their passwords (such as using password management software).”

What explains such quick dismissal of self-interest?

Despite being a part of daily life, I think most people find passwords not just difficult but, well, weird. The better they are, the worse they are, since what makes them hard to crack also makes them hard to handle. Unlike, say, car locks and safe deposit boxes, passwords work invisibly on assets that are also invisible. Even as we type them, they dissolve into rows of inscrutable little dots. Plus they’re often stored on remote servers, i.e. in the “cloud” – the perfect metaphor for a tool you can’t see or understand.

Perhaps this abstract quality is what prompts people to manage their passwords in another kind of remote cloud: their brains. Two-thirds of onliners (65%) say memorizing their passwords is their most used strategy, while 86% use memorizing as at least one approach. The way distant second? Writing passwords on a piece of paper, the most used method for only 18% of respondents.

Software developers look at this behavior and think they can put us out of our misery by selling us password management software – 1Password, Dashlane, Keeper, etc – the tools security experts recommend most highly.

The bad news, however, is that almost nobody uses them. A mere 12% of onliners say they use these applications at least sometimes, while those who say they use a password manager most often amount to a tiny minority of 3%. Pew cautions this is not niche behavior, as password software “is used relatively rarely across a wide range of demographic groups.”

There’s a useful lesson here.

People at the selling end of the consumer tech business see code as the solution to everything. If you have trouble remembering your passwords and that makes you unsafe and you’re generally miserable about it all, then you’re gonna love our software. What’s wrong with this logic is not how good the software is or how cheap or how user-friendly. The problem is that it’s software.

This mental fatigue extends far past security. It’s only part of the fallout from how mainstream consumers are taught to behave in the digital world – to expect everything we touch to be effortless, easy and user-friendly, even when it clearly isn’t. Vendors know their customers won’t take lessons, respond to scares or read the manual so they just pretend there’s nothing to learn in the first place.

Same deal with hardware. As a tech at the Apple Genius Bar once explained to me, customers come in with broken, manhandled $1500 machines they’ve never maintained or even cleaned, and leave with their repair ready for more abuse. Imagine treating a $1500 Weber gas barbecue that way.

The only way mainstream consumers are ever going to make peace with their devices – and their passwords – is by getting to know them better. Mystification is a terrible motivator, as I can attest after a decade teaching 20-somethings how their digital world works.

Getting this particular demographic to put down their phones, their ingrained habits and their fear of exploring technology (yep, you heard that right) is hard work for all. Like most people, students have been persuaded there must be an app for that – one that will allow them to learn how a data packet crosses the Internet without any effort on their part. Or while texting. Well, there isn’t and there won’t be.

I see a wholesale change in our approach to understanding digital technology as one of the most important educational missions of the next decade. I’ll be writing more about this educational challenge in the coming weeks and months.

(The Pew survey on cybersecurity is available here.)

D.E.

An uncertain future for higher ed (Pew/Elon 2016)

Last month I wrote about the Pew/Elon experts survey on the future of the Internet. I included comments on the ubiquitous use of algorithms and the costs that entails. That was one of five questions on the 2016 survey. I answered two others: one on the future of education (#2) and the other on the effects of ever-increasing connectedness (#5).

My views on the future of higher education – especially in the liberal arts – have grown more pessimistic over the last year and a half. They’ve been shaped by the research and interviews I’ve done while working on a book proposal aimed at the uses and misuses of technology in the classroom. The working title, Turned off Tech, reflects the long-ago inciting incident: confiscating student phones and all other digital devices, the better to make the classroom a place to learn again.

Students adjust nicely to the idea that paying attention is a good way to find out how digital technologies work – as opposed to staring into a screen and expecting some miracle of osmosis. These days they’re much more concerned about what happens after they leave class and graduate. Many tell me that their 4-year degree was a painful necessity that will bring nothing by itself.

More on the student ISP ratings: Bell’s Internet disaster (3)

A new bundle from Bell: Internet access with poutine

~~~

I have bad news for Bell. On our campus, those steaming piles of french fries and gravy didn’t help convince any of my students that Bell has the “best Wi-Fi” or the best anything. And I have detailed files to prove it.

Poutine aside, why would Bell’s marketing department create an association between students resenting their roommates and students signing up for Wi-Fi? Well, first of all because Bell is counting on nobody actually knowing what the hell the “best” Wi-Fi would look like. Wi-Fi is a highly unpredictable technology whose performance depends on many factors out of Bell’s control, from the composition of walls to the type of data being transferred, the age of the router, the extent of bandwidth sharing and so on.

Meanwhile, there’s no clear value proposition for a commodity like bandwidth, except variations on “We’re the Best, period.” So Bell is betting that its brand equity will be enough to get people signing up, even as it’s getting its ass kicked in the Internet access market by Rogers. Bell has other trucks cruising around my neighborhood with another peremptory message slapped on the side: “Bell Internet. Perfect for laptops.

Moronic multitaskers vs digital natives: the smartphone crisis

First impressions are important

“The single biggest problem facing education today is that our Digital Immigrant instructors, who speak an outdated language (that of the pre-digital age), are struggling to teach a population that speaks an entirely new language.” –Marc Prensky, 2001 (creator of the “digital natives” concept)

“Multitaskers are terrible at every aspect of multitasking.” –Clifford Nass, 2009

~~~

Almost four years ago, I launched a radical new approach to teaching my courses. I began confiscating student phones for the duration of every class.

Let’s pretend her name was Kathy. I kept issuing the usual pleas to her – and everyone – to stay off their phones, as it’s hard to participate in a seminar discussion when you’re typing Facebook likes. Kathy was worse than most, so I moved her to a seat directly in front of the lab podium. But even when I was hovering, she kept typing furiously, like I was invisible. She was the last straw. Neither my ego nor my pedagogy could take it any more.

Where phones go to facilitate the learning process (COMN 4520)

Around the time I started my full frontal phone attack, I posted the first of three items on dumb things you can do with smartphones, in September 2011. I took it for granted that thousands of other instructors faced the same problem every time they walked into a classroom. But I figured I had a particularly good reason for my phone strategy. I was teaching liberal arts undergrads how the Internet works.

Netflix? it’s not the content, stupid, it’s the connectivity (2)

~~~

Fresh evidence from Akamai about Canada’s lousy broadband speeds

Time now for some empirical evidence, featuring Akamai’s recently published State of the Internet report for Q2 of 2014. 

Akamai’s Intelligent Platform is a cloud computing technology that operates in some 90 countries around the world. Because of the scale and sophistication of its operations, it collects and analyzes huge amounts of real-time (not advertised) data about broadband speeds and related variables (based on roughly two trillion requests for Web content every day). Akamai includes in its analysis every country from which it receives requests for content from more than 25,000 unique IP addresses. Currently that’s 139 countries.

Digital Canada 150: why the Tory plan is risky, not just foolish

~~~

April 17 and a couple of updates

1 – Data caps. Not quite a breaking news update (on my caps comments at the end of this post), since this story appeared in Ars Technica on March 13. “Time Warner Cable has been offering customers $5 monthly discounts in exchange for giving up unlimited data for the last couple of years, but almost no one has taken the company up on its offer.” In fact, only a few thousand of TWC’s 11.5 million customers have done so.

Here’s the deal: any TWC sub who wants to save the $5 a month can do so by cutting their cap from unlimited to… 30 GB! Jon Brodkin does the math and figures that three months of “excessive” Internet use and that sub loses a year’s worth of savings. The USA’s second most-despised ISP (after Comcast) has a story for that. CEO Rob Marcus claims his customers must value unlimited – duhdoy.

What you don’t know about your ISP service will hurt you (2/2)

Infographic released by TekSavvy in February, from omnibus survey by IDC Canada

~~~

(Please see previous post for the setup to this one)

In early February, TekSavvy released the results of five survey questions fielded by IDC Canada on its behalf, which probed for attitudes to Internet service among Canadians. In keeping with its White Knight role, the maverick ISP is not only going Ottawa one better on the research. TekSavvy also took the opportunity to launch a new tool to help customers navigate the decisions involved in choosing a particular access plan. They call it Find Your Plan and apparently people like it.

I spoke recently about this initiative to Tina Furlan, TekSavvy’s Director of Marketing and Communications, and the brains behind last year’s dramatic rebranding. The two main questions on my mind concerned a) why her team decided to plunge into the research game, and b) were they surprised by the results. Tina points out that TSI’s subscriber base across Canada (for all services) is now close to 270,000. Naturally, with that kind of growth, its traditional customer base of younger, techie males has broadened into a more mainstream and technically unsophisticated group, the very end-users who are especially puzzled and frustrated by all the bafflegab ISPs usually throw at them.

What you don’t know about your ISP service will hurt you (1/2)

Infographic released by TekSavvy in February, from omnibus survey by IDC Canada

~~~

How much do you pay each month for Internet access? What speed tier are you on? What’s the size of your data cap? Is it measured in bits or bytes? Can you complain to the CRTC about your ISP? Do you have any idea what I’m talking about?

We get the ISP we deserve

To the wonks with a vested professional interest in these questions, it’s hard to believe most people don’t know the answers – in fact, don’t know what the questions mean in the first place. Part of the puzzle comes down to a simple matter of caveat emptor: why would anyone pay year in and year out for a pig in a poke? Especially when that particular pig keeps growing in importance. We all pursue a wide range of critical activities online, like education, government services and job searching. We’re also spending more and more money on communications services (as the CRTC noted last fall, Canadian families spent an average of $185 each month on communications services in 2012, up from $181 the previous year).