5. My Password Doesn’t Work / Blaine Cook / ffconf 2017

– Thanks. Thanks, Remy, for having me along. This talk definitely came out of a rant. So I feel like thinking about passwords on an ongoing basis is my penance for starting the OAuth thing that happened. So I’m sorry for that. I hope that this talk makes it a little bit better. I’m not sure if we’ve got, oh, my laptop is off because it’s been sitting here for so long. I’m just gonna enter my password. (laughter)

So earlier this year, I work at Conde Nast these days, I don’t think about passwords in my day job, thankfully. But earlier this year, I was in a totally amazing place, a totally amazing place called Wadi Rum, which is in Jordan. You’ve probably seen it in various films. I think The Martian was filmed there. And Star Wars, the most recent one, had some scenes filmed there. It’s incredible. So I was hanging out here, we went on a tour with some nomads out into the desert. So this was the nomad in question, so he’s a Bedouin guy named Salim. And so he took us out into the desert and just showed us around this amazing space. I just wanna point out, so he’s got sunglasses, he’s got a beard, he has a hoodie, and he was born in 1991, same year as the web, which means that he’s 100% millennial. That’ll be important later. So we were out in the desert, I don’t know how well you can see that, but we were taking some nighttime photography, some astro-photography and just chatting about things. Talking about work, and how life went and everything.

So the next morning, we emerged from the desert a little bit and we were having tea, as you do in Jordan, a lot, I highly recommend it. So we were having tea with his buddy that runs the tour company with him. And so Salim said hey, can you help Salim? Which was also this guy’s name, also born in 1991. Can you help Salim with his computer, like with his phone. He needs an email address. And I’m like okay, cool, I’m doing tech support for a family in the desert. So he proceeds to, you know, I figure like okay, he doesn’t have an email address. Turns out he did have an email address, he just forgot the password to it, so he needed a new email address. But the first thing I said was you have an email address, we have emailed, that’s how we set this up. And he was like no, no, the white lady in town runs my email, my work email, I want my own email address. I was like okay, we can sort that out. So we debated a little bit and said we’ll set him up with a Gmail address.

So he pulls out not one, but two phones, flagship phones. An iPhone 7 Plus and a Galaxy 7 Edge. And he kind of lives in that truck, or from that truck. But he’s got these two flagship phones. And he doesn’t have an email address. So that was sort of an interesting starting point for me. And his iPhone didn’t have a SIM, so he had already configured tethering to get internet on his iPhone from his Android, so he’s not illiterate. But so we get him set up with a Gmail account. And that went fairly smoothly, it was all good. And then send a test email, he receives the test email, everything is going fine, like okay great, you have an email address. Takes his phone, and he’s like it’s not working. What do you mean, it just sent you a test email, it’s definitely working. So I send him another test email. He receives it, he gets the test email, everything is fine. I’m like okay, let me see your phone. If it’s still not working, clearly there’s something that I’m not getting. So it’s asking for his email address and his password. And he doesn’t understand the difference between his iTunes app store account and his Gmail account because he shouldn’t have to. The idea that you should understand when someone asks for your email address and your password, that those might be hundreds of different things is something that we’ve internalised, but it doesn’t make any sense. So we have totally failed as an industry. This is an epic level of failure.

So right, let’s recap. So we have Salim, he’s a millennial with not one, but two feature phones, and he can’t set up his iTunes app store account after setting up tethering. So shades of earlier talks going on here, I think. But it gets worse. (laughter) So I’m like okay, we need to set you up an iTunes account. And I have literally pages of notes on how bad this process was. And this is Apple, they have trillions of billions of dollars, hundreds of billions of dollars, and it’s terrible. But as Remy was just saying, one of the things that they do really badly is this. So to have an Apple account password, you have to have a password that must be at least eight characters long, including a number and an uppercase letter and a lowercase letter, don’t use spaces, the same character three times in a row, your Apple ID, or a password you’ve used in the last year. Right, okay, so that’s gonna be really easy to sort out. Because this guy doesn’t remember the password to his previous email address. So first step, he needs a number in his email address, so I was like okay, we can sort that out. If you like it, you should’ve put a one on it. (vocalising) So Beyonce would be in trouble because you literally can’t put a ring on it.

And like, we spent all of this effort trying to tell people that they need to have secure passwords with complicated forms and all this kind of stuff, and we don’t support Unicode emojis in the passwords, and part of the notes that I have on going through the sign up process with Salim is that the Apple sign up form was entirely not localised. So it was in English, he couldn’t read it, I didn’t speak Arabic, he was a smart guy, so we figured it out, but it was really, really hard. He’s living in the desert, so (speaks foreign language) billing address, right, because he needs a billing address. His address is (speaks foreign language) which worked, thankfully. And don’t even get me started on John Appleseed, like oh my god, that is, not only did they not localise it, they made it as stereotypically American as they possibly could.

So taking a step back a little bit, what did Apple actually need? What they needed was a way to identify someone who is downloading an app from the app store in a repeatable way. That’s it, that’s all they needed, because they weren’t taking payment information, he was only downloading free apps. And they’re just trying to prevent abuse or you know, other things. So it literally took us five or six minutes to set this up start to finish and it was like this really, really frustrating process. And he now has to remember that he capitalises the first letter of his password and sticks a one on the end of it from now on. So they’ve really mucked this up. And unfortunately, it’s not just Apple, it’s like literally everyone on the web. So we have a lot to answer for.

So I’m just gonna sort of walk through what, because I think we’ve internalised this, we don’t think about it anymore, but I think it’s important for us to sort of come to terms with like, the basics. So obviously, we can’t use Face ID or fingerprint auth on the web, don’t try, please don’t try. That would be bad. So we’ve done this 1000 times, but when someone new comes to a website, this is their experience. So sign up now, great, well I’ll punch in my email address and my password. And oh, right, I signed up to this website before, didn’t remember, okay, so we still have the sign up button because we might wanna use a different email address, I guess. So we’re gonna click the little link in the corner that’s always tiny and hidden, and click sign in, so now we’re gonna sign in. And it’s asking for the same thing it just asked us for. So type in the same thing we just typed in. And it says incorrect password, because, well, we didn’t use that password when we signed up. Which password did we use? Well maybe it was that one. No, it wasn’t that one. Maybe it was that one. No, it wasn’t that one. At this point, we’re hoping that no one has this code running in production where they’re logging plain text passwords before they decrypt it, because we’ve just phished ourselves and all of our passwords that we use, which people do every single day all the time all across the web.

So we do the tried and true method of resetting our password. So we type in our email address, hit send, go to our email account. We see our password reset email. This is all assuming a fairly high degree of internet literacy. Remember, most people would’ve just totally failed a long time ago. So we get this message and we click the link, we follow it back to the site that we were originally on. And now we get to reset our password, great, I love that part. So we choose an acceptable password and we hit reset password. And then they ask us to sign in because they apparently don’t know who we are. So we type in our email address and our password again for like the sixth time. And yay, we get to use the site, it’s amazing. So that took five minutes. And there are, I have these conversations probably too often, there are a lot of people who only use email password reset links to sign into things because they just can’t figure out any other way.

So let’s take an abstract look at what actually happened in that process. So the user comes to the website and they say I don’t know my password. And the website says I can’t let you in. And that’s good, you know, it’s good that we don’t give access to people who aren’t us to our private data. So that’s good, we got that part. Now, the next part is okay, so here’s my email address, we’re gonna reset our password, and the website sends, sends the code to our email. And then we go to check our email, and then we get the super secret code from our email, and then we send it to the website. So the website then says great, great to see you, I know who you are. Now, the only thing that we’ve done in this entire process is verified that the user has access to their email account. So all of that password stuff is irrelevant because if you’ve set a password that you can change by having access to the email account, it’s pointless to have the password in the first place if like, 60% of your users are gonna go and reset their password anyways, it’s just annoying. And I think we need to have a conversation about why we do this.

So I think crypto-culture, security culture has a problem. It’s framed security as hard, you know, cryptography is hard, but the people who hold the reins to what counts as good security and not have sort of established a cultural niche that says that unless you are a crypto-wizard, you can’t do this. And the way that they determine success is by being good at cryptography, so the way that security is good is by being good cryptography. That has very little to do with users. So by the way, this image is literally the first Google result, Google image result for cryptographer. So I’m not just making this up. People who are into cryptography are really into cryptography. I don’t blame them, cryptography is kind of cool. It’s pretty remarkable what we can do with cryptographic technology. And I believe that it does have an immense impact on our society. And I think that it will continue to have an immense impact on our society. But I think a lot of cryptographers think that crypto by itself will have that impact and that’s just wrong. I think we determine how crypto, and we need to determine how crypto interacts with our societies. And that’s hard to do sometimes.

Because I’m gonna go live now, to security on the internet. (yelling) And it’s important to note that there are like literally infinite numbers of people in orange shirts going for your stuff. (yelling) Don’t worry, you can do it, you can stay up there. Do it. See, look at all those people with their crypto. (yelling) No, that didn’t work. It turns out crypto can’t keep all of the hordes at bay.

So this was really cool. So this is a blog post by Moxie Marlinspike, who is really awesome, does all sorts of amazing work, about some stuff that Signal, which is a super cool encrypted end to end messenger. End to end encrypted messenger, that provides the basis for the technology that drives the WhatsApp end to end encryption. And he’s talking about basically doing contact, like anonymous contact discovery by using a secure enclave part that’s in modern processors, but doing it in the server, not in your phone, so that he can’t access your contacts, which is crazy and insane, and this blog post is amazing to read the immense stuff that they do. But I don’t think it’s that practical for most things. I think it’s a lot like haute couture. You know, it’s pretty cool. It’s really, it’s really, really interesting. I didn’t know anything about fashion, I still don’t, but I work basically at Vogue these days, and this world is super, super interesting, but like, most people want Levis or H&M. It’s kind of irrelevant.

And so there’s a really interesting series of books called Object Lessons that are just about everyday things as objects. And this guy, Paul Martin Eve wrote a book called Password, so talking about passwords as an object, so of course, I read it. And he says, and I think this is really important insight, the reason that the term identity theft is favoured over any of the alternatives is that it absolves institutions in the digital world of their responsibility for the inherent flaws in their authentication systems. So when we look at Equifax, Equifax says oh, that’s identity theft because someone came and stole it, not like oh, we just left it out there. What do you expect? Because that would be fraud or somehow they would be responsible, but they externalise that and blame people. So we’ve essentially created this culture of like, blaming the victims of security flaws. And I think that’s a real problem.

So part of what that means is that we end up with solutionism like this where you end up with really, really poor approaches to security. Like, security questions are pointless, never ask them. United’s sign in is almost this bad. I really like the next one, yes, that’s definitely secure because it’s unique. (laughter) Yeah. (laughter) Perfect, right? But don’t get it wrong, because then you would’ve, like, you’re to blame because you haven’t taken your security seriously, you should’ve used like a password manager or something. Apple’s approach here, they would make a lot more money if they did this because then people could sign into their stuff and spend money, it would be amazing.

I asked a question a few months ago, my followers on Twitter are highly biassed towards security professionals, and only 30% lied and said that they never reuse passwords. But like, 70% of other people were like oh yeah, I totally reuse passwords. I totally reuse passwords all the time. Password managers suck. I mean, they’re good, we live in a broken world and they sort of help us deal with that broken world, but they really suck. They don’t work, because they don’t, like, if you change your password, often times, they’ll just lose the changed password, or create a new account, now you’ve got six passwords and you’re like I don’t know which one, so I’ll just use the email reminder link. And if you managed to get a layperson successfully using a password manager, what you’re going to end up with is someone with a database of all of their most secure and most valuable things on their computer and then their computer is going to die and they’re not going to have access to any of it and then they’re just gonna reset it by email anyways. So 2FA, 2FA is great, it’s like, for primary email, it’s really, really good. Danny O’Brien is the international director for the EFF. So he’s like I can’t use this stuff, he’s been doing online internet security for like 30 years and he can’t figure it out, how is anyone who is not in this room going to figure it out.

So it’s been a lot of like, uh, rant, negative stuff. But yeah, I think there’s a lot that we can do, though. So I think there are a lot of really amazing people, Chelsea is one of them, there’s a woman, Sarah Gold up in London who is doing really amazing work, and there are too many others to list. But we need to think differently about how we address online security. And if we get this wrong, if we stop caring, it’s not, in Chelsea’s case, it’s not just people’s ability to communicate, but it’s actually people’s lives are at stake. So we need to figure this stuff out, we need to make it better for everyone. And I think we got this.

So security is hard, passwords suck, all of our tools are terrible, what do we do? So this is, I’m just gonna go through a few things that I think that, I mean, I hope in this room if you’re, actually hands up, who manages a website that has a sign in form? So quite a few, that’s good, that’s good. So I hope some of you take this and do some stuff with it.

So first of all, don’t require an account. If you don’t need the account, don’t require it. So the place that Jen works does really really well. So this was in an incognito window, it was the first we’ve ever been to Glitch. And I just signed in, signed in, and now I’m using the product. And there, I’m done using the product. It’s like 24 seconds. The conversion rate on that is amazing. So if you don’t need the sign in, don’t use it. If you don’t need the sign in right away, if you don’t need a user account to interact with the user when they first land on their site, just wait, because they’re gonna reset their password by email anyways. So just let them use the site and if they’ve entered someone else’s email address, I think that’s probably okay because that’s not gonna actually help them.

The other thing is databases are magic. You can look up users in all sorts of different ways. So you know, when we go through that like, what’s my username on this site? I wish there was a way I could find out what my username on this site is. And we go and we type in the email address and then it sends us a link to the username, you could just tell them, it would be fine.

Use long-lived sessions. So don’t get people to enter their password all the time. This is one of the ones that security people get wrong a lot. Because if someone is entering their password a lot, if they’re used to entering their password a lot, then they get phished. And that’s, especially for people that are at risk, like Podesta, if they’re used to entering their password, there are going to be consequences for those sorts of things and I don’t mean this kind of session. I mean that kind. (laughter) Right.

So I think the other thing, and this one, I’ve worked a lot on, as I mentioned, I started the OAuth project many years ago, which was I think, was good, bad, I don’t know, I have a lot to answer for. But you know, use delegated authentication because it works. So I’m just gonna explain, because I think it’s really confusing for a lot of people how delegated authentication works and what it means. But really, all we’re doing is verifying an email address. So here is our diagram from earlier. Do you remember? We get the secret code, we pass it through email, and we send it back to the website, so it’s basically just confirming that the person has access to their email address. Now here is delegated authentication, so it’s exactly the same thing. The only difference is the website is now talking to an authentication provider. And the authentication provider gives the website a secret code, rather than the website giving a secret code to the authentication provider. And the user asks the authentication provider what’s the secret code using redirect rather than going and checking their email and potentially having to sign in to their email and potentially getting phished. So other than that, I’m glossing over a lot of technical details, obviously, but there are libraries for that. It’s the same thing, you can think about it the same way.

So I think we have built a lot of user experiences that I think put people off of doing this. So often, you’ll see something that looks exactly like this. So we’ve got, you know, from the interface complexity perspective, we have sign in with Facebook, sign in with Google, we can use email or username or a password. We can stay signed in or not, we can sign in. And then if we’ve forgotten our password, username or email, or if we want to reopen our account, all of the options are open to us. I mean, it must be really exciting to feel like you’ve got so many options, but it’s really confusing and it’s really terrible for our users and for us. So if we simplify this, we can do this, right? You say sign in. I’m gonna ask for your email, so ask for the email. And then you’ve got a button. And when they type in a Gmail address, you say hey, I see you have a Gmail address, would you like to sign in with Google, because that’s what you’re gonna do anyways. They click sign in with Google, and this is the, this case is the one where they’ve signed up before. The initial sign up step has one extra step that I’m glossing over here. So if they’ve ever visited the site before, they hit that sign in with Google button, and the next thing they see is the signed in site. So it’s like literally one step. I had a startup a couple years ago and we built this, and it worked really, really well. So I’ll get to some numbers in a little bit. But I just wanted to say you can build this, it does work.

And so that people don’t get upset with me for telling everyone don’t worry about password managers, don’t worry about 2FA, all that kind of stuff, secure your primary email. Because if someone gets into your primary email, all of the stuff that I’ve been saying means that they get access to literally everything. So I think that’s a really important thing to keep in mind. But one of my hopes is that we’ll get to a point where we talk about security and where literally us have approaches to web security, that means that we can teach users a very, very narrow bit of how to be secure, it doesn’t mean like, become a cryptographer, it just means like, secure your email. And I think we can actually teach that. So if there’s one thing that you take from the talk, it’s that authentication on the web in 2017 means securing your email, or it means just verifying your email. And that means securing your email. The second thing, like, if you can, there’s two things that you got, it’s that we can take advantage of this. We can use this to make everything better for people.

Now, one of the things that comes up a lot, certainly comes up for me when talking about security stuff is like, what about the money, right? You’ve got a functioning sign in form, it works, people are signing in, they’re using the site, why do you need to change it? And I just wanted, a couple of examples, so I mentioned my startup, we looked, because we were doing experiments with the sign in stuff, we looked at sort of the performance, our conversion performance. And there was a little bit of a panic when the initial numbers came in. One of the cofounders came and said we’re losing 63% of first time visitors to the site, they’re not getting through to full signed in, signed up users. I’m like I think you just said we have a 37% conversion rate on brand new visitors. So if your numbers aren’t that, you can definitely get there. And Jared Spool has been talking about some of this stuff for a long, long time. Talks about this 300 million dollar button. So by reducing barriers to getting access to a large online retailer that sells everything on the planet, they were able to just on the conversion rate change alone, basically generate 300 million dollars more a year of revenue. So that’s something. And then I found this from Heap Analytics. And the top one there is if you have third party sign in, it’s by far the best way to improve your conversion. And if you need, like if you start asking for extra stuff, you just decrease your conversion rate. So in the same way that the Chrome team will talk about not asking for permission to location services before you have a reason to do so, I think we need to apply that to sign up as well. And yeah, so hopefully you can take those to your boss, or if you are the boss, you can get more money.

Right, so passwords are really boring. I’m so bored of talking about passwords, but I think they’re really, really important. I think I agree completely with Bruce, the web isn’t just ours, it’s everyone’s. And even if 1991 feels like ages ago, the internet is still very, very new, and we’re just beginning to develop the tools that give people agency and autonomy on the web and on the internet. So we have some of those tools. But there’s a lot that are yet to be invented. And there’s a lot that I didn’t cover today. One of the things that I hope some of you are thinking about in that Gmail example is that if we move to everyone signing in with Gmail, they’re only going to have more of a stranglehold on what it means to be online. And the same thing is true of Facebook and a number of other companies. But we need to figure out ways to address them, address that, and right now, they do have a stranglehold, but we need to figure out ways that we can give people more agency and make it easier for them to engage online. And we’re not gonna get there by victim blaming our users. And by cryptoshaming people. We need to get there together, we need to get there one step at a time. So I hope you go and implement some of these things. And I hope it was interesting even though it was about passwords. Thank you so much. (applause)

About Earl Carter
