Better passwords are possible with better security leadership

Are you enjoying the annual parade of the worst passwords?

This year it’s not just the trade media lamenting the terrible state of passwords. It’s capturing national headlines. It pops up on local media with the admonition to “change your password.”

Now it includes a never ending spate of social media commentary that amount to a collective sigh. Then the poor conclusion that people are just too dumb. This annual parade of negativity prompts a smug question:

“When are people going to learn?”

Before jumping on the bandwagon, give me a chance to reframe the challenge. And to show you why it’s your leadership opportunity.

Instead of asking “when are people going to learn?” ask “When are we going to learn to serve people better?”

Is this a failure of people? Or of the security community?

The theme this year seems to be, “Again? Didn’t we have this conversation last year?”

Yup. We sure did. And the year before that, too. For at least a decade or longer. Except we’re conflating “complaining publicly” with “conversation.” We sidestep root cause analysis in favor of confirmation bias. A chance to decry our “people problem.” And renewed calls for a “post password age.”

Passwords aren’t going away.

And they don’t need to. What if the failure we lament is actually a signal that we missed the opportunity to serve people?

A password is a component of authentication. A common mechanism to allow an individual (identity) to authenticate themselves to systems. They need this access to process and act on information. Identity, authentication, and authorization is vital to how we protect systems and information.

Passwords are powerful they are easy to use. They are easy to change – useful in a variety of situations. They are ubiquitous, too. And that’s part of the reason passwords seem like a problem.

How the drive for complexity turned into obscurity. And comedy.

Consider how the collective industry explains the need for complexity. Or is it length? What about handling password resets?

The only constant here is the confusion.

Almost no consistency between applications, organizations, or experiences. Befuddling and archaic requirements mixed with minimums and even maximums. Oddly worded guidance and warnings.

This is maddening to most of us.

But it’s comedy gold for the local networks. Everyone has a password joke. And a strategy to contend with it. Designed to get back to getting their work done. That means the headlines intended to guide (or is it goad) action turn into comedy. From late night programs to social media, everyone has a password joke.

And bad passwords. Openly and freely admitted. Almost like a badge.

So what happened?

Part of the problem with passwords is that we never really taught people how they work. I don’t mean the technical details. Just a high-level functional overview. Connected with the value of a password to their work instead of an inconvenience to endure.

The direct impact is the introduction of friction. Lots of it. It erodes our value, increases the cost of connecting to people, and makes it harder to fix.

Then we got caught in a cycle.

We created longer lists of steps to guide people. We confused them on “best practices.” Then we implemented technology to “prevent” poor password choices. Driving people to find routines that worked — but might not increase the strength.

We pushed them into password reuse.

The risk of password reuse is real: why won’t someone do something?

We created the conditions. Our efforts to increase complexity drove the need for reuse. Our efforts to promote password hygiene disconnected people from the process. Instead of investing time to understand, they found a way to get by. 

We missed early opportunities to break down the complexity. To offer understandable insights and guidance. Instead of offering people password managers, we argued over their security. 

I’ve invested a few hundred hours into understanding passwords. On exploring ways to translate the complexity of passwords into understanding. To develop – and test – how to teach people how to manage, use, and protect their passwords.

Success comes from investing the time to distill to clarity. The caveat is the need for technical accuracy explained in a functional way. It means an investment in communication over technology. Success comes when bringing people together and offering them a hands-on opportunity to learn.  

But when I ask companies the value of solving this problem… crickets. Is it worth $1/person? $10? I’m still trying to figure this out. 

I don’t mean slapping together a few slides to tell people. Or part of an annual program. What if we actually offered people a pathway to understand. A way to act. And then supported them with password managers and other programs to make it easier.

This is our opportunity.

One more thing: where did they get the password list(s)?

Where did the lists come from anyway? 

From authentication systems that weren’t protected. Poor implementations combined with missing maintenance. It’s the system that the password depends on. Not the password itself. 

Misplaced focus on the password. And miss the real tragedy of the system.

It doesn’t have to be this way.

Headlines and stories like these highlight our need to change. To translate our complexity into comprehension for others. To design usable systems. To support people with technology that makes their jobs easier — while protecting information.

We need leaders to stop lamenting symptoms and start leading solutions.

It’s time for the security leaders to emerge and lead the change we need

Addressing passwords — even if you want to replace them — is a leadership opportunity. It means ending the steady diet of negative information. Rejecting the “evidence” that people are the weakest link. And embracing the notion that we’re in this for the long haul (the infinite game).

The operative question is “are we better today than yesterday?”

The exceptional leader asks “are the people around me better today than they were yesterday?” Then see to it that the answer is yes.

In that effort, invest in how you and your team communicate. Install and protect better systems. Integrate user design into the process. Reconsider how we explain and teach people to create, manage, and use passwords. Offering them access to password managers. 

Solve the problems we can today so we’re able to focus on what tomorrow brings.