Why should everything be dumbed down and idiotproofed these days? Why not educate people instead? Blame people not passwords.
Password managers are good and free, and every new phone has one built in. There is no excuse for using weak passwords anymore.
Over years of trials, security teams at places like Google have managed to successfully phish even people on those security teams. The verdict is in on whether this UX provides acceptable security.
>Why should everything be dumbed down and idiotproofed these days? Why not educate people instead? Blame people not passwords.
Because taking a holistic look at an entire system and attempting to improve it is better than relying on each and every individual. Take aviation for example. If there is a plane crash and it is found that the pilots ignored a warning indicator, they look and see if the warning was prominent enough, if it is properly prioritized, and if it is something that can be corrected at the system level. Pilot training is only one of many factors they look at, and human error is taken as an inevitability.
In aviation, pilots are highly trained and highly regulated. With accessing services online, it is basically universal access by all people of all skill and intelligence levels. Making a system more inherently secure is the only reasonable solution.
Because even I, somebody that cares about all of this a ton, sometimes copy paste passwords out of my password manager because nothing else works. Because temporary read-only backend compromises shouldn't lead to catastrophic and persistent security breaches (because passwords are provided in plaintext inside TLS, and TLS is often terminated at the edge). Because educating people for a complex and moving target like the details of authentication seems like a losing proposition at best, and like victim blaming at worst.
So no, please don't blame people, blame bad authentication mechanisms (including passwords) and those that hang on to them despite better alternatives.
> There is no excuse for using weak passwords anymore.
Weak passwords are only a small part of the problem. You can get phished with even a 256-bit equivalent random string.
I agree that enabling stupid people to keep being stupid is just kicking the can down the road. However I think we should blame identity providers, not passwords and not users. Passwords work when the identity provider doesn't have ALL of them, and users shouldn't be expected to be trustworthy.
We just consolidated everybody's login into one platform. One monolithic database that contains the PII of EVERYONE.... What could present a bigger, better target than that? It's literally too good to pass up. Previously an attacker would have to compromise half a dozen vendors in order to completely pwn someone. Now they just need access to one.
Additionally, password managers are dangerous. Not a single one of them has been able to go more than 12 months without reporting a significant hack. Just another consolidated attack vector.
Like VPN providers. Why would I scour the internet to gather the browsing history of a target when the user has already consolidated that information into one place for me?