Daily Archives: May 6, 2022

  • Today is “What drives me insane about passwords” day

    May 5th was World password day. A day that Microsoft wanted us to ditch our passwords completely and move to authentication apps, fido keys and other tools to move us away from passwords.

    But I’d argue that all of these solutions haven’t addressed that there are times I need to have access to someone else’s account for purposes of administration, management, use case that is not being addressed well at all.

    My girlfriend and I recently discussed this issue. She is currently doing what she calls “case management” for a relative. Where she must manage the doctor’s appointments, assist with the bank accounts, help out with log ins for another person, someone who is remote to her and not local. Often she doesn’t want to have rights to the actual account or the bank account, but merely view rights.  She wants to be able to manage – but not BE the person when it comes to log ins. And often she finds this so frustrating that businesses from banks to medical offices can’t handle this secondary log in possibility.

    Then there is the issue of multi-user two factor. I’ve seen this often with Managed service providers and even in my industry. Often there is an invite sent to a specific person. But that person may not be doing the actual work of the project. So you end up sharing out the credentials which totally loses accountability.  These vendors need to not charge per user, but understand that sometimes in firms we assign someone else to do the actual work.

    Or let’s take the case I often see in small businesses – two people work in the business, the access is tied to the one person’s phone – but another person in the office is actually working on it. So you have to get the code that was sent to the other person’s phone in order to get into the thing.

    Now let’s take the hassle of migration and backing up two factor applications. Case in point: Microsoft authenticator application.

    “Before you can back up your credentials, you must have:

    A bit of a pain in the rear.

    Google authenticator appears to me to be easier – you can actually go into the app and export out the app. So you can place it on a backup device such as an Android tablet or iPad.

    But all of these claims about how passwordless is going to make things easier, no it’s going to make things different is all. Mind you, making sure your password is long, strong and written down either in a password application or literally WRITE THEM DOWN on a piece of paper that you then keep safe.

    But bottom line, on this day AFTER password day. I do want you to do better on passwords, too often we use really lousy ones. But I also want our vendors to realize that THEY need to do better as well.