Should security be left to the customer?

At the beginning of every year for the last decade or so, a list of the most used passwords is released. At the top of this list are passwords like “123456” and “12345678”. The biggest thing I’ve taken away from this, is that the average person is not well versed enough in cyber security to be responsible for choosing their own password.

This might seem like a nanny state kind of thing to say, but we’ve seen online services take many steps to try and help people choose better passwords, like early on insisting on 6 digits, and later 8, but we can see from the list what people did with that. Then some started requiring letters and numbers, and so we saw “abc123” and “qwerty123” start showing up in the top 25. Of course, we’ve seen the push for upper- and lower-case letters, numbers, and symbols, but no doubt people will come up with the most obvious solution in time, my guess being: “Qwerty123!”. Whatever they come up with, it will likely be beaten by a rainbow table in seconds.

I’ve written a lot on how the password shouldn’t be an option anymore, and that online services like banking and social media should be careful about putting convenience over security. Currently, two factor authentication (2FA) is a setting people can choose to turn on for many social media giants, and though this is a great option, it should not be an option. Many banks in Europe and elsewhere have done well in this space by giving customers PIN calculators, one-time password cards and apps, and other innovative methods of authentication, but there are still some that need to catch up and now, many of the methods I’ve mentioned above aren’t enough or are considered too inconvenient.

This brings me to the title questions; whose responsibility is security when it comes to online services? As long as the password is an option, I believe the responsibility is left to the user. You could say that people can pass this responsibility to password managers, but we are still leaving the onus on the user to make this decision, just as we are with turning on 2FA. With two factor authentication, service providers can take a lot of the responsibility away from the user such as the difficulty of having to come up with an unbeatable password (and remember it) or the challenge of identifying phishing scams. With the right solutions, service providers can even reduce some of their own responsibilities because whether they like it or not, in the event of a breach, no one will accept the response, “we hashed your passwords, so it’s on you if they get cracked”.

Passwords put a lot of responsibility on all involved, and as long as they are an option, especially the default option, they’re going to get used, and the burden of being secure ends up resting on the user’s shoulders. All popular online services will have IT professionals involved, it’s almost stupid to say, but the point I’m making is that these specialists know their field, they know the risks, and this is what creates the knowledge gap between the service provider and the average user. How can we look at these two groups; technology specialists and the average Facebook user, and think the latter should be left to decide how best to protect their information or money?

It’s not just the standard password that displaces responsibility. Banks and other services are looking to one-time passwords (OTPs) sent via SMS that puts some of the accountability onto the mobile operator, requiring them to protect the channel upon which the OTP is sent. This is a duty they’ve been shown to fall down on several times, and with a known vulnerability present in the SIM card, which is the end receiver on this channel, the end-user can find themselves in a position where they never had a chance at protecting themselves.

We can never take 100% of the responsibility away from the user, but giving them the right tools, 2FA, can minimize what’s left up to them. I firmly believe it’s the service provider who should take responsibility for what they can when it comes to the security of their customer’s assets. Of course, major online services and banks do put great effort into protecting people’s money and data, but it’s all for nothing if they leave protection of the keys to those assets in the hands of user’s ill-equipped to prevent them from being used fraudulently. It’s not reasonable to expect ordinary users to be aware of the risks associated with basic authentication, but it is reasonable for those users to expect their services won’t offer unsafe authentication options. An apology and advice to change passwords isn’t acceptable anymore.