I’ve expressed this opinion before, but some recent experiences and discussions have only served to reinforce my opinion: The technology industry, as a whole, has utterly failed the average user when it comes to security. It doesn’t matter how many improved security features Apple, Google, Microsoft, and company add to their products. It doesn’t matter how many earnest blog posts are written extolling the virtues of strong passphrases, password non-reuse, and two-factor authentication. It doesn’t matter how many wonderful password manager applications are written. The bottom line is, for the average user, “security” is a complete mystery and an utter pain in the ass.
Take, for example, a situation I encountered a few weeks ago. A teenage family member received her first iPhone and it fell to me, as the “tech guy”, to set it up for her. The first hurdle we met was setting up the iPhone’s passcode[1]. I initially did the responsible thing and suggested turning off “Simple Passcode” and, at a minimum, entering a numeric passcode greater than four numbers. Of course that was met with a blank expression slowly transforming to one of utter horror. I took a deep breath, surrendered to the inevitable, and told her to go ahead and use the four-digit code she used on her last phone.
Next we proceeded to setting up a new AppleID/iCloud account. As you can guess, the password ended up being the bare minimum that met Apple’s (lax) standards and was—no surprise—almost identical to her existing Google password. By the time we reached the point of deciding between two-factor authentication or secret questions, I was so demoralized that the best I could do was to try to ensure the questions and answers weren’t trivially obtainable from her Facebook page.
So, what’s to be done? That’s the billion-dollar question, and it’s one for which I certainly don’t have an answer. As far as I can see, no one else does either. That’s why I say that we in the technology industry have collectively failed on this issue. The danger is real, it’s only getting worse, and I don’t think anyone is close to a solution yet.
[1] This was an iPhone 5, so no TouchID.