Why do US government websites insist on such weak passwords, and what can I do about it?

larryhorton
Community Member

This is more of a political than technical question, but it drives me nuts to be forced to adhere to requirements that result in weak passwords on sites that demand my financial information. Government sites seem to be the worst.

Why do they do this? Is there anything that can be done about it?

Thanks,
Larry



Comments

  • AGAlumB
    1Password Alumni

    @larryhorton: Wow. That's a doozy of a question! Without being able to say for certain, what we typically find is that password restrictions are a technical limitation due to obsolete (security-wise) infrastructure. But rather than getting into technical reasons or getting too political, I think it's even more helpful (and potentially less controversial) to think in terms of economics.

    Government and financial institutions tend to suffer from this the most, lagging behind due to significant overhead of replacing older systems (both individually and as a whole). There's usually a lot of bureaucracy involved in both, so even if there's a desire to modernize, there's an institutional resistance to doing so. There are good reasons for this, but this still has an overall negative impact on security (e.g. databases being breached, or at risk of future exposure).

    Banks in particular seem to be improving in this regard in recent years, likely because in spite of inertia (or lack thereof), there's a very real business incentive to improve security, lest they risk being the next in a long chain of companies falling prey to hackers, and subsequently facing lawsuits and eroded customer trust.

    Governments, on the other hand, while arguably a type of business, aren't generally run like one. In most cases the "share holders" (i.e. citizens) and "customers" (i.e. tax payers) are one and the same, and generally are unable to "vote with their wallets" by going elsewhere (i.e. emigration); there's simply too much friction involved. While it is possible to leave a country to settle in a new one, this is usually a last resort, as the costs of staying where you are are largely less than relocating to another — never mind the question of legality.

    So in summary I'd say that the incentives just aren't well-aligned, economically speaking, for governments to be even as concerned about this as the financial sector (even though, overall, the latter doesn't seem particularly security-focused either). To be fair, governments often have a lot more to worry about than banks, but given that the security and privacy implications are potentially even greater I do hope that we see some real movement on this.

    Anyway, thanks for bringing this up! It's something I've always found fascinating — albeit a rather morbid curiosity. :)

  • larryhorton
    Community Member

    LOL I think 'morbid' pretty much sums up the outcome of any contemplation of government in general.

    Thanks, Brent, for your thorough and thoughtful response to my question. Much of what you said are things I'm aware of, but you put it all together in such a concise (and detached!) manner. And, of course, you filled in some gaps in my understanding.

    It's funny you mentioned emigration as a response to the dilemma. My wife and I are considering New Zealand—not out of reaction to the political challenges the U.S. is currently facing, but more from a desire for an atmosphere more attractive to us than anything we may experience here in our lifetimes. It remains to be seen how serious we are. The idea was instigated more by the possibility of job opportunities we aren't finding here.

    But, once again, it really comes up to a choice of running from our discomfort, or remaining detached as we choose to stay where the karma is and focusing, instead, on transcending it and leaving this plane altogether! If my choice alone was all that counted, the latter is my orientation, but my wife is more strongly motivated in terms of career.

    So that's our personal little soap opera. Thanks again for taking the time to paint a clear picture and bring some equanimity to my question, Brent. That the contrast between the quality and user simplicity of 1Password, with what I sometimes encounter in online business and government is so stark, is what makes me unwind occasionally. Well, it's one of the things....

    I've been a 1Password user since 2011, and I truly appreciate AgileBits' very conscious product and evolution. It's amazing to recognize how deeply I depend on 1Password, on a daily basis. It's a very big piece of my workflow. Thank you, and keep up the good work!

  • AGAlumB
    1Password Alumni

    > LOL I think 'morbid' pretty much sums up the outcome of any contemplation of government in general.

    @larryhorton: Ha! I'm glad we can have a bit of a laugh about this. Maybe that means there's still hope. :lol:

    > Thanks, Brent, for your thorough and thoughtful response to my question. Much of what you said are things I'm aware of, but you put it all together in such a concise (and detached!) manner. And, of course, you filled in some gaps in my understanding.

    Wow. Thank you! It's my pleasure. And that's very kind — especially the part where you said I was concise. :lol:

    > It's funny you mentioned emigration as a response to the dilemma. My wife and I are considering New Zealand—not out of reaction to the political challenges the U.S. is currently facing, but more from a desire for an atmosphere more attractive to us than anything we may experience here in our lifetimes. It remains to be seen how serious we are. The idea was instigated more by the possibility of job opportunities we aren't finding here.

    I was thinking of it more in terms of the economic comparison. For example, if my phone company gives me shabby service, I can leave them for another. Borders make that much trickier though. Perhaps we're just kindred spirits. While I've never yet been to New Zealand and would like to go someday, I've recently relocated elsewhere. I think "atmosphere" is a good word for it. :chuffed:

    > But, once again, it really comes up to a choice of running from our discomfort, or remaining detached as we choose to stay where the karma is and focusing, instead, on transcending it and leaving this plane altogether! If my choice alone was all that counted, the latter is my orientation, but my wife is more strongly motivated in terms of career.

    Well, I can see both sides of that. Setting our spirits free is important, but so too is keeping ourselves in food and shelter. :tongue:

    > So that's our personal little soap opera. Thanks again for taking the time to paint a clear picture and bring some equanimity to my question, Brent. That the contrast between the quality and user simplicity of 1Password, with what I sometimes encounter in online business and government is so stark, is what makes me unwind occasionally. Well, it's one of the things....

    You're welcome! I too came to 1Password because of the attention to detail, and it's high praise like that which sets a high bar which inspires us every day. :blush:

    > I've been a 1Password user since 2011, and I truly appreciate AgileBits' very conscious product and evolution. It's amazing to recognize how deeply I depend on 1Password, on a daily basis. It's a very big piece of my workflow. Thank you, and keep up the good work!

    Likewise, thank you for your support! Without it, we wouldn't be able to make a living doing what we love...and take part in this interesting discussion. :love:

  • prime
    Community Member

    I think it's because too many older people are involved with the government security. They think "back in my day, 5-8 characters was enough and we don't need any more"

    My car insurance's website I think was 16 only. It's a joke.

  • AGAlumB
    1Password Alumni

    @prime: Ha! I'm sure that's true in some cases. But from what I've seen personally, even once the old folks are gone, it is awfully hard for the younguns to turn that boat, no matter how passionate they are about security. While I think it's fair to say that a lot of institutions are moving far too slowly in this area, it really is just a matter of time. And once security becomes an institutional core value (it will have to, or they'll simply go away) it will be equally hard for them to abandon it easily. So, hope. :)

  • prime
    Community Member

    @brenty, I agree, companies are moving too slowly, or they make it harder in some cases. The big example that you guys made an open letter to the banks so people can use password managers to auto fill the username and password. It's like they mean well, but they have no clue whatsoever. It's sad that our email accounts are probably more secured than our government accounts and bank accounts.

  • AGAlumB
    1Password Alumni

    > It's sad that our email accounts are probably more secured than our government accounts and bank accounts.

    @prime: I think that just about sums it up. There are some good ones out there to be sure, but most of us sadly don't have a lot of choice when it comes to our bank or our government. :(

This discussion has been closed.