3. A security warning from Virgin Trains East Coast

The pitfalls of designing security messages for your lawyers rather than your users

Kris Purdy
echos of kris

--

I received an email from Virgin Trains East Coast this week and after reading it I felt slightly disgruntled. Not because it was particularly offensive, but because it was preaching password security methods that will not work for 90% of normal people (not an actual statistic). I've spent most of my working career communicating tech ideas to non-technical people, whether through usable experiences, clear marketing messages or simple technology explanations.

So when I see it done poorly it sticks out like a Burmese cat at Crufts. (If you have better analogies please add them to the comments below — be clean).

To give you an idea of why I was perturbed, here is what was written and my thought process as I was reading:

There's been a lot in the news recently about data security and here at Virgin Trains East Coast we're as concerned as you are that your data is safe and secure.

Oh good, I’m glad this company is as concerned as I am!

We've made some changes to tighten up on the password rules for our customers' online accounts and we'd like you to do your bit now by changing your password to make sure it fits our new criteria.

OK, this should be easy enough.

Make sure your new password:

- is at least 8 characters long

OK, we start off well; most people understand that a longer password is more secure. Eight characters is still quite weak, though: if the site's password database leaks and it was stored with a fast hash, a GPU cracking rig can try every 8-character mixed-case alphanumeric combination in hours to days. So there's more advice.

- has at least one upper case letter, one lower case letter and one number. Using symbols (such as ! $ or %) helps increase the strength of a password.

OK, I get the need for capitals and numbers, possibly. It increases the alphabet each character is drawn from to 62 (26 lower-case letters, 26 capitals, 10 digits), which is just under 6 bits of entropy per character (entropy being the difficulty of guessing the password, sorry for the technicality), but only if every character is genuinely picked at random. It also adds to the difficulty of remembering the password. Randall Munroe of XKCD made a great point (comic 936) that a passphrase of a few random common words is both more secure and easier to remember than one of those short random strings.

Also, as many psychologists would point out, our ability to create random strings is terrible, because we have a skewed belief of what random is (flip a coin 10 times and you will probably get a longer run of heads or tails than you expected). A password that follows a human pattern, such as a word with a capital first letter and a digit and a symbol tacked on the end, is much weaker than the 62-character alphabet suggests.
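To put numbers on the argument above (the entropy of the email's 8-character rule, the XKCD passphrase comparison, and how much weaker a human-chosen pattern is), here is a small calculator. It is an added example, not part of the original post or anything Virgin Trains published; the attacker guess rates, the 50,000-word dictionary and the "Word + digits + symbol" pattern are assumptions chosen for illustration.

```python
import math

# Character-class sizes for the policy in the email. Printable ASCII has 33 symbols
# if you count space; the exact figure does not change the conclusion.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Constructed attacker models, assumptions used only for illustration.
ONLINE_GUESSES_PER_SEC = 10.0      # a rate-limited login form
OFFLINE_FAST_HASH_PER_SEC = 1e10   # leaked MD5/SHA-1 hashes on a multi-GPU rig
OFFLINE_SLOW_HASH_PER_SEC = 1e4    # leaked bcrypt/scrypt/Argon2 hashes, high cost factor


def random_string_bits(length, alphabet_size):
    """Entropy (bits) of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words, wordlist_size):
    """Entropy (bits) of `words` words drawn uniformly from a list of `wordlist_size`
    (the XKCD 936 construction)."""
    return words * math.log2(wordlist_size)


def human_pattern_bits(dictionary_size=50_000, digit_choices=100, symbol_choices=SYMBOLS):
    """Entropy of what people actually produce under the email's rules: one dictionary
    word with its first letter capitalised, one or two digits, one symbol (e.g. 'Trains42!').
    Treating word, digits and symbol as uniform choices is an assumption that still
    flatters the user."""
    return math.log2(dictionary_size) + math.log2(digit_choices) + math.log2(symbol_choices)


def expected_crack_seconds(bits, guesses_per_sec):
    """Average time to hit a uniformly random secret: half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_sec


def human_time(seconds):
    """Render a duration in seconds as a coarse human-readable string."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare_policies():
    """Bits of entropy for the candidate password styles discussed in the post."""
    return {
        "8 random chars, letters+digits (email minimum)": random_string_bits(8, LOWER + UPPER + DIGITS),
        "8 random chars, with symbols": random_string_bits(8, LOWER + UPPER + DIGITS + SYMBOLS),
        "what people really type: Word + digits + symbol": human_pattern_bits(),
        "4 random words from a 2048-word list": passphrase_bits(4, 2048),
        "6 random words from a 7776-word diceware list": passphrase_bits(6, 7776),
    }


def report():
    """Print entropy and expected crack time under each attacker model."""
    for name, bits in compare_policies().items():
        print(f"{name}: {bits:.1f} bits")
        for model, rate in (("online, rate-limited", ONLINE_GUESSES_PER_SEC),
                            ("offline, fast hash", OFFLINE_FAST_HASH_PER_SEC),
                            ("offline, slow hash", OFFLINE_SLOW_HASH_PER_SEC)):
            print(f"    {model:<22} {human_time(expected_crack_seconds(bits, rate))}")


if __name__ == "__main__":
    report()
```

Running report() shows the shape of the argument: truly random 8-character mixed-case alphanumerics are about 47.6 bits and, at the assumed offline fast-hash rate, fall in about three hours; the pattern people actually produce under those rules is about 27 bits and falls in a fraction of a second offline (a properly rate-limited login form would hold it for months, but you cannot count on that); four random words from a 2,048-word list are 44 bits, slightly below the truly random 8 characters but far above the human pattern and much easier to remember; six diceware words are about 77 bits and out of reach of all three attacker models.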

- is different from any other passwords you use online

Are you taking the piss! I have 200 different accounts and every one of them needs to be different! Even most IT geeks I know will only have 5 passwords that they use in tiers of increasing importance:

  • Crap trial services
  • Retailers with standard one-off payments
  • Retailers who store credit card details
  • Banks
  • Email

Serious point: make your email password the most secure and unique of the lot, because a malicious user with access to your inbox can get into all your other services through the forgotten-password function.

I understand the need to use password managers, but even I hate the idea of paying £40 for what is basically a “secure” notepad. Trying to convince the average web user that they have to pay £40 for a password manager is beyond the realm of what I’m willing to consider in this scenario right now, so on to the next and final point.

- isn't obvious - don't use things like your name or date of birth, and don't change incrementally like Password 1, Password2...

Really? So people don't just have to use a different password, but each one has to be imaginative. Back to humans' inability to create randomness, and seriously, who has the time to do that.

(I actually spent 2 hours coming up with a recent password for one of the services I use).

There is no way I’m doing that (again) every time I use a new online service.

Arrgh!!! To finalise the whole sordid email, they end with this:

don't forget to keep your password fresh. Remember, passwords should be like underwear: changed often and never shared!

That’s just great, I’ll just quit my job and spend the rest of my life creating fresh innovative, random passwords for the hundreds of services I’m signed up to.

OK, Calm down…

These instructions seem like they are just to cover Virgin’s ass legally rather than as practical advice for their customers.

I can just imagine the line of lawyers in their pin-stripe suits and spats (I’m sure they’ll be dressed like 1930’s New York gangsters), telling the top brass: right we’ve covered ourselves if there are any breaches due to weak passwords, suckkaass!

There has to be a better way

Ohhhh, there is a better way. Why are we promoting inhuman password policies when there are solutions so simple that they seem obvious?

No need for advanced password schemes when simple two-step authentication makes things so much easier and removes the need for human-unfriendly passwords. A weaker password becomes acceptable when it is combined with another form of authentication, because guessing the password alone no longer gets the attacker in. The entropy (difficulty of guessing, again sorry for the technical talk) of what has to be guessed is much higher when we have multiple passwords, and the second one is a fresh random code each time, so a leaked password database is no help in cracking it.

Multiple passwords — in the words of Mr T.: I ain’t getting on no multiple password plane fool.

Ahh, but that's where you are in luck, Mr T. To make things even easier, everybody already carries an ID device around with them. A mobile phone can be used for the second authentication step. Online services can send an SMS, email or a notification through their app containing a 4–8 digit code. Two caveats a practitioner would add: SMS is the weakest of the three channels (phone numbers get ported and SIMs get swapped), and a 6-digit code is only a million possibilities, so the service must make the code expire quickly, accept it once, and discard it after a handful of wrong guesses. Even so, any of them is a big step up from a password on its own.

Even better, you don't have to do it on the log-in screen, just at the point of purchase (what security people call step-up authentication). Simply add the message: "We take your security very seriously. To confirm your identity before purchase please enter the 6 digit number we sent to your Email/SMS/mobile app."

Holy burnt toast Batman, that is so simple. Why are retailers not doing that!?

A good question, Robin, and one that becomes more relevant as computing power grows. Eight characters is probably already not enough to be secure against a concerted brute-force attack on a leaked password database: 62^8 is about 2×10^14 possibilities, roughly 48 bits, which a GPU rig can exhaust in hours to days if the site stored fast hashes. The login form itself can rate-limit guesses, but you can't rely on every site getting that right.
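For the point-of-purchase code described a few paragraphs up, the details the customer-facing message glosses over are what make it safe: the code must be random, expire quickly, be accepted only once, and be thrown away after a few wrong guesses, otherwise a six-digit code is just a million-way guess. The sketch below is an added example in Python, not code from the original post or from any retailer; delivery of the code by SMS, email or app push is left out, and the session identifier, the five-minute lifetime and the five-attempt budget are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # 6 digits -> 1,000,000 possibilities, fine only with the limits below
CODE_TTL_SECONDS = 300   # assumed lifetime: the code dies after five minutes, used or not
MAX_ATTEMPTS = 5         # assumed guess budget before the code is discarded


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


class StepUpVerifier:
    """Issues and checks one-time purchase-confirmation codes.

    Delivery (SMS, email, app push) is out of scope here. The server keeps only an
    HMAC of the code, its expiry and a guess counter, so a leaked table does not hand
    out live codes. `clock` and `rng` are injectable so the behaviour can be tested.
    """

    def __init__(self, server_key, clock=time.time, rng=secrets.randbelow):
        self._key = server_key
        self._clock = clock
        self._rng = rng
        self._pending = {}   # session_id -> PendingCode

    def _digest(self, session_id, code):
        msg = f"{session_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, session_id):
        """Create a fresh code for this checkout session and return it for out-of-band
        delivery. Re-issuing replaces any earlier code, so only one live code exists."""
        code = f"{self._rng(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session_id] = PendingCode(
            digest=self._digest(session_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, session_id, submitted):
        """True exactly once for the right code, inside its lifetime, within the budget."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[session_id]          # expired: user must request a new one
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[session_id]          # too many guesses: burn the code
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(session_id, str(submitted)))
        if ok:
            del self._pending[session_id]          # single use: replaying a sniffed code fails
        return ok


if __name__ == "__main__":
    v = StepUpVerifier(server_key=secrets.token_bytes(32))
    code = v.issue("checkout-1234")          # in production this goes to the user's phone
    print("sent code", code)
    print("wrong guess accepted?", v.verify("checkout-1234", "000000"))
    print("right code accepted?", v.verify("checkout-1234", code))
    print("replay accepted?", v.verify("checkout-1234", code))
```

The comparison uses hmac.compare_digest so a guess cannot be refined through timing, and the stored value is an HMAC under a server key rather than the code, so an attacker who reads the table still has to guess. The attempt counter is per code, not per user, so the right place to add a user-level or IP-level limit is in front of verify(), where the rest of the site's rate limiting lives.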

So in my next email from Virgin Trains East Coast, I’m expecting the advice:

- Ensure your pass-phrase is a minimum of 65 characters

I’ve already nailed my pass-phrase:

The ginger horse (23 months old) trotted merrily towards the lustrous green pasture?

Or maybe I’ll go with:

A winged lamp floats in a *angry* manner over my confused and irritated head!

Nah, it will never get to that.

Surely?!

Originally published at ofkris.com.

--

Digital consultant based in Amsterdam. I help people to grow their digital presence using ethical strategies and awesomeness.