We probably will stop one day, but that day isn't yet for many services. There are people who would be unable to use those services if they can't set the password to either the same or a variant of one they always use.
In the tech world we often forget that there is a wide disparity in people's ability to use tech. Take my father, there is no way he could use a password manager, or two factor, it's just never going to happen. He has a notebook of passwords, that's how he works and he won't change.
We cannot change everyone's behaviour, no matter how much it would be better for them. That's a very well-learnt lesson, over and over.
The world in 30 years time will be very different, the eldest generations will have grown up with passwords and the internet. Many will have been using password managers, 2 factor, other authentication systems and devices for much of their lives. It's going to be a slow, trickle down change, from "high tech" services down to everyday sites and systems.
I'd wager that >99% of all burglaries are looking for physical possessions which can be sold for a quick buck. Not looking for random notebooks of passwords. So locking it in a safe might not be optimal because it will be like putting a spotlight on it.
Something like 90% of burglaries are looking for car keys. That's why I keep my keys by the front door in eyesight of anyone who comes in. I have insurance, and don't want a thug wandering around my house.
I have the opposite approach when parking my car in San Francisco, I just leave the doors unlocked so they don't smash my window. I don't mind if they want to rummage around and find nothing but some old Taco Bell napkins.
This reminds me of a quote from James Mickens regarding computer security.
"Unfortunately, large swaths of the security community are fixated on avant garde horrors such as the fact that, during solar eclipses, pacemakers can be remotely controlled with a garage door opener and a Pringles can. It's definitely unfortunate that Pringles cans are the gateway to an obscure set of Sith-like powers that can be used against the 0.002% of the population that has both a pacemaker and bitter enemies in the electronics hobbyist community. However, if someone is motivated enough to kill you by focusing electromagnetic energy through a Pringles can, you probably did something to deserve that. I am not saying that I want you dead, but I am saying that you may have to die so that researchers who study per-photon HMACs for pacemaker transmitters can instead work on making it easier for people to generate good passwords."
My point being if someone's motivated enough to break into your house to steal your passwords in order to steal your life savings, that's probably an outside scenario, given most B&Es are junkies looking to score enough for their next high.
This is potentially a false equivalency. If storing passwords in a notebook is a common enough pattern, they become something a thief might start looking for. I don’t have the statistics, but would imagine that since “junkies” skew younger as a demographic, a good portion of them is computer literate (or knows someone who would be interested in buying accounts).
> If someone breaks into my house I’d rather they just got my TV and some belongings rather than my life savings
I think this is very unlikely. For one, the notebook does not contain all the information - say "Bank1 Password" - which bank is that? What's the username? What about 2FA?
Secondly, surely the whole point of a safe is that it's bolted down and hard to burgle / steal?
> Take my father, there is no way he could use a password manager...He has a notebook of passwords
Your father does use a password manager: a slow, very inconvenient one. If you could teach him to reach for ctrl-c/ctrl-v instead of a pencil, it would be easier for him.
It would be easier for you, who (I suspect) has, like most of us here on HN, a good understanding of what happens on a computer, how to control that, how to manage their software, how to be aware of what is on the foreground when and taking input when. How to recognise various applications and seeing the difference between materially different ones that try to look the same.
Your notebook will look markedly different from a website that tries to imitate your notebook. Your password manager will only look markedly different from a website imitating your password manager if you have a certain level of awareness and acuity of what happens on-screen and what it means. I think GP's father doesn't have that awareness, and never will, by choice. They choose to spend their energy elsewhere.
Younger generations had no choice and will have spent that energy already by the time they're 12 years old, and have these problems less.
I think you sell older people short on what they are and aren't aware of. I think it's more that they see computer technology as a necessary annoyance of the modern world and not anything helpful. They used to manage their bank balance on a ledger in the back of their checkbook, and that seems easier to them than having to sit down in front of the computer or use an app on a small screen that's constantly throwing popups in their face, either ads or little "helpful tips" about this month's new features.
I'm getting close to 60, but I've been programming and working with computers since I was in 6th grade. When I was in my 30s, paying my bills meant sitting down at the table once a month with my checkbook, stack of bills, and book of stamps. Open a bill, write a check, put a stamp on the envelope, repeat. It took maybe 15 minutes and was very easy. Compare that to opening a different website, with a different username and password and maybe TOTP code or SMS code, for each bill I need to pay. It's slower and more complicated.
There is no online payment method I've seen that seems easier to me than just writing a check. Of course I rarely write checks these days, so I use the apps and websites and feel annoyed every time I do.
Yeah and I do use autopay for some very predictable things like utilities. I'm not totally comfortable with giving someone access to draw from my checking account whatever amount they claim I owe, but realistically these days a paper check becomes an ACH payment so I figure there are non-zero chances for error that just cannot be easily avoided.
Well a check is authorization to withdraw a specific amount (which you can verify is reasonable) after a specific time (which you can verify the funds will be good).
I highly recommend setting up autopay via your bank's bill pay system. Fewer organizations having your account info is a good thing, and it's super convenient for bill tracking.
I am not at all claiming that all people above a certain age have difficulty with these things! Though it is usually people above, say, 40 who feel this way — and this is not a negative thing: it may well be just because they remember that a different way existed. I.e. most people with tech difficulties are older, but many older people have no tech difficulties.
Though you are also correct that dealing with "technology" today requires a certain level of pain tolerance. Good UX exists but is rare, and authentication is still a mess basically everywhere if you don't want to do OAuth and centralise it to the behemoths. "Poweruser apps" can be extremely empowering, but always have a steep learning curve, sometimes very steep; they can help make your day job much easier, but typically help nought with, say, filing your taxes or paying your bills.
The first was about having difficulty, the second about not liking it. Again, the (fuzzy, approximate) implication goes only one way: having difficulty breeds dislike, but dislike does not imply difficulty.
EDIT: you are correct I didn't word my original message correctly. Perhaps you have a point.
> I think it's more that they see computer technology as a necessary annoyance of the modern world and not anything helpful.
They are correct aren't they? None of the modern software is made to serve and help the user. It's made to serve advertisers and be promotion vehicles for product managers.
I am a computer guy. I am constantly and continuously irritated by all the crap in software. I see how my non-techie mom struggles, and it's several orders of magnitude worse for her.
> There is no online payment method I've seen that seems easier to me than just writing a check.
How I paid bills in Thailand:
1. Bill comes in the mail, with a QR code. Bill says I owe 413 ฿ for power.
2. I scan the QR code with my phone.
3. Message comes up from my bank saying, "You want to pay 413 ฿ for your power?"
4. I tap yes. Bill is paid.
Apart from autopay (mentioned by someone else) it doesn't get simpler than that.
> I think GP's father doesn't have that awareness, and never will, by choice.
This! I mention password managers, two factor or just try and get him to improve his passwords and his eyes glaze over and I can see him beginning to nod off. Probably somewhat my fault for always bringing them up after a meal when he's probably already halfway to napping...
I wasn't trying to imply an actual password manager is as easy as a sheet of paper. I just meant that a simple text document would work as well, with find and replace, and the ability to easily make a copy of it for backup.
My point wasn't that an actual password manager would be easier. My point was that a text document on the computer would be as easy/easier to keep track of than a piece of paper.
It might reasonably be argued that it's less secure, since it's pretty hard to hack an air-gapped sheet of paper. But it's not harder to use.
>> Take my father, there is no way he could use a password manager...He has a notebook of passwords
>Your father does use a password manager: a slow, very inconvenient one
Writing down certain passwords can be very convenient. No hacker on the internet is going to access the piece of paper on my desk.
I consider myself computer savvy and I still write down some passwords on paper instead of having them stored on an internet connected computer. (I believe burglars really don't care about passwords. And it is very easy to obscure the written passwords.)
It is when they are all a variant of each other. I can't imagine him successfully writing down a bunch of non-alphanumeric characters and not giving up.
Please pay attention to the use of pass-PHRASE. Pass-phrases are well understood at this point as far as what they are and how to generate them securely. A key point is that they’re much longer so have plenty of entropy to resist cracking attempts.
The article is discussing the merits of letting users generate their own passwords at all. So unless you can guarantee the website will generate nice pass phrases, you’ll have to account for weird characters too.
A password manager can generate nice passphrases. Really, generating a nice and secure passphrase is no different from a nice and secure password at this point. It's all about entropy and byte mapping.
Sadly you still have many sites that have stupid password rules like requiring numbers and "special characters" -- but no spaces, and no, periods don't count as special characters, and blah blah blah. Point being, the ideal of a simple phrase that's easy to remember gets thrown out the window when you have to deal with all the different rules.
I’m getting very confused about the comments here that are trivially refuted. So make a passphrase like: Correct6$Horse7&Battery and be done with it. That’s still easy to write down and remember while transcribing.
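The entropy arithmetic behind the comments above (a passphrase resists cracking because it is long, and legacy "digit plus special character, no spaces" rules can be satisfied the way Correct6$Horse7&Battery does without giving that up) as an added Python example. This is not code from the thread; the 32-word list and the rule set are constructed for an offline demo, and a real diceware list of 7776 words gives about 12.9 bits per word instead of the 5 bits here.

```python
import math
import secrets
import string

# Constructed demo word list (32 words, so exactly 5 bits per word).
# A real diceware list has 7776 words, about 12.9 bits per word.
WORDLIST = [
    "correct", "horse", "battery", "staple", "apple", "river", "cloud", "stone",
    "candle", "garden", "window", "pencil", "silver", "forest", "island", "summer",
    "winter", "bridge", "copper", "market", "planet", "rocket", "saddle", "ticket",
    "violin", "walnut", "yellow", "zebra", "anchor", "button", "desert", "engine",
]
DIGITS = string.digits
SYMBOLS = "!@#$%^&*"  # constructed set of "special characters" a site might accept


def entropy_bits(pool_size, length):
    """Entropy of a secret built from `length` independent, uniform picks from a pool."""
    return length * math.log2(pool_size)


def generate_passphrase(n_words, wordlist=WORDLIST, sep=" "):
    """Diceware-style passphrase: each word is an independent uniform pick (secrets, not random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Character password from a 94-symbol alphabet, for comparison with the passphrase."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_legacy_rules(secret):
    """The kind of rules the thread complains about: a digit, a 'special' character, no spaces."""
    has_digit = any(c in DIGITS for c in secret)
    has_special = any(c in SYMBOLS for c in secret)
    return has_digit and has_special and " " not in secret


def adapt_to_legacy_rules(passphrase):
    """Join capitalised words with a random digit and symbol, Correct6$Horse7&Battery style.

    The digit and symbol are chosen with secrets too, so each gap adds
    log2(10) + log2(len(SYMBOLS)) bits instead of being fixed padding.
    Capitalisation is deterministic and contributes no entropy.
    """
    words = [w.capitalize() for w in passphrase.split(" ")]
    out = words[0]
    for w in words[1:]:
        out += secrets.choice(DIGITS) + secrets.choice(SYMBOLS) + w
    return out


def passphrase_entropy_bits(n_words, wordlist=WORDLIST):
    return entropy_bits(len(wordlist), n_words)


def adapted_entropy_bits(n_words, wordlist=WORDLIST):
    """Entropy of adapt_to_legacy_rules(generate_passphrase(n_words))."""
    gaps = n_words - 1
    return passphrase_entropy_bits(n_words, wordlist) + gaps * (
        math.log2(len(DIGITS)) + math.log2(len(SYMBOLS))
    )


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase, "->", round(passphrase_entropy_bits(6), 1), "bits (demo list)")
    print("6 words from a 7776-word list:", round(entropy_bits(7776, 6), 1), "bits")
    print("8-char 94-symbol password:", generate_password(8), round(entropy_bits(94, 8), 1), "bits")
    adapted = adapt_to_legacy_rules(generate_passphrase(3))
    print(adapted, "meets legacy rules:", meets_legacy_rules(adapted),
          round(adapted_entropy_bits(3), 1), "bits")
```

The comparison the numbers make is the one the thread is about: six real diceware words (about 77.5 bits) beat an eight-character password drawn from all 94 printable ASCII characters (about 52.4 bits) even though the passphrase is easier to copy from a notebook, and the random digit/symbol joiners keep a rule-compliant variant at least as strong as the plain phrase.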
Nobody’s arguing that passwords/phrases should only be remembered and never written down or stored in a password manager. That ship sailed a long time ago.
> Take my father, there is no way he could use a password manager, or two factor, it's just never going to happen.
Have you tried the “passkey” integration on Apple devices? If so, do you think your father would be able to use that?
To me, it seems such a simple UX that I can’t imagine even the most technically illiterate being unable to use it. In the Apple ecosystem, there is literally no configuration for the “password manager” it’s just integrated into the Apple Account. You’d go from a notebook of passwords to just one (the main Apple ID password, for recovery etc).
Obviously “passkey” is not available in most sites yet, but I imagine that once it is, the switch might be pretty painless for the non-tech savvy. Assuming the other device manufacturers can provide similar seamless integration.
Gonna be eagerly waiting for the time when we can finally change our behavior at will, be it neural implants or nanomachines or whatever other method of direct intervention to the brain.
I find there are generally two reasons people use analogies. The first is to make a concept easier to understand. The second is to subtly change what is being argued in order to make their position seem stronger. I did the second for years without realizing what I was doing, and still fall into the trap.
Or the third, to illustrate the argument in another context.
I usually avoid analogies on HN as you are often called out on the technicalities of them. And you are right that can often damage an argument.
However, I have argued that changing people's behaviour, even when their current behaviour is bad for them, is often impossible despite all evidence, from the beginning.
> Or the third, to illustrate the argument in another context.
This is still case 1.
I actually agree with you that some people with bad security habits will never change their behavior, but do you really feel that someone using passwords in a notebook because that's what they're comfortable with is in the same class of behavior as someone addicted to nicotine?
Feel free to have the last word here. 1 on 1 HN threads more than 3 deep rarely result in productive conversation. Cheers
I find there are generally two reasons people pick apart argument structure rather than deal with an argument's content. The first is to point out fallacies or rhetorical devices which are invalid or illogical. The second is because they realize their position is too weak to confront it directly.
You don't seem to be 'simply' doing anything. Everything you have posted besides the first comment about phishing is some kind of dodge which uses obvious manipulation tactics, for instance saying 'I do that myself sometimes', which is a cop method for encouraging confessions, or 'you can have the last word' works to actually let you have the last word. Stop doing that.
You're ascribing a ton of ill will here, and I hope you'll give me a little more grace, but on the other hand maybe there is some truth to your words. I'll see if I can communicate more clearly and authentically in the future. Thanks for the opportunity to introspect.
* to respond to something you don't agree with, in this case a metaphor, perhaps just write "I don't agree with that metaphor" or "let's stick to realistic examples"
* try not to dissect motives unless necessary. The person you responded to made a good point that people will do things against their interests out of habit or convenience -- why does use of a completely legitimate tactic need to be singled out?
* technical people who work with non-technical people (or even who deal with non-technical families and friends and children) are highly accustomed to describing things in simple metaphors
I realize that I have been uncordial and somewhat aggressive with you in this instance, but it made me particularly irked to see someone profess such an amount of self-awareness while showing a profound lack of it.
Either you are (a) just not in your groove mentally at that moment, (b) not as centered as you like to think you are, or (c) playing some kind of game, either consciously or unconsciously. Either way I figured my approach would get a response and hopefully a correction.
I look forward to our next encounter and genuinely hope it starts off on a better footing because you seem like an interesting person.
Good sir, if we're going for fantasy/conspirological themes, we have to go deeper than this distasteful banality.
People and technology and aristocracy are for the memes. It's just one huge anthill where the ideas evolve, living on biological (and then technological) foundations.
Power hubs (be it aristocracy or any other form of government) are just a convenient mechanism for spreading ideas - politicians and millionaires are just superspreaders (in their respective ages, but they're losing it to the technological platforms - and of course there's a struggle). So is technology. So are people. It's all an evolutionary process - just notice how designed systems rarely win, nearly always giving to chaotic blind evolution - whatever catches more brainspace truly matters, not what works best. If the memetic winds will blow in a certain direction, LLMs may make us obsolete, but not in the way we think they would.
This comment is sponsored by "You think the moon is real?" meme. Sorry (not sorry).
Nobody gets to decide what's more or less sensitive. Younger generations can argue being rendered homeless due to mass housing affordability issues is also insensitive.
It is incredibly useful to powerful people to keep at this generational war narrative, as it keeps people who might otherwise work together from doing so with an aim of crushing the power of the wealthy.
The fact is, anti-human attitudes to both housing and technology are harmful everywhere. Nobody has to "win" at the other side's expense here.
Some games are zero sum and some aren't. Everyone is more secure if a large bank replaces 2FA over unencrypted SMS, even though some may be inconvenienced.
Leveling down on everyone's security in exchange for usability for a segment of the population is not a realistic long-term strategy.
Ah, that’s fair. My comment is phrased as though I’m presenting a fact. Perhaps “the things which are seen as insensitive” is better phrasing.
I can agree that people are often over-sensitive but I wouldn’t expect that calling a person deadweight is likely to garner their thoughtful attention, precisely because it is disrespectful. Indeed, it would be foolish of me to expect them to start (or continue) listening to my words.
Maybe you have better luck in New York but I bet you could find people (read: strangers whom you’ve never met or spoken to) there who are personally offended when you call them deadweight. If you’re walking somewhere and you see someone whom you think is homeless, do you let them know they’re deadweight to society? Do you think one is being over-sensitive if they become offended after they are simply called “stupid”? It might be worth explaining an opinion more instead of using such terminating cliches.
Maybe because the one commenter used the phrase “insensitive opinion” there is a misunderstanding. I’m not trying to suggest that the opinion is insensitive, only the way it’s expressed. This opinion can be presented in a friendlier way, despite the topic. (It may also be worth pointing to four words in my initial comment: “regardless of the veracity”.) One can be tolerant of opinions while being intolerant of name-calling in a way that is compatible with not being the “tyrannical minority”.
I let people set their own password. This is like a canary letter for them to know if anyone accessed their data. If sysadmins need access they take it and go through a new password routine with the user.
I also have no password requirements (other than non-blank)
I do this because I see it as user centric. I have never had a problem.
One environment requires no privacy expectation. In that environment we use simple nouns all in the same category.
All the environments are full SSO they only need to login.