My wife has the good fortune of living with a security and risk pro who also happens to be a US Army intelligence officer, so she’s been previously scolded about lax security practices. I also point out how “hacking” scenes on TV and in movies are comical and inaccurate. Note: Said wife was not consulted about whether this was definitely annoying — but based on eye rolls, I assess with high confidence that this is true.
The good news is that she understands how one data breach could affect multiple online accounts, so she doesn’t reuse passwords. The bad news is that, like all of us, my wife was unable to remember every unique username and password combination. And with the average American consumer holding over 200 online accounts, a number that keeps growing, this is a problem that is not going away.
Her solution to this problem: “Simply” reset her password each time she needed to log on to an account. The approach is inefficient but pragmatic and certainly better than reusing passwords.
The trade-off is user experience: Every day, she requested multiple password resets. My wife is the smart one, graduating summa cum laude from a top-50 national university. I barely “got out” of Georgia Tech. She’s a better risk manager. I joined the Army in the middle of multiple wars and was deployed overseas. And yet she thought password managers were untrustworthy and too complicated.
Watching her constantly reset passwords drove me bonkers and made me feel that I could fix this and make it better using a commercial password manager product. This was, of course, well received.
First, I had her create an account, but she wasn’t ready. So she forgot the master password, meaning that her account was permanently locked when she received a new work laptop. Truthfully, getting locked out forever probably helped her gain trust in the technology. I had to figure out another way.
Have “strategic patience”: One of my features (or bugs, depending on your perspective) is tenacity. I wasn’t going to give up. I couldn’t give up on my wife’s security practices. But you cannot force any user — including a significant other — to make a big change to their user experience. It creates friction, conflict, and inevitable resentment. Users must come to the realization themselves and then make an appropriate choice.
I then began a campaign of extolling the benefits of password managers. “Wow. I have stored over 250 credentials. How do I have that many?” “Hey, I can securely share the Wi-Fi password with you.” “I used this funny XKCD cartoon about creating a long, memorable password in a presentation at work today.” My efforts paid off, and she was ready to try again. We created her new account and I let her write her new master password down on a sheet of paper that she initially locked in a file cabinet and did not tape to her screen (win!). The paper is now in our safe deposit box. Now all new website credentials are stored in the password manager. As she resets passwords for old accounts, they get added to the password manager. She is also using it on her smartphone, which is protected by a biometric-based device lock. She can log in quickly from any of her devices with the confidence that every username and password combination is unique.
That’s how a password manager could save your marriage. It also reinforced how hard it is for end users to change security habits — which is a great lesson for security leaders to remember.