An open letter on user account security to Condé Nast, AT&T, and...well, lots of companies

Account security isn't that hard so why do you guys make it over-complicated?

Dear Condé Nast and AT&T and ... well, it's a long list of misguided Web sites and services ...

I wrote at some length a couple of posts ago about how AT&T wasted my time and how a lot of that lamentable, annoying, and fruitless interaction was due to their account management systems which, I can only assume, were designed by sadists bent on the destruction of America. But let's be quite clear, AT&T is not alone in screwing up the user experience online.

I just got an email message from Condé Nast  encouraging me to install their Bon Appetit app on my iOS devices.

Before I eviscerate them let's be clear; I love the magazine. Bon Appetit is one of favorite vehicles for delivering food porn ... the recipes are excellent and the photographs are so good that they make me feel hungry even after dinner. So, when I got their plea I went and checked it out and, lo and behold, I had already installed the app. It's quite possible that I might have never got around to actually setting it up but whatever, it invited me to log in and the lure of gustatory entertainment was enough to motivate me ...

I checked Roboform -- my preferred app for storing logins -- and tried the password  I had saved on the Web with the app. No luck. I then tried logging in on the Web and I got in but was asked to change my password. OK, I guess I can do this though I wasn't sure why it was necessary and ... DAMNI! Now I couldn't login in with the new password!

OK, Mark, relax ... count to to te. I requested my password expecting that it would be a reset method but nope, and I got an email that showed me the actual password I had originally set with not a trace of the new one they had demanded that I create. Idiots! 

Alright, so I now logged in again and here's one of the things I don't understand: Why do they do a CAPTCHA  test for every login? Sure, I know that automated cracking software can try a gazillion passwords if allowed to but, guys, have you ever heard of rate limiting? Apparently not ... just put the burden of testing on the user and to hell with their convenience.

Your obsession with CAPTCHA simply means I can't use password management systems like Roboform to login and even my stupid bank (yes, I'm talking about you, Wells May-You-Rot-In-Hell Fargo) doesn't make logging in that hard. But you, Condé Nast, apparently think that protecting my accounts for Wired Magazine and Bon Appetit requires verification that Fort Knox would be proud to have.

OK, so now I know what my password is but does it work in the Bon Appetit iOS app? Of course not! 

Look Condé Nast, AT&T, and Commenity Bank and, and, and ... it's not that hard for the god's sake! When I set up an account, validate the account by whatever data points you need (though remember, the gummint says you shouldn't use my social security number but you all do and the gummint does bugger all about you blatantly doing what they say you shouldn't ... sigh), then allow me to set a practical password and you should rate limit my logins and lock my account after too many failed attempts. That's reasoable.

But hold hard! What is a practical password? Well,despite what you thin it's not a minimum of eight characters with at least one upper case letter and at least one digit and a symbol excluding some random set of characters your lazy, feckless programmers have concocted with some bullshit reason to exclude. Most of these schemes result in totally unmemorable passwords that aren't hard to crack ...

Allow me to digress and quote from an XKCD cartoon strip (the most brilliant geek cartoons ever, might I point out) that a password such as Tr0ub4dor&3 which many services require something like is not only a bitch to remember but has just 28 bits of entropy. This means that it will require just a measley 3 days at 1,000 guesses per second to crack. 

On the other hand a password such as correcthorsebatterystaple has 44 bits of entropy and will require 550 years at the same 1,000 guesses per second to crack and it's a damn sight easier to remember. Which scheme would a sophisticated, informed, and user-oriented comapny use?

But do any of these sites understand this? Nope. They use overly complex systems of verification images, multi-stage logins, CAPTCHAs, and weak, unmemorable password rules to make users' lives harder rather than easier while at the same time leaving their users less secure. 

So, AT&T, Condé Nast, Commenity Bank, and the rest of you, please, please, please get your acts together. Learn something about security and how to make it work in the real world of users because you have a choice; lead the industry or follow. And if you choose the latter your business will assuredly suffer ... and I will do everything I can to make sure that you do.

Login with your thoughts below or send a note to then follow me on, and Facebook.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10