Passwords and the Knowing-Doing Gap

(Photo: Not so secure)

We know that we need secure passwords. They should be long, funny-looking and impossible to pronounce. We should use different ones at every website or system we use.

We know that we like our private information to remain private. We feel pretty strongly about keeping control of our identities, money, and information. We know this is critically important; just the thought of losing control of any of it invokes an array of passionate emotions.

Yet, many of us continue to use weak passwords, and we use the same passwords for multiple systems, even though we know that this is perhaps the single most important thing we can do to protect ourselves.

Why is that? And how can we do better? Here’s my take.

Convenience trumps security

I’ve used simple passwords and the same password for multiple services. It’s the path of least resistance, and in too many cases (for me) convenience trumps security. And I’m not alone (in fact, just like I feel like a fantastic parent after watching an episode of Nanny 911, I felt much better about my security habits after seeing the following).

Gawker 2010

The big password story of 2010 was the security breach at Gawker Media. Over one million user IDs and passwords were compromised and leaked to the Internet. Gawker Media operates a number of sites, interestingly geared toward a pretty tech-savvy audience (the kind that “should know better” about password security). An analysis of this data reveals the most popular password to be…

“123456”

Followed by equally simple runners up like “password” and “12345678.”

Hotmail 2009

Microsoft’s free email service taps into a more general audience. They also suffered a breach, in 2009. An analysis of the 10,000 passwords leaked in that incident reveals the most popular password to be…

“123456”

Yep. The same as on Gawker, with a runner up list of similar simplicity.
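The Gawker and Hotmail findings above both come from the same kind of analysis: count how often each password appears in a leaked set and look at the top of the list. Here is an added example of that analysis in Python (not code from the original post, and not from either breach). The records are a small constructed sample, not real breach data; it also checks the two habits the post opens with, weak passwords and the same password reused across sites, and reports what share of accounts the handful of most common passwords would unlock.

```python
from collections import Counter

# Constructed sample of leaked (site, user, password) records.
# This is illustrative data, not from any real breach.
LEAKED_RECORDS = [
    ("siteA", "alice", "123456"),
    ("siteA", "bob", "password"),
    ("siteA", "carol", "123456"),
    ("siteA", "dave", "Tr0ub4dor&3"),
    ("siteB", "alice", "123456"),                     # alice reuses across sites
    ("siteB", "erin", "12345678"),
    ("siteB", "bob", "letmein"),
    ("siteB", "frank", "correct horse battery staple"),
    ("siteC", "alice", "123456"),
    ("siteC", "dave", "Tr0ub4dor&3"),                 # dave reuses too
]

# A tiny stand-in for a "most common passwords" blocklist (constructed).
COMMON_PASSWORDS = {"123456", "password", "12345678", "letmein"}
MIN_LENGTH = 12


def top_passwords(records, n=3):
    """The n most frequent passwords with their counts, most common first."""
    counts = Counter(pw for _, _, pw in records)
    return counts.most_common(n)


def share_of_top(records, n=3):
    """Fraction of all accounts that the n most common passwords would open."""
    counts = Counter(pw for _, _, pw in records)
    covered = sum(count for _, count in counts.most_common(n))
    return covered / len(records)


def weakness_reasons(password):
    """Why a password is weak, as a list of reasons (empty list means none found)."""
    reasons = []
    if password in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if password.isdigit():
        reasons.append("digits only")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def weak_accounts(records):
    """(site, user) pairs whose password has at least one weakness reason."""
    return [(site, user) for site, user, pw in records if weakness_reasons(pw)]


def reused_across_sites(records):
    """Users who use the same password at more than one site, sorted."""
    sites_by_user_pw = {}
    for site, user, pw in records:
        sites_by_user_pw.setdefault((user, pw), set()).add(site)
    return sorted({user for (user, _), sites in sites_by_user_pw.items() if len(sites) > 1})


if __name__ == "__main__":
    print("top passwords:", top_passwords(LEAKED_RECORDS))
    print("share opened by top 2:", share_of_top(LEAKED_RECORDS, 2))
    print("weak accounts:", weak_accounts(LEAKED_RECORDS))
    print("reused across sites:", reused_across_sites(LEAKED_RECORDS))
```

On real leaked data the interesting number is not just the winner but `share_of_top`: if the top ten passwords open a noticeable slice of all accounts, a blocklist of those few strings is a cheap, high-value control to add at signup and password-change time.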

Solving the problem

There are a couple of keys to improving one’s security posture, and probably an even larger set of benefits if these approaches were applied to other areas (they’re very transferable).

Just Do It

Nike’s ad campaign hit on the secret long ago. Doing something requires doing something. This sentiment is a cornerstone of closing that knowing-doing gap in a book written by two Stanford professors (the book is called The Knowing-Doing Gap: How Smart Companies Turn Knowledge into Action).

This Fast Company article, “Why Can’t We Get Anything Done,” reviews the book and gives a pretty useful synopsis. For a more personal spin on the lessons in the book, check out this article by famed life coach Martha Beck, “The Knowing-Doing Gap, How to Stop Procrastinating.”

Last summer I decided to finally start doing something about my own security levels. Here’s the solution I came up with: How I Solved My Password Management Problem. I did something. And felt a good sense of accomplishment, and more secure. Now I’m working on a better solution. Better because it’s easier. And that’s key.

Shape The Path

The path of least resistance wins so often with good reason – it’s easy! This, I think, is why we do what we do with passwords, even when we know better.

So, how can you shape the path to security to be easier? How can we take away that excuse?

In their book Switch, Chip and Dan Heath show that shaping the path by making (sometimes surprisingly small) changes in your environment can yield huge benefits to changing behavior. This is where my new password management solution, Lastpass.com, shines.

It’s taking some effort to get set up, but in the end I should be able to have unique and secure passwords for all my accounts, be able to easily change them regularly, and find them when I need them, just like how I’m able to work with Keepass. But, Lastpass goes one step further – I can also have the convenience of the “remember me” tricks of today’s web browsers. All synchronized across all my computers and mobile device, and all done securely and automatically.
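What a password manager does for you behind the “remember me” convenience is generate a long random password per account and keep them unique as you rotate them. The following is an added Python example of that core (not code from the original post, and not how LastPass or KeePass are implemented); the `PasswordVault` class is a hypothetical in-memory stand-in with no encryption, there only to show the per-site generation, rotation and uniqueness checks.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
DEFAULT_LENGTH = 20


def generate_password(length=DEFAULT_LENGTH, alphabet=ALPHABET):
    """Random password drawn from a CSPRNG (secrets), one symbol per position."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length=DEFAULT_LENGTH, alphabet=ALPHABET):
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


class PasswordVault:
    """Hypothetical in-memory stand-in for a manager's store (no encryption)."""

    def __init__(self):
        self._store = {}

    def create(self, site, length=DEFAULT_LENGTH):
        """Generate and remember a fresh password for a site."""
        password = generate_password(length)
        self._store[site] = password
        return password

    def rotate(self, site, length=DEFAULT_LENGTH):
        """Replace a site's password; returns (old, new)."""
        old = self._store[site]
        new = self.create(site, length)
        return old, new

    def get(self, site):
        return self._store[site]

    def sites(self):
        return sorted(self._store)

    def all_unique(self):
        """True when no two sites share a password."""
        return len(set(self._store.values())) == len(self._store)


if __name__ == "__main__":
    vault = PasswordVault()
    for site in ("bank.example", "mail.example", "forum.example"):
        vault.create(site)
    print("unique across sites:", vault.all_unique())
    print(f"entropy per password: {entropy_bits():.1f} bits")
    old, new = vault.rotate("mail.example")
    print("rotated:", old != new)
```

Twenty characters from a 94-symbol alphabet gives roughly 131 bits of guessing entropy, far beyond anything a person can memorise, which is exactly why the manager, and not your memory, should be the thing that knows these passwords.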

Just do it, but make it easy on yourself too

We need to do stuff in order for things to get done, so simply setting things in motion is the critical first step. Building on the momentum is next, part of which is shaping the path – removing obstacles, adding convenience. Maybe this is the one-two punch to finally make change happen for improved password management, and more.

Photo credit: mrkathika