
TD Canada Trust should feel bad about its bad security advice [U]

TD Canada Trust

A while ago, I needed to log into PayPal on my Android phone. I opened the app, entered my username and password and received a “Try Again” prompt. It was a password that I thought was pretty good, one that I had committed to memory, and one that, a few weeks earlier, I had begun phasing out. I opened 1Password, in which all my logins are stored, and copied the 22-digit password, but returning to PayPal I found that pasting it into the open field was impossible.

Rote password memorization is so much a part of our digital culture these days that it’s an often traumatic experience to change it — which is why so many people don’t. Millions of users every year are defrauded or hacked due to weak passwords that they couldn’t be bothered to change.

Yesterday, TD Canada Trust’s Twitter account responded to a user concerned about his inability to paste a string of text into the recently-updated app’s password field. The community manager’s response was not only myopic but, considering how important it is to secure one’s banking app, dangerous. The public response was rightly severe.

TD Twitter

Read the response from TD’s official Twitter account. Done? Let’s analyze it.

“For your security” – This person knows what’s best for my security. He or she is not suggesting — they’re telling us what’s good for us.

“Your password should be committed to memory” – No, it shouldn’t. The problem with human memory is that it is fallible and lazy. A good password shouldn’t need to be memorable, because it should be hard: hard for a computer to crack and impossible for a human to guess.

“Rather than use a password manager” – A password manager has been one of the best additions to my workflow since, well, ever.

Before 1Password I used LastPass, but both of them are based on the same idea. You have a single master password that unlocks the rest of your secure data. While that may seem inherently insecure — why would you rely on a single password as the gateway to myriad others? — these services don’t store your master password anywhere. If you forget it, you’re forever locked out of your database. The databases are also heavily encrypted, and can be synchronized across devices and platforms using Dropbox.

The main benefit of a password manager like 1Password is the ability to generate and store randomly-generated passwords, most of which are made up of indecipherable combinations of letters, numbers and symbols. It’s a lot more difficult, both for a human and a computer, to crack a 22-symbol password that looks like TD8iJJrBTNcthxeZPo2bXd than a 12-letter password made up of a couple words familiar to the owner.
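To make the two ideas in the preceding paragraphs concrete (the vault never stores the master password, and a randomly generated string beats a couple of familiar words), here is a small added example in Python. It is not code from the article, from 1Password or from LastPass; the 600,000-iteration PBKDF2 count, the 62-symbol alphabet and the assumed 10,000-word vocabulary for “familiar words” are illustrative choices, not any product’s settings.

```python
import hashlib
import math
import secrets
import string

# Alphabet matching the style of the article's example, TD8iJJrBTNcthxeZPo2bXd:
# upper- and lower-case letters plus digits (62 symbols). Assumed, not a product setting.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 22, alphabet: str = ALPHABET) -> str:
    """Generate a password the way a manager does: from a CSPRNG, not from memory."""
    # secrets.choice draws from os.urandom; random.choice would NOT be suitable here.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits_random(length: int, alphabet_size: int) -> float:
    """Search space of a uniformly random string, in bits: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def entropy_bits_wordlist(word_count: int, vocabulary_size: int) -> float:
    """Search space of a password built from familiar words, in bits.

    A 12-letter password made of two words is only as strong as the number of
    word pairs an attacker must try, not the number of 12-letter strings.
    """
    return word_count * math.log2(vocabulary_size)


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Turn the master password into the key that decrypts the vault.

    Only the salt (and the encrypted vault) is stored on disk. The master
    password itself is never written anywhere, which is exactly why a
    forgotten master password means a permanently locked vault: without it
    this function cannot be re-run to recover the key.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def new_vault_salt() -> bytes:
    """Fresh random salt for a new vault (constructed locally, stored alongside the vault)."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}")
    print(f"22 random symbols from 62: {entropy_bits_random(22, 62):.1f} bits")
    print(f"two words from a 10,000-word vocabulary: {entropy_bits_wordlist(2, 10_000):.1f} bits")

    salt = new_vault_salt()
    key = derive_vault_key("correct horse battery staple", salt)  # constructed master password
    print(f"vault key (hex): {key.hex()}  -- derived from the master password, never stored")
```

The numbers make the article’s point: 22 random symbols give roughly 131 bits of search space, while two familiar words drawn from even a generous vocabulary give under 30, and no amount of letter count changes that if the letters are predictable. The key-derivation step shows why “commit it to memory” applies to exactly one secret, the master password, and to nothing else.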

This benefit extends to mobile platforms like iOS and Android, on which both 1Password and LastPass are available. The ability to easily and quickly recall passwords has been enhanced by the integration of biometric access — on iOS specifically, Touch ID — that negates the need to type and retype a password to enter one’s vault. 1Password even integrates with some third-party apps directly, so users don’t have to jump back and forth between screens.

TD Canada Trust, and all companies that rely so heavily on guarding customer information with passwords, should be embracing managers like 1Password, Dashlane, LastPass and PasswordBox, welcoming the presence of biometric sensors like Apple’s Touch ID and Samsung’s Finger Sensor, and committing to making it easier and safer for customers to take advantage of their services, on mobile and the web.

It can start by making it possible to paste passwords into their mobile apps.

Update: TD has promised to change its ways. It responded to our tweet of this article, saying, “We recognize the importance of features like copy/paste for our mobile app and we are working to resolve this. Stay tuned.”


(Thanks Rene!)
