8

I work at a library where I teach computer literacy classes, especially for the elderly. Among other things, we have classes where people set up e-mail or other online accounts. For many of them, this is their first exposure to passwords. About once a month, I'll have a conversation like this:

Patron: Can you show me how to do e-mail again?

Me: Sure. First, go to the e-mail provider's website. Good. Now type in your e-mail address and password.

Patron: I don't remember my password. I didn't think I would have to remember it.

Me: Your password is important. It lets the e-mail provider know that you are who you say you are and not someone else. Fortunately, we can try to reset it. Click that link there. It's asking security questions that only you would know. Looks like it's asking what your favorite book is.

Patron: I have no idea.

Me: Well, let's have you put in a couple of guesses.

Patron: None of these are working. Can we call Google and ask them to help?

I've had several patrons locked out of their accounts permanently because of this. I've tried having them write down their passwords. Not good security practice, and quite often they lose it (or worse, can't read what they wrote). They've tried to get me to remember their passwords for them, but as a library worker, it would be inappropriate for me (and that has all the problems of asking family members to keep your passwords). Yet nothing seems to help with having them remember their password.

Regarding security questions, I've instructed them to choose security questions that won't change. So don't choose "what's your favorite food?" but instead choose "where did you meet your spouse?" A few months ago, I actually had someone forget that too! They couldn't remember if they put the city, the name of the restaurant, or whatnot, and they never figured it out.

I had one patron who independently decided to put their e-mail password on a post-it note on their computer. I felt like screaming inside because that's an egregious security issue, but at the same time I was overjoyed that they didn't forget it any more. I didn't know if I should say anything about it.

So for users who chronically forget their passwords and security answers, what can I do to help them remember, yet still follow good security practices?

Thunderforge
  • It would be interesting to see if there is a solution to this problem which does not involve a trade-off between security and usability – Shurmajee Sep 27 '16 at 04:09
  • 1
    it just made me think of this one : http://www.commitstrip.com/en/2016/03/07/whos-wrong/ – Biv Sep 28 '16 at 09:14

6 Answers

4

For an average user that is unlikely to be the subject of a targeted attack, then the main risks to consider are those posed by automated attacks and bulk leaks of account details and password hashes when various websites are inevitably compromised.

The key mitigations for these are

a) passwords of sufficient complexity (generally at least 8 characters, not a simple word and not based on publicly available information about you)

b) passwords are not reused on different sites.

For most people with many accounts the above two largely rule out memorisation of anything but passwords for one or two accounts, with the rest stored somewhere. An encrypted password manager is a good choice, but written down is equally effective for the above risks, provided they can store it somewhere where access is limited to people they reasonably trust.

For many home users, a simple notebook with all of their passwords written down and stored at home is simple to understand and effective at mitigating the main risks they face.

  • They don't need to be the subject of a targeted attack if someone has managed to spit out the database via a SQL injection attack. A moderately smart password cracker that knows typical rules on English word character combinations and dates could brute force anyone whose password is low-hanging fruit. – Courtney Schwartz Sep 29 '16 at 00:42
3

Short of using password managers, the most reasonable solution that balances security and usability involves plain old memorization.

Tell them to log in to those accounts a couple of times (or more) a day. After a few weeks, they will probably remember the password.

As an aside, this may help the elderly to reinforce their long- and short-term memory, which is very useful, not only for security purposes.

A. Darwin
2

Perhaps the majority of your customers don't actually need the level of security you are assuming for them. Security is about risk and impact so you need to set it at the right level.

Maybe get them to use something that they have on them such as their bank card - they could use the bank sort code for example. Or the street they live on or the bus number they take to get to the library, you get the picture. Whilst this would never normally be considered for a password strategy you need to find something that works rather than something that meets an arbitrary security level.

Alternatively, get/make some credit card sized cards and get them to write their passwords on there and slip them into their purses. They are much less likely to forget those.

For security questions, try to always use the same pattern. If locations for example, always get them to use City and get them all to use the same or maybe one of a couple of questions. Then you will find it easier to tease the information back from them.

Just don't assume that security "good practice" necessarily applies to this subset of people. After all, I imagine that you are trying to encourage them and help them to enjoy the use of computers. To improve security for them, you've first got to encourage them to use computers. After that you can work on strategies to help them understand the implications. Just steer them away from doing anything that requires high levels of security on email.

Julian Knight
1

If it is not already the case, let the user choose and write their own security question. Instead of automatically selecting one from a premade list and typing a nearly random answer, the user will first have to think about a question, which requires concentration. Concentration helps to remember things, and this will also activate writing memory while typing it.

Xavier59
  • 2
    Letting users write their own security question generally leads to worse results. http://security.stackexchange.com/questions/118830/best-practice-of-secret-question-answer/118832 – Jean Hominal Sep 27 '16 at 09:01
0

This is a great question, because it's such a common problem.

First, one of the best ways to help them is to have them write the sites and passwords down on a piece of paper with a pen or pencil, and carry the paper in their purse or wallet. This is actually quite secure for most people because a hacker cannot hack paper that is folded up inside their wallet. It would be nice to recommend they make an occasional copy of the paper to keep at home, just in case their wallet is lost or stolen, but in practice nobody will remember to do that.

Next, I recommend people think of a passphrase of four or more words, not just a single password. This helps people select longer passwords, which makes the job of cracking passwords exponentially more difficult. "mygrandbabyricardoiscute" is a much better password than "grandbaby" or "ricardo", and is just as easy to remember. It's not "correct horse battery staple" strong, but it's still effective enough.

Next, to keep from having so many passwords, have people divide up their IDs into not very important, important, and very important categories:

Not very important: Twitter, Facebook, blogging, chatting. It's usually OK to pick one shorter password that you can remember for all those sites. Never buy anything or use a credit card with a not very important password, and never give your real birthdate or other personal details to a not very important site. Instead, use something like 1/1/1940 (or the first day of the decade of their birth.) Of course if the site gets hacked or the password is lost, they have to remember to change it everywhere.

Important: Email, shopping, ordering, AppleID, SamsungPay, Amazon or any site that gets your credit card number. Pick a unique longer password for each of those sites and write it down on the paper you keep in your wallet.

Very important: Banking, retirement accounts, health accounts. Pick a long unique password for each of those sites, write those passwords down on a separate piece of paper, and never log on anywhere but at home. Keep the piece of paper at home, too.

When possible, use PayPal, Apple Pay, Google Wallet, Amazon, or other third party payment system instead of entering a credit card number directly on a shopping web site.

John Deters
-1

As shown in this xkcd comic, teach them this better way to come up with passwords that are much easier to remember.

[xkcd comic: better passwords]

  • yeah, because people with problems understanding secure behaviours will understand "bits of entropy" ... – schroeder Sep 28 '16 at 06:44
  • Ok, maybe not showing them directly. But teaching them the better way of coming up with passwords. Like described in the comic. – analog-nico Sep 28 '16 at 15:26
  • No. Modern crackers don't use random guesses. For starters, there's these things called "dictionary attacks" and this is a perfect example of a vulnerable password. – Courtney Schwartz Sep 29 '16 at 00:44
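The passphrase advice in John Deters' answer and the dictionary-attack objection in the comments above both come down to the size of the guess space. As an added example (not code from any poster), this Python script computes bits of entropy for the strategies the thread mentions, assuming the attacker already knows the word list; the word list, the 7776-word list size and the guess rate are constructed assumptions.

```python
import math
import secrets

# Constructed sample list; a real diceware-style list has about 7776 words.
# Only the list size matters for the entropy arithmetic below.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "grandbaby",
                "ricardo", "library", "patron", "notebook", "wallet"]


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a random passphrase when the attacker knows the word list.

    Knowing the list does not help beyond this: each word is one symbol
    drawn from `wordlist_size` possibilities, so the space is size ** count.
    """
    return guess_space_bits(wordlist_size, word_count)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed offline cracking rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def compare_strategies(wordlist_size: int = 7776, rate: float = 1e10) -> dict:
    """Map each strategy to (rounded bits, years to exhaust at `rate`)."""
    strategies = {
        "single dictionary word": passphrase_bits(1, wordlist_size),
        "8 chars, letters+digits": guess_space_bits(62, 8),
        "4 random words from list": passphrase_bits(4, wordlist_size),
        "6 random words from list": passphrase_bits(6, wordlist_size),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, rate))
            for name, bits in strategies.items()}


def random_passphrase(words: list, count: int = 4) -> str:
    """Pick words with the CSPRNG, not by letting the user choose favourites."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for name, (bits, years) in compare_strategies().items():
        print(f"{name:28s} {bits:5.1f} bits  ~{years:.3g} years at 1e10/s")
    print("example:", random_passphrase(SAMPLE_WORDS))
```

The numbers show why a word that is in the list on its own is weak while four or more words from the same list are not, even for an attacker who has the list.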