Do apps encourage insecure passwords?
I use a password manager system for all my passwords. It generates new, secure, looks-like-the-cat-found-the-keyboard passwords for me when I sign up for various services, stores them, and lets me access them and auto-login by only having a single, secure master password myself. On Android, I have a plugin-capable browser that lets me use my password manager just like I do on a PC. On iOS though, and in other apps on all platforms, I have to manually copy and paste passwords from the password manager app into whatever I’m trying to log into. It’s annoying, time consuming, and frankly promotes insecure passwords.
Most apps work by having you log in when you first start the app after installation, and then you’re set “for life”. A few apps however have an extra layer of security – in the developers’ eyes – that requires you to enter the password every time you log in. Apps with payment services, for instance PayPal, often do this. The problem with doing this is that it forces users to use passwords they can remember on the go, which normally means either passwords that are inherently insecure (dictionary words, pet names, “password”) or passwords that are being used elsewhere too. I have no freaking clue what my password is for 95% of what I’m signed up for, because I have a password manager for that. For the remaining 5%, things like PayPal or online banking that I need to access on the go, I luckily have a good enough memory to be able to remember a handful of cat-on-keyboard passwords to stay secure. Most people though, in my experience, very quickly revert to insecure/repeated passwords.
Of course there is another type of insecurity in play when you have apps that do log you in automatically. Remote wipe, unlock codes, and the fact that I never lose anything (I don’t drink, don’t go to parties, which seems to eliminate pretty much all chance of accidentally “misplacing” stuff) means that I’m not worried about anyone accessing apps I have on my devices. Many people never bother with such precautions though, and while it normally results in more innocent things like “faceraping”, it can sometimes result in a stolen device with automatic login on a couple of dozen services.
For me personally, having apps that don’t allow you to automatically log in is a far bigger security risk than those that do, because it adds yet another password I actually need to remember (or be stuck copy/pasting when I need it). That’s not the way it should be. Luckily, it seems that this issue is reaching some companies. My bank just moved from requiring a generated code from one of those calculator-looking things to simply requiring a 4-digit PIN code for logging in with a mobile device. It’s a lower-level log-in, allowing you to transfer money between your own accounts and such, but prompting for the more secure code if you start transferring money to other people. In my opinion, this is a system that others should adopt. PayPal, for instance, could allow you to automatically log into a level of security that allows you to see transaction data and withdraw money to your own registered account or even between registered friends or something like that, but require a password to start sending money to others. This way, they avoid annoying people so much they change all their passwords to 1234 just to avoid having to remember 20 different secure ones.
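The tiered login the post describes, a PIN for low-risk actions and a step-up to the full password before money leaves the account, is essentially an authorization check that compares the session’s current assurance level against the level each operation demands. The sketch below is an added example, not code from the author, the bank or PayPal; the level names and operation names are assumptions chosen to match the post.

```python
from enum import IntEnum


class Level(IntEnum):
    """Assurance a session holds (hypothetical names).
    AUTO: app remembered the login; PIN: short code entered on this device;
    PASSWORD: the full password-manager-strength credential was entered."""
    AUTO = 0
    PIN = 1
    PASSWORD = 2


# Hypothetical operations mapped to the minimum assurance they need.
# Viewing data and moving money between the user's own accounts stay at PIN;
# sending money to third parties forces a step-up to the full password.
REQUIRED_LEVEL = {
    "view_transactions": Level.PIN,
    "transfer_own_accounts": Level.PIN,
    "withdraw_to_registered_account": Level.PIN,
    "send_to_third_party": Level.PASSWORD,
}


class StepUpRequired(Exception):
    """Raised when the user must re-authenticate before the operation runs."""
    def __init__(self, needed: Level):
        super().__init__(f"step-up to {needed.name} required")
        self.needed = needed


class Session:
    def __init__(self, level: Level = Level.AUTO):
        self.level = level

    def step_up(self, new_level: Level) -> None:
        # Assurance only ever increases: entering the weaker PIN later must
        # not downgrade a session that already proved the full password.
        if new_level > self.level:
            self.level = new_level


def authorize(session: Session, operation: str) -> bool:
    """Return True if allowed; raise StepUpRequired with the level still needed."""
    needed = REQUIRED_LEVEL.get(operation)
    if needed is None:
        raise ValueError(f"unknown operation: {operation}")  # deny by default
    if session.level < needed:
        raise StepUpRequired(needed)
    return True
```

The caller catches `StepUpRequired`, prompts for exactly the factor named in `needed`, calls `session.step_up()` on success, and retries the operation.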