
An Open Letter to Costco: Please Fix Your Password Handling

June 9th, 2020

(Editor’s note: This originally happened in early March, just before the ongoing COVID-19 pandemic lockdown began in earnest.)

To whom it may concern at Costco: The process for connecting one’s membership card to their online Costco.com account through your official mobile app is nothing short of an overwhelmingly under-engineered mess: a combination of unintuitive workflow, security practices which serve only to epitomize mediocrity, and business logic decisions that, frankly, are so obviously wrong that they should probably be outlawed.

Okay maybe I’m exaggerating and getting a little ahead of myself here. Let’s begin this once more without the vitriol:

Dear Costco,

We need to talk.

I’ve been a long-time member and nearly-weekly customer of your local warehouse for many years; and I recently made the mistake of losing my membership card. It should have been in my wallet, but it was not. The specifics of my idiocy are not relevant here: suffice it to say, I no longer had my physical card. I was unaware of this until last weekend when I arrived at my local Costco warehouse for my weekly grocery run and found that slot in my wallet to be bare.

“That’s no problem,” I thought. “I have all my membership details stored in my 1Password and can easily just get a replacement card at the membership counter. No big deal.”

This is where an attentive audience might have heard the record scratch, and a narrator say: “It was a very big deal.”

Upon reaching the customer service desk, the representative was very polite and asked me to provide my photo ID so that she could give me a replacement. Unfortunately for me, my license expired last month, and even though I successfully renewed it, its slot in my wallet was filled only by a temporary paper license from the DMV until, earlier today, I received the new permanent one in the mail. Without that photo identification, I could get only a temporary paper card that would allow me access to the warehouse, but then I would only be allowed to pay in cash.

…Cash? …In 2020? Are you actually serious?

To be fair, I do carry a small amount of cash on me for emergencies; but as this is my usual weekly bulk grocery run, I can assure you that this small cash cache would have been woefully insufficient for what I was going to buy. And I am not going to the ATM just for groceries. (Again, it’s 2020 after all.)

With a spark of insight, I realized, “That’s no problem. I can just add my card to their official mobile app and use the card that way.” Once again, the record scratch and narrator here are all but audible.

Adding the card to the official app seemed to be fairly easy: Once I had input my membership number and some identifying information — ZIP code and name and such — I was shown a notice that told me something along the lines of: “You need to visit a Costco warehouse to complete the verification in-person.” (I apologise here; I forget the exact text. Had I known at the time what I know now about this process, I would have been more diligent about taking screenshots and whatnot.) This seems reasonable: You want to ensure that the person adding that account is actually a member on that specific account. I understand.

I walked back to the customer service desk and requested the noted verification. The representative there took down my email address and said to follow the instructions in the email to confirm my account. Again, something that seemed, at the time, quite reasonable.

A couple of minutes later, I checked my email and instantly realized that this was to be the last reasonable part of my afternoon: The email I received had a link to complete my account setup and the following information text:

If you have an existing Costco.com account, you will need to create a new password. This will verify your membership number and link it to your Costco.com account.

This is utterly ridiculous. I asked the representative why I needed to change my password to confirm my email address, and although she was very polite about it, she simply told me she wasn’t sure, but recommended changing the password by simply changing the last character of my current password to something else, like an @ symbol or some such.

First of all, this requirement to change one’s password is a severe flaw in your design. I should not need to change my account password just to verify my email address. There are many good, obviously correct solutions to this problem; and any software engineer with basic experience in this area would suggest one of them here. For example, one possible user-friendly way to do this would be to have the user log in (if not already) and then input some secret single-use passcode that is sent to their email (like a one-time password or random alphanumeric token that they could copy/paste or some such). This could be made even easier by having the email contain a login link with that code as a query parameter: it would require only one click from the user!

Please note that this is the way almost every major website that handles accounts does email verification: no password change required. Why? Because forcing users to go through yet another hurdle in your software means you will have fewer users. The math is quite simple: the easier your software is to use, the more people will use it.

Secondly, the entire purpose of me going in-person to this customer service representative was (presumably) so that she could enter my email address and membership number into their computer so that their automated system could send me the email for the password reset. This is yet another piece of your workflow that is incomprehensibly flawed: I should not need to verify my email address in-person. I know this is the case because once she had the email sent, I was able to do everything else through my phone with zero other human interaction.

I’m already logged in to my Costco account, and that is keyed by my email address. Just like in the method I described above, Costco should be able to easily verify my email address by sending me some unique code or token that I can enter in a form or via some special URL.
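The verification flow the letter proposes (a logged-in user receives a single-use token by email, as a code to type or as a query parameter in a one-click link, and no password change is involved), written out as an added server-side example. This is not Costco’s code; the 15-minute lifetime and the in-memory store are assumptions for illustration.

```python
# Added example (not Costco's code): single-use, time-limited email-verification
# tokens bound to the logged-in account. Only a hash of each token is stored,
# so a leaked table does not yield usable tokens.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a token is valid for 15 minutes


class EmailVerifier:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id: str) -> str:
        """Create a fresh token for account_id; the caller emails it."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._pending[self._hash(token)] = (account_id, expires_at)
        return token

    def verify(self, account_id: str, token: str) -> bool:
        """Consume the token. True only if it is unused, unexpired and was
        issued to the account that is currently logged in."""
        entry = self._pending.pop(self._hash(token), None)  # single use
        if entry is None:
            return False
        issued_to, expires_at = entry
        return issued_to == account_id and self._now() <= expires_at


def verification_link(base_url: str, token: str) -> str:
    """One-click variant: the token rides along as a query parameter."""
    return f"{base_url}/verify-email?token={token}"
```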

Costco, you should not need to have me verify my email offline. It’s yet another hurdle in your software that I have to jump over, just to use what should be one of its most basic features.

Thirdly, forcing password changes like this serves only to promote insecurity. Not only does this make users more prone to using weak passwords to begin with, but it also encourages them to change passwords in a way that is very predictable — and hence, insecure. See Lorrie Cranor’s FTC blog post for a lot more details and linked studies. Her particular post deals more with password expiration policies than with single-instance forced password resets, but the crux is the same: Forcing a password reset when there is no good reason to do so inherently promotes insecure passwords.

With a heavy sigh, I figured I had no choice, so I created a new password entry in my 1Password and set about changing the password to confirm the account. Lo and behold, I could not use 1Password’s auto-fill functionality to put in the generated random password. This is a bit frustrating, to be sure, but not every text input in Android supports this yet. And frustrating as it may be, the clipboard is always an option. So that lack of auto-fill was almost never a showstopper… until now.

Not only could I not auto-fill the password, but Costco’s official mobile app and their website both prohibit copy/paste functionality in the “New Password” fields. For someone who tries to be reasonably secure online, this is a usability nightmare. By denying the ability to use both paste and auto-fill functionality, Costco, you are adding yet another hurdle to your software, this time in the form of a terrible dilemma: do your users trade away security for ease of use? Of course they should not have to. Being both easy to use and secure is the raison d’être of credential-management tools like 1Password. NIST itself specifically recommends allowing pasting from password managers:

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

“Digital Identity Guidelines: Authentication and Lifecycle Management” (NIST Special Publication 800-63B) by Paul A. Grassi, et al. DOI: 10.6028/NIST.SP.800-63b

Okay, okay, so it’s not all bad, right? Just change my password and continue on? It’s only a one-time thing, after all. If only it were that simple. After creating a new random password and spending a solid three minutes meticulously typing it in twice to double-check it, I clicked “Update” to save the new password…only to see an error page appear and be prompted for a new password once more:

Password must include the following:
• Use between 8 and 20 characters
• Include at least one letter
• Does not contain blank spaces or the following special characters: < > " \ . ,

This is yet one more hurdle your users have to jump over just to get basic functionality out of your software: in order to get through this quickly, most users will simply choose easily remembered (and therefore, easily guessed) passwords that meet the bare minimum of these guidelines. Moreover, by restricting the length and character possibilities of the password, you are limiting its complexity. Once again, the math is nearly self-evident: the greater the entropy — that is, overall complexity — of the password, the greater the difficulty in guessing it through brute-force, dictionary attacks, or other means.

Thankfully 1Password has a “memorable password” option, so instead of a random character string which would be difficult to input from memory, I could create a password that’s a sequence of words and numbers (e.g., “Correct1Horse2Battery3Staple4”) which made it slightly less irritating to remember and type in, but my fourth point remains: Password restrictions promote insecure passwords. In fact, Jeff Atwood of Coding Horror summed it up quite nicely in four words: Password Rules Are Bullshit.
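To make the last two points concrete, here is an added example (not Costco’s code) that encodes the three rules from the error page above beside a policy in the spirit of NIST SP 800-63B, and runs both over the memorable password from this paragraph. The breached-password set is a constructed stand-in; a real deployment would consult an actual corpus of leaked credentials.

```python
# Added example (not Costco's code): each policy returns the list of reasons a
# candidate password is rejected; an empty list means it is accepted.
import unicodedata

COSTCO_FORBIDDEN = set('<>"\\.,')  # the characters listed on the error page


def costco_policy(pw: str) -> list:
    """The three rules quoted from Costco's error page."""
    reasons = []
    if not 8 <= len(pw) <= 20:
        reasons.append("length must be 8-20 characters")
    if not any(c.isalpha() for c in pw):
        reasons.append("must include at least one letter")
    if any(c.isspace() or c in COSTCO_FORBIDDEN for c in pw):
        reasons.append('no spaces or any of < > " \\ . ,')
    return reasons


# Constructed stand-in for a breached-password corpus (not real data).
BREACHED = {"password1", "costco123", "qwerty123"}


def nist_style_policy(pw: str) -> list:
    """SP 800-63B style: at least 8 characters, allow at least 64, accept all
    printing characters including spaces and Unicode, no composition rules,
    and reject values known to be compromised."""
    reasons = []
    pw = unicodedata.normalize("NFKC", pw)  # 800-63B recommends normalising
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > 64:
        reasons.append("longer than 64 characters")  # a generous cap, not 20
    if any(unicodedata.category(c) == "Cc" for c in pw):
        reasons.append("control characters are not printable")
    if pw.lower() in BREACHED:
        reasons.append("appears in a breached-password list")
    return reasons


def compare(pw: str) -> dict:
    """Side-by-side verdicts for one candidate password."""
    return {"costco": costco_policy(pw), "nist": nist_style_policy(pw)}
```

Run over the paragraph’s own example, the 29-character “Correct1Horse2Battery3Staple4” fails the Costco rules on length alone while the NIST-style policy accepts it, and a weak but compliant “Password1” shows the opposite.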

So in closing: Costco, please fix your password-handling and account-verification user experience flows. These are at least 4 flaws I found in barely one hour of using your app; and I can only imagine what other usability or security obstacles I could probably find with more time and effort. These are flaws not of code, but of architecture.

It’s perfectly fine — we all make our share of mistakes! But mistakes are made to be learned from, not repeated and left unchecked. If left as-is, these flaws will continue to harm your customers from the perspectives of both usability and security — two considerations that, while seemingly disparate, should always go hand-in-hand. Not only does the current design promote insecure password usage, but in making your workflow actively hostile to the user, you are pushing away potential users and discouraging people from using the app at all.

Please fix these. Your users will thank you, because it will be easier and less counter-intuitive. Your IT staff will thank you, because it will be more secure. Your customer service staff will thank you, because they will not need to deal with as many account reset and usability issues.

And of course, I will thank you, because you will have acted positively on constructive criticism to enhance my experience with your software.