Archive for June, 2020

An Open Letter to Costco: Please Fix Your Password Handling

June 9th, 2020

(Editor’s note: This originally happened in early March, just before the ongoing COVID-19 pandemic lockdown began in earnest.)

To whom it may concern at Costco: The process for connecting one’s membership card to their online Costco.com account through your official mobile app is nothing short of an overwhelmingly under-engineered mess: a combination of unintuitive workflow, security practices which serve only to epitomize mediocrity, and business logic decisions that, frankly, are so obviously wrong that they should probably be outlawed.

Okay maybe I’m exaggerating and getting a little ahead of myself here. Let’s begin this once more without the vitriol:

Dear Costco,

We need to talk.

I’ve been a long-time member and nearly-weekly customer of your local warehouse for many years; and I recently made the mistake of losing my membership card. It should have been in my wallet, but it was not. The specifics of my idiocy are not relevant here: suffice it to say, I no longer had my physical card. I was unaware of this until last weekend when I arrived at my local Costco warehouse for my weekly grocery run and found that slot in my wallet to be bare.

“That’s no problem,” I thought. “I have all my membership details stored in my 1Password and can easily just get a replacement card at the membership counter. No big deal.”

This is where an attentive audience might have heard the record scratch, and a narrator say: “It was a very big deal.”

Upon reaching the customer service desk, the representative was very polite and asked me to provide my photo ID so that she could give me a replacement. Unfortunately for me, my license expired last month and even though I successfully renewed it, its slot in my wallet was filled only by a temporary paper license from the DMV until I earlier today received the new permanent one in my mail. Without that photo identification, I could get only a temporary paper card that would allow me access to the warehouse, but then I would only be allowed to pay in cash.

…Cash? …In 2020? Are you actually serious?

To be fair, I do carry a small amount of cash on me for emergencies; but as this is my usual weekly bulk grocery run, I can assure you that this small cash cache would have been woefully insufficient for what I was going to buy. And I am not going to the ATM just for groceries. (Again, it’s 2020 after all.)

With a spark of insight, I realized, “That’s no problem. I can just add my card to their official mobile app and use the card that way.” Once again, the record scratch and narrator here are all but audible.

Adding the card to the official app seemed to be fairly easy: Once I had input my membership number and some identifying information — ZIP code and name and such — I was shown a notice that told me something along the lines of: “You need to visit a Costco warehouse to complete the verification in-person.” (I apologise here; I forget the exact text. Had I known at the time what I know now about this process, I would have been more diligent about taking screenshots and whatnot.) This seems reasonable: You want to ensure that the person adding that account is actually a member on that specific account. I understand.

I walked back to the customer service desk and requested the noted verification. The representative there took down my email address and said to follow the instructions in the email to confirm my account. Again, something that seemed, at the time, quite reasonable.

A couple of minutes later, I checked my email and instantly realized that this was to be the last reasonable part of my afternoon: The email I received had a link to complete my account setup and the following information text:

If you have an existing Costco.com account, you will need to create a new password. This will verify your membership number and link it to your Costco.com account.

This is utterly ridiculous. I asked the representative why I need to change my password to confirm my email address, and although she was very polite about it, she simply told me she wasn’t sure, but recommended changing the password by simply changing the last character of my current password to something else, like an @ symbol or some such.

First of all, this necessity to change password is a severe flaw in your design. I should not need to change my account password just to verify my email address. There are many good, obviously correct solutions to this problem; and any software engineer with basic experience in this area would suggest one of them here. For example, one possible user-friendly way to do this would be to have the user log in (if not already) and then input some secret single-use passcode that is sent to their email (like a one-time password or random alphanumeric token that they could copy/paste or some such). This could be made even easier by having the email contain a login link with that code as a query parameter: it would require only one click from the user!

Please note that this is the way almost every major website that handles accounts does email verification: no password change required. Why? Because forcing users to go through yet another hurdle in your software means you will have fewer users. The math is quite simple: The less difficult you make your software to use, the more that people will use it.

Secondly, the entire purpose of me going in-person to this customer service representative was (presumably) so that she could enter my email address and membership number into their computer so that their automated system could send me the email for password reset. This is yet another piece of your workflow that is incomprehensibly flawed: I should not need to verify my email address in-person. I know this is the case because once she had the email sent, I was able to do everything else through my phone with zero other human interaction.

I’m already logged in to my Costco account, and that is keyed by my email address. Just like in the method I described above, Costco should be able to easily verify my email address by sending me some unique code or token that I can enter in a form or via some special URL.

Costco, you should not need to have me verify my email offline. It’s yet another hurdle in your software that I have to jump over, just to use what should be one of its most basic features.
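One way to build the single-use email code described above, as an added example that is neither Costco’s code nor anything from this post: the server keeps only a hash of the code together with an expiry, the code travels to the user inside the login link’s query parameter, and it is consumed on the first successful use. The verification URL, the 15-minute lifetime and the in-memory store are assumptions.

```python
# Added example (not Costco's code): a single-use, expiring e-mail verification code.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL = 15 * 60   # lifetime in seconds (assumed value)

class VerificationStore:
    """Keeps only a SHA-256 hash of each outstanding code, keyed by account e-mail."""

    def __init__(self):
        self._pending = {}   # email -> (code_hash, expires_at)

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, email, now=None):
        """Create a fresh code for the logged-in account; only the e-mail ever sees it."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[email] = (self._hash(code), now + TOKEN_TTL)   # replaces any older code
        return code

    def verify(self, email, code, now=None):
        """True exactly once per issued code, and never after expiry."""
        now = time.time() if now is None else now
        entry = self._pending.get(email)
        if entry is None:
            return False
        code_hash, expires_at = entry
        if now > expires_at:
            del self._pending[email]              # stale; the user must request a new one
            return False
        if not hmac.compare_digest(code_hash, self._hash(code)):
            return False                          # a wrong code does not consume the entry
        del self._pending[email]                  # single use: consumed on success
        return True

def build_link(base_url, email, code):
    """The one-click link placed in the e-mail."""
    return base_url + "?" + urlencode({"email": email, "code": code})

def handle_link(store, url, now=None):
    """Endpoint side: read the parameters back out of the clicked link and verify.
    A real app binds this to the logged-in session instead of trusting the e-mail parameter."""
    qs = parse_qs(urlparse(url).query)
    email = qs.get("email", [""])[0]
    code = qs.get("code", [""])[0]
    return store.verify(email, code, now=now)

if __name__ == "__main__":
    store = VerificationStore()
    code = store.issue("member@example.com", now=1000)
    link = build_link("https://example.test/verify", "member@example.com", code)
    print(handle_link(store, link, now=1100))     # True: first click verifies
    print(handle_link(store, link, now=1200))     # False: already consumed
```

Rate-limiting the endpoint still matters, because a wrong code deliberately leaves the pending entry in place so that a guess cannot lock the legitimate user out.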

Thirdly, forcing password changes like this serves only to promote insecurity. Not only does this make users more prone to using weak passwords to begin with, but it also encourages them to change passwords in a way that is very predictable — and hence, insecure. See Lorrie Cranor’s FTC blog post for a lot more details and linked studies. Her particular post deals more so with password expiration policies than single-instance forced password resets, but the crux is the same: Forcing a password reset when there is no good reason to do so inherently promotes insecure passwords.

With a heavy sigh, I figured I had no choice and so created a new password entry in my 1Password and set about to change the password so as to confirm the account. Lo and behold, I could not use 1Password’s auto-fill functionality to put in the generated random password. This is a bit frustrating, to be sure, but not every text input in Android yet supports this. And frustrating as it may be, clipboard is always an option. So that lack of auto-fill was almost never a showstopper… until now.

Not only could I not auto-fill the password, but Costco’s official mobile app and their website both prohibit copy/paste functionality in the “New Password” fields. For someone who tries to be reasonably secure online, this is a usability nightmare. By denying the ability to use both paste and auto-fill functionality, Costco, you are adding yet another hurdle to your software, this time in the form of a terrible dilemma: do your users trade away security for ease of use? Of course they should not have to. Being both easy-to-use and secure is the raison d’être for credential-management tools like 1Password to exist at all. NIST themselves even specifically recommend pasting from password managers:

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

“Digital Identity Guidelines: Authentication and Lifecycle Management” (NIST Special Publication 800-63B) by Paul A. Grassi, et al. DOI: 10.6028/NIST.SP.800-63b

Okay, okay, so it’s not all bad, right? Just change my password and continue on? It’s only a one-time thing, after all. If only it were that simple. After creating a new random password and spending a solid three minutes meticulously typing it in twice to double-check it, I clicked “Update” to save the new password…only to see an error page appear and be prompted for a new password once more:

Password must include the following:
• Use between 8 and 20 characters
• Include at least one letter
• Does not contain blank spaces or the following special characters: < > " \ . ,

This is yet one more hurdle your users have to jump over just to get basic functionality out of your software: in order to get through this quickly, most users will simply choose easily remembered (and therefore easily guessed) passwords that meet the bare minimum of these guidelines. Moreover, by restricting the length of the password and the characters it may contain, you are limiting its possible complexity. Once again, the math is straightforward: the greater the entropy — that is, the overall complexity — of the password, the greater the difficulty of guessing it through brute-force, dictionary attacks, or other means.

Thankfully 1Password has a “memorable password” option, so instead of a random character string which would be difficult to input from memory, I could create a password that’s a sequence of words and numbers (e.g., “Correct1Horse2Battery3Staple4”) which made it slightly less irritating to remember and type in, but my fourth point remains: Password restrictions promote insecure passwords. In fact, Jeff Atwood of Coding Horror summed it up quite nicely in four words: Password Rules Are Bullshit.
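As an added example (not Costco’s code, not NIST’s, and not from this post), here are the rules quoted above implemented as a validator beside a policy that follows the NIST SP 800-63B approach the post cites (a minimum length, a generous maximum, no composition rules, screening against breached passwords), plus the entropy ceiling the quoted rules allow and what a word-based passphrase carries instead. The breached-password set is a constructed placeholder standing in for a full corpus.

```python
# Added example (not Costco's or NIST's code): the post's quoted password rules
# beside an SP 800-63B-aligned policy, and the entropy each approach allows.
import math
import string

# Rules quoted in the post: 8-20 characters, at least one letter,
# no spaces and none of  < > " \ . ,
FORBIDDEN = set(' <>"\\.,')

def restrictive_policy(pw):
    """Return None if accepted, else the quoted rule that rejects the password."""
    if not 8 <= len(pw) <= 20:
        return "length must be 8-20"
    if not any(c.isalpha() for c in pw):
        return "needs a letter"
    if any(c in FORBIDDEN for c in pw):
        return "forbidden character"
    return None

# Constructed breach sample; a deployment screens against a full breached-password corpus.
BREACHED = {"password1", "qwerty123", "summer2020", "12345678"}

def nist_policy(pw):
    """SP 800-63B style: min 8, accept up to 64, any printing character, breach screening."""
    if len(pw) < 8:
        return "too short"
    if len(pw) > 64:            # a generous cap only bounds hashing cost; it is not a strength rule
        return "too long"
    if pw.lower() in BREACHED:
        return "found in breach corpus"
    return None

PRINTABLE_ASCII = {c for c in string.printable if c.isprintable()}   # 95 characters

def restrictive_entropy_cap():
    """Most bits a uniformly random password can hold under the quoted rules."""
    alphabet = len(PRINTABLE_ASCII - FORBIDDEN)   # 88 allowed characters
    return 20 * math.log2(alphabet)               # about 129 bits, and only at the 20-char limit

def passphrase_bits(words, wordlist_size=7776):
    """Entropy of a passphrase drawn uniformly from a diceware-sized word list."""
    return words * math.log2(wordlist_size)       # about 12.9 bits per word

if __name__ == "__main__":
    for pw in ["correct horse battery staple", "Summer2020", "p@ss.word", "12345678"]:
        print(repr(pw), "->", restrictive_policy(pw), "|", nist_policy(pw))
    print(round(restrictive_entropy_cap()), "bits cap;", round(passphrase_bits(5), 1), "bits for 5 words")
```

The run shows the asymmetry the post complains about: a four-word passphrase is rejected outright by the 20-character limit, while a short breached password sails through the quoted rules and is caught only by breach screening.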

So in closing: Costco, please fix your password-handling and account-verification user experience flows. These are at least 4 flaws I found in barely one hour of using your app; and I can only imagine what other usability or security obstacles I could probably find with more time and effort. These flaws are ones not of code, but of architecture.

It’s perfectly fine — we all make our share of mistakes! But mistakes are made to be learned from, not repeated and left unchecked. If left as-is, these are and will be harmful to your customers from the perspectives of both usability and security — two considerations that, while seemingly disparate, should always go hand-in-hand. Not only does it promote insecure password usage, but in making your workflow actively hostile to the user, you are pushing away potential users and discouraging people from using the app at all.

Please fix these. Your users will thank you, because it will be easier and less counter-intuitive. Your IT staff will thank you, because it will be more secure. Your customer service staff will thank you, because they will not need to deal with as many account reset and usability issues.

And of course, I will thank you, because you will have acted positively on constructive criticism to enhance my experience with your software.

Here We Are. #BlackLivesMatter

June 2nd, 2020

I speak to you, the chosen ones.
With all our strength, we stand aligned.
[…]
We’re breaking the walls from inside…
…so rise to the sound of Revolution.

Excerpt from “Revolution” by Kamelot, from their album “Haven” (2015).

I’ve been pondering what to say that hasn’t already been said about all the series of unfortunate events that seems to be the trend in the United States. I have neither the courage nor the logistics to be part of the protests in person; but staying quiet about them feels like tacit approval of the very system they are protesting against. And this, at least, I cannot do.

However, it is difficult to know exactly what to write here. I want to help, but I don’t want to mistakenly “help” in the wrong way: I want to incite change, not just more anger. I want to promote equality and education, not violence and vitriol.

These recent events are merely the culmination of many decades of injustice and intolerance; and the ideal solution would be change in the underlying systems which allow these to continue so pervasively. But in addition to these systemic failures of justice, there are a lot of other aspects of our leadership structure and personnel that are detrimental also; and I’d like to mention those in this post too. I contend that no one issue here is more important than the other. Rather, all are individually important for their own reasons; and I am remarking on them grouped together here only for the sake of attempting to express my thoughts more completely.

In the year 2020, we have at the forefront of sociopolitical power in our country and many others, people with very little competency and nearly as little accountability. And they are more often than not kept in their high offices by corporations and lobbyists who can effectively win any election just by throwing enough money at it, rather than by any merits of candidacy. Third-party candidates almost never succeed — even if they are exceedingly qualified and capable — solely because they are of a third party.

In the year 2020, during a global viral pandemic, we have a significant number of people who, despite such claims being thoroughly debunked by every reputable medical organization, are advocating against the safety and efficacy of vaccination, even though a SARS-CoV-2 vaccine would be — once properly developed — the only truly safe and effective way to return to some semblance of normalcy.

In the year 2020, when science has graced us with the capabilities of astronauts being able to live and research on the International Space Station long-term, collaborating between many nations to further humanity’s knowledge, and when we can video chat in real-time between these astronauts in orbit and people on both sides of the planet simultaneously using pocket-sized always-connected devices that can also quite literally show us the breadth of all human knowledge…we have groups of people accepting outlandish conspiracy theories and protesting against the very existence of COVID-19, saying things like the world is flat, manmade climate change is not real, and that COVID-19 is somehow a hoax so that the governments can track their citizens better. (Of course it should not need to be said, but none of these are true. And, fun fact: if they wanted to track their citizens better, it would be far easier to do so using the always-on always-connected mobile phones that almost everyone has on their persons at all times. But hey, who am I to argue logic with those who refuse its clarity.)

In the year 2020, almost a century after the Civil Rights movement first began in earnest, there are still people who think that it is somehow okay to devalue other human beings simply because they are different: whether that is a difference of skin color, gender, or sexual orientation, or because they are of a different socioeconomic group, or because they are of a different culture or race, or for any other aspect of them that differs from a prescribed societal norm. (To be clear: this is absolutely not okay.)

And more recently in the year 2020, echoing many prior instances such as the killings of Ahmaud Arbery and Breonna Taylor and many others, we have police officers who, despite having sworn an oath “to never betray […] the public trust” and “to hold [themself] and others accountable for [their] actions” (source: IACP Oath of Honor), abuse their power to epitomize this intolerance through clear excessive force leading to outright murder — in this most recent case, the murder of George Floyd — and are often not held justly accountable for it.

And just a few days ago, after the United States alone reached over 100,000 confirmed deaths from COVID-19 and still has almost 2 million confirmed infected (source: CDC), we had the chief executive officer of the United States announce that our country would be leaving the World Health Organization, in order to continue his racist trend of blaming China for this disease. (Fun fact: China itself holds about 19% of the world’s entire population. So, yes, it is going to be a significant focus for pandemic efforts, on the simple basis that it holds such a large proportion of the world population. That’s just how epidemiology works.)

Let me be perfectly clear: None of this is acceptable.

Respect should be the default in our interactions with other people, not some reward earned through commonality of class or culture. Respect should never have to be earned. It should always be given.

And yet, here we are.

We should not be so entrenched in a political system that so readily divides issues across bipartisan lines. Parties should be debating what the correct solutions are to our socioeconomic and welfare problems, not debating whether these problems even exist at all. We should not have to vote for the lesser of two evils simply because the qualified third candidate won’t win.

And yet, here we are.

We should not, in the midst of a viral pandemic, be separating ourselves from the primary worldwide organization whose current overarching goal is to end this pandemic with a minimum of life loss.

And yet, here we are.

We should not have groups of people afraid to simply live out their lives, due to the high likelihood of being attacked by those in power who should be protecting them, just because they look or act differently.

And yet, here we are.

#BlackLivesMatter should not need to be a hashtag.

And yet, here we are.

People should not need to be protesting in the midst of a viral pandemic, that their lives are in danger from the very people who should be protecting them, by endangering their own lives even further as part of a (hopefully peaceful) crowd.

And yet, here we are.

We should not have our police officers armed to the teeth and attacking the very people they are sworn to protect, while our medical personnel are struggling to make ends meet with not enough PPE and ventilator equipment to help keep people alive through this global pandemic.

And yet, here we are.

We should not have such intolerance so hardwired into the justice and political systems that even the people who hold arguably some of the highest offices in the world are willfully ignorant and continue to encourage prejudice over progress, and wealth over well-being.

And yet. Here. We. Are.

To you protesters, please stay safe. Stay vigilant. Stay peaceful. You are bold; you are brave; and I stand with you, albeit virtually.