If you’ve heard any of the members of CRT Labs talk about online security, you’re likely to have heard us urge you to use a password manager. And if you spend a normal amount of time online, you’ve also read about password manager breaches. The most recent high-profile attack hit LastPass earlier this year, and the attack helped spawn a lot of “are password managers really a good idea?” think pieces.
Let me be direct: yes, it’s a good idea to use a password manager. It’s a really, really good idea, and using them is something I will continue to recommend to the REALTORS® with whom I speak.
We recommend them so strongly because password managers address the two most common reasons accounts get compromised: weak and reused passwords.
WHAT’S A PASSWORD MANAGER?
A password manager is a piece of software that helps a user create, store, and use complex passwords. (There are hardware-based password managers, as well as some browser-based ones, but we’ll just be talking about dedicated software managers in this post.) By “complex passwords” I mean a combination of letters, numbers, and special characters; length and unpredictability can also increase the complexity of a password.
Password managers help you create these complex passwords; the software I use allows me to create passwords up to 64 characters in length, with up to 10 numbers and 10 special characters. For example:
Do I use complex passwords like this for online banking and shopping? I do. Not all are this crazy, but there’s actually no reason why they shouldn’t be. They can be as complex as the above, because password managers don’t require you to remember the passwords of individual sites and services you access online; they only ask you to remember one master password that gives you access to the rest.
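The generator settings described above (a length of up to 64 characters with a chosen number of digits and special characters), as an added example that is not from the original post or from any particular password manager. The function names and the special-character set are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed special-character set; real password managers each define their own.
SPECIALS = "!@#$%^&*()-_=+[]{}"
MAX_LENGTH = 64  # the upper limit mentioned in the post


def _validate(length, digits, specials):
    if not 0 < length <= MAX_LENGTH:
        raise ValueError("length must be between 1 and 64")
    if digits < 0 or specials < 0 or digits + specials > length:
        raise ValueError("digits + specials must fit within length")


def generate_password(length=64, digits=10, specials=10):
    """Return a password with exactly `digits` numbers and `specials` symbols."""
    _validate(length, digits, specials)
    letters = length - digits - specials
    # secrets draws from the OS CSPRNG; the random module is not suitable here.
    chars = [secrets.choice(string.ascii_letters) for _ in range(letters)]
    chars += [secrets.choice(string.digits) for _ in range(digits)]
    chars += [secrets.choice(SPECIALS) for _ in range(specials)]
    # Shuffle with the same CSPRNG so character classes land in random positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length=64, digits=10, specials=10):
    """Bits of entropy: log2 of how many passwords fit this exact composition."""
    _validate(length, digits, specials)
    letters = length - digits - specials
    # Ways to place the digit and special positions among `length` slots.
    arrangements = math.comb(length, digits) * math.comb(length - digits, specials)
    choices = 52 ** letters * 10 ** digits * len(SPECIALS) ** specials
    return math.log2(arrangements * choices)


if __name__ == "__main__":
    print(generate_password())
    print(f"{entropy_bits():.0f} bits")
```

Because every password is drawn independently, generating a separate one per site removes reuse as well as weakness.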
HERE’S WHERE FOLKS GET NERVOUS:
It’s at this point that most people start to get nervous, and they usually have both of the following concerns:
Are you crazy? You’re putting all of your password eggs into one basket!
I can’t remember a password that’s complicated enough to be my master password.
Let’s start with the all-your-eggs issue. I currently have one master password that protects 55 very complex passwords that are stored in my password manager. My master password is complex but memorable. Am I worried about someone cracking my master password and getting to my banking, investment, and shopping passwords? Not really, and here’s why:
My master password and password vault are shared with no one. Not even the company that provides my password management software has access to it. Combining the strong encryption on your vault, a strong master password, and control over where your information is stored provides you multiple layers of security against any threats.
The encryption used by most password managers protects data not only during transmission but also at rest.
My password manager encourages me to create very complex passwords because it can be done for me automatically when signing up for accounts at new websites.
I don’t even have to use the Internet to use my password manager. I can run it on a local network, storing all my information on my computer and other devices. None of my password information need ever go near the cloud.
This last issue — cloud vs. local storage — could be the key for you to start using a password manager if you’re afraid of hackers but see the benefit of randomly generated strong passwords. Make sure any password manager you think of using has the ability to store information away from the cloud and away from the provider’s servers.
CREATING A MASTER PASSWORD
It may seem a little daunting to come up with a complex but memorable password, but I’d like to suggest it’s not as difficult as it seems. Let’s take a look at a made-up complex password: !M2j3B*s*T*. How did I come up with this, and how would I remember it?
Let’s assume you think Michael Jordan is the best basketball player ever. You’re sure to know he wore the number 23. Introduce some special characters, start to think about the words as single letters or abbreviations, and you’ve got a memorable and very strong password.
STILL DON’T WANT TO USE A PASSWORD MANAGER? AT THE VERY LEAST, DO THIS:
Whether or not you wind up using a password manager, at the very least remember that variation (not using the same password on more than one site) and complexity (passwords with letters, numbers, and characters) are essential to protecting yourself online. It’s easier for me to use a password manager to handle that variation and complexity. If it’s not for you, devise your own system, but stick to those two password virtues. Somewhere down the line you’ll be happy you did.
A long, long time ago — in internet years, anyway — usability pioneer Jakob Nielsen codified ten general principles for interface design. Nielsen had the then-new Web in mind, but some 20-plus years later these principles continue to be relevant.
My favorite of Nielsen’s principles has always been this:
User control and freedom
Users often choose system functions by mistake and will need a clearly marked “emergency exit” to leave the unwanted state without having to go through an extended dialogue. Support undo and redo (emphasis mine).
I’ve been thinking a lot about these principles, because I recently replaced the nine-year-old WiFi router in my house. At the same time I changed the network name and password to make access to the router more secure. If I had done this a few years ago, I’d have told my family what the new network name and passwords were, they’d have connected their smart phones (because smart phone makers long ago figured out how to support undo and redo), and all would have been well.
But now I’ve got a bunch of smart home devices — thermostats, security cameras, air quality monitors, smart lights, and more — and getting all of them to play nice with the new WiFi network has proven to be, well, adventurous. In this first of a series of blog posts, I’ll highlight the easiest, least frictional experience I had with one device that sets a high bar for the others, user-experience wise. That device is the Logitech POP Home Switch.
First, though, an acknowledgement: not all smart devices are the same. They do different things and require different levels of security regarding changes made to them. The steps I need to take reconfiguring my front porch security camera should be different than what I need to do to the POP Switch. Yet the reason I’m highlighting the POP Switch experience is because it is well-done and elegant, and security and elegance are not mutually exclusive. More “complicated” smart devices can learn lessons from it.
The POP Switch Experience
Logitech’s POP Switch comprises two parts — a bridge, which plugs directly into a wall outlet, and a switch, a 2.5” square rubberized controller that can work with things such as smart lights. Pressing the switch in various ways allows you to change lighting scenes (for example) without getting out your smart phone and using an app. Truth be told, it’s a sweet product.
But what makes it especially nice is the way it behaved when I fired up my new router with new credentials. The bridge immediately started blinking (because it was now offline), and finding where to go in the POP app to get the bridge back online was a snap. And if a good interface captures 1) the task you’re performing, 2) instructions on how to accomplish the task, and 3) the status of what’s going on, the POP app hits it out of the park. Here are the sufficiently brief steps I had to take to get my POP Switch onto a new network, as experienced through the app:
It probably goes without saying that my experience with other smart home devices in my house didn’t go as smoothly.
Why Is This Important?
Good design is always important. But it’s desperately needed in the still-new world of smart home devices. As the department within the National Association of REALTORS® that is most focused on smart home technology, CRT Labs has a responsibility to help shape the nascent world of smart home tech, both for homebuyers and for the REALTORS® they hire. IBM’s Security Intelligence blog recently pointed out in a thoughtful piece that many design decisions are made for the first owner of something, and that the needs of subsequent owners are often neglected.
“The needs of subsequent owners” sound a lot like the needs of a homebuyer, don’t they?
Over the coming months I’ll continue to document my experiences with smart home devices and changing configurations, documenting as best as I can which ones are painful and which ones are relatively painless. More and more smart devices will be included in real estate transactions, and the smart home industry has a lot riding on “support redo and undo.”
“…Nest is mostly a victim of the current state of the smart home market, which itself seems perennially stuck in the early adopter phase.”
Slow to start, maybe. Perennially stuck? That’s a bit much.
On this we can agree: early adopters are buying smart home devices at a rate that surpasses that of average consumers. They are buying “more expensive, less reliable, (and) more complicated technology.” That’s what early adopters do.
Those early adopters have made Nest arguably the most successful smart home device released to date. And its advance into homes speaks to Nest meeting Mr. Dawson’s three criteria for smart home device innovation success:
1. You don’t have to buy many of them; one thermostat is good for most homes
2. Installation can be tricky, but it’s not rocket science
3. The possibility of a return on investment is obvious (“Control my HVAC more efficiently? Ka-ching!”)
The rest have failed to take off because they “require electrical expertise, devices to be installed throughout the home, and cost a lot of money with increased convenience the only real benefit.”
Here’s where the argument gets a little wobbly.
My beloved Netatmo device that monitors (among other things) humidity, carbon dioxide levels, and sound levels in my house was plugged into the wall socket by my 8-year-old. Its outdoor counterpart, an incredibly accurate temperature and barometric station, is attached to my back entryway with zip ties. And while the return on investment isn’t immediately financial with this particular device, there is comfort in knowing the air in my house is clean and dry. (And the chance to remediate a problem in my home before it gets out of control is a huge opportunity for return on investment.)
It’s the insistence that “convenience (is) the only real benefit” that’s most problematic. Device manufacturers don’t help themselves here: promotional videos and the like overemphasize the “look what I can do from my phone!” aspect of their products. Convenience is awesome, but there’s much more to the near future of the smart home than that.
We at CRT Labs believe that the more you know about your home, the better you are. You, your house, and those living in it can be healthier. We envision a homebuying and selling marketplace made smarter by data that enables everyone to make informed decisions about the most important purchase anyone can make.
My wife and I bought a house 9 years ago; we loved the aesthetics, the location, and the elementary school. We also looked at other houses. Did we buy the one that had the driest basement? The one least likely to contain health hazards? The brightest one, or the darkest one?
Sadly, I have no idea. But smart home technology could have told us that, and that’s why if smart homes are stuck, they’ll soon unstick themselves.
I recently started re-watching The X-Files, particularly the “mytharc” episodes. You know, the conspiracy-crazed ones with the aliens hell-bent on colonizing Earth. And it was right at the end of a particularly long binge session – a few minutes into the first season finale – that I realized showrunner Chris Carter and his creative team all would have made excellent user experience designers.
It’s in that episode (“The Erlenmeyer Flask”) that we’re introduced to one of the first alien/human hybrids. And not to be gruesome, but the important thing for this discussion is that this hybrid gets shot while fleeing the police. He bleeds, and he bleeds green:
Up until this happens, we don’t know anything about the person trying to get away from the cops. But when the camera pans down to his spilled green blood, we know exactly what he is.
He’s an alien.
The X-Files was a creative tour-de-force, inventing and re-inventing ways to tell stories about the stuff of our wildest science fiction dreams. But some stories are best left unchanged. Some things don’t need to be reinvented. And alien blood needs to be green.
What’s This Got to Do With User Experience?
Companies are tripping over each other trying to bring the latest and greatest smart thermostat or lock or smoke detector to market (and into your home), and to a great extent their success or failure will depend on the user experience their engineers and designers have brought to the product. Because smart devices require their users to learn new (and sometimes fairly complex) things, the best experiences will be the ones that don’t force users to learn too much or to unlearn the helpful, leading truths they already know.
So why do the LED status lights on the front of one smart hub we have in CRT Labs glow green when everything is OK, while those on the other glow blue?
Why does one hub blink blue when there’s a connection problem, and why does the other hub blink purple?
And what could magenta, pink, and white possibly mean?
Smart hubs have an important job: they need to clearly communicate the state of a complex smart home network. But indicating the status of a complex system need not be complex itself, and from what I’ve seen, we’re headed in the wrong direction.
Designers and engineers need to honor what the user brings to the experience, keep the cognitive load low, and pump their smart devices full of some alien blood.