A Japanese newspaper run a article that 60% of the people uses same password over different web sites 1. In fact, it is hardly a news, since our research back in 2008 clearly showed this. (The result also made into several magazines.) The question we really have to ask is why web sites keep building their own “password services” and not rely on external authentication services.
There could be several reasons for this. For example, a common misconception that “they have to own the customer” is one thing2 However, there is another factor that affects the situation even more, as I see it. It is the market failure by the negative externality.
A typical example of negative externality is pollution.
Goods can be produced cheaper without controlling the pollution for the company, because the cost of pollution is borne by other people. In such cases, everybody chooses to pollute and overall situation become sub-optimal. Access Control by a home grown password system is easy to implement, but dangerous. It has negative impacts to other sites and users. According to the statistics that NRI collected, majority of people can remember less than 3 passwords while they have about 20 accounts on average.
This means that users are using same username/password pairs all over, even with an insecure service. We all know that those services are target to the cracker attack, and passwords leaks.
The problem is that the cost and impact of these leaks are not borne by the leaking site, but it will be borne by other site and data subjects. The appearance that password based system is low cost is not actually true. It is mealy pushing the cost towards other people. This is a classic case of negative externality.
There are a few possible policy measures.
- Quota limitation and
- password tax3
are some of the most common measures.
It is kind of funny that many people seem to fail to recognize this negative externality problem.
However to make the market functioning, we need to rectify it. My prediction is that if we do not successfully internalize this external cost, home grown password systems will persist.
- I understand that they want to build a strong relationship with customers, i.e., “own” the customer, but having the customer’s password has nothing to do with it.
- I now believe that compulsory insurance is a better way as it goes through market mechanism. (2016-06-22)