How many different passwords do you have? The chances are that it’s a very large number. How do you keep track of them all? I once asked a colleague if I could borrow his login to a server because mine had timed out and the help desk (or maybe they should just be called “desk”) couldn’t fix it quickly enough.
Shocking, I know, but sometimes you just need to get stuff done. He told me to use “password17”, which I did, but it didn’t work. “Oh – OK – try password18,” he told me. Not exactly the most secure of strategies: anyone who learns one of his passwords can guess the next one.
Back in the days of NetWare, some bright spark decided that the network password needed to be at least 15 characters long. His assumption was that the longer the password, the safer it would be. The flaws in this approach were two-fold. Firstly, there aren’t that many 15-letter words, so the pool of candidates was small, and secondly, spelling wasn’t our operators’ strong point, so they wrote the password in a black book with a “Passwords” label on the front. They stored it in a drawer, and on the front of the drawer, in Dymo tape, was “Password Drawer”.
What makes things worse is that every single login comes with its own rules. The expiry cycles differ, so you can’t synchronise passwords across systems. Some would argue that this is a good thing, because it means the impact is limited if one of your passwords is compromised.
Not only that, but the rules for what counts as a valid password are different everywhere you go: different minimum lengths, some accept only letters, some insist on letters and numbers, some want capitals and punctuation marks, and many won’t let you reuse a password you’ve used before. All this means it is becoming increasingly difficult for mere mortals like me to cope with all these passwords.
Every time I top up the lottery account, my debit card company asks me for some characters from my password. Because this is the only time I am ever asked for it, I invariably forget what it is and have to go through the rigmarole of setting a new one (which can’t be the same as any I’ve used before).
Some are fans of password management programs, which use one password to rule them all. The trouble with this software is that if that master password is compromised, whoever has it has access to everything, so it has to be the one long, unique password you genuinely remember; and if you are logging in from a machine that’s not your own, the software isn’t there.
There’s got to be a better way to manage identity. I definitely like being able to click on the “Log in with Facebook” or “Log in with Twitter” button. I think a combination of that with waving your phone over an NFC reader could be the answer.
Martin, look at LastPass. This is a password manager but with a wrinkle. Everything is encrypted in your browser so there is no clear data at the server. If you lose your password for the LastPass server, you are on your own. It optionally fills in your userid and password automatically and optionally logs you on. It detects password changes and allows you to categorise your sites. Really good. It also works on my iPad.
Thanks John – I’ll take a look!
Research has shown that the most secure passwords are actually all text. The strategy is to create a password that is an acronym of a phrase that means something to you. That way it is not a word, which is what password-cracking programs normally use to launch a brute-force attack on a system. Those programs normally try all the common adaptations, like switching i’s and l’s for the number 1, e for the number 3 and a for @, so if you only ever use these numbers and special characters, beware!!
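To make the point in the comment above concrete, here is an added example (not from the original post or any commenter) of how a rule-based cracking attack expands a small dictionary with exactly the substitutions mentioned, plus case and suffix rules, in the style of the rule engines in tools such as John the Ripper and hashcat. The wordlist, the substitution table and the suffix list are constructed for the example; a real attack uses far larger ones. A leet-speak variant of a dictionary word lands inside the candidate set, while an acronym of a personal phrase does not.

```python
import itertools

# Constructed stand-in for the dictionary a cracking tool feeds through its rules.
WORDLIST = ["password", "letmein", "welcome", "dragon"]

# Substitutions the comment warns about (i/l -> 1, e -> 3, a -> @) plus two more that rule sets commonly include.
LEET = {"a": "@", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$"}

# Constructed suffix rules; real rule files append years, symbols and short digit runs in the same way.
SUFFIXES = ("", "1", "!", "123", "2012")


def leet_variants(word):
    """Yield the word with every combination of the substitutions applied or not applied."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def mangle(word):
    """Everything a simple rule engine derives from one dictionary word: leet, case and suffix rules."""
    out = set()
    for base in leet_variants(word):
        for cased in (base, base.capitalize(), base.upper()):
            for suffix in SUFFIXES:
                out.add(cased + suffix)
    return out


def candidates(wordlist=WORDLIST):
    """The full candidate set an attacker would hash and compare against the stolen hashes."""
    found = set()
    for word in wordlist:
        found |= mangle(word)
    return found


def is_guessable(password, wordlist=WORDLIST):
    """True if the password falls inside the mangled dictionary, i.e. a rule-based attack finds it."""
    return password in candidates(wordlist)


def acronym(phrase):
    """The comment's strategy: first character of each word in a phrase the user remembers."""
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    print(len(candidates()), "candidates from", len(WORDLIST), "dictionary words")
    for pw in ("P@ssw0rd1", "L3tm31n!", "dragon2012", acronym("My dog Rex ate 2 shoes!")):
        print(pw, "guessable" if is_guessable(pw) else "not in the mangled dictionary")
```

The whole mangled dictionary here is under a thousand strings, which shows how little work the “clever” substitutions add for the attacker: each substitution at most doubles the candidates for a word, and a GPU cracker hashes millions of candidates per second.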
+1 for LastPass, it’s great. To counter “if your password is compromised”, one can even combine LastPass with Google Authenticator for multifactor… see http://blog.lastpass.com/2011/11/introducing-support-for-google.html, based on http://www.mattcutts.com/blog/google-two-step-authentication/