
Is Your Site Password-Worthy?

August 30, 2011

I hate passwords. I just read an article on Yahoo about how to make your password more secure. I think this is the wrong message. Passwords should be abolished altogether. It seems that almost every site on the web, in order to show you the interesting stuff, has you enter a user name and password. Let me tell you, most of these sites are not password-worthy. First you have to set up an account name. Since these have to be unique (it’s a computer thang), one name probably won’t cover all sites. I have a nice Yahoo name, but only because I got it 15 years ago, when it was still available. That same name is taken on pretty much every other site, so I have to add letters and numbers and whatever to get an account name that works. Who can remember these?

On the issue of user names, why not just use your email address? I try to do this when I can, but lots of sites don’t allow the @ or . symbol (in which case I drop it) or don’t allow long names. This method also reveals your email address, because the account name is often shown publicly. Why not eliminate user names altogether, base log-in on the email address, and allow an arbitrary public name which doesn’t have to be unique? The display name is just a label; the email address is the key the system actually looks up, so the computer has no trouble telling two “Bob”s apart. Right now, for non-password-worthy sites, I use a free Yahoo mail address; as a side benefit all the spam goes into that mailbox, which I haven’t looked at in years.

Once you create an account name you have to pick a password, which inevitably is even more difficult than picking a user name because no two sites have the same rules for passwords. Some allow special characters, some don’t, and some require them. Some have length limits, some force a certain minimum length. Some allow you to use any password you want, some judge the “strength” of your password and don’t allow what they consider to be “weak” ones. One site I signed up with recently (Comcast) forces your password to be between 8 and 16 characters and to contain a lower-case letter, an upper-case letter, a number and a special character. (A site that properly hashes passwords has no technical reason to cap them at 16 characters or to forbid any character at all; rules like these are a sign the back end is doing something odd.) I guess their biggest fear is that someone hacks into my account and cancels HBO. My bank forces me to change my password after a month of inactivity, and doesn’t let me change my password to any password I’ve used in the last 5 months. They also make me answer 3 questions every time I log in from a different computer, and now they call my cell phone and I have to punch in a verification code, all this just to log in. Next I expect they will send a phlebotomist over to check my DNA. I have resorted to a simple method of picking passwords: I write how I feel when I’m using their site. It seems to be the easiest to remember.

Next, most (if not all) sites now have a way to recover your user name and reset your password if you have forgotten them. This is what I usually do. Almost all of these lookups are based on email address and then maybe ask a question like “Who is your favorite hot actress?”, something you answered 5 years ago when you were into girls with short hair and big boobs. I digress. Then you get a link in your email box that acts as a password, maybe for an hour or so, during which time they expect you to enter yet another password that you will never remember. This reset path, with security questions whose answers could be looked up from public information, is the technique some cracker used to get into Sarah Palin’s email.

I’m sure there is some site out there that just collects passwords and then tries to break into people’s accounts on other sites using those passwords and small variations of them (the trade calls this credential stuffing). I use the same password for most sites; who cares if someone breaks in, I don’t store anything important on 99% of the password-protected sites anyway. The one catch is that a password leaked from a throwaway site also opens every other site where I reused it, so the reused one had better not be the one my bank knows.

At this point in the development of the internet one has to ask, “why do we still use passwords?” Hasn’t someone come up with something better?

One suggestion (from my brother) is to allow users to select a question and answer as a password. That way you can use lots of different passwords and be reminded of which password you used for that site, without anyone else understanding the hint. The catch is that the hint is shown to whoever types in your account name, so it has to mean something to you alone.

Another suggestion is that maybe it is time to use cell phones to do authentication (authentication is the technical term for figuring out whether you are you). Most people have them, and sending a message every time you log in is probably not that expensive, though a code sent by text is only as safe as the phone number it goes to. For those people who don’t have or don’t want to use a cell phone, your email server could act as the authentication agent.
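Both the hour-long reset link from the email paragraph and the phone code suggested here are the same mechanism underneath: a secret the site generates, hands to you over a second channel, and accepts exactly once before a deadline. The code below is an added example of how a site could implement that (it is not code from this blog or from any site mentioned above); the class and method names, the one-hour and five-minute lifetimes and the three-guess limit are my assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingSecret:
    """What the site keeps while a reset link or phone code is outstanding."""
    digest: bytes        # SHA-256 of the secret; the plaintext is never stored
    expires_at: float    # absolute time after which the secret is dead
    attempts_left: int   # wrong guesses allowed before the secret is discarded


class OneTimeSecretStore:
    """Issue and redeem single-use, time-limited secrets keyed by account (email address).

    Assumed design (not from the page): one outstanding secret per account, the newest
    replacing any older one; redeeming consumes it whether or not the guess was right.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._pending = {}           # account -> PendingSecret

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def _issue(self, account, secret, ttl_seconds, attempts):
        self._pending[account] = PendingSecret(
            digest=self._digest(secret),
            expires_at=self._clock() + ttl_seconds,
            attempts_left=attempts,
        )
        return secret

    def issue_reset_link(self, account, ttl_seconds=3600):
        """The 'link that acts as a password for an hour': 256 bits of randomness,
        unguessable, so it can be emailed as a URL parameter."""
        return self._issue(account, secrets.token_urlsafe(32), ttl_seconds, attempts=3)

    def issue_sms_code(self, account, ttl_seconds=300):
        """The phone code: only six digits, so it must be short-lived and the site
        must stop accepting guesses after a few failures."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        return self._issue(account, code, ttl_seconds, attempts=3)

    def redeem(self, account, presented):
        """Return True exactly once, for the right secret, before it expires."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[account]          # expired: drop it, no second chance
            return False
        entry.attempts_left -= 1
        # Constant-time comparison so a wrong guess does not leak how wrong it was.
        ok = hmac.compare_digest(entry.digest, self._digest(presented))
        if ok or entry.attempts_left <= 0:
            del self._pending[account]          # single use, or out of guesses
        return ok


if __name__ == "__main__":
    # Constructed demo of the two flows; "alice@example.com" is a made-up account.
    store = OneTimeSecretStore()
    token = store.issue_reset_link("alice@example.com")
    print("reset link valid once:", store.redeem("alice@example.com", token))
    print("reset link reused:   ", store.redeem("alice@example.com", token))
    code = store.issue_sms_code("alice@example.com")
    print("sms code valid once: ", store.redeem("alice@example.com", code))
```

The point the author makes about the reset link being a password for an hour is exactly why the store hashes it and throws it away on first use: a database dump of pending secrets should be as useless as a dump of hashed passwords, and a link forwarded or logged somewhere should stop working the moment it has been used.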

Of all the sites I go to these days, maybe three are password-worthy. The rest I either use so rarely that remembering a password is impossible, or are so unimportant that I don’t really know why they bother. Therefore, I hereby establish “The Committee to Abolish Passwords”. Membership is free; no user names or passwords are required. Just reply to this posting. (Does WordPress require a user name and password?)