The Password Post-It Conundrum

7 07 2008

Any of you who have worked in a cubicle-style environment will have noticed one of the biggest ironies of the Information Age. You walk around the office, checking out people’s computer monitors and nearly every single one has Post-It notes stuck to their edges. And, if you looked closely (I’m not advising you to do this, I’m just saying…), you’ll notice that a very high percentage of monitors have, on at least one Post-It, a sign-in password.

That’s right. Most people have the keys to unlock their computer, sitting right there on their computer. That’s like leaving your front door key inserted into the lock in your front door all of the time.

For those of us who don’t want to do that, we do something almost equally moronic — we attempt to use the same exact password for all of the sites that require a password. And that password is usually something like the name of your child, or your spouse’s birthday, or something else equally guess-able.

The reason why we do this is obvious — there are way too many sites that require passwords for us to remember them all. Many sites have arcane restrictions on them (“Must be 8 characters long, contain at least one number and one ampersand.”) and require you to change them every few months.

With the rise of identity theft, this isn’t a bad idea. But the plain truth is that most sites require passwords for monetary reasons, not security ones — in order to continue producing the site, most companies need to monetize it. And that means collecting data on you. The only way to do that effectively is to register people, so that they can track what you’re doing on the site. Then they can either sell something to you, or sell your eyeballs to an advertiser (well, not literally your eyeballs, but at least the information about what those eyeballs are looking at).

This leads us to the Information Overload Password Conundrum (or IOPC, a term I just made up).

People, who are generally unable to retain a variety of complex passwords, will do their best to make their passwords less complex and less varied.

This is a problem for institutions who really need to keep your data private — like banks, medical facilities, research institutions, etc.

There are two initiatives that have been brewing to help to make this entire process both more secure and less intimidating for users.

The New York Times, on June 24, published an article on an organization which is developing something called the Online Information Card. Companies like Microsoft, Google, Equifax, Novell, Oracle, and PayPal are trying to come up with an online version of a driver’s license ID card.

The idea is to bring the concept of an identity card, like a driver’s license, to the online world. Rather than logging on to sites with user IDs and passwords, people will gain access to sites using a secure digital identity that is overseen by a third party. The user controls the information in a secure place and transmits only the data that is necessary to access a Web site.

There are a host of problems with this, of course, most notably the fact that the consortium will have to convince millions of web sites to trust the company behind the initiative — the mentioned “third party” — with the data that the sites’ users have entrusted to them. Personally, I don’t know how I feel about that. Is there a difference between a government Big Brother and a private industry one? We regularly hand over large amounts of our personal data to companies right now. About the only thing that keeps them from abusing that data too much is that it is fragmented between many companies.

Still, it’s a laudable start to our IOPC.

Another, more interesting one, came up in today’s “Bits” column in the New York Times. Called “More Personal Password Questions,” the piece talks about a new initiative at the Palo Alto Research Center (which, as Xerox PARC, developed the icon-based user interface that is used on nearly all personal computers today) called “Blue Moon Authentication.”

Named under the erroneous assumption that you only forget your password “once in a blue moon,” this technology is used to provide reliable, but difficult to crack, “fallback questions.” These are the questions that you need to answer when you’ve forgotten your password and need to either reset it, or have the website send you an email with that information. You choose from a list of questions: what was your first pet’s name?, where were you born?, what is your mother’s maiden name?, etc.

The problem is that they are very hackable, especially for someone who can automate the guesses (the Times even publishes a list of common pet names). PARC’s idea is as follows:

While registering for a site, users are asked to select from a long list things they like and dislike (punk music, golf, southern food, for example). If they forget their password, they return to the site and are presented with the list of items they selected. Then they have to specify whether they like or dislike those things – a quick personality test. Forget about plumbing the depths of your brain; just be yourself. “It turns out very few people have a hard time remembering who they are,” [Markus Jakobsson, principal scientist at PARC] said.

The piece says that, in a study, the chance of someone not being able to remember the answers to those questions was near zero. No one knows, of course, what happens if you choose to dislike chocolate after liking it for many years. People change, though not as often as most sites require us to change our passwords.
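To make the like/dislike fallback concrete, here is an added example (my own sketch, not PARC’s code or the Times article’s) of how such a check could be recorded and verified, and how a blind guesser fares against it compared with a pet-name question drawn from a published list. The catalogue of items, the tolerance of one changed answer, and the salted-HMAC storage are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from math import comb

# Constructed catalogue of preference items; the real list is assumed to be far longer.
CATALOGUE = ["punk music", "golf", "southern food", "chocolate",
             "jazz", "camping", "opera", "cycling", "sushi", "horror films"]


def enroll(verdicts, salt=None):
    """Record the user's like/dislike verdicts at registration.

    verdicts: dict item -> "like" / "dislike" for the items the user picked.
    Each verdict is stored as a salted HMAC (assumed design) so a leaked
    record does not reveal the answers in clear text.
    """
    salt = salt or secrets.token_bytes(16)
    tags = {item: hmac.new(salt, f"{item}:{verdict}".encode(),
                           hashlib.sha256).hexdigest()
            for item, verdict in verdicts.items()}
    return {"salt": salt, "tags": tags}


def verify(record, answers, max_errors=1):
    """Fallback check: the user is shown the enrolled items and is accepted
    if at most max_errors verdicts differ from enrollment, which tolerates
    the 'stopped liking chocolate' case without opening the door wide."""
    salt, tags = record["salt"], record["tags"]
    if set(answers) != set(tags):
        return False  # every enrolled item must be answered, nothing else
    wrong = 0
    for item, verdict in answers.items():
        tag = hmac.new(salt, f"{item}:{verdict}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, tags[item]):
            wrong += 1
    return wrong <= max_errors


def blind_guess_probability(n_items, max_errors):
    """Chance that a single attempt by someone guessing each verdict at random
    (no knowledge of the victim) is accepted: sum of C(n,k)/2^n for k <= errors."""
    return sum(comb(n_items, k) for k in range(max_errors + 1)) / 2 ** n_items


def pet_name_guess_probability(list_size, attempts):
    """Same attacker against 'first pet's name' when the answer is on a
    published list of list_size common names and attempts tries are allowed."""
    return min(1.0, attempts / list_size)
```

With five enrolled items and one error allowed, a blind guess succeeds about 19% of the time, so a deployment needs many more items (and rate limiting) before it beats a pet-name question drawn from a short public list.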

Still, it is a step to solving our password problems, something that has been discussed for years. Now that we do much of our purchasing, banking, and investing online, it’s time to do something about it.

3 responses

7 07 2008
matt

somewhere on the web there is a very informative website detailing how to maintain complex passwords on a post it while keeping it secure. the basic process is this: if your password is jdsjf938Hh, you write it on a post-it jdAsjfA938Hh and keep it in your brain that whenever you have a capital A, you don’t type it. works great.

8 07 2008
Louise

You bring up excellent points about how people don’t know how to deal with passwords anymore.

I work for http://www.passpack.com, which is an online password manager and we are always trying to inform people of all the exact points in your post – post-its, password reuse, password fatigue.

There is a solution – keeping your passwords safe in an application that is designed to do just that.

Preserving our privacy on the web is vital in a Web 2.0 world. The internet is only as safe as we make it, so let’s make it safe.

Louise

8 07 2008
Norman

And, yet, many people still worry about putting all of their password information (no matter how skimpy it is) up in the cloud. What your company has to worry about, encrypted or not, is the perception of a large percentage of net users (not unjustifiably) that hackers are really smart and that the only reason why they haven’t attacked any one given technology or site is if that site is too small to be worth the investment.

What people think is that if your company, god willing, gets big enough to attract serious notice and have millions of users, is that it will become a bigger target for hacking. And then all of that information that they’ve entrusted you with will fall into someone else’s hands.

I believe that these fears are, though overblown, with some basis in reality. But even if it were completely baseless, it would still be important to have a suite of solutions, not just one sitting up there in the cloud.
