Any of you who have worked in a cubicle-style environment will have noticed one of the biggest ironies of the Information Age. You walk around the office, checking out people’s computer monitors and nearly every single one has Post-It notes stuck to their edges. And, if you looked closely (I’m not advising you to do this, I’m just saying…), you’ll notice that a very high percentage of monitors have, on at least one Post-It, a sign-in password.
That’s right. Most people have the keys to unlock their computer, sitting right there on their computer. That’s like leaving your front door key inserted into the lock in your front door all of the time.
For those of us who don’t want to do that, we do something almost equally moronic — we attempt to use the same exact password for all of the sites that require a password. And that password is usually something like the name of your child, or your spouse’s birthday, or something else equally guess-able.
The reason why we do this is obvious — there are way too many sites that require passwords for us to remember them all. Many sites have arcane restrictions on them (“Must be 8 characters long, contain at least one number and one ampersand.”) and require you to change them every few months.
With the rise of identity theft, this isn’t a bad idea. But the plain truth is that most sites require passwords for monetary reasons, not security ones — in order to continue producing the site, most companies need to monetize it. And that means collecting data on you. The only way to do that effectively is to register people, so that they can track what you’re doing on the site. Then they can either sell something to you, or sell your eyeballs to an advertiser (well, not literally your eyeballs, but at least the information about what those eyeballs are looking at).
This leads us to the Information Overload Password Conundrum (or IOPC, a term I just made up).
People, who are generally unable to retain a variety of complex passwords, will do their best to make their passwords less complex and less varied.
This is a problem for institutions who really need to keep your data private — like banks, medical facilities, research institutions, etc.
There are two initiatives that have been brewing to help to make this entire process both more secure and less intimidating for users.
The New York Times, on June 24, published an article on an organization which is developing something called the Online Information Card. Companies like Microsoft, Google, Equifax, Novell, Oracle, and PayPal are trying to come up with an online version of a driver’s license ID card.
The idea is to bring the concept of an identity card, like a driver’s license, to the online world. Rather than logging on to sites with user IDs and passwords, people will gain access to sites using a secure digital identity that is overseen by a third party. The user controls the information in a secure place and transmits only the data that is necessary to access a Web site.
There are a host of problems with this, of course, most notably the fact that the consortium will have to convince millions of web sites to trust the company behind the initiative — the mentioned “third party” — with the data that the sites’ users have entrusted to them. Personally, I don’t know how I feel about that. Is there a difference between a government Big Brother and a private industry one? We regularly hand over large amounts of our personal data to companies right now. About the only thing that keeps them from abusing that data too much is that it is fragmented between many companies.
Still, it’s a laudable start toward solving our IOPC.
Another, more interesting one, came up in today’s “Bits” column in the New York Times. Called “More Personal Password Questions,” the piece talks about a new initiative at the Palo Alto Research Center (which, as Xerox PARC, developed the icon-based user interface used on nearly all personal computers today) called “Blue Moon Authentication.”
Named under the erroneous assumption that you only forget your password “once in a blue moon,” this technology is used to provide reliable, but difficult to crack, “fallback questions.” These are the questions that you need to answer when you’ve forgotten your password and need to either reset it, or have the website send you an email with that information. You choose from a list of questions: what was your first pet’s name?, where were you born?, what is your mother’s maiden name?, etc.
The problem is that these are very hackable, especially for someone who can automate the responses (the Times even publishes a list of common pet names). PARC’s idea is:
While registering for a site, users are asked to select from a long list things they like and dislike (punk music, golf, southern food, for example). If they forget their password, they return to the site and are presented with the list of items they selected. Then they have to specify whether they like or dislike those things – a quick personality test. Forget about plumbing the depths of your brain; just be yourself. “It turns out very few people have a hard time remembering who they are,” [Markus Jakobsson, principal scientist at PARC] said.
The piece says that, in a study, the chance of someone not being able to remember the answers to those questions was near zero. No one knows, of course, what happens if you choose to dislike chocolate after liking it for many years. People change, though not as often as most sites require us to change our passwords.
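To make the like/dislike scheme concrete, here is an added example (my own sketch, not PARC’s code; the item list, the error tolerance and the storage format are assumptions): it enrolls a preference profile, verifies a recovery attempt while tolerating a few answers that changed since enrollment (the chocolate case above), and computes how often a guesser who has never met the user would be let in, for a blind 50/50 guess or for someone answering with population-majority preferences.

```python
import math
from typing import Dict, List

# Constructed preference list; PARC's actual item list is not on the page.
ITEMS = ["punk music", "golf", "southern food", "chocolate", "hiking", "opera",
         "spicy food", "cats", "horror films", "early mornings", "jazz", "camping"]

def enroll(prefs: Dict[str, bool]) -> Dict[str, bool]:
    """Record the user's like (True) / dislike (False) for each chosen item.
    Each answer has only two possible values, so hashing it would not hide it;
    the stored profile has to be protected like any other secret."""
    unknown = set(prefs) - set(ITEMS)
    if unknown:
        raise ValueError(f"items not in list: {sorted(unknown)}")
    return dict(prefs)

def verify(profile: Dict[str, bool], answers: Dict[str, bool], max_errors: int) -> bool:
    """Accept when the answers disagree with the enrolled profile on at most
    max_errors items, so a preference that changed since enrollment is tolerated."""
    if set(answers) != set(profile):
        return False  # every enrolled item must be answered, no partial replies
    mismatches = sum(1 for item, liked in profile.items() if answers[item] != liked)
    return mismatches <= max_errors

def guess_success(correct_probs: List[float], max_errors: int) -> float:
    """Probability that a guesser who gets item i right with probability
    correct_probs[i] (independently) makes at most max_errors mistakes overall.
    Use 0.5 per item for a blind guess; use the majority rate for an item most
    people answer the same way (the "everyone likes chocolate" problem)."""
    dist = [1.0]  # dist[k] = probability of exactly k mistakes so far
    for q in correct_probs:
        nxt = [0.0] * (len(dist) + 1)
        for k, pk in enumerate(dist):
            nxt[k] += pk * q          # item answered correctly
            nxt[k + 1] += pk * (1 - q)  # item answered wrongly
        dist = nxt
    return sum(dist[: max_errors + 1])

if __name__ == "__main__":
    profile = enroll({item: i % 2 == 0 for i, item in enumerate(ITEMS)})
    recovery = dict(profile)
    recovery["chocolate"] = not recovery["chocolate"]  # one preference changed
    print(verify(profile, recovery, 0), verify(profile, recovery, 1))
    print(f"blind guess, 12 items, 2 errors tolerated: {guess_success([0.5] * 12, 2):.4f}")
    print(f"majority-rate guess (90% per item): {guess_success([0.9] * 12, 2):.4f}")
```

Every extra tolerated error widens the acceptance region, so the tolerance that absorbs a changed chocolate preference also raises the guesser’s odds; the number of items and the skew of each item’s answers across the population decide whether the scheme stays “difficult to crack.”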
Still, it is a step to solving our password problems, something that has been discussed for years. Now that we do much of our purchasing, banking, and investing online, it’s time to do something about it.