Friday, April 15, 2011

Passwords obsolete? It's about time

The Chicago Tribune Breaking Business site reports a Reuters story this afternoon about passwords: The Obama administration, it seems, is against them.

Finally, some good news out of Washington.

Maybe.

See, the administration wants the private sector "to develop methods that consumers can use instead of passwords to identify themselves online," which sounds pretty good until one reads further that "the Commerce Department is also keenly aware that any attempt by the federal government to create a national identity card would be extremely controversial."

To say the least.

However, standardization of password structure might be very helpful. The problem is not that people can't handle complex or unique passwords; the problem is that most people can't handle 87 of them.

Soulless Megabank wants a password of not less than seven nor more than 11 characters, two of which must be numbers, one of which must be a punctuation mark.

2Big2Fail.com requires no more than eight characters, three of which must be numbers. And don't even think of using a punctuation mark.

On the other hand, Master-Visa-Express insists on a password that has no z's or x's, except on Tuesdays, or during a full moon when the password must be changed to only p's and v's.
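The first two rule sets above are not just annoying, they are mutually exclusive: one site demands a punctuation mark, the other forbids one, so no single password can be reused across both. The following is an added example (not part of the original post) that encodes the two stated policies as data and checks candidate passwords against them; the site names come from the post, the candidate passwords are constructed, the Master-Visa-Express rule is satire and is left out, and 2Big2Fail.com's missing minimum length is assumed to be 1.

```python
from __future__ import annotations

import string
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One site's password composition rule, as the post states it."""
    name: str
    min_len: int
    max_len: int
    min_digits: int = 0
    # True = at least one punctuation mark required, False = forbidden, None = no rule
    punct: Optional[bool] = None

    def violations(self, pw: str) -> list[str]:
        """Return the list of rules `pw` breaks; an empty list means accepted."""
        out: list[str] = []
        if not (self.min_len <= len(pw) <= self.max_len):
            out.append(f"length {len(pw)} not in {self.min_len}..{self.max_len}")
        digits = sum(c.isdigit() for c in pw)
        if digits < self.min_digits:
            out.append(f"needs {self.min_digits} digits, has {digits}")
        has_punct = any(c in string.punctuation for c in pw)
        if self.punct is True and not has_punct:
            out.append("needs a punctuation mark")
        if self.punct is False and has_punct:
            out.append("punctuation not allowed")
        return out


# Rule sets quoted from the post. Minimum length for 2Big2Fail.com is not stated; 1 is assumed.
MEGABANK = Policy("Soulless Megabank", 7, 11, min_digits=2, punct=True)
TOO_BIG = Policy("2Big2Fail.com", 1, 8, min_digits=3, punct=False)
POLICIES = (MEGABANK, TOO_BIG)


def sites_accepting(pw: str) -> dict[str, list[str]]:
    """Map each site name to the violations for `pw` (empty list = accepted there)."""
    return {p.name: p.violations(pw) for p in POLICIES}


def policies_compatible(a: Policy, b: Policy) -> bool:
    """Can any string satisfy both policies at once?

    Checks the static constraints: the length windows must overlap, the required
    characters (digits plus a punctuation mark if either demands one) must fit in
    the shared window, and one site must not forbid what the other requires.
    """
    lo, hi = max(a.min_len, b.min_len), min(a.max_len, b.max_len)
    if lo > hi:
        return False
    needs_punct = a.punct is True or b.punct is True
    if max(a.min_digits, b.min_digits) + (1 if needs_punct else 0) > hi:
        return False
    if {a.punct, b.punct} == {True, False}:
        return False
    return True


if __name__ == "__main__":
    # Constructed candidates: one tailored to each site.
    for pw in ("Tr1bun3!x", "Tr1b2n3x"):
        print(pw, sites_accepting(pw))
    print("one password for both sites possible:", policies_compatible(MEGABANK, TOO_BIG))
```

Running it shows each candidate passing exactly one site and `policies_compatible` returning `False` for the pair, which is the post's complaint in executable form: the customer is forced into a second password not by any security need but by contradictory composition rules.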

Every one of these sites also requires the customer to provide a "user name." The customer often finds that the same user name will not work on every site. The user name might be the customer's last name... but some sites won't accept that. At least one initial, at least one number, or at least one character which is neither a letter nor a number must sometimes be added. The customer now has two things to remember for each site.

More and more of us are paying bills online. Every vendor wants a password and every one has unique requirements. The security gurus tell us this is supposed to protect our security -- but with so many different passwords necessitated by so many different rules on each website, only a genius or savant can avoid writing these all down somewhere.

And the one thing we're never supposed to do with passwords is write 'em down.

And then there are the challenge questions. Many sites require customers to answer questions in advance in case they have trouble remembering the user name or password. Or in case the customer tries to sign in from a machine on which the site hasn't planted a cookie. And even when the customer is using a familiar machine and has remembered the user name and password, these questions may be asked anyway, just because. Now, if these were objective, factual questions (Where were you born? What was the name of your high school?) the challenge questions might be reasonable. But... what is your favorite color? How the heck do I know? Today it might be green. Tomorrow, blue. How will I remember, six months from now, how I answered that question today? And some sites have even more esoteric, speculative questions. What is your least favorite vegetable? What is your neighbor's favorite pasta? What is the air-speed velocity of an unladen swallow?

Some sites don't bother with challenge questions. These give you a limited number of chances to guess your user name and password combination and, when you exhaust these chances -- typically, three strikes and you're out -- the site assumes you must be an identity thief. The site then goes on total lockdown.

This is fine if someone really is trying to steal your identity. It is not particularly helpful if the bill must be paid by 4:00pm and it is already 3:57.

A standard password format might solve everything. As a nod to the paranoid, we could make the standard password 15 to 20 characters long. If the security gurus think that 15 to 20 characters is not enough, we could make it 25 or even 30. We could require that three characters be numbers or that two be neither letters nor numbers. At least it would be only one password. I'm sure I could remember that.

Probably.
