

I entered 37 passwords today

Then I lost track. I had started the day with the intention of counting every time I logged in to my computer, a shared system or a Web site. (Information security policy at work requires that I lock my screen every time I step away from my desk, so every return to the desk costs another login.)

It didn’t feel like an excessive password day. Some days are much worse.

If you’re anything like me, you have hundreds of passwords and you store more and more information online every day. And unfortunately, passwords are not always secure.

  • Passwords that are easy to remember are often weak. (Back in 2006, 1 percent of MySpace users had the word “password” as, or as part of, their password. I don’t have more recent data, but I imagine that’s still fairly representative of passwords in general.)
  • Strong passwords tend to be harder to remember. Often, people write them down, tape them to the bottom of keyboards, put sticky notes next to their monitors, hide notes in drawers, and so on. Not secure.
  • If you use many systems, chances are good that each one will have different password requirements, i.e., length, capitalization, punctuation, special characters. Sometimes remembering the password rules for a system can be as hard as remembering the password itself. (And according to one information security consultant, restrictive password schemes actually reduce the number of possible passwords: every string that lacks a required character class is ruled out, so an attacker who knows the rules can skip those strings entirely.)
  • Often, organizations with “strong” information security policies make you change your password frequently and prevent password recycling, but that makes it even harder to remember your password. When you have to remember long, arcane, frequently-changing passwords, what do you do? You write them down. (See #2.)
  • Finally, chances are you have different user names across various sites, too. It’s hard enough to remember your password, but if you can’t even remember your user name….
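A worked illustration of the third point above, added here and not part of the original post. It counts, by inclusion-exclusion, how many strings of a given length survive a "must contain at least one lowercase, uppercase, digit and special character" rule, and expresses the difference as bits an attacker no longer has to search. The 94-symbol alphabet and the class sizes are assumptions of the example; the toy alphabet used for the brute-force cross-check is constructed.

```python
from itertools import product
from math import log2

# Assumed character-class sizes for printable US-ASCII (94 symbols).
# These are an assumption of this example, not figures from the post.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def count_passwords(length, required, class_sizes=CLASS_SIZES):
    """Count strings of `length` over the full alphabet that contain at
    least one character from every class named in `required`.

    Inclusion-exclusion: start from all strings, subtract those missing
    one required class, add back those missing two, and so on.
    """
    required = list(required)
    alphabet = sum(class_sizes.values())
    total = 0
    for mask in range(1 << len(required)):
        missing = [c for i, c in enumerate(required) if mask >> i & 1]
        remaining = alphabet - sum(class_sizes[c] for c in missing)
        total += (-1) ** len(missing) * remaining ** length
    return total


def entropy_loss_bits(length, required, class_sizes=CLASS_SIZES):
    """Bits of keyspace an attacker need not search once the composition
    rule tells them which strings cannot be valid passwords."""
    alphabet = sum(class_sizes.values())
    return length * log2(alphabet) - log2(count_passwords(length, required, class_sizes))


def brute_force_count(length, required, class_chars):
    """Reference implementation over a tiny alphabet: enumerate every
    string and keep those satisfying the rule. Used to check the formula."""
    alphabet = "".join(class_chars.values())
    hits = 0
    for chars in product(alphabet, repeat=length):
        if all(any(ch in class_chars[c] for ch in chars) for c in required):
            hits += 1
    return hits


if __name__ == "__main__":
    # Constructed toy alphabet: cross-check the formula against enumeration.
    toy_chars = {"lower": "ab", "upper": "AB", "digit": "1"}
    toy_sizes = {k: len(v) for k, v in toy_chars.items()}
    assert brute_force_count(3, ("upper", "digit"), toy_chars) == \
        count_passwords(3, ("upper", "digit"), toy_sizes)

    rule = ("lower", "upper", "digit", "special")
    print("length     unrestricted        with rule   lost bits")
    for n in range(8, 13):
        free = count_passwords(n, ())
        ruled = count_passwords(n, rule)
        print(f"{n:>6}  {free:>15.3e}  {ruled:>15.3e}  {entropy_loss_bits(n, rule):>10.2f}")
```

At length 8 the four-class rule excludes a little over half of the 94^8 strings, roughly one bit of keyspace. The loss is small in absolute terms, but the direction is the point: a composition rule never adds candidates, it only removes them, and an attacker who knows the rule gets that pruning for free.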

So it’s hard to create and maintain good passwords across multiple systems. Theoretically, that’s what OpenID was created to address: a single sign-on with a single password that you can use to access multiple systems. Great idea.

The problem is, it’s too complicated for mere mortals to use. Let’s hope that changes.

UPDATE: The day after I posted this, Ben Laurie, who has forgotten more about security than I’ve ever known, posted about a similar issue on his blog. It’s worth a read.

Posted in identity.


