Wednesday, August 13, 2008

The Password Paradox

In our newfangled, hi-tech world it seems like we have to have passwords and usernames to do anything. Most websites will allow just about any username as long as nobody else has it. My favorite sites are the ones that just let you use your primary email as your username. Most sites are pretty open on passwords too. I don't think I've ever had a website tell me I couldn't use a certain password. Add on top of that the fact that most browsers will store your passwords for you and it really makes surfing rather seamless in spite of having a couple hundred different logins and passwords.
Now let's go to work. I start my day off by signing in with a username and password. My username is a randomly generated series of letters that was hard for me to remember at first. My password has to be in a very specific format. It must have a certain order of letters, numbers and special characters. Then on an average day I may access 15 different systems that each take a login and password. IT has disabled the password keeper function on the browsers so that allowing the browser to auto-populate it is not an option. So, I have to remember all 15 different logins and passwords. Now the format requirements are different for each system. Some require a certain length; others don't. Some require letters, numbers and specials; others don't. Some even have a certain order, like so many alphas followed by so many numbers, etc.
As if having to remember all of these usernames and passwords wasn't enough, the passwords expire. Some expire every month, some every 8 weeks and some expire whenever IT decides to make them expire even if you've just reset it two days ago. When they expire, the good systems will let you log on one last time and send you to a reset password screen. Others will just expire and you have to call tech support to reset them. Tech support got tired of handling all of these calls so they created a password reset website. Guess what? You got it, it requires a password. And then once you log on it still doesn't allow you to change the passwords for some of the systems.
Last year my company was purchased by another big ol' company. We had to start learning about all of the new systems that they were using. We were bracing for the fact that we'd have to learn all new systems at the same time we were still waiting for them to phase out the others. We were prepared for our passwords and logins to double. But that's not what happened. You see, the new company had previously acquired another large company out west. And in the process it had already adopted all of its systems and hadn't yet completed phasing out the redundant ones. So when they acquired our company, rather than doubling the number of logins, it has almost tripled.
The complexity has also gotten really bizarre. One password requires a very specific combination of capital letters, lowercase, specials, and numbers. It has to be a certain length and the first and last digits must be capitals. This is also the one that requires you to change it the most frequently. So as soon as I get this weird sequence memorized I have to pick something else.
At last count I have 32 different codes that I use pretty much every day in order to do my job. Here is the paradox. The only way I can remember them all is to write them down. I find it incredibly ironic that all of these steps to make the passwords safe may actually make the systems more vulnerable. It doesn't matter how bulletproof the systems are anymore. All you have to do is figure out where they're written down and "voilà" you can log onto the school computer and change Ally Sheedy's chemistry grade. We've made all these systems impervious to hi-tech snooping around, but made them much more vulnerable to low-tech snooping. It seems to me that it'd make a lot more sense to make the systems just a little simpler so that we didn't have to write them down.
Incidentally, if anybody were to ever find where I wrote down all of my passwords you wouldn't be able to read it. You see, it's protected by a password.


  1. I feel like I can relate in 1/32 of a way. I just need to do 1 username and password to leave a comment.
    So, are human brains going to become more complex to remember these types of things, or will we just give up and toss the computers out the window?

  2. I've seen several articles recently about the need to move beyond passwords for security. Here's one example from the New York Times

    One solution that has been developed is using a digital media file like an image or mp3 as your encryption key.

    I definitely think passwords, by themselves, as a security measure won't be around for too much longer.

  3. Canisunis, 4:24 PM

    You need one of these


  4. I was going to leave a comment, but I couldn't figure out all the "wiggly letters" in the password (LOL)...

  5. I just got my new laptop for work and they have changed from passwords to a USB key. The key has to be in to work the system, and upon boot the key authenticates the user by a fingerprint scan. Now if it would only keep ALL my other passwords on the thumbdrive....