Anyone with an active Web life has a lot of online accounts. I have over 100! Most are trivial, but some involve credit-card information, and a few are critical in my life. Keeping track of them has gradually become an issue, and the potential damage of getting hacked grows. For the new year, when I log in to an online account, I am strengthening my passwords. I want to follow a system that I can remember without having to write anything down. But I think it’s impossible, because the people who create sites operate independently and because software is anti-humanistic, at least in the view of this human writer. I will explain, while attempting not to reveal my secrets.
First, even in this age of Wi-Fi sniffers and ATM skimmers, people remain the weak link in computer security. Last year Imperva published a list of the most common passwords used from among millions hacked on a single website. The top twenty password strings included the name of that website, something an idiot would use on his luggage, the name of one of my sons, and one of the words in this sentence. Previous studies in other contexts have yielded about the same list, so it’s a problem of long standing. (I am not using any password on this list.)
OK, so yea verily, I am weak, nag, nag, nag. What’s a fellow to do? You can buy a software solution. A password management program generates a distinct, suitably inhuman password for every account and unlocks them all with a single, hopefully memorable master password. This is the Mark Twain approach to security: Put all your eggs in one basket—and watch that basket! (Today’s treasure chest contains a single piece of paper.) That helps, but can I use it at work, at home, and at the mall? No? Then I need more.
Longer passwords are generally better, so one approach is to use a passphrase instead of a password. A passphrase can be both long and easy to remember; for example, “rock, paper, scissors” is easy to remember, and its length alone puts it well beyond brute-force guessing of every possible string, although a phrase that familiar is also the kind of thing a cracker’s list of common phrases will contain. (That is not my password.)
The password is strong, but people are weak. Software to the rescue again? The product I document requires user IDs and passwords, and an administrator can define password strength rules that require users to select passwords of a minimum length containing lowercase letters, uppercase letters, numbers, special characters, or any combination thereof. A system administrator can, for example, require users to choose a password at least eight characters long and containing at least one uppercase letter, one lowercase letter, and one number. Stricter rules can set an expiration period, forbid reuse of previous passwords, and even reject words found in a dictionary. Many, if not most, websites now configure password strength rules.
With enough rules, can passwords be made secure? No such luck. With so many accounts, I am tempted to devise a passphrase that will work for all of them; perhaps something like “My 3 tools are rock, paper, and scissors.” (That fits the rule example above, but it is also not my password, and Twain notwithstanding, having one password for all accounts is a bad idea anyway.) But because the rules are configurable, each site’s security administrator configures them independently, so the rules differ everywhere you go. Even if there could be one universal recommended set of password rules, security administrators wouldn’t accept it, just to be, you know, secure. I despair of finding a universal password. And even if I did, some administrator will make it expire in 90 days and not allow me to reuse it.
The second problem is antihumanism in rules. After all that effort to force people to use different characters in passwords, quite a few software systems actually restrict the characters they accept. “Rock, paper, scissors, 3!” is rejected at multiple real websites, used by millions of people, that refuse punctuation characters. (OK, this isn’t my password, but I discovered the problem the hard way.) The same goes for visual thinkers: “__^.^__/” is easy to remember if you think that way, but it too contains forbidden special characters. (And no, this is not my password, though I’d be proud of it if it were.) Never mind UTF-8—I’m talking about ASCII characters here. My limited research suggests this is not a bug, because different systems restrict different ASCII characters.
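The two problems above, rules that differ from site to site and rules that demand a special character and then refuse the punctuation people actually use, are easy to see in code. The checker below is an added illustration written for this page; it is not the product’s own code, and the site names, the wordlist and the forbidden-character list are constructed. It implements the rules described earlier (minimum length, character classes, dictionary words, reuse of previous passwords) and then runs the same passphrases through a policy that accepts any printable ASCII character and one that forbids common punctuation.

```python
"""Password-policy checker: an added illustration for this post, not the
product's own code. Site names, the wordlist and the forbidden-character
list below are constructed examples."""
import hashlib
import string
from dataclasses import dataclass, field

# Character classes as an administrator would define them.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation) | {" "},
}


@dataclass
class Policy:
    min_length: int = 8
    required_classes: frozenset = frozenset({"lowercase", "uppercase", "digit"})
    forbidden_chars: str = ""          # the arbitrary knob the post complains about
    dictionary: frozenset = frozenset()
    history: list = field(default_factory=list)   # fingerprints of earlier passwords

    @staticmethod
    def fingerprint(password: str) -> str:
        # Illustrative only: a real reuse check compares against salted,
        # slow password hashes, never bare SHA-256.
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def violations(self, password: str) -> list:
        """Return the rules the password breaks; an empty list means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        present = {name for name, chars in CLASSES.items()
                   if any(c in chars for c in password)}
        for name in sorted(self.required_classes - present):
            problems.append(f"needs at least one {name} character")
        # Control characters are the only thing a sane policy refuses outright.
        if any(not c.isprintable() for c in password):
            problems.append("contains a control character")
        rejected = sorted({c for c in password if c in self.forbidden_chars})
        if rejected:
            problems.append("contains forbidden characters: " + "".join(rejected))
        # Dictionary rule: the letters alone, ignoring case, digits and
        # punctuation, spell a single dictionary word (e.g. "Password1").
        letters = "".join(c for c in password.lower() if c.isalpha())
        if letters in self.dictionary:
            problems.append("is a dictionary word")
        if self.fingerprint(password) in self.history:
            problems.append("reuses a previous password")
        return problems


# Constructed wordlist standing in for a real dictionary.
WORDLIST = frozenset({"password", "letmein", "dragon", "monkey",
                      "rock", "paper", "scissors"})

# Constructed policies for two imaginary sites.
SITES = {
    # Accepts every printable ASCII character.
    "sane.example": Policy(dictionary=WORDLIST),
    # Demands a special character, then rejects most of the punctuation
    # a writer would naturally use.
    "hostile.example": Policy(
        required_classes=frozenset({"lowercase", "uppercase", "digit", "special"}),
        forbidden_chars=",;!'\"^<>&|",
        dictionary=WORDLIST,
    ),
}


def check_everywhere(password: str, sites: dict = SITES) -> dict:
    """Run one candidate password through every site's rules."""
    return {site: policy.violations(password) for site, policy in sites.items()}


if __name__ == "__main__":
    for candidate in ["Rock, paper, scissors, 3!", "__^.^__/",
                      "Password1", "rock, paper, scissors"]:
        print(repr(candidate))
        for site, problems in check_everywhere(candidate).items():
            print(f"  {site}: {problems or 'accepted'}")
```

Running it shows the post’s complaint directly: “Rock, paper, scissors, 3!” satisfies every class rule at both sites and is accepted by the first, yet the second throws it out for the comma and the exclamation point it required a special character to contain.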
If this is a feature, it baffles me. It’s arbitrary and it’s antihumanistic. The security geeks want complex passwords, but we think and remember like human beings, so we forget and in the end write them down. I see no reason, even a software reason, to forbid common characters that add complexity just as any others do and also make passwords easier to remember. A password should be hashed the moment it arrives and never be pasted into a query, a shell command, or a page, so there is nothing for a comma or an exclamation point to break. As a writer, if I want to remember a natural passphrase, I want to punctuate it naturally. There’s a win-win solution here, people. Can’t we all get along?