How many different passwords do you have? Add up all the ones on your work computer, your bank account, 401(k), personal email account, amazon, google, ebay, twitter, facebook, linkedin, wikipedia, professional organizations, other shopping sites… The list goes on and on.
Each password has to be strong enough to protect the information behind it. Of course, knowing that we are all basically lazy (and that they will be held responsible if the account is hacked), the companies hosting these services require “strong” passwords – numbers, punctuation, no duplication, etc. And without universal standards, we end up with a hodge-podge of passwords that are impossible to keep straight.
One answer is a “password management” program, often built right into your web browser. These programs remember your logins and passwords for you and automatically fill them in as soon as you go to the page. There are several problems with them, though.
- When your computer gets stolen, you lose all your passwords.
- If the password manager gets hacked, you again lose everything all at once.
- The passwords are only available while you’re working on that one computer. You’re out of luck if you need to check your account from your mother-in-law’s.
- And, of course, these don’t do anything for the passwords you need to track that aren’t associated with web pages.
A perhaps-better answer is a single-signon service. In this model, you create one account with a widely accepted and trusted service who then authenticates you to the merchants. The Open ID Foundation is probably the best known, accepted by about 9 million websites including Google and Yahoo. This still leaves all your eggs in one basket but at least the basket is not in your easily-stealable laptop. On the other hand, if any one of those 9 million websites gets hacked, the thief might then be able to forge your credentials on the other sites. I’d trust their service for accounts I don’t care much about (google, email, shopping sites, etc) but not yet for my bank account.
Several academics are experimenting with using your cell phone as your password manager. It’s an interesting idea since we are so very attached to them. But we also lose them at an incredible rate. And if you think you get resistence about your computer passwords, try requiring a strong password on a phone.
Biometrics? There are some interesting new ideas about facial recognition using the builtin webcam of many modern laptops and others that track things like your typing patterns. None are ready for prime time yet.
All told, I think we’re still in a bad place. Passwords are the least unworkable answer we have today. Try to pick strong passwords, use a pattern that lets you modify a core password according to the site you’re visiting, change the important ones regularly and never, never, never share your password. If you must write them down, keep them in a dedicated and highly secure application like the old Blackberry password vault.