Password Pandemonium

At last count, for work, I have over 30 passwords.  I know I’m not the only person to think that password protocols are out of control.  I have over 30 unique passwords, not because I’m a freak about security, but because each site has its own password protocol.

  • Must be 8 characters or longer
  • Must contain a special character
  • Must have one upper case and one lower case
  • Must have at least one number or one letter
  • Must be a sentence describing something cryptic that is a reflection of your inner child in 20 characters or less.
  • Must be in the WingDings font copied and pasted from Word 97 and accessed on the night of a harvest moon.

Then you have sites that require you to frequently change your password, every 30 days, every 90 days, every year.  These are usually the ones that require you to never use the same password twice and that new passwords cannot contain any part of an old password, so you are left with 30 plus unique passwords that you couldn’t possibly remember if you tried.

Number one rule about password security:  don’t write down your passwords.  But it’s okay to use a password-protected password app, as long as you can remember that password and sync up all the changing passwords to the program.  So true confessions, I have some passwords written down, but there is a Captain Crunch decoder ring that is required to decipher the abstruse legend of my written password log.  This is about as secure as I can make it.  If the hackers can figure it out, we are all screwed.

Is there a better solution than the draconian practices of password protocol for online security?

Biometrics.  Facial recognition and fingerprints are some of the developing protections for online security.  Facial recognition is only as good as the camera doing the recognizing, as I have seen family members with similar facial features gain access to a smartphone.  Fingerprints seem the safest personalized protection we can get, but hackers have already developed methods of skirting this issue.

Pass Phrase.  The newest iteration of password security seems to be the passphrase.  A short sentence can more easily incorporate most of the above requirements and is harder for a decryption program to hack.  “The significant owl hoots in the night!1” is supposed to be a harder phrase to crack than “EyeH8p@s$w0rd5!”  Don’t ask me.  I am not a computer expert or hacker by any stretch of the imagination.
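To put some numbers behind the passphrase claim, here is a small added example (my own code, not part of the original post) that scores the two strings above under two simple attacker models and also checks them against the bulleted policy (length, special character, upper and lower case, digit). Both models are assumptions: the brute-force model assumes a 95-character printable ASCII pool, and the dictionary model assumes an attacker guessing from a 20,000-word vocabulary.

```python
import math
import string

# Constructed sample secrets: the two strings compared in the post.
PASSPHRASE = "The significant owl hoots in the night!1"
LEET_PASSWORD = "EyeH8p@s$w0rd5!"

# Character classes and the pool size each one adds to a brute-force search.
# Assumption: printable ASCII, so 26 + 26 + 10 + 33 (punctuation plus space) = 95.
CLASS_POOLS = {
    "upper": (set(string.ascii_uppercase), 26),
    "lower": (set(string.ascii_lowercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}


def character_classes(secret):
    """Return the names of the character classes that appear in secret."""
    return {
        name
        for name, (chars, _) in CLASS_POOLS.items()
        if any(c in chars for c in secret)
    }


def meets_policy(secret, min_length=8):
    """Check the common policy from the post: minimum length, a special
    character, at least one upper and one lower case letter, and a digit."""
    classes = character_classes(secret)
    return len(secret) >= min_length and {"upper", "lower", "digit", "symbol"} <= classes


def brute_force_bits(secret):
    """Search space in bits for an attacker who knows the length and which
    classes are used and tries every combination (the classic model)."""
    pool = sum(CLASS_POOLS[name][1] for name in character_classes(secret))
    return len(secret) * math.log2(pool)


def dictionary_bits(word_count, extra_chars=0, dictionary_size=20000):
    """Search space in bits for an attacker who knows the secret is word_count
    dictionary words plus extra_chars digits/symbols (10 + 33 choices each).
    dictionary_size is an assumed vocabulary, not a measured one."""
    return word_count * math.log2(dictionary_size) + extra_chars * math.log2(43)


def compare(secret):
    """Summarise one secret under both models plus the policy check."""
    words = secret.split()
    extra = sum(1 for c in secret if not c.isalpha() and not c.isspace())
    return {
        "length": len(secret),
        "meets_policy": meets_policy(secret),
        "brute_force_bits": round(brute_force_bits(secret), 1),
        # The dictionary model only applies when the secret is made of words.
        "dictionary_bits": round(dictionary_bits(len(words), extra), 1) if len(words) > 1 else None,
    }


if __name__ == "__main__":
    for s in (PASSPHRASE, LEET_PASSWORD):
        print(repr(s), compare(s))
```

Run as a script it reports roughly 263 bits versus 99 bits under the brute-force model, which is where the "harder to crack" claim comes from; but an attacker who knows the secret is seven words plus two extra characters faces closer to 111 bits, so the passphrase's advantage rests on its length and word count, not on the symbols alone. Both strings pass the bulleted policy, which is a reminder that the policy measures composition, not guessability.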

Don’t ask me how many personal passwords I have, because none of them are written down, unless I managed to remember to write them on a statement and file them in a filing cabinet.  The problem is that many sites I may only have a use for once a year or several times a year, and I have to think back to my state of mind at the creation of the password.  I have three or four that I can easily remember, but if anything is different, like a capital letter or a special character, I am screwed and locked into the “Forgot Password” loop.

The worst loop I got lost in was with a state revenue entity that was requiring additional security.  They sent me a time-sensitive confirmation code that didn’t make its way out through my email filter until after the time had expired.  The worst is having to spend a half hour of your day on the phone to change a password, or confirm identity, when online access is supposed to be more convenient.

That’s the heart of the issue for me, convenience vs. security.  If a client has never had fraud occur or identity theft, they can only see the inconvenience because of your conservative security measures.  Conversely, someone who has dealt with ID theft or fraud will blame the security measures in place for not being strong enough.