I know a guy, I won’t tell you his name, but for the last ten years, his username for everything has been his first name and his password has been his last name. If he’s at a site where he’s asked for a “strong” password he starts typing numbers and symbols from the top row of the keyboard. In other words, if they say his password can’t be “Smith” then he makes it “Smith1!2@,” adding numbers and symbols until the web site is satisfied.
What scares me is that he has a Yahoo account and my email address is in there somewhere.
But then again, my friend isn’t really the problem; he’s a symptom of the real problem. The real problem is that the very idea of passwords is broken. Here are the options we have today:
Use a weak password, or use the same password for everything. People have lives and don’t have the time, ability or inclination to remember 100 different strong usernames and passwords.
Create a spreadsheet that has all the usernames and passwords you use in it. Great, until someone gets that spreadsheet and cracks its password. Even better, you can print out a list of passwords and keep them by the computer. That always works (not).
Create a different password for everything and don’t even try to remember it. Just use “forgot my password” all the time. This is actually one of the most secure methods, but it’s a major pain.
Use a password manager, either built into the browser or something like LastPass, to store all your passwords in the cloud. This is like the spreadsheet method but now you’re depending on someone else to keep your passwords secure.
Use passwords that seem strong but aren’t. I know someone who changes all his passwords every three months but just changes the last number to the month he changed them. If his old password was “Monkey4” and he changes it in October, he changes it to “Monkey10.” Even worse is the lady I know who changes her password to something like “November2016” every few months.
Use biometrics or something like that. This is great until you get robbed at gunpoint, forced to give up your phone and they cut off your thumb too.
See, there is no real solution. Every solution is bad in its own way, and that’s the problem. Obviously some choices, like using your own name as a password, are really, really bad. But that’s not to say that any solution is “good.” The real problem is that we are constantly being asked to confirm who we are, to hundreds and thousands of different entities, and each one takes a sliver of our personal information. Put together, these little bits of information make up everything about ourselves and form the keys to our own destruction. If our passwords are stolen, we lose our wealth, our reputation, possibly even our friends.
I don’t pretend to know the answer, but at the very least I think we all have to agree that this is a big problem, and hopefully some very big minds are thinking about it. Every day, we read about another security breach or find that our friends’ Facebook profiles have been hacked. It’s not only getting more common, it’s getting more dangerous. If you haven’t had your identity stolen yet, some day it will be, at least in some minor way. And simply cutting yourself off from computers isn’t a choice, not today and certainly not in the future.