Every now and then I get a message I dread, telling me that my password has expired and that I need to set a new one.
Why do I dread it? Let me think. I have no problem with the majority of my web accounts and signups and subscriptions. For the most part, I set my password once for each of those and, once I’ve done that, I never really have to change it. That’s the theory anyway.
As I learnt more about identity theft and phishing and strong passwords and weak passwords, I tended to make sure I used passwords that were considered at least marginally complex, not to be found in dictionaries, both alpha as well as numeric, case-sensitive where possible, and not even vaguely connected to anything else in my life. If that wasn’t problem enough, I then had to make sure the passwords were such that I could construct a question that would help me work out what password I had chosen. This may be fine if you use things like “the name of your first pet” or “your primary school”. What kind of question would beget the answer “X4bh3A21”?
So I started doing something else. I brought in a materiality test. I used really complex passwords only where my identity could be used to do something with money. The rest of the time, I kept things simpler.
When OpenId turned up, my life got a lot easier.
I now had a system. Two types of password. One type to be used for general things, “strong” yet easily remembered, and OK for use in multiple contexts. A second type to be used for things you did with money, “stronger” and not that easily memorable, and explicitly not to be used in multiple contexts. OpenID in use where possible, Sxipper where possible. Both password types didn’t need resetting per se; I chose to make regular changes to the ones that had the possibility of financial impact.
If only it were that simple.
Work passwords don’t tend to work that way, for some reason. You get regular messages to change them. Particularly for things like laptops.
And for Blackberries. Oh yes, Blackberries. I’m one of those guys who doesn’t particularly like device proliferation, so I don’t keep a separate work mobile. As is the case with many of you, my Blackberry is my phone as well.
If only it were that simple.
I have a Blackberry with a non-standard keyboard; even though it is QWERTY, the letters are distributed over 14 keys rather than 26; 12 of the keys represent 2 letters each, and the two remaining keys have just one letter each. The double-letter keys toggle between the two letters on the key, while the single letter keys behave as normal. Beyond that, 10 of the keys also have numbers on them, accessible only by pressing some other function key first. So now, when I set a complex password for the Blackberry, I need to think of something else. I need to think about the number of keystrokes I need to use in order to enter the password. Oh for the days when an 8-character alphanumeric password required just 8 keystrokes.
And the moral of the story is that passwords are passe. Or soon will be.
Incidentally, I love trivia. And one of the pieces of trivia I delighted in finding out many decades ago was this:
If you were restricted to using only one row of letters on a standard QWERTY keyboard on a typewriter, the longest word you could come up with was ….. TYPEWRITER.
In similar vein, I tried to figure out the longest word I could make on the multi-tap Blackberry keyboard, if I restricted myself to the letters that came with “tap 1”. Now the letter set for the 14 keys is as follows:
QW ER TY UI OP AS DF GH JK L ZX CV BN M
The first tap therefore produces Q E T U O A D G J L C B M.
I guess I was mildly delighted to find that the longest word I could construct was …. CALCUTTA!
Little things please little minds :-)
Completely agree. Human factors seem to be forgotten in password algorisms, with an additional pet hate that catches me. I too have a ‘weak’ standard password that I use for web sites and the like. But, periodically, I get caught by restrictions on specific sites – must have n letters, no non alpha-numerics(!), and the like. This forces me to choose a variant, but then when I try and log in again possibly months later, there is no prompt for the restrictions, so I have no easy way of re-creating the variant I used. I then have to resort to a reset request, and on some sites they then ask me for a new password ‘that I haven’t used before’. That just compounds the issue by making the password not only have to conform to their rules, but not the normal weak password either. My interest in such sites does not last long.
BTW, faced with the same Blackberry password dilemma I went for a password which only used characters from the single press side. Less secure, but I know we have a corporate 10 tries and lock policy, so that should stop too many random guesses if I loose it.
Greg
longest = File.read(‘/usr/share/dict/words’).grep(/[qetuoadgjlcbm]+/).inject do |memo,word|
memo.length > word.length ? memo : word
end
puts longest
Which gives… tubolabellate. Is that even a word?
I remember when passwords at work had to comply to various daft rules, such as no repeated (‘aa’) or adjacent (‘ab’ or ‘ba’) letters. With each system enforcing the rules slightly differently, many people got frustrated and just picked something like ‘a1a1a1a1’, which pretty much defeated the object.
trust you, Kerry!
I guess you may find dictionaries with “tubolabellate” in them. But you can’t play it at Scrabble. Neither SOWPODS nor TWL has the word.
Passwords on the little BlackBerries aren’t a problem at all. You can get amazing apparent strength by ‘drawing’ a shape with two lines starting one with num and the other with shift (which themselves can be ends of the lines). A cross is far easier to remember than 7guMge.