Seriously, is there anything worse about using websites, apps, services, products, or technology in general than having to enter usernames and passwords? Half the sites want a username, half use my email address, and most of the time they don’t even tell me which one to enter. Not only do I have many different passwords, I even have different approaches to making passwords on different sites. And not a week goes by that I don’t need to complete some kind of “Reset my password” process.
Some sites want some uppercase letters. Some don’t. Some need a number – but make sure the number isn’t the first character of your password. Some have minimum amounts of characters, some will let me through with “1-2-3-4-5” (yeah, I know, your luggage…). The all-time granddaddy for most inconvenience? My online bank. Why? Because when I forget my password, I am required not only to make a new one, but one I haven’t used before. I’m sure this is more secure, but it pretty much creates a 100% certainty that when I come back I have some brand new approach to making the password this time, and therefore, will forget it again the next time I return.
Unless I cheat, and write down the password somewhere, or save it in a Google Doc. Which pretty much invalidates the entire purpose of all of this added security.
Oh, and I’m sure it doesn’t help that 90% of the “remember me” or “save my password” features fail. Which is doubly bad when it’s a site that has some obscure requirement on usernames, so I can’t remember those either.
It’s awful, and I’m sure that it creates a major amount of headaches and frustration for the typical Internet user.
Supposedly Google is trying to fix it with “automatic strong passwords” but it just gets me thinking: maybe not every single site needs a super strong password system? Do I really need a distinct username for my online bookmarking service? Or for Words with Friends? Isn’t that the entire stated purpose of Facebook Connect? Is there no way for me to “trust” that this really is a computer only I have access to, and for me to relay that concept onto the websites I want to use?
And I think that’s part of the inherent problem here: every single individual site, service, app, etc. is taking on the entire trust responsibility themselves. There’s absolutely no common sense in play, just a CYA-style approach to “best practices”.
So I’ll personally waive some of my online security to the sites I use. Yes, online banking and credit card companies, this is the only computer I plan to access your sites with, and if I visit, then yes, it’s me visiting. This goes to you too, video sharing site, online game, and document backup site. If someone steals my computer, I’ll deal with the consequences and will use the service you build me to un-authenticate this one. And yes, Zynga, all the apps on my phone are mine, and only I will be playing them. And if someone should snatch my phone, I too will take responsibility to close access remotely. Because in all of these examples, I can do exactly that.
I’m not trying to diminish the needs for security and privacy (I’m a huge privacy advocate), but I believe we need to distribute and balance the responsibility in solving this as a relationship between users and services. I don’t need an extra set of keys to every room in my house, nor provide a thumbprint to use the stereo or air conditioner in my car. Let’s assume that we do need some strong passwords, good encryption, and safety standards, and let’s also assume human beings can take responsibility for their actions once they are properly informed and the right experiences are delivered.
Great points, but I have two to add.
Why is it that Google provides easy two-factor authentication for my email, but most banks don’t?
Why don’t most financial institutions support strong passwords? (letters and numbers only).
PS. I find the OSX Keychain a great place to store passwords and other sensitive data, just do a few searches and you’ll see how secure it really is.
I live in fear of emptying my cache because that seems to make so many previously saved password combos disappear.
Japan will present a technology of user identification through the webcam photo – no probs with passwords and username though.