Thursday 3 January 2013

The problem with passwords

Passwords are a modern-day menace. I'm sure they trip up the user far more often than they foil a would-be online Peeping Tom. Because passwords are easily hacked, website creators delight in forcing their visitors to type in all manner of complex character combinations. Visit 10 websites and you'll surely encounter eight different password creation and login rules.

Image courtesy of Arvind Balaraman/ FreeDigitalPhotos.net

This morning I wanted to make use of the free pattern downloads at the Rowan website, for example. Registered users can view and download a free pattern each month and the yarn site maintains an archive you can browse. Having requested a password reminder, I had seven attempts to create an acceptable password that was long enough, had numerals, upper-case characters and 'formatting' - and I'd still have a shot at remembering next time I visited the site. I think I know why I can't remember the password I chose last time I visited the site - they've made it far too complex and put me off a return visit for several more months.

For years, I refused to allow websites to keep me logged in. I've accidentally posted a blog comment and '+1ed' a story on Google. No harm done. I take greater issue with 'liking' on Facebook since it's so often used by marketeers in a scurrilous fashion and 'click-jacking' has become a common threat.

The auto-login of my email account or Twitter feed is a greater issue, so I try and keep both logged out. I could use a secure password tool such as 1Password, but I'm not comfortable logging in once and thereafter being logged in to every account I've associated it with.

After an apparent Twitter hack last year, I changed the passwords for both my social networks and my email address - with the result that I now have such a complex email password I'm in danger of locking myself out of it. And no, I don't want to register my mobile phone number so I can verify myself by text if needs be. I've already changed my phone number once after the mobile version of Facebook proffered my personal phone number to all and sundry, despite my web-based Facebook account expressly omitting such permission. The time I accidentally dialled the number of someone I knew only as a Foursquare acquaintance taught me a further lesson about accidental 'oversharing' - ironically, the label of one of the badges the location check-in site encourages you to earn.

It's tempting to use the same password at every site you can, but the danger here is that you'll use that same 'eight character, one of which is a number' combo at a site where security is important - and find yourself hacked or your bank login credentials stolen.

Proper verification here is a must, but why do other sites insist on treating their wares like Fort Knox? Logging in to get at free content you've signed up to say you'd like is a current bane. Yes, someone else could enter my email address and view those reviews or instructions on how to make something, but they'd first need to make an educated guess that I'd registered my information and email address at that site.

If they preferred, the site owners could email me the page contents I'd requested, knowing that it would definitely be me receiving it. (If I'd left my email account logged in and someone else was using my computer, this might not be the case, but that's one of the worries about auto-logins at sites and allowing Gmail and others to keep you logged in). And since I'd had a good experience at their site, finding information quickly and easily, I'd be far more likely to return and use their services again (and to recommend them to others, though probably not via the dreaded Facebook 'like').

If there were fewer sites that required passwords - or simply asked for your email address so they can cross-check for themselves that you've registered as a regular visitor - I might be more inclined to use a password manager for the rest. And I might just feel a little less fraught and more secure online. 
