What’s the Password?

June 26, 2015
Eric Postal, MD

Passwords are increasingly difficult to keep track of.

I took my first, and last, class in computer programming in high school. At the time, most people had never even heard of the Internet, and didn’t make routine use of passwords for much more than accessing their banks’ ATMs. If you can even call a 4-digit PIN a password, that is. Of those needing passwords, the vast majority could get by with just one, even if they used it for more than one account.

I therefore found it entertainingly nerdy of my programming teacher to walk around with a pocket-sized notebook, which he routinely consulted whenever he needed to enter his username or password for anything. How could that possibly be necessary, I would jeer in my internal monologue. Does he write down the combination for his bike lock, too? What’s he ever going to do if he loses that little notebook? How much mayhem could someone inflict on him if they got ahold of it?

The next couple of decades, of course, showed that the joke was on me, and I now have a little notebook of my own.

I resisted it as long as I could, making use of my favorite password for everything under the sun. Yes, it was less than secure of me, but my PW wasn’t particularly easy to guess (or randomly generate with PW-cracking software), and I was hardly working with ultra-classified state secrets or protecting million-dollar ideas.

And then, one day or another, my hand was forced. My favorite password didn’t meet the requirements of whatever new login info I was trying to create. I had too few characters, didn’t have an uppercase, didn’t incorporate a weirdo symbol like “%,” whatever. I eventually tweaked my favorite password to barely comply, and committed to memory that, if my regular PW ever failed, I should try the tweaked version. After all, it had to be one or the other.

But other instances came up with their own quirks to the rules, and I started having to keep more than two versions of my password in mind. Then, some developed rules sufficiently complex that my favorite password was completely unusable, even with modification. Some came up with the brilliant notion of requiring a change of password every so often, even making it verboten to use a PW I had used within the past few cycles of mandatory change.

Lest I be willing to try one PW after another until I stumbled upon the right one, it had long since become the case that just a couple of failures in this regard would get my account locked out…and, as part of the unlocking process, of course it would be time to create an entirely new password.

So I have my stupid little notebook with all my login info. Yes, I could get with the times and put an encoded master list in my smartphone, but that would just give me another file to update and generally keep track of. Besides, I’m still leery of putting anything too important on such a device from back when Palm Pilot (remember those?) intermittently punished me for being too reliant on anything technological.

Every time I reach for the notebook, aside from remembering my old programming teacher and wondering if this is some sort of karmic payback for my insufficiently respecting his ways, I wonder: What are we really accomplishing with all of this? Are we really any more secure? Sure doesn’t seem like it, since every other week there are headlines about the latest breaches of security in this bank, that internet service provider, the other governmental agency. Huge, regulated (and regulating!) entities that have vast budgets and entire departments devoted to security. And that’s when they don’t contract out the security stuff to an outside company whose sole purpose is the security biz. If even they can’t keep things under control, what chance do the rest of us have?

I am increasingly of the mind that nobody in the know truly believes that there is reliable security, and our umpteen-ring security circus is purely for the purpose of 1) generating ever-increasing profits for the industry that has been built up around it, and 2) maintaining a comforting illusion that we have a halfway decent prayer of keeping a determined thief out of our private stuff. Even if it is at the cost of our having almost as much difficulty accessing our own accounts as some random miscreant would.

I’d proceed with a few notions I’ve had about how we might ditch the password routine altogether (I briefly enjoyed a fingerprint-taking peripheral device for my workstation, once upon a time), but I have to go…I’m due to start reading cases in half an hour, and I have to make sure I have enough time to look up and enter the dozen passwords my workstation demands during its boot-up process.
