Tuesday, December 18, 2007

Passwords

There has to be a better way.

I have what seems like thirty thousand logins, each requiring its own username and password combination. (That's not even counting PIN numbers.) Since the identity theft awareness campaigns have gained steam, some of these systems have changed their password rules to prevent anything easy to remember.

As the number of username/password combinations has metastasized, I've found exactly three ways of dealing with the information cascade, none satisfactory.

The first is to use the same combination (or one of the same two combinations) for everything. It's relatively easy to remember, which is no small thing, but it isn't terribly secure. Someone who could hack into one account could hack into many, many others without any effort. The problem with trying to do the electronic equivalent of the James Spader character in Sex, Lies, and Videotape ("I only want one key") is that once that one key is lost, all is lost.

(I've seen programs that remember your passwords for you. This strikes me as an accident waiting to happen. It's literally the one key that rules them all.)

The second is to write them all down, and keep the list handy by the computer. Leaving aside my, um, distinctive handwriting, it raises a fairly obvious security issue. It also raises an issue with updating. Passwords expire at different times, but too many cross-outs make the list useless, and too-intensive updating means I just won't do it.

The third is simply to accept that, at any given moment, a disconcerting amount of my personal information is inaccessible to me. Besides, system admins love nothing better than frantic calls from users who can't remember their passwords. They live for that stuff.

I've done passwords in series -- all the characters from a particular show, important historical dates, hurtful childhood nicknames, that sort of thing. I've taken lines from Great Works of Western Thought and used them as series. (My fave: at Proprietary U, the ERP system made us change passwords every 30 days, and would remember a year-long cycle, so you couldn't re-use any of your previous eleven passwords. Towards the end, I started a series: "Workers" "World" "Unite" "Nothing" "Lose" "Chains." It was good for a chuckle.) But it's embarrassing when your system hiccups, and you get the tech guru in there with wing of bat and eye of newt, and he asks you your password, and it's something like "Winona8675309" or "Scalia666." It's important to maintain some basic level of surface banality.

I've heard talk of 'biometrics,' where you have to get a retinal scan or a fingerprint reading instead of entering a password. It may very well be more accurate and secure, but the 'creepy' factor is pretty high. It's also incredibly vulnerable, in the sense that once somebody figures out how to pirate a retinal scan, you're done. If someone steals my password, I can change it. If someone steals my retinal scan or fingerprint, I'm pretty much out of luck.

Is there a better way? Am I missing the obvious? The number of logins I have to remember at any given time just keeps growing, and there are other things on my mind.