Password to Hell
Courtesy of Heartbleed, I’m paying more attention to my passwords than I have in the past. Here in Klaskyville, we’ve contemplated shifting to a password management system (where we have one super-complicated password that generates a unique impossible-to-hack password for any sites we visit), but that doesn’t work for a bunch of reasons — shared accounts, varied hardware, limited access to browsers from some locations, etc. Therefore, I’m implementing new individual passwords on all my sites.
I’m following a system recommended by many experts: I’ve chosen a phrase that I’ll remember, and my password is the first letter of each word in the phrase, with some of those letters capitalized and some of those letters replaced by numbers. I’m also adding a unique number at the beginning of the password for each individual site, based on the name of the site (so that I don’t use the same password for everything, but I’ll still have a chance of remembering the “tweak”).
Many of the sites I’m visiting are simple and straightforward — I go to something clearly labeled “My Account” and I click on a link clearly labeled “Change Password” and I enter the old password once and the new password twice and the system gives me a clear Attagirl, and I know I’ve changed the password.
But lots of sites aren’t as clear. I’ve encountered sites that:
- Don’t clearly have a “My Account” link, so I have to browse for something similar,
- Don’t clearly have a “Change Password” link, so I have to browse for something similar,
- Don’t require double-typing of the new password, making me paranoid that I’ve mistyped my new password, and I’ll be locked out forever,
- Require a password of greater strength (presumably, one requiring non-alpha or non-numeric characters, as I already have lower-case, upper-case, and numbers in my password), but only explain that requirement after I’ve tried to set my new password,
- Require a password of greater strength but don’t explain those requirements, only stating “Password not strong enough”, and
- Have no place anywhere to change any password at any time (but still require a password for access) — I’m looking at you, Kobo Writing Life.
(For the last frustration, I had to resort to reporting my password as forgotten, then changing the password through the link they sent me.)
The end result, of course, is that I maintain a print list of passwords. I password-protect *it*, and I record my passwords in code, but I’m obviously compromising security.
I understand that the power of the Internet is that no one controls it. I get that the beauty of the system is there is no system. But there has to be a better way.
Off to change more passwords…