Password to Hell

Posted by on April 25, 2014 in computers | 4 comments

Courtesy of Heartbleed, I’m paying more attention to my passwords than I have in the past. Here in Klaskyville, we’ve contemplated shifting to a password management system (where we have one super-complicated password that generates a unique impossible-to-hack password for any sites we visit), but that doesn’t work for a bunch of reasons — shared accounts, varied hardware, limited access to browsers from some locations, etc. Therefore, I’m implementing new individual passwords on all my sites.


I’m following a system recommended by many experts: I’ve chosen a phrase that I’ll remember, and my password is the first letter of each word in the phrase, with some of those letters capitalized and some of those letters replaced by numbers. I’m also adding a unique number at the beginning of the password for each individual site, based on the name of the site (so that I don’t use the same password for everything, but I’ll still have a chance of remembering the “tweak”).

Many of the sites I’m visiting are simple and straightforward — I go to something clearly labeled “My Account” and I click on a link clearly labeled “Change Password” and I enter the old password once and the new password twice and the system gives me a clear Attagirl, and I know I’ve changed the password.

But lots of sites aren’t as clear.  I’ve encountered sites that:

  • Don’t clearly have a “My Account” link, so I have to browse for something similar,
  • Don’t clearly have a “Change Password” link, so I have to browse for something similar,
  • Don’t require double-typing of the new password, making me paranoid that I’ve mistyped my new password, and I’ll be locked out forever,
  • Require a password of greater strength (presumably, one requiring non-alpha or non-numeric characters, as I already have lower-case, upper-case, and numbers in my password), but only explain that requirement after I’ve tried to set my new password,
  • Require a password of greater strength but don’t explain those requirements, only stating “Password not strong enough”, and
  • Have no place anywhere to change any password at any time (but still require a password for access) — I’m looking at you, Kobo Writing Life.

(For the last frustration, I had to resort to reporting my password as forgotten, then changing the password through the link they sent me.)

The end result, of course, is that I maintain a print list of passwords.  I password-protect *it*, and I record my passwords in code, but I’m obviously compromising security.

I understand that the power of the Internet is that no one controls it.  I get that the beauty of the system is there is no system.  But there has to be a better way.

Off to change more passwords…

4 Comments

  1. Good luck. And you’ve got the sympathy of millions. *sigh* I keep a password-protected spreadsheet that has a column for a link to websites…you could do a column to the actual account page. That might be a little easier. It’s crazy these days–with passwords needed for everything from multiple email accounts (under multiple pseudonyms for some…) to those retail scan cards to school accounts for each child to bank/investment/credit card accounts to utilities, I’ve got over 150 REGULARLY USED passwords I have to deal with.

    • Funny, I hadn’t thought of using a spreadsheet – I just have a Word document, where I’ve entered the Username, Password and (where necessary) email address of the site. And yes, it’s absurd, some of the things that require passwords. Sigh…

  2. You have my sympathy, too, and you’re spot on. That is why I won’t leave comments on blog sites that require me to sign on. I’m not going that route.

    I also won’t sign up for most online retail outlets. If I don’t create a username/password pair, I won’t have to rush and change it later.

    Amazon has had my personal info since the 1990s. As much as I dislike that company, if I feel compelled to buy something online, I’ll most likely go through them.

    (I also have an account at Barnes and Noble, and they were vulnerable to that “Heartbleed” problem. So that password had to change. Sigh.)

    I, too, had trouble with a couple of sites figuring out how to change my password. Thankfully, I only had to do a handful.

    Online bill payment? Forget it. Maybe they can raid my physical mailbox, but how do I know they can’t also raid my online account? At least someone has to be physically present to break into my physical mailbox. They can’t do it from Kazakhstan.

    The Internet is obviously a very useful tool, and I don’t know how I’d survive without Google. But do I feel more secure in my life with it? No. Just the opposite, in fact. I’ve never felt more vulnerable in my life.

    My personal motto: I’m not paranoid if they’re actually out to get me.

    Bob Shepard of Denver

    • Bob – you take a more cautious line than I do. For example, online bill payment allows me to travel and still pay my bills. I *do* think that we all need to step back and consider how much of our information is where and what we can do to best protect ourselves!
