Monday, November 23, 2009

Open Letter to People Who Need to Chill

or, my passwords do not need to be strong enough to pull a tractor with their teeth.

Keep in mind here that I spent 13 years working in technology, ensuring that the software being developed met everyone's needs: the end users, the stakeholders within the company, the legal department, you get the idea. So know that I'm not a newbie who keeps all their passwords on a post-it attached to their monitor. No, I'm a badass techie who keeps their passwords in their PDA.

Because, seriously? Almost every single web site I use has a different crazy set of rules for creating passwords. This one includes at least one letter and at least one number. That one requires one letter, one number and one capital. And so on.

So if my usual password was "skippy", which it isn't, because even I'm not that lax about security, one site would require "skippy1" and another "Skippy1" and a third would tell me that "skippy" is too commonly used so I should pick something else and I feel I've shown great restraint by never using "FkingProgrammers". Because, of course, the only people who can remember all these different passwords without writing them down have the kind of mind that makes you able to code software.

Which is why I've had to point out many times at work that requiring Strong passwords that must be changed quarterly makes people's accounts so insecure (thanks to post-its with passwords, or web browsers set to remember them) that we might as well not require a password at all.

Other solutions have been invented, but it's cheaper just to force you to add an umlaut in the middle of your password, so that's what we're stuck with. My favorite was realuser.com that used photos of people instead of passwords. They call it passfaces. They teach you in 10 minutes which 5 photos make up your password and they display a page with 9 pictures, only one of which is yours. They do this 5 times and then you're in. I haven't been to their site in years and I was just able to log in with my 5 faces. And yet there's no way I could tell you what my passfaces are (it's that freshfaced woman, then that weird looking guy and so on).

But no, I have to call my health insurance company every 3 months to change my password, because logging in correctly with an expired password isn't good enough for them. Heaven forfend that anyone log in as me and search for a doctor in my network! They don't even store claim info. There is nothing secure in there! And yet they have higher security than my bank.

I also had to come up with a strong password for IdeaAid, so I could suggest my Kris Kringle for Heifer International idea. Are we worried that someone will log in as me and suggest a bad idea?

OK, what's the site that makes you come up with the most ridiculously secure password in the history of this here series of tubes?

**Don't forget the contest that runs until December 9. Leave a comment, possibly mentioning the amusingness of the Google Ad served up with a post, and you get entered in a giveaway of a box of stuff that will include cookies. The more you comment, the more chances you have to win. I should probably mention that the cookies will probably be imported from Japan, so that's cool. There will also be novelty salt & pepper shakers. Depending on who wins, I'll throw in some craft supplies or chocolate or whatever. In honor of WKRP in Cincinnati, there will be a tube of lip balm.

2 comments:

  1. Today's ad is for Paypal. As if Ebay was not evil enough. You need yet another password that can access your credit card.

  2. I see a lot of ads for password-recovery services today.

    I suggest you try one of those one-size-fits-all-passwords-ALMOST deals. Come up with something that includes caps, lowercase letters, and numerals, then customize it for each site. Then you basically have only ONE password to remember--and it's one that's pretty strong.

    For example, you can probably remember the name of your blog easily, so you could use that as part of your "root." So: "FLttP" (which has caps and lowercase) appears in your password. Add in your zip code or your hat size or some other easy-to-remember number. Then add something like the first three letters of the website that needs a password--so "blo" for Blogger, etc. Mix it up in a way you can remember (e.g., website letters then numerals in backward order then root letters) and VOILA! You've got a password that's easy to remember wherever you go!
