Signal vs. Noise

Password Fatigue

01 Sep 2003 by Brad Hurley

I don’t know about you, but I’ve got a lot of passwords. I have one that I use for all my low-security needs, such as my online New York Times account, but I’d rather not use it for more sensitive things like online banking. And even if I wanted to use one password for everything in my life, I can’t, because sites impose varying requirements for the number of characters, numbers, and letters you can have in a password. So you get password proliferation. Online banks, ATM cards, calling cards, PayPal, wireless base stations, computer user accounts, intranets, keychains, ISPs, Amazon.com, Expedia, software web sites: all of them require passwords and usernames.

I store all my username-password combinations on my Mac OSX keychain, and the Safari browser is keychain-aware. But even that’s not a perfect solution. On my Windows machine, Internet Explorer can remember my passwords but I have to remember my username, and I’ve been forced to come up with several usernames over the years when the one I wanted was already taken.

Is there a light at the end of this tunnel? Will we eventually have secure digital IDs that we can figuratively wave at a web site to gain access? I find myself increasingly reluctant to sign up on any site that requires me to establish a new username and password. And I don’t think I’m alone.

32 comments so far

01 Sep 2003 | the poster formerly known as fajalar said...

I have 3 passwords that I use based on the type of online transaction I am doing. Each is "more secure" than the next, but they are all based on the same premise: a pattern on the keyboard. So I only have to remember what type of transaction, and its corresponding starting position in the password.

Of course, I also have my voicemail passwords (home and work) that don't fit this schema as well. The ATM, as you said...

PayPal really pissed me off recently when they made me change my password. I wrote them about it and basically got a canned response.

I would like to get to the point where I can just say, "Hey, it's me!"

Slightly OT: I'd also like mobile History. When I browse at work, I have to remember which threads I have read when I get home and vice versa.

01 Sep 2003 | the poster formerly known as fajalar said...

Dernit! I forgot.

Welcome hurley #1! Glad you're "it."

01 Sep 2003 | Mike said...

Oh yeah, now I see the connection between the poster formerly known as hurley #1 and this month's celebrity, congrats! :)

As an interesting side note... at my old work, most of the passwords for the network consisted of shortened funny phrases that the net-admins used to say to each other, here's a (fake) example:

"DOS it up, DOSsy!" "dos1T^D0S5Y"

The stupid part is that even though I knew the funny phrases, the humor was still lost on me. Oh well.

I guess net-admins do have all the fun.

01 Sep 2003 | Mike said...

Hmm, some characters are missing...

..."DOS it up, DOSsy!" leads to "dos1T^D0S5Y" as a password...

01 Sep 2003 | Mal Ross said...

This is going to be unpopular, but weren't Microsoft pushing their passport technology as a solution to this kind of thing?

01 Sep 2003 | Brad Hurley said...

I always wondered why Passport didn't fly, or maybe they're going to keep trying?

And yes, I'm "the poster formerly known as hurley#1." Thanks for the welcome! When I first started posting on SVN, I noticed there was someone named Brad who had helped with the site redesign, so I didn't want to use the name "brad." I used "hurley" instead. But then someone else started posting under the name "hurley" so I became "hurley#1" and that person became "hurley#2."

01 Sep 2003 | One of several Steves said...

Not only is there password proliferation, there is nickname proliferation, at least around here. When I first started posting, as far as I can recall I was the only Steve. Now there are a few. Suppose I should start using a surname initial or something.

Anyway, I'm tired of all the passwords too, especially with the various varying requirements. I have about 5 that get used regularly, although one or two basically end up being used only for my work computer, where I have to change about every three months and can't use my previous couple.

Plus there's my PIN for my bank card, work voice mail password, mobile phone password, answering machine code, unchangeable passwords for some work-related financial stuff, passwords for a discussion board I moderate, blah blah blah.

I'm looking forward to the day where everything's tied into a fingerprint scan or retinal scan or something like that. Although I'm sure that system will invite its own unique set of flaws and annoyances.

01 Sep 2003 | Osiris said...

Another question should be: do these sites really need usernames and passwords? I mean, it's a bit over the top to need it to view the NYT.

But I've found the easiest way is to have a 3 password system. You do get annoyances, but as long as you can retrieve them to your email address, then you should be fine.

I didn't and still don't like the idea of my details being centrally stored on a remote server owned by Microsoft. Having a single password for accessing all the minor passwords which is stored in your browser is a start. But there needs to be a function to export the usernames and passwords for backup purposes and also (more importantly) use in other browsers.

01 Sep 2003 | JF said...

"I mean, it's a bit over the top to need it to view the NYT."

Why is that? Don't you think free access to one of the world's best newspapers is worth a username and password? Or, pay about $250/year to subscribe to the paper version and you won't have to worry about logging in.

01 Sep 2003 | Brad Hurley said...

The Mac OSX keychain is handy for storing all my passwords, even those that aren't Web-related, like my ATM card password, my bicycle lock combination, and serial numbers for software and equipment that I've bought. I back up my keychain offsite once a week.

If you have Quicken, you can use its "PIN Vault" feature as a similar secure storage system for user names and passwords.

01 Sep 2003 | Jon Gales said...

Keychain does a great job for me (I use Camino not Safari). I typically have 1 username and several passwords (I am pretty good about not using words and adding in at least one symbol).

From a web developer POV there isn't much getting around it (for things such as Amazon and web mail). And if I can get something for free (like the NYTimes), I don't mind.

01 Sep 2003 | One of several Steves said...

At the risk of hijacking the thread and running it off onto a big tangent: even worse than dealing with all the passwords is the way many sites deal with passwords. For example, for the sorts of sites where logon is going to be common (like a bank), having the logon on a different page rather than the front page. Or, worse, doing something like Amazon does whenever I try to log in: showing me a page that says nothing more than "you've successfully logged in" and then gives a continue button to go on to the task I wanted to do. I think I'm smart enough to figure out that I've been successful at logging in if you'd just give me the page I was trying to get to in the first place, instead of the worthless "congratulations, you're smart enough to remember your username and password."

01 Sep 2003 | Paperhead said...

The solution's obvious to anyone who's seen Memento ;)

01 Sep 2003 | Anonymous said...

Although managing multiple logins/passwords can be a hassle, it does give a certain amount of control of how much personal info is given out on a site to site basis. On sites with questionable privacy policies I like to limit the amount of info given.

It would be nice if there was a method of identifying individual users while maintaining some level of anonymity.

02 Sep 2003 | slvrfrg said...

The all-time worst password setup that I've come across so far is that of one of the banks I use. Username is your social security number - no big deal, easy to remember. The password, however, is a different story. It must be at least 8 characters long, contain at least one number, one letter and one symbol, as well as an uppercase letter. On top of that, you must change it every 90 days. If you forget your password (obviously very likely), you have two options: call the bank and have them reset it for you which takes a minimum of 1 business day - very inconvenient, or fill out a form answering three questions that you supposedly answered on your application:

1. What is your favorite movie?
2. What is your favorite drink?
3. Who is your favorite actor?

Did I mention that the answers to those are case sensitive AND you don't just choose one to answer, you have to answer all 3 correctly?? Maybe I don't take security seriously enough, but that just seems absurd to me. Like I'm gonna remember what my favorite drink was a year (or even longer) ago, let alone make sure I type it in exactly the way I did originally. Anyway, enough of my rant, I just thought I'd share a rather poor password scenario.

02 Sep 2003 | qwerty said...

If a login can't be avoided, at least I should not be forced to supply my email and invent a nickname. My email and a password should be good enough (S/N should think about this, too). The chance that I forget my email address is pretty slim, but I already have trouble remembering all my nicknames.

02 Sep 2003 | Jay said...

qwerty brings up a good point: why isn't your "user id" always your email address in these situations? It is necessarily unique, so you don't have to worry that you'll get an error message saying "The ID you have chosen is already in use..."

02 Sep 2003 | Michael Spina said...

The ironic thing is, the more stringent password requirements are (slvrfrg's example), the more people are willing to do insecure things like writing passwords on post-its placed on monitors.

02 Sep 2003 | michael said...

I use GnuPG to encrypt and decrypt my password file using some DOS scripts and aliases in 4NT to shorten the syntax. Works OK for me but can be a bit cumbersome. I recently converted my plain text file to XML and use XSLT to style it into something readable.

02 Sep 2003 | Darrel said...

I've always been a fan of the dongle. Those hardware-based software keys.

I envision a day when I purchase software and it is licensed to *me*...not my machine. Then I can install it everywhere I want to, and simply put my license on my dongle.

My dongle could then be an encrypted password storage device as well. A *real* keychain, so to speak.

I could memorize one password to unlock access to any of the other pwds stored on the device.

Cons... well, if you lose it, you lose everything. The main password would be some protection. Perhaps there would be a way for a user to remotely de-activate it via the web (maybe the dongle phones home whenever inserted).

With technology like Rendezvous and Bluetooth (same thing?) the dongle could almost be anything on your body. Simply come within a radius of the device you need to unlock, and it is.

And isn't 'dongle' a really great word?

02 Sep 2003 | JF said...

"With technology like Rendezvous and Bluetooth (same thing?) the dongle could almost be anything on your body. Simply come within a radius of the device you need to unlock, and it is."

That's how the door locks on the new Audi A8 (and I believe BMW 7-series cars) work -- as long as you have the key on your body, it will unlock the door when you touch the handle. Very cool.

02 Sep 2003 | Brad Hurley said...

"That's how the door locks on the new Audi A8 (and I believe BMW 7-series cars) work"

And the newly redesigned 2004 Toyota Prius as well. What's especially cool with the Prius is that you don't even have to put a key in the ignition, since there isn't one. You just walk up to the car with the "dongle" in your pocket, open the unlocked door, sit in the driver's seat, and press the "Start" button.

The one thing I don't like about this technology is that it seems too easy for a thief to wait until you're close to your car, run up to you and knock you over, then jump in the car and drive away.

02 Sep 2003 | David S said...

Although having one password for everything seems convenient, I don't really like the idea. First off, if someone gets hold of it, you are screwed everywhere. Second, the "kind" company that manages it all for you has a wonderful repository of data and is able to track your online habits. I'd rather be tracked on a site-by-site basis, not the whole internet.

I guess I'm lucky enough to have a last name that is unique to my family so I can usually go off that for a username that I won't forget, although I like the email-as-username method better.

02 Sep 2003 | Molly Zero said...

I use a program called RoboForm (http://www.roboform.com/) which remembers my passwords and does all sorts of other nifty tricks.

02 Sep 2003 | One of several Steves said...

That bank's security scheme is a nightmare. I would actually change banks just because of that.

That scenario reminds me of a former client, who required password changes pretty frequently (may have been as much as 30 days), and you could never, ever reuse a password. Well, that just invited everyone to start going with password1, password2, password3, etc., just increasing the number by one each time they changed. That sort of defeats the whole idea behind changing passwords. Sometimes security is too effective for its own good.

02 Sep 2003 | monkeyinabox said...

I need a solution, because I'm running out of post-it note space on my monitor for passwords!!!!! :)

02 Sep 2003 | Graham Hicks said...

"The chance that I forget my email address is pretty slim"

That's not always true. My webhost allows me to create email aliases that are all sent to a single mailbox, which means I make up a new address each time I'm asked for one (this is mainly to prevent spam since each alias can be shut off if I start to get a lot of spam through it). This means that my email for amazon is books@ and my email for NYT is the.times.they.are.a.changin@ and my email for Friendster is amigo@. I almost always use the same password for these types of sites. I'm probably in the minority here though.


"That's how the door locks on the new Audi A8 (and I believe BMW 7-series cars) work"

The 7s don't actually work this way (at least from my experience). The fob works like a normal remote control fob, except that when you get into the car, instead of putting a key into the ignition, you plug in the fob.


"…knock you over, then jump in the car and drive away."

I'd imagine that the car would stop driving if it gets too far away from the key.

02 Sep 2003 | Mike said...

... I'm one of those people where if I see those number-pad locking dealies on the handle of a car, I just have to push a button or two :)

02 Sep 2003 | Taylor said...

I find that an 8 character mix of letters (upper- and lower-case) and numbers works with almost every site. I don't use any real words, making every password a jumble of either made-up words or words spelled incorrectly.

I once saw a report from Los Alamos Nuclear Labs to back this up, but I can't find it now.

02 Sep 2003 | dan said...

I keep them all encrypted on my Palm Pilot so I just need to remember one password to get at the rest. It's like the OSX keychain, but it's not limited to my computer. However, it would be nice if I could just beam the passwords securely instead of having to type them every time.

03 Sep 2003 | Darrel said...

dan:

I use the same thing. That goes back to the dongle idea. It'd be great to store everything on the Palm, and then via Bluetooth, the main computer (whichever one I'm sitting near at the time) could retrieve the pwds and software serial numbers on-the-fly as needed.

Walk away, the computer is locked.

14 Nov 2003 | health insurance said...

Yes, seriously... I have too many variations of passwords to keep straight.
