The day of the password is done

With so many Web sites demanding passwords, no one, but no one, can really be expected to remember all the ones they need

When the popular Web site Gawker was hacked into recently, more than a million user IDs and passwords were released. If you were one of the people compromised that's annoying -- very annoying. Not that it's a big deal that someone could log into a gossip site under your name. But many of those people used those same IDs and passwords on other sites that are a wee bit more important, such as LinkedIn. Now, that's a problem.

What should you do about it? Well, I could tell you that you need to use different passwords for different sites; that you need to pick passwords other than that all-time favorite, 123456; and that you should change your passwords every month for every site. I'm not going to, though. It's all good advice, mind you, but it's also all pretty darn useless.

People never have, and never will, use good security practices. After more than 30 years of working with networks and security, I'm ready to give up on trying to get the general public to do the right things to keep themselves safe. In a company, it's a different matter. It's a pain, but if you keep at it and enforce the rules, eventually you'll get most of the people to do the right things most of the time. But people at home? It's not going to happen.

Besides, there's another issue here. At work, people need to recall, at most, two or three IDs and passwords. If you do single sign-on right, all they'll need is one. On the public Internet, though, people have to remember their IDs and passwords for their bank, Facebook, Twitter, school, Gmail, phone, electric, 401(k), LinkedIn, Computerworld and countless other accounts.

Who can manage to remember dozens of IDs and passwords for dozens of sites? I'll tell you who: no one.

I can't do it, and I'm blessed with a good memory for random alphanumeric strings -- you really don't want me to get a good look at your credit card number. If I can't do it, no one who isn't blessed with a photographic memory can do it.

What I do is keep a long list of user IDs and passwords in my head. Some of them I use only on trivial sites such as Gawker (though I don't have an account there). Others, I keep only for important sites, such as LinkedIn. And a few I save only for vital sites like my bank. Those last are tied in my memory with a specific site. So, for example, I have one ID and password for my health insurance site that I don't use for any other sites.

You can do a similar trick -- and this is security heresy -- by making a list of your account numbers, IDs and passwords. I don't mean a physical list, though. Make the list on your computer, encrypt it with a program like TrueCrypt , which can handle Linux , Mac OS X and Windows; AxCrypt , which is Windows only; or FolderLock , another Windows-only program.

You also really should use "real" passwords. No "123456" or "abcdef;" no "password" or "your_user_name" or "my hometown" or "favorite sports team." Those kinds of passwords are so easy to break, they barely count as passwords.

If that option doesn't appeal to you, I've got another one: LastPass . This program runs on all the desktop operating systems that matter and the major smartphone operating systems -- Android , iOS, Symbian and Windows Phone -- as well. It will automatically capture your log-in credentials and then enter them into the site for you the next time you visit. So, go ahead and use JK1127MarvelFan4TossSaladed! as a password. You won't have to remember it, LastPass, the password manager, will do it for you.

While I'd rather it didn't store all these passwords in an encrypted form on the Web, LastPass's advantages more than outweigh its disadvantages to my mind. It certainly beats having your one real password to every system on earth available to anyone who hacks into any site that you visit.

The real solution, though, is to find something else to replace user IDs and passwords. I don't know what that will be. I do know that as we spend more and more of our computing time online at dozens of different sites, we have to come up with a better answer that will really work for people. User IDs and passwords simply don't cut it anymore.

Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting-edge and 300bit/sec. was a fast Internet connection -- and we liked it! He can be reached at sjvn@vna1.com .

Read more about security in Computerworld's Security Topic Center.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securityLinkedIn

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Steven J. Vaughan-Nichols

Computerworld (US)

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?