Dear Security Experts (especially those who design/decide how passwords should work),
This is the first time I am writing an open letter (though I wrote something like an open letter before, to Arvind Kejriwal). While writing this, I am really not sure whether my letter will reach any of you. But I am in great pain. I have been planning to write this letter for ages. I have been struggling with this “torture” for a really, really long time. And I am sure there are millions, if not billions, who must be thinking the same way as I do. I will write about my pain as well as highlight solutions.
First of all, I must admit that you care for me (and for all online users). Secondly, I also accept that we need to walk an extra mile when we have to be more safe and secure. But what you guys are making us do is a marathon. I also understand that you can be casual in your approach. It is we who will face the losses in case a password compromise happens. I am also aware of the fact that even after the stringent rules, we come across news of hacking every few days.
So here is my story. You and the readers can easily link it to yourselves. I have 5 bank accounts (2 active, 3 almost inactive yet not closed). I also have 3 credit cards (2 personal and 1 company-provided). I own 2 demat (share trading) accounts. There are at least 5 email accounts that I have (maybe more, but we all use various emails for various purposes, including official accounts. Right?). I have made accounts on a minimum of 7 e-commerce websites (if there is a good offer or coupon on a particular website, we make an account). There are also utility bill payment accounts where I have to make an account. We all have been, or are, members of some 5-10 social networking sites. Add to that Government websites, tax websites, mobile phone/network websites, news portals, comment/discussion accounts, coupon websites, job portals, business portals, entertainment websites, religious/spiritual websites, travel websites and infinite other websites where I have an account and hence a password.
I cannot use the same password for all these accounts. I cannot use similar passwords either (reasons below). I am tired of remembering all these accounts. It cannot be done either. The reasons are pointed out below (see some of the rules various websites have for passwords):
- Some sites require a minimum of 8 characters while others impose a maximum of 8 characters (and the limits differ from site to site)
- Change password every 30 days, 60 days, 90 days or 180 days
- Have to use 2 numbers, 2 special characters and 2 capitals on some sites, while on others you cannot use numbers and/or special characters
- One site says not to reuse the previous 3 passwords while another says not to reuse the previous 5.
- Some sites do not allow recurring numbers, some do.
- Some sites expect passwords to be very complex while others give you only 6-8 characters for them.
- We have to use PINs (numeric passwords) for some sites while alphabetic passwords are more common on most others.
- Even when we use a PIN, there are 3, 4, 6 or 8 digits allowed.
I fail to even make a similar series of passwords (and so do almost all the people I know). This has become awful now. The situation is so bad that there are password apps/tools which remember the passwords for us. And with new sites/apps coming every minute, the need for a resolution is very important. There is an utmost need to make things simple.
I don’t like to just complain, and hence I will be constructive. I have a few suggestions to handle the situation. Let us look at some solutions for how to tackle multiple passwords.
Standard Password format:
We have standardized almost everything, from diet to speed limits on various roads, but we have failed to standardize passwords. Why can we not have a universal rule for passwords? For e.g. minimum 8 characters, with at least 1 capital and 1 special character (optional maybe). This password would expire once every 6 months (I would prefer a year or more). A password could be repeated after a gap of 1 more password. Hence if my password is NewPassword1, I can change it to NewPassword2 after a year and back to NewPassword1 a year after that (so that I do not make a chain of passwords like NewPassword1, NewPassword2, NewPassword3, NewPassword4, NewPassword5 AND SO ON). I believe this is one of the BEST WAYS TO HANDLE MULTIPLE PASSWORDS.
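To make the two technical points of this letter concrete, here is a small policy checker. It is an added example, not code from the original letter or from any of the sites mentioned. It models a handful of the conflicting site rules from the list above (the site names, limits and the reading of "no recurring numbers" as "no adjacent repeated characters" are all constructed for illustration) and then the proposed universal rule: minimum 8 characters, at least 1 capital, special character optional, expiry every 6 months (taken here as 182 days), and reuse allowed after one intervening password.

```python
# Added example, not code from the original letter.  It models the letter's
# two technical points as a small policy checker: (1) the divergent per-site
# rules listed above, and (2) the proposed universal rule (min 8 characters,
# at least 1 upper-case letter, special character optional, expiry every
# 6 months, reuse permitted after one intervening password).  Every policy
# name and limit below is constructed for illustration.
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SPECIALS = set(string.punctuation)


@dataclass
class Policy:
    name: str
    min_len: int = 1
    max_len: Optional[int] = None
    min_digits: int = 0
    min_specials: int = 0
    min_upper: int = 0
    digits_allowed: bool = True
    specials_allowed: bool = True
    letters_allowed: bool = True       # False models a numeric-only PIN
    repeats_allowed: bool = True       # "no recurring numbers", assumed to mean no adjacent repeats
    history: int = 0                   # how many previous passwords are refused on change
    expiry_days: Optional[int] = None  # None means the password never expires

    def violations(self, pw: str) -> List[str]:
        """Return every rule the candidate breaks (an empty list means accepted)."""
        digits = sum(c.isdigit() for c in pw)
        specials = sum(c in SPECIALS for c in pw)
        upper = sum(c.isupper() for c in pw)
        letters = sum(c.isalpha() for c in pw)
        out: List[str] = []
        if len(pw) < self.min_len:
            out.append(f"shorter than {self.min_len}")
        if self.max_len is not None and len(pw) > self.max_len:
            out.append(f"longer than {self.max_len}")
        if digits < self.min_digits:
            out.append(f"fewer than {self.min_digits} digits")
        if specials < self.min_specials:
            out.append(f"fewer than {self.min_specials} special characters")
        if upper < self.min_upper:
            out.append(f"fewer than {self.min_upper} upper-case letters")
        if not self.digits_allowed and digits:
            out.append("digits not allowed")
        if not self.specials_allowed and specials:
            out.append("special characters not allowed")
        if not self.letters_allowed and letters:
            out.append("letters not allowed")
        if not self.repeats_allowed and any(a == b for a, b in zip(pw, pw[1:])):
            out.append("adjacent repeated characters")
        return out


# Constructed stand-ins for the conflicting site rules listed in the letter.
SITE_POLICIES = [
    Policy("bank-a", min_len=8, min_digits=2, min_specials=2, min_upper=2, repeats_allowed=False),
    Policy("bank-b-legacy", max_len=8),
    Policy("utility-portal", min_len=6, digits_allowed=False, specials_allowed=False),
    Policy("card-pin", min_len=4, max_len=4, letters_allowed=False, specials_allowed=False),
]


def failing_policies(pw: str, policies: List[Policy]) -> Dict[str, List[str]]:
    """Map each policy the candidate violates to its reasons; an empty dict means it fits everywhere."""
    return {p.name: p.violations(pw) for p in policies if p.violations(pw)}


# The letter's proposal as a single policy; 6 months is taken as 182 days.
UNIVERSAL = Policy("letter-proposal", min_len=8, min_upper=1, history=1, expiry_days=182)


def accept_change(policy: Policy, new_pw: str, previous: List[str]) -> List[str]:
    """Validate a password change; previous[-1] is the current password.

    With history=1 only the current password is refused, so the rotation
    NewPassword1 -> NewPassword2 -> NewPassword1 described in the letter passes.
    """
    problems = policy.violations(new_pw)
    refused = previous[-policy.history:] if policy.history else []
    if new_pw in refused:
        problems.append(f"matches one of the last {policy.history} password(s)")
    return problems


def expires_on(policy: Policy, set_on_iso: str) -> Optional[str]:
    """ISO date on which a password set on `set_on_iso` must be changed, or None if it never expires."""
    if policy.expiry_days is None:
        return None
    return (date.fromisoformat(set_on_iso) + timedelta(days=policy.expiry_days)).isoformat()


if __name__ == "__main__":
    # No single candidate satisfies all four constructed site policies.
    for pw in ("Pa5!Wd6#", "1234", "Passw0rd!x"):
        print(pw, "fails:", sorted(failing_policies(pw, SITE_POLICIES)))
    print(accept_change(UNIVERSAL, "NewPassword1", ["NewPassword1", "NewPassword2"]))
    print(expires_on(UNIVERSAL, "2014-01-01"))
```

Running it shows the letter's complaint in miniature: a password strong enough for "bank-a" is rejected outright by the constructed utility portal (no digits or specials allowed) and by the PIN-only card, while a 4-digit PIN is rejected by the bank. Under the proposal, changing from NewPassword1 to NewPassword2 and back again is accepted because only the immediately previous password is refused.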
Two level authentication
Although this is already happening, it could be applied to most websites, which would make it easier to safeguard against spammers and scammers. Two level authentication would also be beneficial if the password expiry period were longer.
I am not sure exactly how this should work, but let us say Google/Facebook/Microsoft/Yahoo authentication could help us with a common password. So if I am logged into my Google or Facebook account, I can access some news/comment websites (this is already functional).
There might be smarter ways to handle it, but this should be resolved; otherwise people will start using very casual passwords or saving passwords in rather unsafe places, making room for more and more hacking and spamming of users’ accounts.
An ardent observer of life’s visual rhythms and curious about the SOEs that take place in the cosmos, I jot down my mind occasionally on yet another universe, the Internet.
An engineer by profession and nationalist by heart, I write my heart and mind on anything and everything that comes my way. I put down my ideas on politics, religion, technology, green energy, stock markets, spirituality, open source, business and anything under God’s green earth, and above it too 😉
Being a jack of all trades, I have my say on varied subjects 🙂
Some of my articles are also published at http://articles2read.com/author/ankur-mehta/