Wednesday, 7 December 2011

Password Pressure

How many passwords do you have to remember? I have lost track of the ones I need not only to get into work systems but simply to shop online. Often I need one to access my account on the company website and then a subsequent one to actually pay for the system and then that is often backed up by a third verification from the company providing the card I am buying with. It is probably alright to remember the ones you use regularly, though I am no longer in the situation to buy CDs and DVDs with the frequency I might once have used. The greater difficulty is with those that I might visit only once per year, for example, to order vacuum cleaner bags or to apply for a job with a particular company. You need a password for almost every job application and yet there is little chance even if it is a company you really want to work for, that a suitable vacancy will only come up once every three months, perhaps only once in a year.

Of course, many systems now have ‘do you want to be reminded of your password?’ and for me that has almost become the default setting, hoping that I have remembered which email account I locked this particular company’s website to. Given that I applied for 80 jobs last year with about 70 companies, trying to remember so many different accounts was a real labour. What can be particularly frustrating is that ‘to increase security’ you can find that the reminder or more often these days the option to choose to reset the password only turns up an hour or two later. Thus, your window of opportunity for buying the item or filling in a lengthy job application has passed by the time you can get in.

One thing that irritates me is being told to alter my password just because a certain period of time has passed. The worst situation for this was in a job in the early 2000s where you had to change your password every month and were not allowed to repeat a password until you had used nine others. Trying to come up with things that you could remember was a real trick. Ultimately you end up writing them down or putting them in a file on your computer, so all of this fuss about security is compromised. My current job insists on a change every 3 months. I had the same password for my Hotmail email account from 1999-2010 and it was never hacked, yet this was felt by MSN to be too long a time without change and I was told to change it to one with greater ‘strength’. Having done this, a few weeks later, my account proceeded to be hacked for the first time. My password for my ‘World of Warcraft’ account now has 13 characters in it as the one 9 characters long proved too easy to break for hackers. YouTube insisted that I change the password I use to access that just recently. However, it kept rejecting my suggestions as too ‘weak’ and it was a battle to come up with a password and numbers that satisfied it and I can say that a month on I have forgotten what it was.

Passwords are supposed to be about security but generally they seem more effective at locking out the actual user than those attacking the account. Software can try millions of words, even those in Japanese that I tend to use, in seconds and yet I can end up spending hours trying to get into my account and often abandon the attempt. It has never been so hard to buy something as in the 21st century. Most of what I have access to is of no interest to any criminal. I certainly have no belief that a hacker would alter my job application in order to reduce my ‘O’ levels. I suppose they could put their address in place of mine, and, assuming that I got an interview, go in my place, but even then, to get the job they would have to manufacture fake qualification certificates. If they are that skilled then they would not be going for the kind of jobs I am going for, currently not even at the level of middle management. I guess they could divert a DVD I have bought or buy lots of things on my cards, but I do not have the wealth that would make it really worth the effort. I guess this is the same for most people and yet we are subjected to a password regime which would suggest we all have access to state secrets. The last company laptop I was issued needed thumbprint verification to switch it on. No-one seemed to spot the irony when I asked whether we had ones equipped with the same facilities as those red boxes issued to ministers which measure skin temperature to check that the thumb has not been simply cut off the legitimate user.

It is not only ever-changing passwords of sufficient strength that cause problems but the username or login name that goes with it that adds an extra dimension. Every company has a different protocol and I battle to remember whether they wanted my surname and initials, one initial, two initials, together or spaced with full stops; perhaps this one wanted my entire name or was it the email account or was it some other form of designation that they assigned me? Of course, often you can ask, if you know which email account you used, have the username reminder sent, naturally with the ‘security’ delay. Sometimes this is not possible and you reach the bind into which I have found myself slipping. Apparently not being known by the company I try to set up a new account and then am told that there is already an account in that name but they cannot tell me the password to it. This is one reason for having more than one email account as I am then compelled to start up a new account in a different email name all for one application to a job which at best I have a 3 in 8 chance of getting.

Sometimes systems are even more frustrating especially when combined with rapid ‘timing out’. I have commented before that job application sites are the worst for this. The extreme case was the one which timed me out between me deciding on a username and entering a password. Trying to re-access the system I was told there was already an account in this name and yet, of course, they could not send me the password to access it as one had not been designated. I abandoned online applying and rang them to be told that many people suffered this problem with their system. I felt it was futile to suggest they have it amended. In another case a company was charging me for virus protection I had not ordered. The bill sent me directions how to unsubscribe from the service, but going to the site it told me, as I already knew, that I had no account with the company, thus it was impossible to unsubscribe from the service which I was paying for! Trying to contact the company was almost impossible if you had no account as you had to log-in in order to send them a customer email and I was very fortunate to find a technical service email address on a discussion board that I used to get in through the ‘back door’ to reach customer services.

Doing business online loses much of its appeal when it is such a labour to access what you need to get into. The obsession with security especially for services you only use once a year or even less, is a real irritation. Every site seems to assume that they are the only people you deal with. I wish we had the ‘single sign-in’ approach adopted by universities which allows students, once they have signed into the university system to access a whole raft of e-books and online journals without having to sign in again to each one individually as used to be the case in the early 2000s. Bank accounts are the systems which do need greatest security, but interestingly they have moved away from passwords towards the devices which generate one-off code numbers. I know ‘World of Warcraft’ have introduced these too, but maybe it is time for Amazon and eBay to follow likewise. Of course, then we will have a desk full of these devices and we will leave the vital one we need at home.

The whole issue of passwords stems from the fact that no-one ever envisaged the internet to be such a crime-ridden place as it has proven to be or that so many people would put effort into peddling so much junk across systems. The internet is the distillation of the worst in human behaviour and despite constant efforts to portray it as something worthwhile it is like opening a library in the most run-down part of a city that had a vast proportion of criminals waiting to leap on anyone going to that library. Despite all the efforts over passwords and their strength, it appears that this is more of benefit to the ‘job’s worth’ attitudes of those people (very numerous these days) who like to make a fuss about regulations simply to give themselves an iota of importance, rather than providing any genuine security. For the average user like myself, trying to recall a string of passwords (even if you try to keep to a familiar few) and precisely what username you selected or were given many months ago, these concerns are increasingly making doing anything on the internet slower than telephoning in an order and, on occasion, actually physically going to the shop or office.
