Forgotten Passwords

by
,

Forgotten Your Password? Yes. Yes, I have forgotten my password. Yes, again.

I always forget my passwords and have to click the forgotten your password link. I resent the wording of “forgotten your password?” as it implies that I’m the one at fault. Gimme a break! The truth of the matter is that as a website user I can’t win. If I pick a nice simple combination of letters and maybe numbers that I can remember easily I’m told that it’s not secure enough; if I pick something suitably complicated or random then I can’t remember it, especially when I’m not supposed to use the same password across multiple sites.

We want our accounts to be secure and, at the same time, we want the convenience of not having to jump through a multitude of hoops just to log in.

In reality, the option of picking a simple, memorable password isn’t even an option any more. Your password now has to contain at least one uppercase letter, one lowercase letter, a number and a symbol. How long before you have to type it in blindfolded while standing on one leg?

So, what actually happens, every time, is that I have 3 or 4 attempts to guess what password I might have used before having to click the forgotten password link. This goes to a new screen which asks me for my email address, again, even though I’ve just tried it several times. I then wait for an email to arrive before clicking a link in the message to back to a screen where I can reset my password. I type in some new soon to be forgotten combination and I’m finally in, usually about 5 minutes after I started. Several times I’ve either run out of time or decided what ever I wanted to do just isn’t worth the hassle.

Some very secure systems make you change your password every month. Oh thanks. Yeah, that’s helping. And don’t even think about going back to a password you’ve used before. Does anyone really change their password properly each month or do they just increment one digit making it really easy to guess from one month to the next?

Keys?

Entering a password is fundamentally just me proving my identity by giving a piece of information, a combination of letters, numbers and symbols that nobody else could know. I have something unique which grants me access.

In other parts of life we approach gaining access differently. We secure our precious homes using a physical key. We actually put a piece of metal into a door and turn it, as we have for centuries. It seems quite crude for the 21st century but it’s simple and it works. We can spend our money by using a physical card and entering a four digit PIN. The PIN is easy to remember - it’s only four digits and you can keep the same digits for years. It’s the combination of something physical and a very simple password which makes it secure and easy.

Why’ve we made gaining online access to things so different? I’m not saying we should all have keys for our devices but an element of the physical could certainly come into play. If our web devices had the ability to read from something physical then we could use the same approach. Hackers would not be able to replicate the physical aspect quickly enough to make it viable to hack.

Partial Solutions

So, what’s the answer? There is software which will remember passwords for you. Most decent web browsers offer to remember passwords and there are other programs or apps which will allow you access your password list once you enter a master password. The problem with these is that they’re specific to one device and that’s just not necessarily how we do things now. During a typical day I’ll use a work desktop PC, a laptop, a phone and a tablet and I may want to access the same info from any of them.

The closest I’ve seen to an automated solution is to use the same browser across all devices, assuming this is possible, and allow it to remember and sync passwords. Chrome and Firefox offer this. As far as I know the passwords are not stored in the cloud but actually within the browser on each device. My worry is that a site or app could try to imitate the sync process and steal all your password data. I’m sure it’s pretty secure but anything that stores passwords is going to get the attention of hackers.

How about writing down all your passwords in a notebook? Sounds stupid at first but as there aren’t hoards of bad guys actively trying to steal it it’s probably one of the safer options. The difficulty is keeping it with you and never losing it. It could fall into the wrong hands and easily expose you to problems from people not clever enough to be hackers.

I think the key to balancing security and convenience is to weigh up how secure access to a site needs to be and how often you use it. Think “if someone got in what’s the worst they could they do?”. With the convenient “forgotten your password” service provided by most sites, if someone has your email address and password they can actually get into pretty much everything.

Guard your Email

Treat your email address as top priority. Choose a horrible, hard to remember password and make the effort to learn it. Don’t use this password for anything else. If you log into the email provider’s site or app, don’t let your browser or device remember the password - make the effort to type it in each time.

Get Creative with your Passwords

Finally, some fun things you can do to make seemingly random combinations more memorable. None of this is particularly new and won’t fool any serious hackers but it might help meet the increasingly tough password requirements for day to day stuff.

Use numbers and symbols as letters

E99$he11 (eggshell) £1ephan+ (elephant) +or+o!5e (tortoise) D@r+hV@der (DarthVader)