Here’s a quick rant about something which has always been annoying, but seems to worsen every year.
Every time I do anything on a website, whether it’s use e-mail, buy something, manage insurance or bank accounts, even view the newspaper or edit my running log, I need to provide a password. This is good in theory; it ensures that random people don’t have access to my private information and that they can’t, for example, change my settings at nytimes.com on a whim or write obscenities in my running log. Passwords of some sort are clearly essential, as much important financial business is now conducted via the internet.
When creating a password, the common advice is to pick something not easily guessed or itself private; birthdays and social security numbers are obvious poor choices. To encourage a degree of cleverness in password selection, many sites require that both letters and numbers be used, and give length requirements. Some allow or require special characters, and some even detect repetition of characters or the use of one’s name or username. Bank sites especially use multiple passwords under different names along with “site keys,” or pictures to which the user gives a caption.
All well and good, except that with the different requirements of every site, I have to make up new passwords all the time while the restrictions become tighter and tighter. Sites now make it so hard to create a password that not only could no other person guess my password, I can only guess it myself perhaps 40% of the time. I realize that the purpose is to prevent the theft of my private information, but do passwords really need to be so tricky that I get locked out of my own running log? This seems extreme. I’d much rather run the risk of someone breaking into my log and finding out (gasp!) how many minutes I ran on some date in 2005 than have to go through the routine of having my password emailed to me or changed every time I use a different computer which hasn’t already saved it. After all, isn’t it my own choice to pick simple passwords, knowing the risk? If I use my birthday as the password to my bank account and someone guesses it, I’m clearly at fault for my unwise decision, not the bank. So why do they persist in making me create one complicated username and two complicated passwords?
This brings me to my next gripe. These sites are aware that people have trouble remembering their own passwords. Their remedy is to place convenient “Forgot your password?” links next to every sign-in box. Enter your username, or e-mail address, and maybe answer a few “secret questions” and your account is magically reopened for you. But wait: passwords must be impossibly complicated to prevent fraud, yet getting access to another’s e-mail or finding out what hospital they were born in, or their pet’s name, or whatever other bullshit they ask is ridiculously easy. Someone who wanted to break into my account would simply have to get into my e-mail or find out an account number (not very secret) and supply the name of some family member and they’d be in, no matter how sneaky of a password I chose.
Furthermore, passwords themselves are routinely saved on computers or written down, in hopes of recalling or circumventing them later, rather than committing all 75 of them to memory. How hard can it be to just use someone else’s computer and get into their accounts with the passwords saved in there already? Probably not very.
My advice to the website gods out there: find a system that might be both effective and tolerable. Please.