It’s time to shoot the password. And multiple screens are the trigger.

I had this epiphany when wrestling with one Rhapsody music service on two devices using three pieces of software.

Firing up the Rhapsody Android smartphone app, I unexpectedly was prompted for my password. Okay, I figured, the app had been updated and needed me to log in anew. Tap-tap-tap.

Rejected. Hmmm. Over to my laptop and the Rhapsody website. Entered the same password. No problem. Also no problem with the Rhapsody portion of my Sonos audio system controller application.

Back to Android to type-type-type again. “Sign in Failed.” Uninstalled and reinstalled the Rhapsody app. “Sign in failed.” Restarted the Droid Incredible 2. “Sign in failed.”

“Rhapsody” this was not.

Confused, I emailed Rhapsody tech support, prompting an automatic reset of my password to “123456.” I logged in on both the app and website successfully, switched back to my old password, and discovered something awe-inspiringly stupid: a one-character symbol I had used in my password worked on the website, but no longer worked on the updated Android app.

My detailed report of this back to Rhapsody support could be concisely summed up as, “WTF?”

“We are aware of this issue. Our development team is working on this. Please try after some times (sic) using the special character,” came the nearly literate response.

Now, I have long been a practitioner of good password hygiene. In the early days of websites, that meant avoiding the obvious (e.g., “123456”), and using a non-real-word alpha string. I progressed in steps over time to:

  • Add at least one capital letter, to introduce more complexity to defeat brute-force attacks;
  • Add a password element unique to each web account (non-obvious to others, but easy for me to remember), to avoid exposing all passwords should one be exposed;
  • Add at least one number or special character to each password (increasingly required by sites), to introduce even more complexity to defeat Hulk-force attacks;
  • Add two-factor authentication (when available on apps/sites/services, such as Facebook, Gmail and Twitter), to require a trusted device to generate or receive an additional passcode when an unknown device tries to sign into an account.

But this progression has been propelling passwords toward pointlessness. As we’ve entered the era of multiple screens and devices to access the same service, we’ve created a crisis of complexity. The factors are both internal consistency and human memory.

Rhapsody was only the latest service to become maddeningly inconsistent. Hilton, I once determined, could handle a leading zero for its required PIN on its HHonors loyalty program site, but not on some of its hotel brand websites where one makes reservations with the same account. I found a similar password rule disconnect between a medical institution’s website and its linked Android app.

And don’t get me started on how rules can differ across unrelated sites. Some require or forbid use of special characters in passwords or user names while others don’t. That makes coming up with all-encompassing mnemonic schema virtually impossible, as do corporate or government sites that force resets of passwords every XX number of days.

I expressed my password frustrations via Twitter direct message to Eve Maler (aka @xmlgrrl), whose day job is as principal analyst, security and risk for Forrester Research. The response was immediate: “I swear, this is the one issue that unites geeks and everyone else. Can’t count how many conversations I’ve had about this with airplane seatmates!”

“Another frustrating situation I see,” Maler continued, “is requiring users to have different login accounts at different apps run by the same organization. Government agencies are frequently guilty of this. It takes a lot of back-end work to merge all these siloes, but the cost of not doing so is growing by the day.”

I also don’t consider a true solution to be a password “locker” (which strikes me as a co-dependent relationship between locker vendors and sites that proliferate inconsistent password rules), or web browsers that automatically, and potentially insecurely, save passwords. It’s definitely not using Facebook credentials to log in everywhere, unless you really enjoy combining a single point of failure with a tradition of privacy laxity.

The future, as someone prescient might have whispered to Dustin Hoffman in 1967, may be biometrics. As a recent report from the National Institute of Standards and Technology defined, “a password is something you know, a biometric is something you are, and a cryptographic identification device is something you have.”

Take the fingerprint reader built into my Lenovo ThinkPad T430. I was originally skeptical, but have been impressed by its accuracy, speed and simplicity, especially before my first cup of French roast.

Other biometric or device approaches are being tried. The massively open online course (MOOC) provider Coursera has adopted, for its “Signature Profile,” biometrics that measure the pattern of typing (along with a webcam) to help ensure that the person submitting assignments is the same person every time. Apple has its Touch ID fingerprint recognition for the iPhone 5S. There’s Knock, an intriguing device authentication approach for Mac users to unlock their computers over Bluetooth by knocking twice on their iPhone.

Taking all this a step further, Steve Gibson, a long-time security nerd, in October proposed SQRL (Secure Quick Reliable Login and yes, pronounced “squirrel”). It’s getting a lot of attention and is not easily summarized in a sentence, but think holy matrimony of QR codes, automatic site-specific keys – and just one password to remember.

Yet it likely will be the case that, even if biometrics or device-specific solutions are widely adopted, some kind of backup password credential will be needed should a finger or retina be unavailable or bandaged.

So here’s my plea to developers and organizations: Don’t release updates until you’re sure password rules are consistent across all your apps or sites, mobile and web. And please, for the sake of increased security and user sanity, always recognize both alphanumeric and special characters.
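The Rhapsody breakage is, at bottom, two clients validating the same password with two different rule sets. The script below is an added illustration (my own code, not Rhapsody’s or any vendor’s): two constructed validators that diverge on a symbol, a small audit that finds every sample password on which they disagree, and a single policy object that both clients could share instead. The policy deliberately has no composition rules; it checks length and rejects only non-printable characters, so symbols and non-ASCII letters work everywhere. All passwords in the sample list are constructed test inputs.

```python
import string
from typing import Callable, Dict, List

# --- Two divergent validators (constructed, not any real service's code) ---
# The web form accepts any printable ASCII character; the hypothetical mobile
# client shipped an update that quietly narrowed the set to a short symbol list.
WEB_ALLOWED = set(string.printable) - set(string.whitespace)
APP_ALLOWED = set(string.ascii_letters + string.digits + "!@#$%")


def web_accepts(pw: str) -> bool:
    """Rule set used by the (hypothetical) web sign-in form."""
    return 8 <= len(pw) <= 64 and all(c in WEB_ALLOWED for c in pw)


def app_accepts(pw: str) -> bool:
    """Rule set used by the (hypothetical) mobile app after its update."""
    return 8 <= len(pw) <= 64 and all(c in APP_ALLOWED for c in pw)


def find_inconsistencies(candidates, validators: Dict[str, Callable[[str], bool]]
                         ) -> Dict[str, Dict[str, bool]]:
    """Return every candidate the validators disagree on, with each verdict.

    Run this over a corpus of acceptable passwords before shipping a client
    update; any non-empty result means a user will be locked out somewhere.
    """
    disagreements = {}
    for pw in candidates:
        verdicts = {name: fn(pw) for name, fn in validators.items()}
        if len(set(verdicts.values())) > 1:
            disagreements[pw] = verdicts
    return disagreements


# --- One shared policy every client should import instead ---
class PasswordPolicy:
    """Length bounds plus 'any printable character is fine'.

    No composition rules; only control / non-printable characters are refused,
    so special characters and non-ASCII letters behave the same on every client.
    """

    def __init__(self, min_len: int = 8, max_len: int = 64):
        self.min_len = min_len
        self.max_len = max_len

    def check(self, pw: str) -> List[str]:
        """Return a list of human-readable reasons; empty list means accepted."""
        reasons = []
        if len(pw) < self.min_len:
            reasons.append(f"too short: {len(pw)} < {self.min_len}")
        if len(pw) > self.max_len:
            reasons.append(f"too long: {len(pw)} > {self.max_len}")
        bad = sorted({c for c in pw if not c.isprintable()})
        if bad:
            reasons.append("non-printable characters: " + ", ".join(repr(c) for c in bad))
        return reasons

    def accepts(self, pw: str) -> bool:
        return not self.check(pw)


SAMPLE_PASSWORDS = [  # constructed test inputs, not real credentials
    "correct&horse",   # '&' is fine on the web, rejected by the app
    "Tr0ub4dor^3",     # same story for '^'
    "Rhaps0dy!",       # both clients agree: accepted
    "short",           # both clients agree: too short
    "pässword123",     # non-ASCII: both ASCII-only clients reject it
    "tab\tinside1",    # control character: rejected everywhere
]

if __name__ == "__main__":
    divergent = find_inconsistencies(SAMPLE_PASSWORDS,
                                     {"web": web_accepts, "app": app_accepts})
    for pw, verdicts in divergent.items():
        print(f"DIVERGENT {pw!r}: {verdicts}")
    shared = PasswordPolicy()
    for pw in SAMPLE_PASSWORDS:
        print(f"shared policy {pw!r}: {shared.check(pw) or 'ok'}")
```

Note that the shared policy also accepts “pässword123”, which both ASCII-only validators refuse; a single allow-everything-printable rule, enforced once and imported by every client, is what makes a password that works on the website keep working in the app.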

In the meantime, I’ll remain an unwilling beta tester of bad password practice, be happy for the few biometric log-ins I do have, and be thankful that my laptop hasn’t prompted me to change my fingerprint every 90 days. That would be messy.

Frank Catalano (@FrankCatalano) is a strategist, author and veteran analyst of digital education and consumer technologies whose regular GeekWire columns take a practical nerd’s approach to tech. See the column archive. No, his password is neither “nerd” nor what the NIST reports “may be the most commonly selected password, where it is allowed … ‘password.’”

Comments

  • Joe

    Great article

  • West Seattle Blog

    Though I’m not eager for the day of retina/fingerprint/whatever log-ins, there MUST be a better way. Especially for services/sites you only need to use once a month, perhaps to pay a bill … And, please, if you are going to require a PW, do NOT put in draconian, maddening, no-way-to-remember-it rules such as “must be a dozen characters long, must include a punctuation mark, must include a number, must include a capital letter” … I’d rather have the security risk than the “I will NEVER remember this and will have to reset it each time” risk. – Tracy

  • Turing Radius

    Biometrics have been shown many times to be a dead-end, dating back into the 90s (https://www.schneier.com/blog/archives/2009/01/biometrics.html, https://www.schneier.com/crypto-gram-9808.html#biometrics).

    “Biometrics are unique identifiers, but they are not secrets.”

    Biometrics are a login, not a password.

    If you really think that “lockers” are too much of a bother and would rather use more insecure methods that are easier, you’re just setting yourself up for bad things later, biometrics included.
    KeePass, 1Password, et al., have created products that are useful, pervasive (on phones, mobile devices, and computers), and can be replicated via Dropbox, etc. So you have a single store where you can manage the various password definitions (which seem randomized themselves), involving some of the strongest, peer-reviewed encryption available today. If you’d rather have a single password that you copy to all the Internet sites, with varying degrees of [in]security, good luck with that. You only need to have 1 compromised on some forum for your bank records and accounts to be emptied. The litany of compromises (MacRumors being the latest at 860k accounts) shows how easy it would be for this to happen.

    As someone that has just over 250 accounts between work and personal arenas, I would love a shortcut, believe me! Replacing a biometric print for the logins for all 250 would be brilliant in and of itself!

    But given my 30yrs in computing, there is only one, don’t use the Internet. Short of that, a secure little black book is what you’re left with. I have a number of friends that are cypherpunks (who generally have more accounts (and degrees) than I do), and one of the few philosophical things they all agree on is that there’s no silver bullet. It is no different than washing your hands or not drinking tap water in Mexico, you have to know where you are, and what risks to avoid, otherwise you’ll be in a world of hurt with no one to blame but yourself.

    • http://www.intrinsicstrategy.com/ FrankCatalano

      It’s abundantly clear from reading the column that I’m not using or recommending a single password for all sites (otherwise, I wasted all those bullet points). And, in my case for my laptop, biometrics actually do replace both the user ID and password.

      I consider password lockers a workaround that can enable bad password practices by sites by not forcing good practice. At the very least, there needs to be some consistency across sites, apps and accounts for what characters are allowed in passwords and password length.

      • Boss

        I bought my HP laptop because of the fact that it had a fingerprint reader. The convenient swipe of my finger logged me on and eased the burden of remembering the ever multiplying number of passwords.
        You mentioned the problem with one of your biometric passwords (aka finger) being bandaged and not being able to log on. When my fingerprint reader was initially set up it was mandatory that more than one finger was read into the program to thwart this problem.
        The problem that I ran into using this log on and password method of biometrics was that when my browser issued an updated version, I had to wait until the maker of the fingerprint reader wrote a new software extension that was compatible with the new browser version. The lag time in between forced me to wait on updated versions or go back to that dreaded list of passwords that I stored on a thumb drive… somewhere.
        I am all for biometrics!!!

        • http://www.intrinsicstrategy.com/ FrankCatalano

          The “bandaged” line was partly tongue-in-cheek. Even if more than one fingerprint can be enrolled (and my ThinkPad software does allow it), it’s helpful to have an alternate way to log in if you need to have a spouse or colleague get into a device and you’re not near it. I also recommend occasionally typing in the actual password — just to reinforce in your memory what it is, for when you really need it and you can’t use the fingerprint scanner.

  • Guest

    As a very basic starting point it would be helpful for each login screen to display the password rules for that site. That would give you a chance of remembering what specific password you had to create.

    And changing passwords every X days, and not using a password used within the last 12 months really adds to the confusion.

  • Slaggggg

    Headline/article mismatch. The author is not recommending killing the password.
    Plus – you are using Rhapsody ??? There’s your problem …

    • http://www.intrinsicstrategy.com/ FrankCatalano

      Actually, the headline is exactly what I meant. But if it makes you feel better, you can mentally insert “as it’s used now” just before the dash.

  • margaret Bartley

    You use different passwords for different sites, as do I, for the simple reason that it is practically impossible to say that any one site will not be hacked, and you don’t want one weak link to expose every password.

    So suppose some gangster-type organization sets up a website with lots of naive, honest fools as frontmen, and stores your biometric ID. Good luck with that one!

    If someone steals your credit card number, you can get a new one. If someone hacks your SSN, it’s a pain in the tush, but you can get a new Social Security number. Good luck getting new thumbs or irises!

    • http://www.intrinsicstrategy.com/ FrankCatalano

      Fortunately, my ThinkPad’s biometric ID is stored in just one place: on the ThinkPad itself. And I’m ever the optimist that there will be more than one biometric approach (and one can switch if one ID is compromised), plus that before trusting any site with biometric information, people will pay attention to details of the site or service. That said, there’s probably no hope for those who still use the password, “password,” biometrics or no.

  • margaret Bartley

    Until we get a foolproof, easy way to securely use logins, I’d like to suggest making use of a private code, much like DaVinci did. I type the seed of the password in a document that has two columns, one for the website, the other for the user-name and password seed. I know the easy-to-remember algorithm that converts my seed to the real password, so if someone were to find the oddly-named document, and crack the password to open it, they would see many of my real logins, but only the seed, not the real password.

    The document has a shortcut and can be opened with two keystrokes, although it does have its own password, by now, my fingers type it so quickly I don’t even notice.

    The additional benefit of this is that I can also keep notes about the website there, as well.

  • Mark H. Harris

    You’re fighting the problem, dude …

    … and the sad news for you is that the problem is going to win.

    Clear elegant rules have been established long ago for the generation of passwords which are difficult to render by cracking schemes and even more difficult to remember. This is not going to change any time soon, so what are you whining about… you want sympathy or something?

    I have a little small book of passwords, digitally encrypted, with hundreds of active passwords, none of which are the same, and all of which are well over thirty random alpha-numerics with upper and lower case and permitted symbols.

    No, I don’t remember them. I access them with a key, or I look them up in a physical book. I change them regularly, and I have been doing this for many many years … hasn’t killed me yet.

    This is a great article for clear guidance in the generation of strong passwords:

    http://www.thegeekstuff.com/2008/06/the-ultimate-guide-for-creating-strong-passwords/

    Cheers

    • http://www.intrinsicstrategy.com/ FrankCatalano

      Sorry, I refuse to accept defeat (and trust me, I know how to generate strong passwords). This is a human-created problem, especially the inconsistencies, and will have a human-created solution, coupled with more elegant technology. I’m optimistic. The sympathy can be saved for someone who is not.

      And whining? Hell, I’m a columnist. Fact-based whining is my JOB.

  • PPM

    Wholeheartedly agree with everything above, and few things in life bug me more than the sites you rarely visit that say enter your password and don’t give you a hint as to what special rules they imposed. If they are the only site on the net that wants at least 30 characters or a Greek letter or two, then for goodness sake, remind us!