It’s time to shoot the password. And multiple screens are the trigger.
Firing up the Rhapsody Android smartphone app, I unexpectedly was prompted for my password. Okay, I figured, the app had been updated and needed me to log in anew. Tap-tap-tap.
Rejected. Hmmm. Over to my laptop and the Rhapsody website. Entered the same password. No problem. Also no problem with the Rhapsody portion of my Sonos audio system controller application.
Back to Android to type-type-type again. “Sign in Failed.” Uninstalled and reinstalled the Rhapsody app. “Sign in failed.” Restarted the Droid Incredible 2. “Sign in failed.”
“Rhapsody” this was not.
Confused, I emailed Rhapsody tech support, prompting an automatic reset of my password to “123456.” I logged in on both the app and website successfully, switched back to my old password, and discovered something awe-inspiringly stupid: a one-character symbol I had used in my password worked on the website, but no longer worked on the updated Android app.
My detailed report of this back to Rhapsody support could be concisely summed up as, “WTF?”
“We are aware of this issue. Our development team is working on this. Please try after some times (sic) using the special character,” came the nearly literate response.
Now, I have long been a practitioner of good password hygiene. In the early days of websites, that meant avoiding the obvious (e.g., “123456”), and using a non-real-word alpha string. I progressed in steps over time to:
- Add at least one capital letter, to introduce more complexity to defeat brute-force attacks;
- Add a password element unique to each web account (non-obvious to others, but easy for me to remember), to avoid exposing all passwords should one be exposed;
- Add at least one number or special character to each password (increasingly required by sites), to introduce even more complexity to defeat Hulk-force attacks;
- Add two-factor authentication (when available on apps/sites/services, such as Facebook, Gmail and Twitter), to require a trusted device to generate or receive an additional passcode when an unknown device tries to sign into an account.
But this progression has been propelling passwords toward pointlessness. As we’ve entered the era of multiple screens and devices to access the same service, we’ve created a crisis of complexity. The factors are both internal consistency and human memory.
Rhapsody was only the latest service to become maddeningly inconsistent. Hilton, I once determined, could handle a leading zero for its required PIN on its HHonors loyalty program site, but not on some of its hotel brand websites where one makes reservations with the same account. I found a similar password rule disconnect between a medical institution’s website and its linked Android app.
And don’t get me started on how rules can differ across unrelated sites. Some require or forbid use of special characters in passwords or user names while others don’t. That makes coming up with all-encompassing mnemonic schema virtually impossible, as do corporate or government sites that force resets of passwords every XX number of days.
I expressed my password frustrations via Twitter direct message to Eve Maler (aka @xmlgrrl), whose day job is as principal analyst, security and risk for Forrester Research. The response was immediate: “I swear, this is the one issue that unites geeks and everyone else. Can’t count how many conversations I’ve had about this with airplane seatmates!”
“Another frustrating situation I see,” Maler continued, “is requiring users to have different login accounts at different apps run by the same organization. Government agencies are frequently guilty of this. It takes a lot of back-end work to merge all these siloes, but the cost of not doing so is growing by the day.”
I also don’t consider a true solution to be a password “locker” (which strikes me as a co-dependent relationship between locker vendors and sites that proliferate inconsistent password rules), or web browsers that automatically, and potentially insecurely, save passwords. It’s definitely not using Facebook credentials to log in everywhere, unless you really enjoy combining a single point of failure with a tradition of privacy laxity.
The future, as someone prescient might have whispered to Dustin Hoffman in 1967, may be biometrics. As a recent report from the National Institute of Standards and Technology defined, “a password is something you know, a biometric is something you are, and a cryptographic identification device is something you have.”
Take the fingerprint reader built into my Lenovo ThinkPad T430. I was originally skeptical, but have been impressed by its accuracy, speed and simplicity, especially before my first cup of French roast.
Other biometric or device approaches are being tried. The massively open online course (MOOC) provider Coursera has adopted, for its “Signature Profile,” biometrics that measure the pattern of typing (along with a webcam) to help ensure that the person submitting assignments is the same person every time. Apple has its Touch ID fingerprint recognition for the iPhone 5S. There’s Knock, an intriguing device authentication approach for Mac users to unlock their computers over Bluetooth by knocking twice on their iPhone.
Taking all this a step further, Steve Gibson, a long-time security nerd, in October proposed SQRL (Secure Quick Reliable Login and yes, pronounced “squirrel”). It’s getting a lot of attention and is not easily summarized in a sentence, but think holy matrimony of QR codes, automatic site-specific keys – and just one password to remember.
Yet it likely will be the case that, even if biometrics or device-specific solutions are widely adopted, some kind of backup password credential will be needed should a finger or retina be unavailable or bandaged.
So here’s my plea to developers and organizations: Don’t release updates until you’re sure password rules are consistent across all your apps or sites, mobile and web. And please, for the sake of increased security and user sanity, always recognize both alphanumeric and special characters.
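One way to turn that plea into a release gate, as an added example that is not code from the original post or from Rhapsody: a canonical server-side rule, a constructed mobile-client validator whose allow-list quietly lost some punctuation, and a divergence check that runs every special character through both before an update ships. The character sets, length bounds and sample passwords are assumptions made up for the example.

```python
import string

# Canonical server-side policy (constructed for this example, not Rhapsody's
# real rules): any printable ASCII letter, digit or punctuation character.
SERVER_ALLOWED = set(string.ascii_letters + string.digits + string.punctuation)
MIN_LEN, MAX_LEN = 8, 64


def server_accepts(password: str) -> bool:
    """The rule the website enforces; treated as the reference policy."""
    return MIN_LEN <= len(password) <= MAX_LEN and set(password) <= SERVER_ALLOWED


def app_accepts(password: str) -> bool:
    """Hypothetical updated mobile client. Its input validation only knows a
    handful of symbols, so a password the website accepts can fail here,
    which is the mismatch described in the post."""
    app_allowed = set(string.ascii_letters + string.digits + "!@#$%^&*")
    return MIN_LEN <= len(password) <= MAX_LEN and set(password) <= app_allowed


def policy_divergence(reference, client, samples):
    """Return every sample on which the two validators disagree.
    An empty list means the client matches the reference policy on the samples."""
    return [pw for pw in samples if reference(pw) != client(pw)]


# Constructed test set: each punctuation character embedded in an otherwise
# valid password, plus boundary cases both validators should reject or accept.
SAMPLES = (
    [f"Corr3ct{c}Horse" for c in string.punctuation]
    + ["short1!", "x" * 65, "OnlyLetters1"]
)

if __name__ == "__main__":
    # Release gate: the client ships only when this prints nothing.
    for pw in policy_divergence(server_accepts, app_accepts, SAMPLES):
        print(f"client rejects a password the server accepts: {pw!r}")
```

The same check can be pointed at each client (web, Android, iOS, partner integrations) against the one server policy, so a rule change in one place shows up as a failing test everywhere else.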
In the meantime, I’ll remain an unwilling beta tester of bad password practice, be happy for the few biometric log-ins I do have, and be thankful that my laptop hasn’t prompted me to change my fingerprint every 90 days. That would be messy.