Regular
posted 15 Mar 2005 in Volume 1 Issue 8
7ce7K46X… or is it 7ce7K56X?
By Bill Raschen
What had been a minor inconvenience suddenly became a real problem during the recent half-term school break. My family had just finished a meal at an Italian restaurant. As normal, I produced my Visa card, and waited to provide the left-handed scrawl that passes for my signature. But instead the waiter brought back a new PIN machine, and cheerily asked for my four-digit number. Somewhere in the dull recesses of my mind, I remembered that Visa had recently provided me with yet another electronic password to add to my collection. But could I remember it now? Could I hell. Luckily, albeit to the slight disappointment of my children, I was able to provide the number for my Switch card instead, and embarrassment was averted. But it had been a close call.
The volume of electronic passwords for most people has probably crept up fairly imperceptibly until quite recently. Personal identification numbers for accessing cash from bank hole-in-the-wall machines became routine in the mid-1970s, when magnetic stripe technology enabled plastic cards to be used to withdraw cash. Information professionals would have come into contact with passwords for online database logins not that long thereafter, particularly when personal computers became widespread in the early 1980s. But, of course, it has been the advent of the web that has really opened this particular Pandora’s box. Each time we access our bank details online, shop on Amazon, sell on eBay or enter a newsgroup, there’ll be a password to contend with. Add further variables such as multiple e-mail addresses and hours of fun are guaranteed – particularly when you need the details and can’t remember them.
If you take a fairly relaxed approach to passwords (maintaining just a handful of them, and using the names of loved ones, for example), you certainly aren’t alone. A February 2005 survey of over 1,000 respondents conducted by RSA Security found that more than two in three people use fewer than five passwords for all their electronic information access, and 15 per cent use a single password for everything. These numbers correspond closely with the results of a similar survey for RSA in 2004. A separate survey, conducted prior to the Infosecurity Europe trade show in April 2004, tellingly found that 80 per cent of respondents were fed up with passwords and would like a better way to log in to computer systems.
The problem is, of course, not just confined to our private lives. Within work, users are accessing corporate networks in multiple ways and have to remember different passwords depending on how, and from where, they are logging on. This could mean using one password to log in to an intranet and a separate one to access work-related e-mails from home, for example. IT department requests for staff to change their passwords regularly (often to hard-to-remember alphanumeric strings) exacerbate the issue further. And there are financial repercussions from the time wasted in trying to remember passwords in the first place, with productivity hurt each time a user is locked out of an online system and has to call the helpdesk.
Despite plenty of hand wringing, there still seems to be no clear consensus on how to tackle the problem of a multitude of online providers acting independently in demanding access details from us. Proposed solutions are broadly in two categories: the non-technical, requiring memory feats, or the technical, which have proven fairly lame, and not terribly popular.
There is a faintly daft puritan stance to many of the ‘non-technical’ suggestions that are provided on the web to help remember passwords. Their usual tired mantra pokes fun at users for only maintaining their handful of easy-to-remember logins, and urges us not to write them down. The common refrain is that passwords should be alphanumeric in nature (letters and numerals), and should be written in a variety of lower and upper case. But if that means remembering variants of ‘7ce7K46X’ thirty times over, the response should surely be “dream on”.
The ‘technical’ solutions have not fared much better. Microsoft launched its Passport service some years ago, expecting to sell it to thousands of online vendors and companies who would then allow Microsoft to validate people’s identities via one centrally-stored set of details. But a lack of interest and a series of security flaws meant that the system was never widely adopted. A statement from eBay in January 2005 saying that it would no longer support Passport has probably sounded the death knell on this service, and Microsoft’s broader plans to manage identity information are being deferred to its Longhorn operating system. Liberty Alliance, a trade group formed by Sun Microsystems with the backing of major players, including Intel, provides an alternative ‘federated’ identity service system, but it too has received a tepid response so far.
So, there is a worsening problem out there that is still waiting for a comprehensive (but simple) solution. If you’re tired of trying to build fusion reactors or solve world poverty, you could do worse than create a system that would consign multiple passwords to an historical dumper.