Passwords and April fools

Before you can say correcthorsebatterystaple, April 1 is upon us once again. It’s hard to believe that another year has come and gone. But why is the 1st of April an important date? Because much of the commentary and advice about passwords reminds me of an April Fools’ joke – not malicious, just frustrating, incomplete, impractical or silly.


Not laugh-out-loud funny, just that awkward Homer-Simpson-forehead-slapping d’oh!

Let’s start with the particularly maleficent (yes, I’ve been watching Disney movies with the kids…) idea that passwords are meant to be memorized and remembered. It doesn’t make sense.

Spelling words are meant to be remembered. Multiplication tables are meant to be memorized. BUT we still have tools to help us with each of these: every word processor out there has spell check, and every smart and not-so-smart computing device has a calculator. Even restaurants will often provide a calculator in that folder thing with your bill.

I guess it stems from the thought that passwords are secrets, so we have to carry them in our heads. OK, I can buy that for one, two or a very few passwords that we use frequently. Remember that Ali Baba only had the one to remember: Open Sesame. And he didn’t have to worry about caps or lower case, numbers or special characters.

But, in today’s online world, where just about everything in our lives is tied to a host of password-protected accounts, it isn’t workable to memorize all of them. We all have too many accounts, each with its own set of rules – not to mention that we don’t access the accounts with the same frequency. With passwords, it’s use it or lose it, just like muscles (insert your favorite quote by Arnold Schwarzenegger or Lou Ferrigno here).

Remembering stuff is hard – for all sorts of reasons. (Hint: here’s one area where a password manager is a big help.)

For some people, remembering names is easy, while others are terrible with names. Some people are great at remembering faces. Dogs are amazing at remembering where they found food (i.e. garbage to you and me) and strange smells along their walk routes.

And most people are lousy at remembering passwords. More precisely, most people just aren’t very good at remembering lots of unique passwords for all their online accounts.

There’s gobs of advice online about how to create the perfect password. Lots of it is very good advice:

  • make it long and strong (12 or more characters)
  • don’t use dictionary words, names, or significant dates and facts from your life
  • mix in upper/lower case, numbers, special characters
  • base it on a phrase like the lyrics from a favorite song

The underlying premise of most of the advice is that you can and should do this for all your accounts and that it will make them all so very easy for you to remember, while making it very difficult for others to guess. (I’ll pass over whether people are all that good at remembering song lyrics.)

Do you like the Rolling Stones? Great – take a line from one of their songs and modify it to make it an awesome password.

I can’t get no satisfaction

becomes

ICaN76eTno5at?!

Well done! Now repeat that for the rest of your 30 to 40 or more online accounts. You’re all set.
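The checklist above says what a password should look like but not how to make one for every account without memorizing any of them, which is the job the post keeps handing to a password manager. The following is an added example, not code from the original post or from Sticky Password: it generates a fresh random password (or a diceware-style passphrase) per account with a cryptographic random source, checks each against the checklist, and reports entropy honestly, i.e. only for values the random generator actually chose. The SPECIAL character set and the 32-word WORDLIST are assumptions constructed for the example; a real passphrase generator uses a list of several thousand words.

```python
"""Per-account random passwords and passphrases, with an honest entropy figure.
Added example; the special-character set and the toy word list are assumptions."""
import math
import secrets
import string

# Character classes from the checklist above. SPECIAL is an assumed subset;
# trim it to whatever a given site actually accepts.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL

# Constructed 32-word toy list. With only 32 words each pick is worth 5 bits;
# a real list of several thousand words is what makes a 4-word phrase strong.
WORDLIST = ("correct horse battery staple apple river candle mountain silver pencil "
            "window garden rocket thunder marble copper forest island jacket ladder "
            "meadow needle orange parrot quartz ribbon saddle tunnel velvet walnut "
            "yellow zebra").split()


def entropy_bits(space_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `space_size` options.
    Only meaningful for values a CSPRNG chose; it says nothing about a
    human-made string such as a mutated song lyric, however many symbols it has."""
    return picks * math.log2(space_size)


def meets_policy(password: str, min_length: int = 12) -> bool:
    """The checklist from the advice above: length plus all four character classes."""
    return (len(password) >= min_length
            and any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SPECIAL for c in password))


def generate_password(length: int = 16) -> str:
    """Uniformly random password, resampled until it satisfies the checklist.
    The rejection step costs a negligible fraction of a bit at this length."""
    if length < 12:
        raise ValueError("use 12 or more characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def generate_passphrase(words: int = 4, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent random pick."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(words))


def unique_passwords(accounts: list[str], length: int = 16) -> dict[str, str]:
    """One fresh secret per account. This mapping is what a password manager
    keeps in its vault, so only the vault's master password has to be memorized."""
    return {account: generate_password(length) for account in accounts}


if __name__ == "__main__":
    print(f"alphabet of {len(ALPHABET)}, 16 chars -> {entropy_bits(len(ALPHABET), 16):.1f} bits")
    print(f"{len(WORDLIST)}-word list, 4 words -> {entropy_bits(len(WORDLIST), 4):.1f} bits")
    for account, secret in unique_passwords(["bank", "email", "utility"]).items():
        print(f"{account:8} {secret}  checklist ok: {meets_policy(secret)}")
    print("lyric password passes the checklist:", meets_policy("ICaN76eTno5at?!"))
```

Note that the lyric-derived password passes the checklist just as the generated ones do; the checklist cannot tell a phrase an attacker can enumerate from a string nobody has ever chosen before, which is why the entropy function deliberately takes the size of the random selection space rather than a password string.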

But… even when we create our own rules for our passwords, is it all that reasonable to think we’ll remember a) which of these super-duper passwords belongs to which account, and b) which letter was replaced by a digit or special character? Was that an uppercase or lowercase T or A or…? (And the attackers know these substitution habits too: password-cracking tools apply the same digit-for-letter swaps to their word and lyric lists.) (Psst, here’s another area where a password manager is a big help.)

Have we really eliminated the need to employ our little grey cells for remembering a bunch of passwords? Have you really solved the problem of associating each password with its corresponding account?

Even worse is the suggestion that by segregating our important accounts from our unimportant ones, we can ease the burden of having strong passwords.

Not only does this not solve the problem of having to remember passwords, it opens up a can of worms concerning what’s an important account and what’s not important.

Are bank accounts important, but email accounts not-so-important? How about utilities (gas, electricity, cable) accounts – are those unimportant? Credit card accounts are important, but what about your children’s school? Is Target important, while Walmart and other store accounts are unimportant? If Twitter and Facebook are important, what about Skype and other social media accounts? What about frequent flyer accounts with airlines? What about password-protected blogs and clubs that you belong to?

We know that hackers are more than happy to get any of your personal data. Patient assembly of just a few pieces of data allows identity thieves to create an image of you that can lead to their financial enrichment at your expense. The idea of purposefully NOT protecting the data in any of your accounts is just asking for it.

And you still have the problem of having to remember a bunch of passwords and the need to match them up to the right account. (You guessed it, here’s yet another area where a password manager is a big help.)

When you think about it, the whole concept of important and unimportant accounts is an administrative nightmare that can only make matters worse. Because it ignores human nature! People will do what people do: they will cut corners, and this method is itself a shortcut just waiting to be cut further.

In everything we do, people (and animals too) want to make life easier for themselves. This leads to great things like … the wheel. The same applies to passwords: we want security, but we want it to be easy for us. It’s the reason the worst-passwords lists look the same every year.

Separating important from unimportant accounts will invariably end with most accounts being labeled unimportant. The next thing you know, you’ll be bleeding personal information from all those accounts.

Password security comes down to strong, unique passwords. The internet revolves around password authentication. Like it or not, we are going to have to deal with passwords for the foreseeable future: until one or more of the alternative methods of authentication (maybe biometrics) replaces passwords in a major way. More likely, additional methods will supplement passwords – think two-factor authentication. Until then, though, it really is up to each of us to protect our online accounts with strong passwords. A password manager is the best way to create, store and manage all your passwords. My favorite is Sticky Password.

The next time someone offers you an easy-peasy-lemon-squeezy short cut for memorizing or reclassifying your passwords, just flash a sly smile as you think April Fools!