LEFT TO MY OWN DEVICES: This is the end of passwords as we know them, and I feel…. | Columns

Although we all saw the headlines together at the end of last week, we are likely to feel varying levels of relief or security in their potential. Merged together, these titles read: “Apple, Microsoft and Google make passwords useless”.

You are not alone if you find yourself celebrating. Sometimes it seems like it takes as much time and energy to manage your passwords as it does to use the websites and apps that need them in the first place. Pitchforks and torches have collided since the password regime really took off about 10 or 12 years ago. When password “policies” started requiring specialized characters and other rules that took you beyond simple letters and numbers, we in the cyber community heard the clamor.

At the same time, their complexity increased, as did password usage. More services have moved from brick and mortar to being online. Think banking, insurance and retail. So, no more passwords. In the workplace, online training supported by external providers, HR processes, payroll… many have started to migrate to computer-based activities. So, no more passwords. In classrooms, tablets and all their software have taken precedence over textbooks. So, no more passwords. The list is as long as your current list of passwords and it seems, to me at least, that not a month goes by that a cutting-edge widget that promised to make your life easier actually adds another password, which makes life a little backward.

Now with 438 different sets of user credentials, which let’s face it, is more simply 438 passwords – ok, ok… we’re all guilty of using the same handle of passwords on those hundreds of entry points – there’s the maintenance requirement. This is a new edition of Security Theater. The notice that “Your password has expired” makes you roll your eyes, arms up as if you care, or worse. It’s worse because Lo! and here is creating a different password, like lazy repeating the one you used before, just causes another error message. Then the third attempt does not include both uppercase and lowercase letters. Then you used a special character, but not the special character specialist so try another special. Many extremely secure websites don’t require you to create new passwords every 90 days. These present us with both relief and skepticism.

God forbid you lose or forget your password! You are now in a completely different domain and still cannot access the service, website or online need behind the password roadblock. It’s time to answer a few questions. What high school did you go to? And its mascot? Where did your paternal grandfather grow up? The name of your first pet? How long do you brush your teeth? What song was playing the first time…. You get it. The safety net that keeps the whole shebang from collapsing, from a security standpoint, can be found in these crafty, personal, and, I suppose, never guessable or knowable details of life. Not for nuthin; but a security solution to the risk of sharing personal and private information online is to dive deeper and disclose even more? Really dark. For more drama, i.e. to give myself a false confidence, I play this game with the safety net model of personal questions. “Where is your favorite vacation spot? has the answer in my world, “Turkeyleg75”. “What is your mother’s maiden name?” gets “{}{} grapefruit.” To see. I’m so smart.

Good news. Once you’ve answered your own very personal questions about which password you forgot, the powers that be will send you a link to create, remember, and then forget a new password. All you need to access this link is your email, which requires a password, which can be known to others, giving them the privilege to change your password.

One solution I hear touted at cybersecurity conferences and other gatherings of all the sneering creators of cybersecurity scares and solutions is to make a password manager part of your routine. Years ago, and not coincidentally when password-based approaches became more complicated and time-consuming, some Shark Tank entrepreneurs sold venture capitalists on the idea of another new application requiring a password: the password manager. The idea is that we catalog our dozens, scores or hundreds of user credentials – usernames and passwords, and sometimes the aforementioned personal questions and answers – and keep them in one place, easily accessible and practical.

Yes please make an incredibly inconvenient part of your workday the percentage of productivity that is the noise of managing passwords versus the signal of information becomes more convenient with a password manager Passwords. Intelligent. You can also do the following. Go carefully room by room throughout your home. Put new locks on every window and door, inside and out. These are all entry points into your personal privacy of course. If you leave one of them unlocked, why lock one? But first, make sure all those locks can be opened with one key. It is a password manager. If that set of user credentials, the one that gives you access to the password manager, gets into the wrong hands…convenience realized…the bad guy’s, at least.

More or less, it’s the newest solution to convenience issues and all the others associated with passwords. Still a vain hope, if I may be cynical. The strategy is for our smartphone to be the entry point to everything else. Wow! Exciting stuff (that already exists). The tech giants’ biggest solution to our password problems is to fuse our mobile device to our persona, lest we risk the door to everyone else getting lost or unlocking mala fide.

I don’t have a better solution, mind you. You and I watch, obey and complain. And, we suffer the inevitable breaches despite all this theater. I’ve been through it all and I feel good.

Ed is a cybersecurity professor, lawyer and ethicist by training. Contact him at [email protected]

Comments are closed.