Juggling passwords at home, work frustrating but essential
By Yuki Noguchi
Washington Post
What with work and personal e-mail, banking and retirement accounts, association memberships, photo sites, Web communities, and retailers like Amazon.com and eBay.com, David Gammel maintains 130 online accounts, each requiring a user name and password.
Gammel tracks his log-in information in a file on his computer, but at least twice he has confused or mistyped his password, and been locked out of his bank accounts, forcing him to call the bank or look for an open branch to regain access.
"It's frustrating, if understandable," the suburban Washington consultant said, adding that he has also been denied access on a news site when he couldn't remember his log-in information. "I bail on them if I'm having a difficult time," he said.
Password peeves are a cost of doing business online using multiple computer applications. A typical professional relies on a dozen or more programs or Web sites to manage life at home and work, many of which require user authentication for access.
The average number of passwords used at work is between six and 12, and is increasing at about 20 percent a year, according to RSA Security Inc., a software and security consulting firm. Users often must change passwords regularly, or include a mix of letters and numbers, to make it harder for a hacker to guess a password.
But these frequently changing passwords are not only inconvenient, they can also undermine the very security they were meant to achieve.
At two-thirds of the companies studied, workers jotted passwords on a piece of paper kept in the office, according to a study released last week by RSA. Another 59 percent stored them in files on their computer, and 40 percent wrote them on sticky notes pasted around their computer monitor, where anyone could see them.
"There's a trade-off between convenience and security that people don't think about very much," said Jim Harper, director of information policy studies at the Cato Institute. "Technical people have been working on this for a long time, but it's hard to come up with something that's easy and secure."
Kimball Brace, president of the consulting firm Election Data Services Inc., rotated between three or four standard iterations of his password, a system that worked for a while. "I'm a heavy Internet user and a heavy computer user, and as such I'm always hitting various new sites, so I do see a proliferation of passwords becoming necessary," he said.
Password management has even spawned a small technology subindustry.
Dozens of companies make software that consolidates a user's many passwords behind a single one. For example, the program Roboform, made by Siber Systems Inc., stores all of a user's log-in information behind one master password and automatically logs the user in to the sites they visit. A site called Bugmenot.com lists generic usernames and passwords anyone can use.
Many users permit Web sites to store cookies, small bits of identifying information, on their computer so the site recognizes a registered user when they return. Many password-protected sites also anticipate the need and offer "forgot your password?" links that e-mail the password, or send a new one, to the user's e-mail address.
In the future, biometric markers such as fingerprint scanners — some of which are on newer computers — might solve the problems of password protection, some security experts say.
Password fatigue has created a rich environment for identity exploitation, information security consultant Robert Douglas said. Reinstating rightful but forgetful customers creates a problem for companies, which must then authenticate those customers' identities through other means. Often, the only additional information a hacker would be required to provide is easily obtainable biographical facts, such as the last four digits of the account holder's Social Security number or their mother's maiden name, he said.
"We live in a generation that wants instant access, and they want it yesterday," he said. "Companies don't want to anger a real customer" who forgot a password, he said, but in accommodating that request, they might be giving information to a criminal.