Thursday 31 May 2007

Too many passwords

Depending on how active you are online you may have anywhere from 1 to 50 logins (username and password pairs). Every web site you go to requires a separate login. Sometimes you can reuse the details, but not always: your favourite username might be taken, or the sites' password rules are incompatible with each other. Thus it's practically impossible to use the exact same login for every site you run into (and reusing one password everywhere means a single leaky site exposes all the others, so reuse is not really a fix even where it is possible). This is usually not a problem for sites you use daily, such as email, but for sites we seldom use it's always a challenge to recall the username and password. "Which email address did I use for the username?" "When I changed my password last year did I remember to update it for this site? ...no, and apparently I didn't update it for the password change two years ago either." The problem becomes more complicated when sites change ownership or two sites merge. I once lost my netscape.com email because when AOL bought Netscape it got changed to netscape.net, and with that I was unable to recover the password for the old SETI@home project. In short, things can become quite messy, and this is the reason I do not create accounts on web sites unless I absolutely have to.

As if things are not bad enough, we also have some "hidden" accounts created for us automatically when we subscribe to real-world services such as phone and utilities. Most of the time we are not even aware these accounts exist until we need to, say, change our credit card details or enter a competition. But if we didn't create the accounts ourselves, how the hell do we know our username and password? If you are lucky, you may be able to dig up the letter they sent you when you first subscribed, and the login details would be in that letter. More likely there was no letter, or it was lost, or they never told you the login details. So you can't log in and have to call support to get them. If you can confirm your identity to the support guy he might tell you how to log in. If you are calling on behalf of someone else, good luck.

Here's a real-life story, and basically what motivated me to write this post. My mum's credit card was cancelled because the bank thought the spending pattern looked suspicious (in fact nothing of the sort was going on). Rather than reinstating the card, they had to issue a new one to my mum. This meant we had to update the credit card details for our phone services. Now, trying to log on to the phone company's website, I found the password printed on the phone bill would not work. A few attempts later I was redirected to a password recovery page, which would email me the password. Great, except at the bottom I had to enter the "4-digit service code". What?! What the hell is that? You can imagine how silly this is. If I don't know the password, why would I know a 4-digit service code? So in order to retrieve one shared secret (the password), I have to have another shared secret (the service code)? Come to think of it, isn't the service code just another password?

It's not hard to see the problem here. We have too many passwords, so only the frequently used ones are remembered. I don't know how long it'll take phone or utility companies to realise their customers don't need to access their accounts every day. Or every week. Or every month. Or ever (just call support...). If they want the customers to actually be able to log in, maybe they should make the logins easier. Maybe the username is the customer number and the password the driver's licence number, or something customers actually know. You might think this choice of password is insecure, but if I know your driver's licence number I can just call up support and ask them to tell me the password. And no, these companies will never understand that passwords should not be revealed to anyone, including the support staff. A system that can email you your current password, or read it out over the phone, is storing it in recoverable form; a properly built one stores only a salted one-way hash, so the most support can ever do is trigger a reset, never a reveal.
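To make the last point concrete, here is an added example of what "support can reset but never reveal" looks like in code. It is my illustration for this post, not the phone company's system or any real product: the in-memory `AccountStore`, its method names, the customer number and the identity check support is assumed to do out of band are all constructed for the example. Passwords are stored only as a salted PBKDF2-HMAC-SHA256 hash, so there is nothing for a support desk to read back; recovery works by minting a single-use token whose hash is kept server-side.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# a real deployment tunes this much higher (or uses argon2id / scrypt).
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes                              # derived from the password, never the password
    reset_token_hash: Optional[bytes] = None    # hash of a pending single-use reset token


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow, one-way derivation. The stored value cannot be turned back
    into the password, so there is nothing for support staff to 'tell you'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """Hypothetical in-memory account store, constructed for this example."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(username, salt, derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None:
            derive(password, b"\x00" * 16)      # same cost for unknown users: no timing oracle
            return False
        return hmac.compare_digest(acct.pw_hash, derive(password, acct.salt))

    def support_reveal_password(self, username: str) -> str:
        """What the support desk in the post does today. Impossible here by design."""
        raise PermissionError("passwords are stored hashed; there is nothing to reveal")

    def support_issue_reset(self, username: str) -> str:
        """Support, after confirming the caller's identity out of band (assumed,
        not modelled here), mints a single-use token. Only its hash is kept; the
        token itself goes to the customer, and support never learns the new password."""
        acct = self._accounts[username]
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode("ascii")).digest()
        return token

    def redeem_reset(self, username: str, token: str, new_password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None or acct.reset_token_hash is None:
            return False
        presented = hashlib.sha256(token.encode("ascii")).digest()
        if not hmac.compare_digest(acct.reset_token_hash, presented):
            return False
        acct.reset_token_hash = None                # single use: a second redeem fails
        acct.salt = os.urandom(16)                  # fresh salt with the new password
        acct.pw_hash = derive(new_password, acct.salt)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create("customer-12345", "password-from-the-bill")
    print(store.verify("customer-12345", "password-from-the-bill"))      # True
    token = store.support_issue_reset("customer-12345")
    print(store.redeem_reset("customer-12345", token, "something-new"))  # True
    print(store.verify("customer-12345", "password-from-the-bill"))      # False
```

The "4-digit service code" from the story would, in this design, be replaced by the out-of-band identity check support performs before calling `support_issue_reset`; the token is delivered to the customer, not typed in by them from memory, which is the whole point.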
