How many passwords do you have?
Rajean Moone of Minneapolis has so many — more than 75 — that he tracks most of them on a super-secret spreadsheet. Others he scribbles on hidden Post-It notes — coded in a foreign language.
“It’s getting kind of ridiculous,” he said.
As our lives have become digitized, the number of passwords we juggle has exploded. There’s e-mail, online banking, Facebook, Amazon, even the library. At the same time, keeping passwords secret from increasingly sophisticated cybercriminals demands ever more complex rules. Yet a foolproof system to manage dozens of passwords (which should be a combination of letters, numbers and symbols) remains elusive, even as tech companies tease with gizmos like the fingerprint scanner on the new iPhone 5S.
In a fit of frustration, many of us default to easy passwords that we repeat across multiple websites — a practice that practically begs hackers to breach our penetrable defenses. While the average person isn’t often the target of an all-out attack by cybercriminals, many of us become vulnerable when the sites holding our passwords are compromised. If that stolen password is the key to everything important in our lives — identity, finances, personal information — then we’re in trouble.
“A little bit of prudence goes a long way,” said Joseph Konstan, a computer science professor at the University of Minnesota.
Yet even Konstan admits the best practice — such as using a different complex password for every site — is tough to follow.
He heeds that suggestion for his most important info, say financial and e-mail accounts. But he uses repeated passwords for sites that seem to require passwords just so they know who you are, including basic apps or free news websites. If it’s a site Konstan rarely uses, he simply forgets and resets the password the next time he visits.
“We have managed to engineer a password system that is extremely taxing on people,” he said.
One of the biggest sticking points: Each site has its own rules for password length and complexity. Some let users opt for two-factor authentication — a combination of something you know and something you possess. For instance, Gmail’s optional two-step security calls for a password and then a code sent to the user’s smartphone. Twitter enabled a similar system this spring after prominent news organizations were hacked. A false tweet about bombs at the White House, sent through the Associated Press’ compromised account, sent the stock market plummeting.
The dizzying list of security features can cause headaches for users. Password has almost become a curse word.
“It used to just be that you could use a word. Then you could have a combination of words and numbers. Now it’s like you have to have words, numbers and some sort of symbol,” said Angela Mattson of Mendota Heights, who keeps an assortment of passwords written down in different places. “It gets a little confusing.”
Then there are security questions, odd personal trivia that can make you doubt your self-knowledge as you attempt to prove your identity. What was your first teacher’s name? What street did you live on in fourth grade? What was your maternal grandmother’s maiden name?
Experts say it’s best to give a false answer when setting up security questions. Even if grandma’s maiden name was Johnson, you should say it was Williams. That way intruders can’t crack the questions through research, as a college student did when he hacked Sarah Palin’s e-mail in 2008 by correctly answering questions about her birthdate and family. But good luck remembering those false answers.
Michelle Brooks of Fridley was stumped recently when an attempt to reset a password led to this question: What was your childhood nickname?
“Not only did I not remember having a childhood nickname, if I had answered it [at some point], I couldn’t remember what I answered,” she said.