When the memory fails

Silicon.com, a British website dealing with technology in business, published the results of an informal poll the other day in which it asked respondents how many passwords they use at the office.

The result, Workers hit by password overload, is no big surprise. We've all known for some time that we have too many passwords.

Silicon.com reported that a scant 2 per cent of their respondents were lucky enough to have only one; 61 per cent have more than five different passwords. But a fifth of respondents have as many as 20 passwords to juggle.

Interestingly, Silicon.com's survey asked only about office applications. It did not ask for passwords to recreational websites, banking websites, music sites, news sites, and others that respondents might use through their home computers. By the time they're finished, people might have as many as 50 passwords.

This, of course, is insane. People can use password-keeping applications like Roboform, from Siber Systems, a great program that stores all your passwords under one master password. But crack that one password and, if you have access to that computer, you can have all the other passwords at your fingertips. So of course you should change your Roboform password frequently to secure yourself.

It's bad enough to have so many passwords, but office applications are also often outfitted with password sunset features, which kick you off the system after a set period of time and force you to come up with a new password. Not only do they demand complexity (the new password must have at least one upper-case letter, at least two numbers and be at least six or eight characters long), these sunset features can include algorithms that examine your new password and reject it if it's too similar to any of the passwords you used in the past.
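A sketch of the sunset check described above, added here as an illustration and not taken from the column or any product it mentions. It applies the quoted complexity rules and tests similarity against stored salted hashes only, by hashing near variants of the new password; the function names, the eight-character minimum, the variant rules and the iteration count are assumptions.

```python
import hashlib, hmac, os, re

ITERATIONS = 100_000  # assumed work factor for this example
MIN_LENGTH = 8        # the column says "six or eight"; eight is assumed here

def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); only these are stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def complexity_errors(password):
    """Rules quoted in the column: length, one upper-case letter, two digits."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    if not re.search(r"[A-Z]", password):
        errors.append("needs an upper-case letter")
    if len(re.findall(r"\d", password)) < 2:
        errors.append("needs two digits")
    return errors

def near_variants(password):
    """The candidate plus small edits users tend to make at rotation time."""
    variants = {password, password.swapcase(), password[:-1]}
    m = re.search(r"(\d+)$", password)
    if m:  # trailing counter bumped, e.g. Winter07 -> Winter08
        stem, num, width = password[:m.start()], int(m.group(1)), len(m.group(1))
        for n in (num - 1, num + 1):
            if n >= 0:
                variants.add(f"{stem}{n:0{width}d}")
    return variants

def too_similar(candidate, history):
    """True if the candidate or a near variant matches any stored hash."""
    for salt, digest in history:
        for v in near_variants(candidate):
            if hmac.compare_digest(hash_password(v, salt)[1], digest):
                return True
    return False

def check_new_password(candidate, history):
    """Return a list of rejection reasons; an empty list means accepted."""
    errors = complexity_errors(candidate)
    if not errors and too_similar(candidate, history):
        errors.append("too similar to a previous password")
    return errors
```

Because the history holds only salts and digests, the check never needs the old passwords in readable form; the cost is one hash per variant per history entry.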

In the real world, there is little difference between having 20 passwords or one that you have to change 20 times. There are only so many passwords one can keep in one's head while changing a number of them every two or three months, so many people resort to writing them down. And that makes their computers even more vulnerable.

I asked an IT guy once about why his department keeps demanding workers change their passwords, and he gave me a blank look, as if to say that if I can't keep up with all the password changes the company demands, then that's my problem.

I pressed him further, and he said that the system is in place to protect the IT department from corporate wrath should management decide to look for a scapegoat after a case involving a stolen password.

This is backward. We're making passwords difficult not to secure the computer, but to protect the IT guys who are running the computer system.

Surely there's a better way. Perhaps a portable flash drive with passwords on it, or a portable finger-print reader with all the appropriate passwords recorded in it, although I can see problems with those systems too. I'm also sure a lot of people have their own idiosyncratic ways of keeping track.

Many office workers would love to install Roboform or something similar, but they can't — their computers are, more often than not, locked down because the company doesn't want employees installing any old software that could compromise the office network.

And we do that to make sure we don't leave the nice guys in the IT department vulnerable.

  1. Delta J from Canada writes: This will definitely become a major problem as the baby boomer generation ages and some of its members start getting forgetful about little bits of info like passwords.

    Then again, a security program that holds all of your passwords under a single "master" password kind of defeats the purpose of having multiple ones as well as the dreaded one-password-for-everything type of office worker.
  2. Louise Vinciguerra from Rome, Italy writes: A 'portable' alternative is an online password manager. Nowadays people really do have too many passwords to remember which makes it difficult to make the passwords original.

    I work for PassPack which is an online password manager - and the key to choosing and trusting an online application is knowing exactly where and how you are storing all your passwords.

    PassPack uses a combination of encryption and host-proof hosting so all of your data is encrypted before it even leaves your browser.

    Here is a quick blogpost with more info on host-proof hosting:

    http://passpack.wordpress.com/2008/03/10/host-proof-hosting/

    Hope it helps with password fatigue!

    Louise
  3. Ed Leslie from North York, Canada writes: Changing passwords frequently is a fallacy in terms of creating security. It merely forces people to use a cycle of passwords over and over, or worse, to write down the passwords in order to retain them.

    Better by far is just a "good" password (easy for *you* to remember, but difficult for *someone else* to determine).

    Passwords should in the best of all worlds be unique; at a minimum, use unique passwords for things that require more security, such as online banking.

    Our computer systems could also assist the pursuit of security by reporting how we last accessed the system both successfully and unsuccessfully. The former so that we can see that it was us, the latter so that we can see if someone is trying to guess their way in.
  4. Rick Borchert from Winnipeg, Canada writes: > Many office workers would love to install Roboform or something similar, but they can't

    A simple solution to not being able to install a password repository program - keep your passwords in an encrypted password protected Word document.
  5. Gabby Moran from Canada writes: Rick Borchert : "Many office workers would love to install Roboform or something similar, but they can't"

    They can't but they can use portable Roboform that's installed in a USB key. That's what I use at work. I also keep my Roboform data in my USB key synchronized with my home PC Roboform data.
  6. Scott Kinoshita from London, Canada writes: Crikes, password overload kills my head, and I DO have a system that's easy for me to remember and hopefully hard for others. The worst one is that sunset system. I've got more important things to think about than a password, but for all those different sites and social systems there's just no going around it.

    I would love to have something like the portable flash drive. My vision would be that the drive has an application that doesn't just store the passwords, it creates them. So if I want to feed the password into the system, I just call up the app. from the drive. The application itself is protected by just one single password.

    Now all I have to do is remember my app. password, and to carry the key on me at all times. If someone steals it, they still have the barriers of my user name for whatever system I'm on, AND the general application password. It's still crackable, but the difficulty is bumped up a lot... yet not a pain for me to use.
