Escaping from password hell
the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log on to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine (ATM). The concept is also known as password chaos or more broadly as identity chaos.
“OMG John, I’m locked out of my own computer. I’m in password hell!”
Password hell has become a regular occurrence in my life. I have so many damn logins to everything, I struggle to remember them all. But never have I had such a tough time managing my identity, as when I moved to Australia.
I’ve moved countries before, but perhaps what made this particular country move so tough, is that I’d actually already lived in Australia, years ago, so I thought I’d have it easy. I thought I’d have a grand old time as I already had a tax number, a super account, didn’t need a visa, my bank was already set up. But no, despite skipping many of the new-to-this-far-away-land setup steps, I actually had an even more difficult time. And that’s because those all important ID numbers were buried deep in stacks of paperwork I no longer knew existed, probably in boxes in dark, dark spaces of my attic. Or at least they were in deep, dark, far away spaces of my email account.
In getting my documented life back on track in Australia, I became hyper aware of the ridiculousness of all of these passwords and ID procedures. It wasn’t just the information I struggled to access, but I became acutely aware of how easy some of my information was to get. Too easy. Or, the ridiculous ID management measures that the success and failure of my day would hinge on. In this process, I decided to take note of every way that passwords were affecting me for a day, in the hopes of inspiring conversations about better ways we can manage our identities, to keep up with our modern lives.
My day of password hell:
- Went to the bank to put a pin on my new card, but wasn’t allowed as my signature didn’t match the one on file. A signature I wrote 5 years ago, on a crappy old touch screen. Have been told to come back again with a different form of ID.
- Still can’t use the card, so have to withdraw cash manually at the bank. Hope I don’t need more money outside of business hours.
- Signing up for a new phone contract, but again I don’t have enough ID as my NZ driver’s licence doesn’t count toward my 100 points of ID. Turns out I’m ‘underbanked!’ Have to return with my passport, to supplement a bank statement that has my address on it.
- A few days earlier, I had bought an Opal card (Sydney’s contactless public transport ticketing system) and not only topped up, but set it up to auto debit and take money out of my account when it gets below $10. However, last night I lost it. When I called to transfer the balance to my replacement card and make sure it wouldn’t still autodebit, I was astounded at how little information I needed to give to get the balance from one card transferred to another. All I needed was the old card number, name and date of birth. If I stole someone’s wallet, I could easily transfer their card balance (and auto topup facility) to my own, if they had their driver’s licence in there! Crazy.
- Later, I’m arranging to go to a concert with friends, and transfer money for the ticket via Facebook. My initial thought is ‘Man this is cool, I always get so nervous when typing in bank account numbers that I’m gonna get it wrong.’ For a brief second I wonder how secure it is, but the moment passes quickly as I’m so overwhelmed by the convenience.
- After returning to the Vodafone store with my passport, the guy’s not even sure if that’s going to be enough after all, but luckily my Australian Business Number from last time I worked here is enough in the end. Already thought it was strange that I had to show my passport just to get a $20 prepaid sim card at the airport. What’s a girl gotta do to get some phone credit!
- As I’m starting a new job soon, I figure I should prepare by hunting down my Tax and Superannuation numbers. Tax is easy, as I had emailed myself the number. Took a few search field iterations though, as I had sent it with the subject line “ATO” i.e. Australian Tax Office, rather than “tax number” or anything immediately obvious. Didn’t take long though, ticked that task off pretty quick. My super account, on the other hand, was not so easy. I had to call, wait for hours, spell my name a thousand times, whilst simultaneously googling the phonetic alphabet as no one can ever tell the difference between ‘g’ and ‘b’ and ‘d’ over the phone. Turns out it was an ‘e’ she’d got wrong after all. Then I’m not in the database. Then she finds me, but I can’t remember what address I used. Finally after 3 guesses I get it right, and confirm all my security questions. At last.
- Finally have my shiny new iPhone six. This thing is so damn smooth, it’s lucky I got talked into the insurance because I just KNOW I’m going to drop it in the very near future. I unlock my phone with touch ID, and for a minute recall something I read in an article about some glitch, but you know I’m sure it’s fixed already. I’ll just update later. Oooh look, I can use touch ID for my banking app!
- Already so used to using touch ID that when I try to log in to my old iPhone it takes me three goes of holding down the button before I realise it doesn’t have touch ID and I have to enter the pin. Those 4 digits are such a hassle now, sheesh.
- Why do I need my old iPhone, I hear you say? Well, frustratingly as I tried to transfer money from my NZ account to my Australian account, I’m stopped by the big brick wall that is the verification text, which obviously I don’t get as I’m not in NZ anymore. So I call the bank who tell me I have no options as they won’t send a verification text to an overseas number. Really, they said that. No options. When I questioned her, she says, ‘Oh, I can email you some forms that you have to print, sign and fax to us’. Forms? Printing? That doesn’t sound convenient at all! And Faxing?! I don’t even know where to find a fax machine! At last, I squeeze out of her that they can send a special chip that displays a number, but it will take 5–10 working days to arrive. So I decide to test my old NZ sim card and see if it will receive the message, sure enough it will! Thank God I didn’t cancel that number. I wonder how long I’ll get away with transferring this way for…
- Next, I’m on the train again. Why am I on the train, you ask? Good question. It’s because I went back to the bank to drop off the signed and completed form for my partner and I to share access to a credit card. But, unsurprisingly on this day of password hell, there’s another road block. The signature on this form doesn’t match the signature they have on file for him. Despite the fact that the form says “all we need is your Customer number to verify you.” So I train across town to meet him on his lunch break so we can both hand the form in together and deal with any issues. This time, I’ve come prepared. I have so many points of ID in my bag! When we get to the bank together, the next teller we speak to says “Oh no, that’s fine we’ve got your customer number!” Ugh.
- On the train back home after wasting at least an hour on that pointless process, I sign some Facebook petition a friend sent me. As I blindly give permission for it to access my Facebook account, I wonder momentarily when the last time I cleared out all the apps with Facebook access was. No time for that right now.
- Just as I’m nearly there, I can’t set up my banking app on my new phone. Ugh. Have to go through a whole verification mess with my laptop first. How did transferring money get so complex.
- Checking my emails, I did a software product trial and keep getting messages from a sales rep who says he ‘tried to call but you were unavailable’. I know, it’s because I gave an incorrect number. Poor guy, I wonder how much of his database gives false info. I bet it’s a lot.
- I have an email from the tax office, reminding me my student loan payment is coming up. I wonder how much the total is by now. Go to log in for the first time in at least a year. Of course I don’t remember my password. Turns out I also don’t remember my username or even what email I signed up with. Enter info, send confirmation, enter more info etc etc. Finally in. Why did I look this number up, it’s so depressing.
- I get a call from a recruiter, wanting references. Ponder for a moment what the true value of self submitted references is, of course I’m only going to pass on the good times ones. Does anyone ever give a bad reference anyway? There’s no incentive to, especially if it’s a current employee you want to get rid of!
- Later at work, I’m setting up a log in into a certain unnamed radio station site. I don’t even want to log in or save my preferences, I just want to listen to this one station. Why do they need my details! Ugh. Too exasperated by this point to bother with anything other than ‘ABC123’ for this stupid unwanted password. Argh I mean ABC123! because it wants a symbol, like that’s really going to help in my super obvious password that I entered because I have given them no sensitive information and don’t intend to use it again.
And so it went on. So many parts of my day with unnecessary barriers and problems. The worst part by far was having to travel across town because what should have been a simple action of returning a form relied on something as archaic as matching a signature. Which is super easy to fake anyway. Or perhaps it is the cycle of ‘send username’ ‘send password update’ over and over. Or, maybe the most frustrating part is when you’re trying to create a new password for something you don’t even want a login for, and you get the “Sorry, there was no symbol”; “Sorry, there was no number”; “Sorry, you cannot use an English word”; “Sorry, your password must be a non-English palindrome complete with eight different non consecutive symbols, an emoji, must never have been used by anyone ever in the world before and cannot contain your mother’s childhood best friend’s date of birth in reverse” loop going over and over as you get drip fed one restriction at a time.
But rather than whinge about it all, I have instead funnelled my frustrations into compiling my top 5 ways you can escape password hell, to the best of your abilities.
- Use a password manager. LastPass is my favourite, it stores all your passwords so you can log in with one click on your computer. The downside? You can never lose your computer ever as that means someone can access your everything. Also, it can contribute to password hell outside of your home/work computer, as letting LastPass remember for you means you are less likely to remember your passwords yourself, especially new and non-important ones you’ve made since you got LastPass. Overall, I still think it is worth it, and it is pretty secure, too.
- Avoid creating passwords that will be rejected. When setting up passwords, top contenders for the loop of rejections are passwords less than 8 characters, and those with the brand included (i.e. don’t sign up to iTunes and have ‘iTunespassword’ as your password), common words like ‘password’ and your name. Always include numbers and symbols. Top marks go to passwords that are super secure garble like: 1mMMjQ!WtVoQ%.r
- Make sure you will actually remember it though. While 1mMMjQ!WtVoQ%.r is super secure, the chances of you remembering it are pretty damn slim. Instead, you could try using a formula that you remember, or use a secure key at the start of each password, followed by something you remember or something about that particular thing. For example, your passwords could be “9o*&0facebook”, “9o*&0apple” and you just need to memorise the “9o*&0”. However, remember tip number 1: this may not work for every service, as many won’t let you use their brand.
- Use 2 Factor Authentication. Two-factor authentication is a great way to enhance security without making your life miserable. Two-factor authentication means using a second way to prove that you are the right person logging in. Generally, it is when you log in with your password then get a confirmation code to your phone. The great thing about it is it is usually super easy. When you set it up with Gmail or Facebook, for example, you only need to enter your code once on each new device you use to log in. This means it isn’t an annoying hassle, but it stops someone remotely attempting to log in to your accounts. For online banking, this understandably will be done more often, i.e. each time you try to transfer money.
- Use Single Sign On. …but only if you’ve gone through the previous step and set up 2 Factor Authentication. Single Sign On is where you use your Facebook, Gmail etc account to log in to a service. It’s a great way to not have to remember passwords, and to log in easily with one click. And when you’ve doubled down on security and locked down your Facebook and Gmail accounts with unique, strong passwords and 2 Factor Authentication, it is a perfectly secure way to log in to sites and services. Try not to use it for anything super sensitive or essential though — i.e. anything with access to your bank account or credit card.
- Join the #KillThePassword Crusade. As you can see, passwords are not an efficient way to safely manage your identity, but the process isn’t going to change without serious consumer demand. Things like Single Sign On and Two Factor Authentication show how you can use your own unique behaviour and online footprint, coupled with modern secure processes like text messages to your phone, rather than trying to force old school data points like passport numbers and passwords that can easily be faked or hacked, to keep up in the modern world. Even better, new methods are insanely more convenient, as well as safer. We think it’s time the password moved on, and identity verification caught up with modern times. You can help this change in small ways, from requesting single sign on in services you use, to emailing your MP to raise the issue of modernising IT and security in managing identity. We’re doing our part at Veridu to convince businesses and politicians to support actual, verifiable online data points using things like social data, and we hope you’ll support us too!
If you’d like to discuss anything in this article, or how Veridu can help your business, feel free to let us know your thoughts in comments below, or to get in contact.
Originally published at www.veridu.com on June 29, 2015.