Saturday, January 29, 2011

Zen and the Art of Password Management

“Never recycle user names or passwords,” Internet gurus tell us, “so if one of your accounts is compromised, the damage is contained to just that account.”

It used to be that looking both ways before crossing the street only cost me a second of my impatient kid’s time; following the above rule as an adult just taxes my ability to stay Zen. I used to freely reuse my user names and passwords online, but alas, that’s harder to do even if you want to. And your patience, your information overload and your sanity are the price.

Take, for instance, Copyright.gov (the U.S. government’s online copyright service), which didn’t like the user name I tried to register with many moons ago. Since I don’t go there on a regular basis, I’m always stumped by the fields, “User name” and “Password.”

The problem is not only their rules for user names, but their passwords must incorporate at least one capital, two numerals, a special non-alphanumeric character and three of Shakespeare’s more obscure sonnets. Okay, that last part was an exaggeration, but still, one “non-alphanumeric character”? I’d have to be a mutant freak to remember a password with those characteristics.

But I’m going to be Zen about it.

So I click over on the “Forgot your password?” field and get stumped with the next hurdle: email account you registered with? And phone associated with this account? (And did I use dots, parentheses, dashes or nothing to separate the phone number from the area code?) When, after thirty minutes of trial and error (and setting up a spreadsheet to keep track of all the permutations I’ve tried), I finally hit upon the right combination of email and phone, Copyright.gov is kind enough to automatically reset the password for me (it looks something like “Eat_$h*t-M0r0n!”) and sends me to the login page again.

Whereupon I spend the next half hour of trial-and-error attempting to determine just what the hell my user name is (must be no fewer than 18 characters but not longer than 23, must have three accented Slavic characters, two alchemical symbols, and must rhyme with “orange”). And no, there’s no field there for “Forgot your user name?”

Welcome to the world of online security.

I realize it’s there for our protection, but I do grow nostalgic for the good old times of 1994, when “1234” was a sufficiently strong password for all my online needs, which pretty much consisted of checking messages from the single friend who also had an email address. Today we can do a lot more than that, and most of it has real-world, economic consequences, which is why my cell phone provider has rules for how to create a user name and password that would give the world’s leading cryptologists a run for their money. It’s also so far from my choices that, in a less Zen moment, I had to resort to an at last very memorable password that commanded the aforementioned cell phone provider to go do something with itself, and how many times.

It’s also why, in its zeal to protect me, my bank locks me out after three failed log-in attempts.

This is to keep out the crooks. Good. It also keeps out people like me who haven’t logged in in a long time, and though I have my choice of user name and (almost) my choice of password, my cerebral database doesn’t come up with the right permutation within three tries, so the bank locks its online vaults to me.

I’m still trying to be Zen about this, but barely hanging onto my meditation cushion.

So I call my bank and punch in my account number and select the option to talk to a customer service representative. Incidentally, they’re not called that anymore: they have lyrical names like “apostle of fulfillment” or “ambassador of satisfaction” or “herald of contentment.” But I digress.

After a two-minute hold, a bored voice answers the phone. “Thank you for calling the Royal Bank of Marx and Engels [not their real name], where we exceed your expectations every day. May I have your name and last four digits of your Social Security Number?”

I tell him.

“And how can I deliver outstanding service for you today?”

“I got locked out of my online account.”

“I’d be happy to help you with that,” he says with as much vigor as if he’s just swallowed a couple of Valiums. “And what is your codeword?”

“Well, if I knew, I wouldn’t be calling you.”

“Not your online password – your codeword for talking with us.”

I sigh. Could this be my mother’s maiden name, the name of my first pet, my favorite rock star, or the name of the maiden who first petted my favorite rock star’s mother? Who knows? I try all of those to no avail.

“Well, what’s your mailing address?”

I tell him.

“I’m sorry, sir. Try again.”

“Try again? But that is my mailing address!”

“The address you get your bank statements at.”

“I have the paperless option! I’ve been getting online statements since 1998!”

“Well, I’m sorry, but that address doesn’t fit what we have on file.”

It’s been such a long time since this has come up that it could’ve been one, maybe even two residences ago. I reach into the deepest recesses of my brain and manage to wrench an address from the fog of oblivion.

“Sorry. That’s not it either.”

“Can you give me a clue?” I plead.

“Sorry, I’m not allowed to reveal any information on the account.”

“Was it the Harrison Street address?”

“No.”

“The Nevada Place address?”

“No.”

“The Dewey Avenue address?”

“Which street number?”

“Oh, God. Um… 5560?”

“No.”

“5360!”

“What unit number?”

“How the [blankety-blank] am I supposed to remember? I haven’t lived there in six years!”

“Well, sir, it’s the address we have for you!”

“Unit 520!” (God, what will I do with myself the day Alzheimer’s sets in?)

“That is correct. Now, how may I help you?”

“I need to reset my online password.”

“All right. It’s been reset. Do you have a pen to write this down?”

Yes, I write down my password. I also give my new address to the Emissary of Happiness, or whatever he’s called, and I make a note that on such-and-such date, my bank had such-and-such address. But let’s face it, chances are the next time this comes up might be twelve years from now, and I’m no more likely to remember my current address than where I put the paper that tells me which address the bank had on which date.

Of course, I bet some of you are sitting all smug, thinking that you’ve got all your accounts and passwords written on that spiral-bound notebook by the bedstand.

May I be the first one to offer my congratulations.

I have one word for you: children.

Actually, more: teenagers. Former lovers. The cleaning maid. The real estate agent showing your house. The plumber you had to let in when you were away on vacation. Are you getting paranoid yet?

Now, if you’re really techno-savvy, you’re smug because you have a super-duper smartphone, and in it, a password-protected app that tells you which password goes with which account. I applaud you.

Now tell me what you’re going to do on the day you lose your phone.

Ah, you have a backup plan. More than a backup plan: the app synchronizes itself with someplace on the cloud, so as soon as you get another phone (or to the right website) you’ll be able to retrieve everything. Congratulations again. So techno-savvy and up-to-the-minute of you.

I will soon follow in your footsteps and get that app. To log into it and access all my accounts and passwords, I’ll use “1234.”

Not only will that be a nice way to loop all this back to its cozy dawn-of-the-internet beginning, but also, now that everybody’s in on my secret, when Alzheimer’s does set in and I don’t remember even that, I’ll be able to ask the nearest person.

Or the nearest crook.

Photo credit: Leo Reynolds