Too Many Usernames & Passwords
Written on September 18, 2007
I’m glad everyone is excited about social graphs and people search on the internet, but can someone seriously help me with the “Too Many Usernames & Passwords” problem I face every day?
You know what this is (apparently for a long time now) and probably have it yourself if you use the internet.
Almost no sites / services I use have implemented OpenID and I am not sure if they ever will, so it is not viable for me right now. The only real solutions I know of today are to use an automatic form filler or a desktop-based encrypted password database. That doesn’t cut it for me since I access my stuff from 3 different PCs + 2 different mobile phones + an unlimited number of “kiosks” (never mind that there are 4+ different OSes running amongst all that hardware…not all of which are supported).
Last weekend I designed a solution for my needs. It is a rote password generation approach that minimizes the cognitive recall work I have to do when logging on to an arbitrary website. My goal was to make it so I didn’t have to remember anything unique except for the site’s URL (thus I could log on from anywhere) and with that be able to log on in fewer than three attempts, assuming I have an account on it. In theory the sites I use frequently would become part of muscle memory and only need one logon attempt.
This is what I did to build my solution:
- A brain dump in Excel of all of the major sites / services I use. My list hit 37 services (on a weekly basis).
- Grouping them by similarity (e.g. financial services, shopping sites, communication services, ones I don’t really care about).
- Normalizing the logon names, which were typically a self-chosen nickname or my email address.
- Creating a password generation algorithm that I can perform mentally. Inputs are a private key per grouping and the domain name as a salt for the password generation algo. Manipulation constructs I used were char offsets, capitalization constants, and punctuation substitutions.
- Now I can always recreate any password without having to memorize more than a few keys & password gen algorithms. This is effectively 1/10th the amount of memorization given the number of groupings and sites I have. Close enough for my goal.
Once you do this you actually have to logon and change all the passwords. Remember the goal was to make it so all I have to remember was the url & then be able to login within three attempts of some username / password combos from any logon environment. So when I actually went and changed the passwords and tried to update abnormal usernames (another whole rant) I hit some painful rubs with this solution:
- Every site has a different userid syntax & some don’t even let you choose them. In extreme cases you have another thing to remember that can’t just be derived when you arrive at the site. These sites pretty much represent a brick wall for the goal I have. My solution at this point is to create a private online list of my usernames for reference (private Google Doc or something). Not ideal, but workable since many of the sites that exhibit this behavior I rarely log on to, or will eventually move the id into muscle memory.
- Every site has a different “strong password” requirement. This just sucks. Can’t we just define this once? I vote for letting people use 2 out of the three of capitals, functions, and numbers. Easy, secure, and I thought standard. Luckily, I can fudge my way past this by just figuring out the lowest common denominator for my set of sites and bake it into my password generation algo.
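To make the scheme concrete, here is an added example (not the author's actual algorithm, keys or sites) of a domain-salted derivation built from the constructs listed above (a char offset driven by the domain label, a capitalization constant and a punctuation substitution) together with the lowest-common-denominator policy check just described. The group keys, the offset rule, the substitution table and the policy bounds are all constructed assumptions.

```python
import re
import string

# Constructed sample "private keys", one per grouping (not real keys).
GROUP_KEYS = {"financial": "velvet", "shopping": "maple", "comms": "ember"}

# Constructed punctuation/digit substitutions applied to the finished string.
PUNCT_SUBS = {"a": "@", "s": "$", "i": "!", "e": "3"}


def site_label(url):
    """Salt for the algorithm: first host label after an optional scheme and 'www'."""
    host = re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0]
    parts = [p for p in host.split(".") if p != "www"]
    return parts[0]


def shift_letters(text, n):
    """Char offset: rotate lowercase letters by n positions, leave the rest alone."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[(ord(ch) - ord("a") + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def derive_password(url, group):
    """Rebuild a site password from only the URL and the grouping's private key."""
    key = GROUP_KEYS[group]
    label = site_label(url)
    n = len(label)                        # offset comes from the domain salt
    core = shift_letters(key, n)          # group key rotated by that offset
    salt = label[:3]
    salt = salt[0].upper() + salt[1:]     # capitalization constant: first salt char
    raw = core + salt + str(n)            # digit from the salt length
    return "".join(PUNCT_SUBS.get(c, c) for c in raw)


def meets_policy(pw, min_len=8, max_len=16):
    """Lowest common denominator: length bounds plus 2 of (capital, digit, punctuation)."""
    classes = sum([any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(c in string.punctuation for c in pw)])
    return min_len <= len(pw) <= max_len and classes >= 2


if __name__ == "__main__":
    for url, group in [("yahoo.com", "comms"), ("https://www.examplebank.com/login", "financial")]:
        pw = derive_password(url, group)
        print(url, "->", pw, "policy ok:", meets_policy(pw))
```

Because the offset and the digit both depend on the domain label, two same-group sites yield passwords that differ throughout rather than in a single trailing character.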
So stepping back, is all of this work worth it? I think so for the following reasons:
- The solution is device independent and I can logon from anywhere
- I don’t have a copy of my usernames / passwords on disk anywhere
- It is easy to change my password for a class of services (e.g. financial because of identity theft) by just changing the private key or the password generation. This is significantly less “cost” for me as an end user.
- If something unfortunate happens to me, it’ll be easy for folks to logon to all of my accounts with simple bit of knowledge that I leave in my safety deposit box (admittedly morbid).
- It gave me something to blog about and talk about with a few friends this week for reactions.
How do y’all handle this problem? Is there a better software-based solution I can replace the above with (requirement: it has to have shipped)? What are the holes / risks with this approach (other than proving I have too much time on my hands)?
Filed in: Uncategorized, problems.
I use a similar scheme to remember passwords - but I store them all at http://clipperz.com. It’s a great tool that allows completely secure online access to your passwords - they even let you look at the source code!
Rob
I can’t find a similar post that I read on this about two years ago that got me hooked on this system. The key part, regardless of your method, was to make it non-obvious to someone who got access to a cleartext password list on one site to reuse your algorithm somewhere else. E.g. MyStdpwD123M for murarka.com and MyStdpwD123Y for yahoo.com. One idea was to rot(n) the differentiator char by the number of letters of the domain name.
This does really make it easier to have more complex passwords and not forget them.
Thanks for the pointer Rob…I’ll have to play around with Clipperz.
Ryan, thanks for swinging by…I’ve found rot(n) to be hard to compute mentally, but that may just be me.
Hi Bubba.
While you’re at it, also check out PassPack.
http://www.passpack.com
Like Clipperz, it’s an Online Password Manager with full-out security features. I put together a comparison a while ago; I need to update it to add our new Offline Version, but other than that, it’s fairly accurate:
http://tinyurl.com/2nbqvn
Cheers!
Tara
We actually talked about this in person, but I’m just getting around to actually reading your blog e2e (on a Saturday night, I know, I’m lame…decided to take the day off today and catch up on personal reading).
SplashId (http://www.splashdata.com/splashid/) is my soln…admittedly it only works for a single PC by design (Foldershare - http://www.foldershare.com - can solve this in a hacky way), but it syncs to my smartphone (WM, Palm, Nokia, & RIM all supported)…and it does two extra things.
1) saves me from the annoyances of different rules (e.g. some sites require punctuation, some don’t…some require long passwords, some limit you to 8 chars…*ahem* Fidelity *ahem*).
2) also stores a bunch of other “interesting” data for me that I don’t really want to leave lying around unencrypted, like SSNs for my family, Drivers License #s, etc.
That said, the fact that it only syncs over a cable to a single PC sucks…so there’s room to grow.