May 2011
Managing passwords and accounts is cumbersome and a waste of time. There must be better solutions.
An increasing part of our life happens on the internet. Apart from birth cards and wedding invitations, my personal correspondence is entirely digital. I have several email accounts, social media, internet banking, accounts for webshops, telecom services, and many other accounts on websites where I use services or buy products. And of course I have several computer accounts to log in to systems as well. In total I’m sure I have over 50 different accounts of one sort or another.
And of course I change all my passwords on a regular basis – even when my internet bank does not force me to – and exclusively use passwords that are hard to break: 23 characters or more, including non-alphabetical characters and numbers, for each password. And as a good digital citizen I never use the same password twice.
Right. I think you get the idea. And unless you have a computer brain you can’t remember 50 continuously changing twenty-first-century passwords for all the services you use every day or once a year. So either you are committing the crime of reusing your passwords for different accounts, or you are in some other way breaking these simple rules that any internet expert will lay out for you. Administering and changing all accounts in a proper manner is becoming a substantial and rather uninspiring job.
To control my increasing number of web IDs and accounts, I am presented with neat apps that store them for me. These programs allow me to store an infinite number of identities (user name and password) so that I can retrieve the password I made up five months ago without using that increasingly important link “Forgot your password?”. This password storage application theoretically allows me to use very modern passwords for all my accounts. Since I don’t have to remember them anymore, they really can be a random combination of 23 characters. The only password I need to remember is the one to get into the program that stores my passwords.
I must admit I am still getting used to this routine. Most of my passwords are still in a format that can be remembered by a human brain, and retrieving passwords from the application is of course more fuss than having your brain or browser remember them. But since I try to make an entry for every account I have, it does clearly show the problem of the increasing number of digital identities and accounts I have to remember.
The good thing of course is that I only have to remember one password to remember them all. The problem is that this application is on my laptop. So I cannot retrieve my passwords on my phone, nor on any other computer I might use to browse, check my email, etc. Another imperfection is the endless copy-pasting, which makes me feel as if I am not in control of my own accounts. I used to know every password I needed by heart (I had three and they all were the same of course) and now I’m copying them into the input box as if I were a first-time internet user!
So what would be ideal? I think it is time that all these accounts merged into one single digital identity. Instead of having a separate account for every website and service, I would prefer a single one that enables me to log in anywhere. This could be a service I can subscribe to, or one I can transfer or upload my accounts to. This service would then sign in for me where I tell it to. It might not necessarily have to store all my passwords; it might actually work slightly differently, just confirming to any website that I am the same identity that created the account. Maybe an authentication service like this would start with storing my passwords (and automatically change them every second day if I tell it to), until the web services I use update their security management to an authentication management system.
Once they do, and the authentication can be taken care of by a specialized service, we no longer have to worry about our credit card details being stolen because some amateur webshop application where we purchased something two years ago is hacked. It would not have our credit card details, only proof that we were authenticated properly.
There would be some advantages to this system. Since it manages all my digital identities, it can very easily provide me with useful updates. For example, when it logs in for me somewhere, it can show me where I logged in during the last twenty-four hours. So any unauthorized use of any of my accounts would become much more detectable. Imagine an instant overview of all digital transactions, from signing in to a mailbox to any credit card activity. All as one single service. If a service or website reports an authentication you cannot remember, you can act immediately.
It could also keep my personal information up to date on all accounts I have. After moving to a new house, the books and CDs I buy online would find their way to my new address without any action on my part. The authenticator would just update my address on all services for which I indicated a current address should be provided.
In theory a single authentication is of course less secure than a unique one for each service. To break in, there is only one account to be hacked instead of many. But that is only true if all accounts meet the highest standards, and basically we humans can’t do that anymore. And it also applies only if the authentication of the user name and password would be stored and compared in an equally secure environment. But there is secure authentication on many levels, and let’s assume the single digital identity service has the most up-to-date process. After all, it would be their core business!
So in the case of a serious authentication service, the security on all my accounts would improve drastically, and the cost of that is a single account that should be really safe. Now I would manage to remember one single 23 character password – I think. Especially when I need it to authenticate myself every morning, making all my services available on my computer, tablet, phone, television and any other connected device.
And in the near future I might not need that password anymore. A combination of voice recognition via my phone and face recognition via any webcam on any of my devices could make sure it’s actually me trying to unlock my digital identities. I have already been using fingerprint login on my notebook for years. I hope my next laptop has an iris scanner! It really is easier to identify yourself with your body than with any password. You never forget your body unless you really try.
Some may argue that the anonymity would disappear. That multiple identities are needed to live an online life. No problems there. You could use your authentication service for this as well. Just uncheck the box where it is allowed to communicate your email address or name to the specific account you want to keep anonymous. Or indicate an alternate name or email address for any service. You can live your online life in exactly the same way you do now. Only your control over it would increase, the risks would decrease and the rather annoying task of maintaining an identity administration would be rendered obsolete.