Thursday, January 27, 2011

Are Passwords Part of The Problem?

by Bob Schapiro

How many new passwords did you have to create in the past few months?

Spam is the first culprit when people think of the clutter that’s choking the Internet, but passwords aren’t far behind. Passwords are a security “solution” that’s part of the problem.

In fact, with the Conficker virus living comfortably on millions of home computers, maybe all of this cyber-clutter is not just an annoyance; it’s an actual security threat.

A few months ago I attended a conference with people from all the big companies and government agencies. Many of the speakers wondered why the gosh-darn American public doesn’t take cyber-security seriously…at least seriously enough to create stronger passwords. The consensus was that people need more education.

I don’t think we’re dumb. We’re just overwhelmed.

Maybe my situation is unique. I enrolled for a course at a university and had to create four new passwords—one each for the registrar, the bursar, the health service and my email. This week I subscribed to a magazine and had to create three new passwords: one to manage my subscription, one for the online version and another for the environmental organization that publishes the magazine.

But the most galling experience comes from—who else?—my cell-phone company. I can’t name them for legal reasons but it’s a huge company known for really lousy reception. (Let them come to court and claim that distinction.)

When I got my new cell-phone, I had to get a “micro cell” device because I get zero reception in my home. In order to connect it, of course, I needed a “user name and password” distinct from the ones I already have with both the phone company and with the company that makes my phone. (If you’re counting, I needed three passwords just to make the first phone call from my home.)

While installing the configuration software—to get the warranty—I got one of those little drop-down boxes where I had to “agree” to their terms. The word “agree” was in the flashing blue box, in case I was confused about what I was supposed to do. (I put “agree” in ironic quotation marks because the word is supposed to mean that you actually concur with something.)

I don’t know what possessed me, but I decided to actually read the agreement. I scrolled through a few pages of tiny print before downloading the whole thing. It was over 200 pages! Of tiny type! I know there was fine print before the Internet, but this is insane. When I bought my first car I had to sign seven or eight pages of small print and I thought that was a lot.

We’ve all clicked that flashing “agree” button. We know how the world works now. Are you really going to return that piece of software—the one you’re already installing—because of sub-paragraph xvii on page 128?

But not so long ago, all you needed for the warranty was to keep the receipt.

What is the effect of all these meaningless passwords and agreements? Imagine if you only had to create five or six passwords…for your employer, your bank, a few others…do you think you might take them all more seriously? Most of us used to think twice before signing a long document. Now we don’t even look anymore. In fact, if you took all of this seriously, you wouldn’t be able to get through daily life in the cyber age.

You probably have your own stories. We’d like to hear them. Just send them to words@sendsonline.org or post your comments on this blog below.

Not to boast—okay, to boast a little—SENDS has the attention of the major players who are shaping cyberspace. Participating in SENDS will help you be heard.

SENDS seeks to discover what is inherent in cyberspace. My guess is that passwords are not. In the future, you may just swipe your thumbprint at any computer…or there may be facial recognition.

Right now, a lot of so-called cyber-security is driven by marketers. Yet companies will stop these people if they see a downside. A few years ago many websites absolutely needed to know your social security number and mother’s maiden name “to help us protect you.” Then they discovered that they were liable if there was data theft…and all of a sudden, they decided that this information was not so vital after all.

What do you think is vital…and what is intrusive cyber-clutter? Let us know at words@sendsonline.org. We’ll pass it along.