0pen 5es@me: Uncovering the fear of forgetting passwords

What’s your password? No, not that one, the other one. Nope, that one doesn’t work either. How many passwords do you have? A survey found that the typical computer user in Britain has 21 accounts requiring a password – allowing access to everything from the office network, to personal banking, shopping, email and social networks.

Just what a headache this can be was highlighted last week when Linkedin revealed that approximately 6.4 million accounts had been breached, and members’ passwords stolen. Those affected were due to be notified, but they advised all users to alter their passwords. Jim Aalter, of the McAfee Threat Intelligence Service, pointed out that this was “a good reminder to all internet users of the importance of maintaining an ever-changing and complex password”.

“Ever-changing.” “Complex.” Terrifying words in the already bewildering world of ubiquitous information technology. It’s hard enough remembering one password, never mind inventing dozens that meet the stringent requirements of certain sites that specify patterns of letters and digits and the inclusion of symbols from the top row of a QWERTY keyboard. Enter a very real, very 21st-century source of stress: password fatigue. So what are the symptoms, and what can be done to ease the pressure without leaving the door wide open for cyber-thieves?

Karen Wheeler’s experience will resonate with many. A British expat living in France, she blogs at www.toutsweet.net and has three other websites. “Like everyone I have hundreds of passwords. They are variations of a word, but because they need a special number of characters, or upper and lower case, it can do your head in trying to figure out which variation you used. It’s stressful, and I often give up because I can’t remember what the password is.

“I received an email recently saying that my professional website was about to expire. It sent me a link to renew by credit card, but I needed to know the original account user name and password I used to create the site in order to get in. I devoted a full day to tracking down that combination. The site went down and I got embroiled in a Kafkaesque nightmare of trying to prove my identity in order to retain the domain name – which is my name!”

Teacher Charlotte Wissett goes through phases when she uses the same password for everything because that’s easiest to remember. “Then I change them, but when I visit sites I don’t use often, I can’t remember whether I’ve used the old or the new password. And my ten-year-old told me she has 17 accounts with Club Penguin because she can never remember her password and doesn’t have email, so they can’t send a prompt. Yesterday I gave up trying to buy a book on Amazon because I couldn’t remember my password.”

The additional verifications some banks require only ramp up the angst. “They tell you to choose a memorable word – I can never remember it – and give them three letters, out of sequence,” says Wissett, who blogs at ellaboheme.tumblr.com. “Every single time I try to verify I have to come up with a new memorable word, rendering the whole thing useless. BT Vision has a pin number that we’ve completely forgotten, so we are paying for but cannot use the downloading streaming features. I’d have to sit on the phone for 30 minutes to get a new number, and then answer the security questions anyway, like mother’s maiden name.”

All this, she says, builds into an exquisite form of angst. “Thirty years ago who would have predicted that random strings of letters and numbers could be such a cause of stress? I actually don’t worry as much about someone stealing my computer and finding my stored passwords as I do about actually remembering my passwords.”

So what can you do to alleviate this stress? Internet psychologist Graham Jones recommends two options. One is to employ software, such as LastPass, which randomly generates passwords for every site and stores them securely for you. “However, if you lose your key to Last Pass you can’t access anything because you don’t know the passwords in the first place,” he adds.

“The other memory trick is something called ‘chunking’. Combing things which make sense and are easy to remember, such as the name of the site, followed by your surname and a four digit code you know. That way you end up using a different password for every site but they are all easy to remember.”

Tom Chatfield, author of How To Thrive In The Digital Age, points out that there’s a difference between passwords that are difficult from a human perspective, and those that are difficult from a machine’s or a hacker’s perspective.

“Security is not synonymous with obscurity. The real issue is how long it is, and how hard it would be for a machine to work it out. A different long, memorable sentence is actually much harder to crack than some nonsense involving lots of strange symbols and numbers. A password like ‘thisismyfavouritepasswordever!’ is much more secure than one like ‘pw$£%160*.’ ”

Ultimately the weakest link in any security chain is human. Scientist Simon Singh, author of The Code Book, a history of codes and code-breaking, recalls, “I worked in a top science lab, which had one of the world’s few supercomputers. Access was only possible with a digital card with a numeric password that changed every 10 seconds. Only a few trusted staff had these cards. Unfortunately, they would typically sellotape the cards to their monitors, which meant that any Tom, Dick or Harry had access to the supercomputer while the ‘trusted’ scientist was out to lunch. Any password system is only as good as those who are supposed to implement it.”

That being the case, most experts agree the safest passwords are both random and a minimum of twelve characters long. That slows the length of time it takes a computer – capable of billions of operations per second – to calculate all the possible combinations. Twelve character passwords create more than three sextillion possibilities. And that’s a lot of guesswork.

Finally, it’s fine to write your passwords down, says Jeremiah Grossman, founder and chief technology officer of WhiteHat Security. “It is much easier and safer for people to protect physical paper than data on a computer. Keep two copies around, just in case one is lost.”