Flutterby™! : Password Pain


Password Pain

2008-07-01 14:55:02.304888+00 by ebradway 12 comments

<gripe>Why do so many different systems have so many different rules enforced for unique ids and strong passwords?</gripe>

I started working for Uncle Sam a couple months ago. As part of that, I've had to prove over and over that I'm an American Citizen. That's actually a little more challenging for me because I was born in Germany and the State Department's form number for my birth certificate is different from the one they use now... But that's another issue...

In my regular work, I log into about a dozen different systems. Each one has its own standards for user IDs and passwords. Some require numbers and punctuation in the user ID, some require numbers in certain positions in the password. All require changing passwords every 90 days. So I've had to resort to the worst possible security failure: maintaining a list of all my user ids and passwords on paper that I carry around with me.

Further, I'm not allowed to have admin rights on my workstation at work. I'm supposed to be exploring extensions to OGC geospatial server protocol standards. I can't do that without installing different server packages and modifying them. And on Windows, that can't be done without admin access.

I work for the USGS. By our mission, we never work on secure information and the results of all of our work is public domain. There's no need for this level of security!

I thought I left this all at work until I tried to pull my credit reports last night from AnnualCreditReport.com, which provides a gateway to the big three credit agencies to request your reports. I was able to get to Experian without much trouble. TransUnion asked me for a user ID and password which I never got right. So I tried their password help but couldn't get the secret question right. I finally had to order that one over the phone.

EquiFax was the worst. I did have my user ID or password, so I used the password help. The question was "What is your first child's middle name?" My first child has two middle names so I was guaranteed to get it wrong. Ultimately, I ended up on the phone with some guy in India. His first question: "What is your Social Security Number?"! After authenticating myself to this guy - had to provide details about two accounts on my credit report like max limit and account number - he finally told me that my user ID was my first name plus the last five digits of my SSN. He then said the answer to my secret question was "Heidi" which is my first child's FIRST name!

After finally logging into EquiFax and getting my report, I figured I should change my user ID and password to something I might actually remember next year. It turns out that EquiFax requires numbers in your user ID and your last name can't be part of it. So, once again, I had to create a user ID just for this system, write it down and file it away.

The biggest irony is that it doesn't take nearly 1/10th this amount of authentication to actually open an account based on my credit. In fact, more and more places don't even require a signature when you use a credit card.



#Comment Re: made: 2008-07-01 15:04:58.043611+00 by: Dan Lyke

The one that tweaks me is the number of financial institutions that can't handle punctuation in passwords. Sure, we'll demand that you use mixed letters and numbers, or lower and upper case, but throw an ampersand in there and all hell breaks loose.

Yeah, that makes me feel secure.

OpenID has its drawbacks, but I'm thinking that or something like it is our best hope.

#Comment Re: made: 2008-07-01 17:10:44.132542+00 by: ebradway

I'm starting to think the rectal scanner would be less annoying!

OpenID sure would rock. I need to set it up.

#Comment Re: made: 2008-07-01 19:56:18.142151+00 by: Mark A. Hershberger

I have a plain text file encrypted with my GPG key that holds usernames and passwords for a jillion different sites. My wife has a copy (since it has bank information) encrypted with her key.

Hey, it's better than post-it notes! And better than doing what I used to do: use the same username and the pronounceable password that the VMS system generated for me sixteen years ago.

#Comment Speaking of credit... made: 2008-07-01 20:20:46.429018+00 by: spl

This interview about credit ratings and reports showed up on Fresh Air today.

#Comment Re: made: 2008-07-01 21:26:45.559884+00 by: eharberts

Just a pesky comment... I do hope you changed the answer to your 'secret' question? (sorry)

On another note, one of my never-finished projects is to build a password-generating algorithm (to be implemented on a phone or PDA) that will automatically generate a correct password for a given user id and system, given a few rules.

The idea is you'd only have to remember the password to the generator, and not the actual passwords themselves.

Oh well, it's probably not secure enough anyway. In the end, paper and ink are probably not a bad solution to an impossible situation.
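The generator eharberts describes, worked through as an added example (this is not the commenter's project, nor any tool mentioned on the page): a master secret plus a site name, a user id and a per-site rule set deterministically yield a password that satisfies those rules, so only the master secret has to be remembered. Everything here is an assumption for illustration: the `Rules` fields, the PBKDF2 iteration count, the punctuation set (with the ampersand Dan mentions left out), and the sample site names and master secret are all constructed.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass

# Character classes. '&' is deliberately absent from PUNCT because some sites
# reject it; trim or extend this set per site as its policy demands.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
PUNCT = "!#$%*+-=?@_"


@dataclass(frozen=True)
class Rules:
    """Per-site password policy (hypothetical fields, not from the page)."""
    length: int = 16
    need_upper: bool = True
    need_digit: bool = True
    need_punct: bool = True
    counter: int = 0  # bump this when a 90-day rotation demands a fresh password


def derive_key(master: str, site: str, user_id: str, counter: int) -> bytes:
    """Stretch the master secret into a per-site key.

    PBKDF2 with a high iteration count makes offline guessing of the master
    secret expensive if one derived password is ever exposed.
    """
    salt = f"{site}\x00{user_id}\x00{counter}".encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=32)


def _byte_stream(key: bytes):
    """Expand the key into an endless byte stream (HMAC in counter mode)."""
    i = 0
    while True:
        yield from hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1


def _rand_below(stream, n: int) -> int:
    """Uniform integer in [0, n) by rejection sampling, which avoids modulo bias."""
    assert 0 < n <= 256
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n


def generate(master: str, site: str, user_id: str, rules: Rules = Rules()) -> str:
    """Return the deterministic password for (master, site, user_id, rules)."""
    stream = _byte_stream(derive_key(master, site, user_id, rules.counter))
    alphabet = LOWER
    required = []  # one guaranteed character from each mandatory class
    for needed, cls in ((rules.need_upper, UPPER),
                        (rules.need_digit, DIGITS),
                        (rules.need_punct, PUNCT)):
        if needed:
            alphabet += cls
            required.append(cls)
    if rules.length < len(required):
        raise ValueError("password too short to hold every required class")
    chars = [cls[_rand_below(stream, len(cls))] for cls in required]
    while len(chars) < rules.length:
        chars.append(alphabet[_rand_below(stream, len(alphabet))])
    # Fisher-Yates shuffle driven by the same stream, so the mandatory
    # characters do not always sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = _rand_below(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies(password: str, rules: Rules) -> bool:
    """Check a password against the rule set (used to validate the output)."""
    return (len(password) == rules.length
            and (not rules.need_upper or any(c in UPPER for c in password))
            and (not rules.need_digit or any(c in DIGITS for c in password))
            and (not rules.need_punct or any(c in PUNCT for c in password))
            and all(c in LOWER + UPPER + DIGITS + PUNCT for c in password))


if __name__ == "__main__":
    # Constructed sample inputs; the master secret is a placeholder, not a real one.
    master = "placeholder master secret"
    for site, uid, rules in (("credit-bureau", "user1", Rules(length=12)),
                             ("work-portal", "user1", Rules(counter=3)),
                             ("bank", "user1", Rules(need_punct=False))):
        print(f"{site:14} {generate(master, site, uid, rules)}")
```

The design carries exactly the trade-off eharberts hints at: anyone who learns the master secret can regenerate every password, so it deserves more protection than any single site login, and changing it rotates everything at once. The rule sets and counters are not secret but do have to be recorded somewhere, and the site label must be typed identically each time or a different password comes out.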

#Comment Re: made: 2008-07-01 22:42:17.860006+00 by: Dan Lyke

Hey, Mark, do you have a GUI front end for that? Charlene and I need some sort of way to share that particular file, and I'd like her to have access that doesn't require all sorts of command line machinations.

#Comment Re: made: 2008-07-01 23:35:53.481688+00 by: ebradway

eharberts: In addition to that secret question, you also have to correctly identify two pieces of account information and get my SSN and birthdate right. It's just funny because I never would have chosen that secret question because it has two correct answers.

spl: Thanks for that link. That's exactly what I was doing - pulling my credit reports for my annual checkup.

My wife and I are starting the process of buying a home - likely sometime next year. The first step is to get our credit ratings up to snuff.

#Comment Re: made: 2008-07-02 10:32:53.940214+00 by: DaveP

If you're on a Mac, you can use Password Wallet which was written by a friend of mine. Designed to solve just this problem.

#Comment Re: made: 2008-07-02 13:03:13.256857+00 by: topspin

Perhaps it isn't secure enough (FIPS 256-bit AES.... whatever the hell that is) for folks here, but I've been using eWallet on a PC/PDA/Phone for a long time. It keeps up with those "once or twice a year" websites, passwords, etc.

#Comment Re: made: 2008-07-02 17:19:53.139502+00 by: Mark A. Hershberger

Dan, there are GUIs for this sort of thing. Gnome Revelation has import/export to other apps like Password Safe for Windows (http://passwordsafe.sourceforge.net/) or My Password Safe (http://www.semanticgap.com/myps/). For our use, plain text is enough since Emacs takes care of encrypting .gpg files and I have her hooked up with Enigmail in Thunderbird.

#Comment Re: made: 2008-07-02 17:29:20.8758+00 by: Dan Lyke

Mark: Ahhh, thanks, I'll just suggest using Emacs.

Dave: The pain of using a Mac for two years hasn't yet faded enough for me to let it into the house. The Mac is great for other people, because I can say "take it to the Apple store!", but I shudder at the prospect of having one inside these walls again.

#Comment Re: made: 2008-07-02 17:33:23.289447+00 by: ebradway

The problem is that I don't have a single, centralized place. I need to access some of these websites from public terminals and some from private machines in other parts of the country. Sometimes, like when I called Equifax, I need the information when I'm on the phone talking to Raj in India.

So I keep it all in a Moleskine. Maybe a web-based app will work... Or maybe I need to come up with some kind of written encryption...