Thursday, June 13, 2013

Nuts Passwords

All the talk about the government snooping on our communications sparked yet another rant. This time it is about security - specifically passwords.

I get it, the online world is fraught with hidden danger and identity theft is a big deal. I have no problem jumping through a hoop or two to prove I am me when I log into a website or call customer service via the old telly.

But as with getting a rectal exam at the airport before heading to the gate, some security measures are ridiculous. There is a limit up with which any sane person will not put (go read your Churchill). I have already cut back on my flying. Does Grandma's wheelchair really need a pat down? Am I really going to mix up a liquid bomb on board with my Evian, Starbucks and Enfamil? At five bucks each, I am going to drink every last drop of those bad boys myself.

Wait, I said bomb! Hey NSA, my cell phone number is 516-647-7466. You know where to find me - trying to eke out a living, put two kids through college and raise a special needs child.

But let's take this to something more mundane and really only an annoyance - passwords. Why are some so simple and some so complicated? My first Libertarian reaction is that everyone is covering their collective backsides trying not to get sued. Hey, we made your password so strong that even you could not remember it. I don't even bother with some of them anymore and opt just to reset the damn thing each time I use a particular website.

I think we all agree that simple passwords are really good enough for boring e-commerce sites like Poland Spring. They deliver water jugs to my door and if someone wanted to get into my account they could stop delivery or have the company dump 20 or more 5-gallon jugs at my door. Hey, go ahead and change my credit card to yours, I don't mind. Any password should be a-OK on this site.

Then there are sexier retailers such as electronics, jewelry and other products that can be delivered anywhere. Yeah, I don't want anyone monkeying around in there ordering flat screens and blue diamonds. They can require, say, at least six characters with at least one letter and number.

Finally, there is the heavy stuff - banks, social security, credit cards - where serious damage can be done in an instant. Eight characters with letters, numbers and maybe even capital letters is perfectly acceptable, especially since my browser saves them anyway.

So, why then do one bank and one credit card I have require the least secure version? Why does JetBlue say that if I change my password (reset it after forgetting it) I cannot use any of the last 20 passwords I have used already? Forget that it is just an airline where the credit card and traveler name must match. I can see not reusing the last three passwords but 20? Come on, you are not that important.

I can understand why the New York State tax website demands exactly eight characters but why does E-Z Pass NY - the electronic bridge and highway toll service - demand letters, numbers and capitals? Is somebody going to void my electronic tag? Maybe. Perhaps someone wants to switch their car to my account? Nope, I still have the tag. Or order themselves a tag? Nope, it will be delivered to my address.

I get why my online merchant account requires long passwords with upper and lower case and numbers, but so does Kohl's. And AT&T.

But here is the real pièce de résistance. My daughter's college account not only requires letters and numbers but also special characters. But not just any group of letters and numbers - no email addresses and names. OK, that's cool. But no actual words, either. So, "blunt@1234" is no good. Neither would "youhavetobekidding$3."

This is a college account, not a mortgage loan. I had to actually think of sounds and made-up words from when I was a kid so I would not have to resort to a random letter generator. And speaking of that, if the restrictions are that tight, why not just assign something to us when we sign up? The only reason to let someone choose their own password is so they can choose something they can remember.

I'd love to tell you what I ended up creating but I don't need the government looking at my daughter's grades.

So listen up on-line people, most of you are just not that important in terms of need for security. Identity thieves are not registering for classes or buying me a new iPhone.

Nobody is going to rush the cockpit now that they are secured. Nobody is going to take the time to crack the code of some website unless there is a payoff worth the risk (money theft, SEC or FDA rulings, the military). Nobody is trying to blow up the passenger pickup area at the airport so how about stationing some of that security at the entrances to the LIRR train tunnel in Queens?

Can we please be reasonable and make the security commensurate with the risk?

