Keeping Secrets

There are a lot of codes that I need to remember in order to get through a day of work: passwords, combinations, personal identification numbers, credentials of all kinds. Most of these I keep in Web Confidential, a Mac OS X program designed expressly to encrypt and store this kind of data. It is about the best utility of its kind in my experience, but I'm no big fan of it, which is why I notice acutely how often I have to open it; over the past six months, I've been looking up the 280 or so passwords I've stored in it almost constantly.

I'm actually not trying to advocate for a monolithic, single sign-on access system like Microsoft's lamentable Passport, but I do think we need a better way of managing all the credentials that 21st century life and work require. Just for the fun of it, I sat down and tried to make a list of all the various codes that I've had to access over the course of the past several days.

Real World Credentials

  • Combination to open my gym lock
  • Bank account number to deposit paycheck
  • PIN for my ATM card
  • Speed dial numbers on my mobile phone to call my girlfriend
  • Phone number and 14-digit PIN to use my international calling card
  • Social security number for various purposes
  • Credit card numbers for purchases
  • Five to ten frequently dialed phone numbers

Workplace Credentials

  • Passwords to access two user accounts on my Mac
  • Code to disarm the office security system
  • User identification to access network servers
  • User name and password to access accounting and time tracking system
  • Five to ten user names and passwords to access various project extranets
  • Passwords to access various Macs via Timbuktu
  • Password to access the content management system for our Web site

Web Site Credentials

  • Password to access Subtraction.com FTP server
  • Password to access Movable Type on my server
  • Passwords to access three POP mail accounts
  • Password for my DreamHost control panel, for managing my Web server
  • Password for my domain registrar for managing my domain names

Web Surfing Credentials

  • Password to access my LinkedIn account
  • Password to access my three instant messenger screen names
  • Password to access my Amazon account to check on a recent order
  • Amazon Associates ID for creating links to products in my weblog posts
  • Passwords to access Yahoo Mail and Gmail accounts

Don Norman's "The Design of Everyday Things," first published seventeen years ago, included an accounting of the codes that a person might need to remember in a day in 1988. Nearly two decades later, we've compounded that average number many times, I think, and we'll probably keep doing so for at least another decade. It's a secret agent future, where everything is locked away from everybody. It's a little scary.

  1. My first thought as I read the article, was that a combination of biometric entry and password would be the ideal solution… but then realized that such a “simple” solution doesn’t appear to meet the mantra of security system gurus: ductility.

    * sigh *

    Although it would be nice to have the bio+ system interfaced with an app like web confidential. Might make accessing the vault a little easier for the user.

    * walks away still thinking *

  2. Interesting how passwords rule our everyday life. Hopefully they’ll make an app for Mac that detects finger prints or retina scans via iChat camera to use as a password. (maybe it’s been done already?).

  3. On my Mac I use Safe Place, but I use Strip on my Palm/Treo. Both are encrypted on the device and password protected. The problem is they do not sync. I have run across a tool with the same properties that has Mac, Windows, and Palm applications that will sync, but for the life of me I can not track it down.

    I have a similar problem as I have six servers at work with different passwords, a desktop, and e-mail access. I also have many application layers that have their own log-ins that I keep track of. On the personal side I have six e-mail addresses I can pull, over 75 site log-ins, various servers and application layers that run different components, and numerous finance pass codes.

    In all it is over 130 different passcodes and usernames (I try to keep them all different) and I can only keep about 20 to 40 in my head at one time (I only have about 10 phone numbers in my head and the rest are in addressbooks and phones).

    I am following some of the digital identity conversations that are going on and am keen to see what happens at Digital ID World (http://conference.digitalidworld.com/2005/).

  4. But… What's wrong with Keychain? Of course you're still dealing with all those nasty passwords, but in what ways is it better than Keychain? I hadn't heard of it before, so I'm just wondering…

  5. SplashID for the Palm syncs via a conduit. I’ve been using it for over two years now. I moved away from keychain mostly because I found myself lacking access to my passwords when not using my own computer. Newer versions of SplashID have a “generate password” feature which is pretty handy. It’s probably better for your brain if you don’t think of passwords as things to remember, but rather as things you need to recall. My brain is already littered with all sorts of detritus, from ex-girlfriends’ phone numbers to lyrics from the 70s and 80s to radio and tv station call letters from places I’ve lived or visited. I’d rather offload things like passwords to a device, quite frankly, if only out of fear that when I go senile I’ll start randomly unencrypting the contents of my brain, mumbling “3ufs8829fg1” over and over to the kids, the grandkids, and park benches.

  6. Most passwords can be user defined. What I have done is use a system whereby all my passwords are the same or derivatives of the same thing, and these I alter every 2nd week. So for example, I would use sBmail5204 one time for all my passwords, and then Bshyah1466, the next time. If I had a combination lock, I would set that to just the numerical part, or convert the letters to numbers using my cellphone. Sure, the CIA could work it out, but if they wanted it that bad, they would get it!

    I just found that using all these passwords was killing me, and I ended up writing them down as imaginary telephone numbers in my diary – even less secure!

  7. Well, I think Microsoft is hitting the nail on the head with its "FingerPrint" idea, but I don't understand why they say:

    “The Fingerprint Reader should not be used for protecting sensitive data such as financial information or for accessing corporate networks.”

    Why not? I mean, I would think your fingerprint is a substantial amount of data, making it hard to just randomly enter data into password locks and get the code right?

    I just wanted to see if anyone agreed with me, because I don’t understand how your fingerprint is “unsecure”, as Microsoft seems to put it.

  8. Recently, I tried to look at some of my husband's books on calculus because I was a math wiz in high school and thought "hey, I think that I can still do this stuff!" I passed out of all my math credits for college and haven't touched it since. The calculus book left me feeling strangely dumb, though, because I couldn't remember any of the formulas or calculations. Why? Because I got rid of all that useful information in my brain so that I could store all of my usernames and passwords instead. Seems like a trade down, no?

    I primarily use Keychain for all of the things that I can't remember and then I change my passwords at shopping sites every 6 to 8 months. I also use ridiculously long passwords that have series of characters and numbers that mean nothing so that you can't throw a dictionary at it and break it. This is what life is like living with a computer security specialist.
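The "generate password" feature mentioned in comment 5 and the long, meaningless passwords described in comment 8 both come down to the same thing: drawing each character from a large alphabet with a cryptographic random source, so that the only attack left is exhausting the space. The following is an added example, not code from the original post or from any of the products named in the thread; the symbol set and the 10 billion guesses-per-second rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes a generated password must draw from.
# The symbol set is an assumption: a subset most sites accept.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-./:=?@^_~",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Return a uniformly random password of `length` characters over ALPHABET
    that contains at least one character from every class in CLASSES.

    Rejection sampling (draw the whole string, check it, redraw if it fails)
    keeps the distribution uniform over all qualifying passwords. The usual
    "pick one from each class, fill the rest, shuffle" recipe does not.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES.values()):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a password drawn uniformly from alphabet_size**length.

    Requiring every class to appear removes only a negligible fraction of that
    space at realistic lengths, so this is a tight upper bound for
    generate_password() as well.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try every password of the given entropy at the given
    offline guess rate. The default rate is an assumed figure for illustration."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for n in (10, 16, 20):
        bits = entropy_bits(n)
        print("%2d chars  %6.1f bits  %.3g years to exhaust  e.g. %s"
              % (n, bits, years_to_exhaust(bits), generate_password(n)))
```

The point of the table the script prints is that length, not cleverness, is what buys you security: every extra character over this 79-symbol alphabet adds about 6.3 bits, so a 10-character password gives around 63 bits while a 20-character one gives around 126, far beyond any dictionary or brute-force budget. A password you can reconstruct from a rule in your head has only the entropy of the rule, however long the string it produces.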
