David J. Danto
Business travel
thoughts in my own, personal opinion
eMail: ddanto@IMCCA.org Follow Industry News: @NJDavidD
Password Pain – February 2023
No, not that Password. (With extra-credit to those that identify the photo to the left and “Aristophanes.”) Password is a game show that began in the 1960s, but it also represents today’s hell for on-line users. In order to do any kind of business or detailed activity on an internet device, one needs to have a password. It is a great idea that has completely devolved into a nightmare of draconian IT rules and breached personal data. And with hackers dying to get into confidential files and steal things it won’t get any better anytime soon.
The person who created the current guidelines about strong passwords has already apologized for the huge error that wastes all our time. As he said in the 2019 article excerpted below:
“Much of what I did I now regret,” Bill Burr admitted to The Wall Street Journal. He had wanted to provide guidelines based on real life data but there wasn’t much empirical data on password security 15 years ago. In the end, Bill Burr had to rely heavily on an outdated whitepaper on computer password security written in the 1980s.
So what’s wrong with Bill’s advice? Two things:
· Length makes a password strong, not complexity. Here’s why.
· Passwords don’t need to be changed regularly. Password expiration has a negative impact on usability – only change your password if it has been stolen or hacked.
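To put numbers behind the “length, not complexity” point above, here is an added example (not from the excerpted article or this blog) that works out the search space of a short “complex” password against a longer lowercase-only one, and sketches a policy check built on the same two rules: a length floor, no composition requirements, and a change only when a password is known to be compromised. The character-set sizes and the compromised-password list are assumptions constructed for the example.

```python
import math

# Assumed character-set sizes used for the comparison.
CHARSET_SIZES = {
    "lowercase only": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "full complexity (printable ASCII)": 95,
}

# Constructed stand-in for a list of known-compromised passwords.
COMPROMISED = {"password", "p@ssw0rd", "123456", "qwerty"}


def keyspace_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this length and charset."""
    return length * math.log2(charset_size)


def length_to_match(charset_size: int, target_bits: float) -> int:
    """Smallest length from the given charset that reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def compare_policies() -> dict:
    """Show how a lowercase-only passphrase overtakes an 8-character 'complex' one."""
    complex8 = keyspace_bits(CHARSET_SIZES["full complexity (printable ASCII)"], 8)
    lower16 = keyspace_bits(CHARSET_SIZES["lowercase only"], 16)
    return {
        "complex_8_bits": round(complex8, 1),            # about 52.6
        "lowercase_16_bits": round(lower16, 1),          # about 75.2
        # Only 12 lowercase letters already match the 8-char complex password.
        "lowercase_len_to_match_complex_8": length_to_match(26, complex8),
    }


def policy_verdict(password: str, min_length: int = 12) -> list:
    """Length-based policy: no composition rules, no scheduled expiry.

    Returns a list of problems; an empty list means the password is accepted.
    The compromised-list check is what triggers a forced change instead of a calendar.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMPROMISED:
        problems.append("appears in compromised-password list")
    return problems


if __name__ == "__main__":
    print(compare_policies())
    print(policy_verdict("correct horse battery staple"))
```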
Despite this obvious logic and his mea-culpa, employers and e-tail firms still require insanely complex passwords, and they still require you to change your password wayyyyyyy too often.
If anyone were to stop and really think about it, the ridiculousness of today’s password rules would become obvious.
A password that I use to access a site is mine, not the site’s. I should be the only judge of what works for me. Telling me I need to come up with a password that is XX characters long, must contain special characters, must contain some capital letters and some numbers, etc. – and using multiple sites that each require their own version of acceptable password formats – only means that I’m not going to be able to remember the password easily – so I’ll have to write it down somewhere, immediately destroying the security of a private password. Of course, I can choose to use one of the many password manager programs, except they’ve been hacked and breached so many times that they actually provide less security than writing down the passwords on a post-it note on your PC.
Then there is the even worse ridiculousness of requiring users to change their passwords. Many large enterprises require their employees to make this change every three months. Users are often not allowed to use any form of their last password. Here again, the firm forgets that the password is mine, not theirs, and they shouldn’t dictate to me what form it needs to take. By forcing me to create a new password that is far more difficult to remember than the last one I’d been using, here again I’ll have to write it out or save it in a notepad file, completely negating the security that the enterprise actually desires.
One egregious e-tail site that is this ridiculous is Amazon.com. Love or hate Amazon, they have single-handedly changed the way we consume content and products for all time. I personally access Amazon from about four PCs, a half-dozen Alexa devices, two Rokus, one Fire stick, my mobile, my iPad and a slew of third-party sites tied to that account. My wife also accesses my account from her PC, mobile, iPad and Kindle. Somehow, suddenly, I can no longer log on to Amazon from any device other than the ones above. I’m typing this blog from my new Windows 11 (yuck) PC. I’ve been trying to set it up for everyday use for the last few days. All my passwords transferred EXCEPT Amazon’s. Their website is insisting that I change my password. They have my mobile number and email for two-factor authentication – which they want to immediately use to send me a one-time password – but then they REQUIRE me to make a change REGARDLESS of this clear and obvious method of confirming it’s me. Much to my shock, there is NO WAY to contact ANYONE at Amazon to have them rescind this requirement, and obviously no one there that is willing to accept and pay my bill for the hours I’d need to put in to change the passwords on the 20+ devices and accounts that I legitimately use to log on to their systems. It clearly makes me rethink all the business I give them when there are now alternate e-tail sites.
The incredibly bad customer service is not unique to only Amazon or only password issues. Companies have severely cut back on their customer support teams. There are countless stories about this, such as people whose Facebook accounts have been hacked and have not been able to get help recovering them, puppies-for-sale scams that Facebook does nothing about…and then that of course brings us to the travel industry. As we saw during the recent Southwest Airlines meltdown, or as anyone who has tried to call their airline during bad weather clearly experiences, there are not enough people dedicated to helping customers resolve issues. And if you think it is easy to get technical support from your airline, just buy a ticket with your name misspelled and try to get them to fix the error.
Airlines, hotels, enterprises and e-commerce sites are very reluctant to make changes on the systems they expect us to use. IT people tend to think they’re always right regardless of any facts that prove the contrary…until all that is left are smoldering ashes and their CEO needs to go on an ‘apology tour.’
Also, p
So, in the face of all this, I suggest we just buy a blank journal and label it “Passwords” in big block lettering. Write down every password you have on every site, and leave it in the middle of your desk. The next time someone breaks into your home or office it will be easier for them to find and use it to hack into all your accounts. That is clearly what the current set of rules is driving all of us to do, so we should just get it over with. It’ll probably turn out to be easier to work with the crooks than it is to work with the IT departments of many websites.
This article was written by David Danto and contains solely his own, personal opinions.
All images and links provided above as reference under prevailing fair use statutes.
Copyright 2023 David Danto
++++++++
As always, feel free to write and comment, question or disagree. Hearing from the traveling community is always a highlight for me.
Thanks!