David J. Danto
Business travel thoughts in my own, personal opinion
eMail: ddanto@IMCCA.org
Follow Industry News: @NJDavidD
Password Pain – February 2023
No, not that Password. (With extra-credit to those that identify the photo to the left and “Aristophanes.”) Password is a game show that began in the 1960s, but it also represents today’s hell for on-line users. In order to do any kind of business or detailed activity on an internet device, one needs to have a password. It is a great idea that has completely devolved into a nightmare of draconian IT rules and breached personal data. And with hackers dying to get into confidential files and steal things it won’t get any better anytime soon.
The person who created the current guidelines about strong passwords has already apologized for the huge error that wastes all our time. As he said in the 2019 article excerpted below:
“Much of what I did I now regret,” Bill Burr admitted to The Wall Street Journal. He had wanted to provide guidelines based on real life data but there wasn’t much empirical data on password security 15 years ago. In the end, Bill Burr had to rely heavily on an outdated whitepaper on computer password security written in the 1980s.
So what’s wrong with Bill’s advice? Two things:
· Length makes a password strong, not complexity. Here’s why.
· Passwords don’t need to be changed regularly. Password expiration has a negative impact on usability – only change your password if it has been stolen or hacked.
Despite this obvious logic and his mea-culpa, employers and e-tail firms still require insanely complex passwords, and they still require you to change your password wayyyyyyy too often.
If anyone were to stop and really think about it, the ridiculousness of today’s password rules would become obvious.
A password that I use to access a site is mine, not the site’s. I should be the only judge of what works for me. Telling me I need to come up with a password that is XX characters long, must contain special characters, must contain some capital letters and some numbers, etc. – and using multiple sites that each require their own version of acceptable password formats – only means that I’m not going to be able to remember the password easily – so I’ll have to write it down somewhere, immediately destroying the security of a private password. Of course, I can choose to use one of the many password manager programs, except they’ve been hacked and breached so many times that they actually provide less security than writing down the passwords on a post-it note on your PC.
Then there is the even worse ridiculousness of requiring users to change their passwords. Many large enterprises require their employees to make this change every three months. Users are often not allowed to use any form of their last password. Here again, the firm forgets that the password is mine, not theirs, and they shouldn’t dictate to me what form it needs to take. By forcing me to create a new password that is far more difficult to remember than the last one I’d been using, here again I’ll have to write it out or save it in a notepad file, completely negating the security that the enterprise actually desires.
One egregious e-tail site that is this ridiculous is Amazon.com. Love or hate Amazon, they have single-handedly changed the way we consume content and products for all time. I personally access Amazon from about four PCs, a half-dozen Alexa devices, two Rokus, one Fire stick, my mobile, my iPad and a slew of third-party sites tied to that account. My wife also accesses my account from her PC, mobile, iPad and Kindle. Somehow, suddenly, I can no longer log-on to Amazon from any device other than the ones above. I’m typing this blog from my new Windows 11 (yuck) PC. I’ve been trying to set it up for everyday use for the last few days. All my passwords transferred EXCEPT Amazon’s. Their website is insisting that I change my password. They have my mobile number and email for two-factor-authentication – which they want to immediately use to send me a one-time password – but then they REQUIRE me to make a change REGARDLESS of this clear and obvious method of confirming it’s me. Much to my shock, there is NO WAY to contact ANYONE at Amazon to have them rescind this requirement, and obviously no one there that is willing to accept and pay my bill for the hours I’d need to put in to change the passwords on the 20+ devices and accounts that I legitimately use to log-on to their systems. It clearly makes me rethink all the business I give them when there are now alternate e-tail sites.
The incredibly bad customer service is not unique to only Amazon or only password issues. Companies have severely cut-back on their customer support teams. There are countless stories about this, such as people whose Facebook accounts have been hacked and have not been able to get help recovering them, puppies for sale scams that Facebook does nothing about…and then that of course brings us to the travel industry. As we saw during the recent Southwest Airlines meltdown, or as anyone who has tried to call their airline during bad weather clearly experiences, there are not enough people dedicated to helping customers resolve issues. And if you think it is easy to get technical support from your airline, just buy a ticket with your name misspelled and try to get them to fix the error.
Airlines, hotels, enterprises and e-commerce sites are very reluctant to make changes on the systems they expect us to use. IT people tend to think they’re always right regardless of any facts that prove the contrary…until all that is left are smoldering ashes and their CEO needs to go on an ‘apology tour.’
So, in the face of all this, I suggest we just buy a blank journal and label it “Passwords” in big block lettering. Write down every password you have on every site, and leave it in the middle of your desk. The next time someone breaks into your home or office it will be easier for them to find and use it to hack into all your accounts. That is clearly what the current set of rules is driving all of us to do, so we should just get it over with. It’ll probably turn out to be easier to work with the crooks than it is to work with the IT departments of many websites.
This article was written by David Danto and contains solely his own, personal opinions.
All images and links provided above as reference under prevailing fair use statutes.
Copyright 2023 David Danto
As always, feel free to write and comment, question or disagree. Hearing from the traveling community is always a highlight for me. Thanks!