Take a moment to consider how many passwords are in your life. Perhaps you do banking online, with more than one bank, or have an email account (or half a dozen), shop online, sell online, use a genealogy site, subscribe to a newspaper, or access online accounts for taxes, social networking, technical forums, schooling, the stock market, insurance or employment benefits, et cetera, et cetera, ad infinitum.
Just about every website you encounter allows you (and much of the time requires you) to register an account with them. So after a few months of internet use, you probably have accounts at 3 banks, 2 auction sites, 5 social networks, 8 different email accounts and over 20 shopping sites. Not to mention a couple dozen others outside the aforementioned categories.
Let me ask you this: do you use the same password for each of those? How about the same username? Did you sign up using the same email address for all of them?
As much as you'd like to, you can't. Think about that for a minute. Why would you want the same password? Because there would be too many to memorize if they were all unique. Why can't you use the same one for all of them? Because each site has its own criteria for allowable passwords. Some require: mixed case, numbers mixed with alphabetic characters, at least one special character, no repeating letters, no discernible words, no reference to your username or email, a minimum length of (6, 8, 12) characters, no reuse of a previous password, and so forth. Many sites also include challenge questions alongside your password. So now you have to remember what you entered as the name of your first pet, or your middle school mascot, or your sibling's middle name. Sometimes the questions are more obscure and you can't remember the name of the hospital in which you were born, or whether you used capitals or included punctuation.
Imagine you are taking 30+ pieces of luggage on a cruise and each of them has a lock of a different shape and size. Imagine the keyring you'd be carrying around. Now imagine that each lock disables itself after the first three keys you try, because you can't remember which key fits which lock. Imagine further that every (1, 3, 6, 12) months the lock requires you to create a new key for it. The most logical thing to do in this case would be to carry on your person a detailed list indicating which key went to which lock. This diary-sized book has its own little lock on it. (Some third-party apps or web browsers will remember your passwords for you. This is like that diary.)
How do you make all this easier on yourself? You try to make passwords as similar as you can, using the same one on multiple websites if possible. You use birthdays, the names of your children or pets, your military serial number, or maybe your favorite cartoon character. When it comes time to change the password, you simply increment the number at the end of it. To track all your passwords you might use a specialized password keeper, but you most likely use either a document on your computer, a spiral notepad, or a series of yellow sticky notes on your monitor.
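To make the two points above concrete (the rule list sites impose, and the "bump the number" workaround that satisfies the letter of those rules), here is an added example that is not from the original post. It implements the policy checks listed earlier as a small validator and adds a heuristic that flags a new password whose only difference from an old one is the trailing number. The rule names, the `min_length` default of 8, the sample passwords and the username are all constructed for illustration.

```python
import re

# Rules taken from the policy list in the post; min_length is a parameter
# because different sites demand 6, 8 or 12 characters.
def check_policy(password, username, previous_passwords, min_length=8):
    """Return the list of rules the password breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mix of upper and lower case")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if re.search(r"(.)\1", password):
        problems.append("repeated adjacent letters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password in previous_passwords:
        problems.append("reuses a previous password")
    return problems


def digit_stem(password):
    """Strip every digit so that 'Rover2024!' and 'Rover2025!' share the stem 'Rover!'."""
    return re.sub(r"[0-9]+", "", password)


def is_incremented_reuse(password, previous_passwords):
    """Heuristic (constructed here): the new password is an old one with only the number changed."""
    stem = digit_stem(password)
    return any(p != password and digit_stem(p) == stem for p in previous_passwords)


def evaluate_change(password, username, previous_passwords):
    """Apply the letter of the policy first, then the increment heuristic."""
    problems = check_policy(password, username, previous_passwords)
    if not problems and is_incremented_reuse(password, previous_passwords):
        problems.append("same password with the number bumped")
    return problems


if __name__ == "__main__":
    history = ["Rover2024!"]  # constructed sample; a real system stores only hashes
    print(evaluate_change("rover2024!", "rover", history))  # fails two rules
    print(evaluate_change("Rover2024!", "bob", history))    # rejected as reuse
    print(evaluate_change("Rover2025!", "bob", history))    # passes every listed rule, caught by the heuristic
```

The increment check only works when the old password is available in the clear, which in practice is the moment of a password change, when the user supplies the current password alongside the new one; a site that keeps only hashes of older passwords cannot compare stems against them, which is one reason the "increment the number" habit survives history checks so well.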
If you don't keep records you will end up forgetting passwords and have to click the "forgot" link. And then you will have to remember which email address or username you entered a year and a half ago when you really needed to buy those (shoe lifts, rubber stamps, motocross tires) that only that site sells. Now they'll send you a temporary password to the email address on your account. You *DO* remember the email you used, right? And the username?
Cause and Effect. You make your passwords as simple and as easy to remember as you can because websites are concerned about security. You use the most obvious names/numbers in your life because websites are concerned about security. You are forced to compile a list of passwords/usernames/emails because websites are concerned about security. You keep a copy of your passwords within reach of the computer because websites are concerned about security.
Let's sum up the reasons why passwords are equivalent to luggage locks:
- obvious words and numbers are used
- a copy of the words and numbers is almost always nearby
- a virtual bolt-cutter can snip those little locks faster than you can say "script-kiddie".
Why can't companies realize that the more complicated they try to make it, the more likely it is that people will fall prey to self-defeating practices? A company can require a convoluted combination lock -- with a key -- and a fingerprint scanner, but it won't matter. If someone really wants into your luggage, there are other ways in besides through that lock.
"My... voice... is... my... passport... ... ... verify... me..."
