What the experts aren't saying about usernames & passwords

There's a lot of talk about how to create passwords and how secure they need to be and how they need to be unique and multi-factor authentication and so on and so forth...

...but what I am not hearing about is the more fundamental problem of the basic understanding of why we have and need more than one password.

On a fairly regular basis I find myself trying to explain to customers that their Gmail password is a different thing to their Facebook password...but you have to use your Gmail address to get into facebook (for example).

For people new to computers or uncomfortable with them the simple relationship between a thing and what is needed to unlock it can be very, VERY confusing.

I am often called to untangle various problems with the one machine that all stem from mixing and matching usernames and passwords.

It seems the prevalence of systems requiring that your email address IS your username may be part of the problem.

In the old days, when not everyone had an email address and before companies wanted to email you (and survey your every action with them), you could have a user name that was...well...anything.

So calling yourself Maddog of your favourite messageboard #oldskool and using a password for it like puPP13$rCUTE made sense to you.

There was a relationship between the username and the password that you understood and as a reult did not necessarily need recording in hard copy anywhere. It was inherently memorable.

On the next thing you could call yourself ManChild72 and use a password like scalextr1c5 and it again, made sense and had a one-to-one relationship.

But since we've been forced to use our email address for nearly everything suddenly and frequently there's a question about "what password did I use with this?" because the first part of the key is always the same. Your username is always the same. It is ALWAYS your email address.

This confusion made people get lazy and so often they'd use the same password on everything...but they couldn't...because some systems required upper and lower case, some systems needed special characters...

...and your default password for everything wouldn't satisfy those...so you'd create slightly different versions of the same thing...and screw yourself even more.

For example, my scalextr1c5 exmaple doesn't satify the special character requirement, so I am forced to do something like scalextr1c5#.

Add to that the uppercase requirement and it ends up like this scalexTr1c5# and you can see why confusion reigns supreme.

Even diligently written down records often seem incomprehensible in hindsight. Especially if you don't understand why you've made those notes in the first place.

Maybe your handwriting is as awful as mine?

On top of that, I can't think of any reasonable and common real world analogy I can draw upon to explain this to people.

The closest I can get is something like this...

"Usernames and passwords are like the doors to your house but each door has 2 deadlocks on it.

One deadlock on each door is keyed like all the others.

The other deadlock on each door has its own key.

So you can use one key for all doors but you need an extra unique key to get into a specific door."

Unweildy sure, but is it good enough?

I've written a lot of posts about passwords and you can find them all here: https://www.ihatemypc.com.au/blog/categories/password-management-tools-advice

So I won't repeat myself here.

However, there's an added sting in the tail.

Often people have more than one email address.

Often people sign up to things with one email address and then change internet providers or the email address goes away for some other reason...so now you don't have access to one of the keys anymore...and do you even remember what email address you used to sign up with 10 years ago?

...and have you ever tried getting help from someone who you aren't paying anymore? Let alone an internet service with potentially millions of customers? Of course you have. It rarely works out.

If it is too much for you, but you have to use these services, then you are going to need help. You are also going to need better-than-average records and written procedures for accessing these things.

If your memory isn't up to it, then don't trust your memory.

Write it all down verbosely and store those notes in a very safe palce (but that's another blog post altogether).

Good luck.

Have fun.

David

P.S. IMPORTANT: by the way, never use the same password on everything. Use a unique password on everything and be specially careful on things that have access to your money and private information.