Sunday, February 10, 2013

Remember (and Protect) the Important Stuff: Part One- On the Horns of the Password Dilemma

The Setup

Last weekend I had two of my children in the car and we were headed somewhere (I have forgotten where, which is one of the points of this post, so read on).  I stopped at the corner store (it might be a BP, it could be a Circle K-- it doesn't matter -- again read on) because I was dangerously low on fuel. (One reason I had run it down below empty is because I spend so much time keeping thousands of things in my head that crowd out the need to be mindful of important information like fuel levels).

When I went to turn the pump on, I could not remember my debit card PIN (not "PIN number").  While this lapse was not catastrophic, because I could choose the "credit" function, I wondered what I could do to make sure this did not happen again.  (And lest you point out that I could store my PIN in my smartphone, you are absolutely correct but that is not the point I am making here).

The Challenge

I (and you) have a limited amount of time and energy to expend in a day.  And as I have discovered as an adult (when these things have mattered), I simply cannot remember (or do) everything, but have to pick and choose wisely.  As Scott Hanselman put itProductivity is not about about doing everything; it is about doing the right things and ignoring the rest.  And when I cannot remember something important (like a PIN), I choose to believe that is the result of unimportant things crowding out that fact.

So what "unimportant things" do I choose to remember?  Well, in addition to regrettably unforgettable commercial jingles from the 1970s, the entirety of School House Rock, and movie lines from my youth, one likely group of suspects is the myriad usernames, passwords, PINs, etc. I use online.  I am pretty sure that these online presences are the "right things," because I can't conceive of physical banking and shopping anymore.  And it doesn't appear that the Internet is going away.  But the exercise of recalling how to access these services, as well as the attendant time and frustration involved in retrieving and resetting user credentials when I cannot recall them, are both unproductive and inefficient.

In short, I need my day (my time) and my brain (my energy) for the important stuff.  It wouldn't be a post on this blog without yet another tip of the cap to The Checklist Manifesto: How to Get Things Done Right, and Gawande's point that making sure all of the little stuff is taken care of frees us up to do the heavy lifting.  Put another way, as I have written here as well, I only have a finite amount of brain energy to expend in a given day, and I can scarcely afford to burn it trying to remember a password. 

The Dilemma 
Of course, one option is to use one password for all your sites.  Less to remember, so fast and easy, what's not to like?  I would be willing to wager that most computer users (i.e you the reader) do just that because it is so easy and convenient.  However, using the same password for more than one site can have disastrous consequences in the event just one site you use is hacked.  Put it this way:  you wouldn't even consider using one "master" key for your all your physical locks (office, home, etc.), even though that would certainly be easier.  And  you don't because if the one place with the weakest security is compromised (e.g. a former employee fails to return an office key) the whole system can be compromised.  That is exactly what you are doing if you have one password.  And you are in even bigger trouble if your password is so simple it could be compromised by a brute force attack, or if it can be easily guessed (like . . . wait for it . . . "password").  If you need further convincing,  please read James Fallows' "Hacked" in the The Atlantic to make this point sink in.

On the other hand, although the process of creating, changing, and keeping track of strong, unique passwords is essential, doing so taps time and energy.  Establishing and routinely modifying a unique case-sensitive,12-character password with letters, numbers and characters for multiple sites is the stuff of cryptographers and mathematicians. And recall the the way you felt the last time you couldn't remember your password, (or your username, reminder, or challenge question), and the frustration you experienced in stopping your transaction or interaction and going through the process of retrieving and resetting.  Heaven forbid you actually have to get on the phone with someone to get logged in. 

So until a better password system comes along,  wouldn't it be nice if you could conserve your time and energy by keeping only one password in your head (leaving more room for other important stuff), while at the same time browsing and transacting safely and securely?

In the next post, I will discuss one such solution.