is a blog about design, technology and culture written by Khoi Vinh, and has been more or less continuously published since December 2000 in New York City. Khoi is currently Principal Designer at Adobe. Previously, Khoi was co-founder and CEO of Mixel (acquired in 2013), Design Director of The New York Times Online, and co-founder of the design studio Behavior, LLC. He is the author of “How They Got There: Interviews with Digital Designers About Their Careers”and “Ordering Disorder: Grid Principles for Web Design,” and was named one of Fast Company’s “fifty most influential designers in America.” Khoi lives in Crown Heights, Brooklyn with his wife and three children.
I’m actually not trying to advocate for a monolithic, single-sign on access system like Microsoft’s lamentable Passport, but I do think we need a better way of managing all the credentials that 21st century life and work require. Just for the fun of it, I sat down and tried to make a list of all the various codes that I’ve had to access over the course of the past several days.
Real World Credentials
Combination to open my gym lock
Bank account number to deposit paycheck
PIN number for my ATM card
Speed dial numbers on my mobile phone to call my girlfriend
Phone number and 14-digit PIN to use my international calling card
Social security number for various purposes
Credit card numbers for purchases
Five to ten frequently dialed phone numbers
Workplace Credentials
Passwords to access two user accounts on my Mac
Code to disarm the office security system
User identification to access network servers
User name and password to access accounting and time tracking system
Five to ten user names and passwords to access various project extranets
Passwords to access various Macs via Timbuktu
Password to accces content management system for our Web site
Web Site Credentials
Password to access Subtraction.com FTP server
Password to access Movable Type on my server
Passwords to access three POP mail accounts
Password for my DreamHost control panel, for managing my Web server
Password for my domain registrar for managing my domain names
Password to access my three instant messenger screen names
Password to access my Amazon account to check on a recent oder
Amazon Associates ID for creating links to products in my weblog posts
Passwords to access Yahoo Mail and Gmail accounts
Don Norman’s “The Design of Everyday Things,” first published seventeen years ago, included an accounting of the codes that a person might need to remember in a day in 1988. Almost two years later, we’ve compounded that average number many times, I think, and we’ll probably keep doing so for at least another decade. It’s a secret agent future, where everything is locked away from everybody. It’s a little scary.
+
Silus Grok
My first thought as I read the article, was that a combination of biometric entry and password would be the ideal solution… but then realized that such a “simple” solution doesn’t appear to meet the mantra of security system gurus: ductility.
* sigh *
Although it would be nice to have the bio+ system interfaced with an app like web confidential. Might make accessing the vault a little easier for the user.
Interesting how passwords rule our everyday life. Hopefully they’ll make an app for Mac that detects finger prints or retina scans via iChat camera to use as a password. (maybe it’s been done already?).
On my Mac I use Safe Place, but I use Strip on my Palm/Treo. Both are encrypted on the device and password protected. The problem is they do not syncn. I have run across a tool with the same properties and has Mac, Windows, and Palm applictions that will sync, but for the life of me I can not track it down.
I have a similar problem as I have six servers at work with different passwords, a desktop, and e-mail access. I also have many application layers that have their own log-ins that I keep track of. On the personal side I have six e-mail addresses I can pull, over 75 site log-ins, various servers and application layers that run different components, and numerous finance pass codes.
In all it is over 130 different passcodes and usernames (I try to keep them all different) and I can only keep about 20 to 40 in my head at one time (I only have about 10 phone numbers in my head and the rest are in addressbooks and phones).
I am following some of the digital identity conversations that are going on and am keen to see what happens at Digital ID World (http://conference.digitalidworld.com/2005/).
But… What’s wrong with Keychain? Of course you’re still dealing with all those nasty passwords, but in what ways is better than Keychain? Hadn’t heard of it before, so I’m just wondering…
SplashID for the Palm syncs via a conduit. I’ve been using it for over two years now. I moved away from keychain mostly because I found myself lacking access to my passwords when not using my own computer. Newer versions of SplashID have a “generate password” feature which is pretty handy. It’s probably better for your brain if you don’t think of passwords as things to remember, but rather as things you need to recall. My brain is already littered with all sorts of detritus, from ex-girlfriends’ phone numbers to lyrics from the 70s and 80s to radio and tv station call letters from places I’ve lived or visited. I’d rather offload things like passwords to a device, quite frankly, if only out of fear that when I go senile I’ll start randomly unencrypting the contents of my brain, mumbling “3ufs8829fg1” over and over to the kids, the grandkids, and park benches.
Most passwords can be user defined. What I have done is use a system whereby all my passwords are the same or derivatives of the same thing, and these I alter every 2nd week. So for example, I would use sBmail5204 one time for all my passwords, and then Bshyah1466, the next time. If I had a combination lock, I would set that to just the numerical part, or convert the letters to numbers using my cellphone. Sure, the CIA could work it out, but if they wanted it that bad, they would get it!
I just found that using all these passwords was killing me, and I ended up writing them down as imaginary telephone numbers in my diary – even less secure!
Well, I think Microsoft is hitting the nail on the head with it’s “FingerPrint” idea, but I don’t understand why they says:
“The Fingerprint Reader should not be used for protecting sensitive data such as financial information or for accessing corporate networks.”
Why not? I mean, I would think your fingerprint is a substantial amount of data, making it hard to just randomly enter data into password locks and get the code right?
I just wanted to see if anyone agreed with me, because I don’t understand how your fingerprint is “unsecure”, as Microsoft seems to put it.
recently, i tried to look at some of my husband’s books on calculus because i was a math wiz in high school and thought “hey, i think that i can still do this stuff!” i passed out of all my math credits for college and haven’t touched it since. the calculus book left me feeling strangely dumb, though, because i couldn’t remember any of the formulas or calculations.. why? because i got rid of all that useful information in my brain so that i could store all of my usernames and passwords instead. seems like a trade down, no?
i primarily use keychain for all of the things that i can’t remember and then i change my passwords at shopping sites every 6 to 8 months. i also use ridiculously long passwords that have series of characters and numbers that mean nothing so that you can’t throw a dictionary at it and break it. this is what life is like living with a computer security specialist.
My first thought as I read the article, was that a combination of biometric entry and password would be the ideal solution… but then realized that such a “simple” solution doesn’t appear to meet the mantra of security system gurus: ductility.
* sigh *
Although it would be nice to have the bio+ system interfaced with an app like web confidential. Might make accessing the vault a little easier for the user.
* walks away still thinking *
Interesting how passwords rule our everyday life. Hopefully they’ll make an app for Mac that detects finger prints or retina scans via iChat camera to use as a password. (maybe it’s been done already?).
On my Mac I use Safe Place, but I use Strip on my Palm/Treo. Both are encrypted on the device and password protected. The problem is they do not syncn. I have run across a tool with the same properties and has Mac, Windows, and Palm applictions that will sync, but for the life of me I can not track it down.
I have a similar problem as I have six servers at work with different passwords, a desktop, and e-mail access. I also have many application layers that have their own log-ins that I keep track of. On the personal side I have six e-mail addresses I can pull, over 75 site log-ins, various servers and application layers that run different components, and numerous finance pass codes.
In all it is over 130 different passcodes and usernames (I try to keep them all different) and I can only keep about 20 to 40 in my head at one time (I only have about 10 phone numbers in my head and the rest are in addressbooks and phones).
I am following some of the digital identity conversations that are going on and am keen to see what happens at Digital ID World (http://conference.digitalidworld.com/2005/).
But… What’s wrong with Keychain? Of course you’re still dealing with all those nasty passwords, but in what ways is better than Keychain? Hadn’t heard of it before, so I’m just wondering…
SplashID for the Palm syncs via a conduit. I’ve been using it for over two years now. I moved away from keychain mostly because I found myself lacking access to my passwords when not using my own computer. Newer versions of SplashID have a “generate password” feature which is pretty handy. It’s probably better for your brain if you don’t think of passwords as things to remember, but rather as things you need to recall. My brain is already littered with all sorts of detritus, from ex-girlfriends’ phone numbers to lyrics from the 70s and 80s to radio and tv station call letters from places I’ve lived or visited. I’d rather offload things like passwords to a device, quite frankly, if only out of fear that when I go senile I’ll start randomly unencrypting the contents of my brain, mumbling “3ufs8829fg1” over and over to the kids, the grandkids, and park benches.
Most passwords can be user defined. What I have done is use a system whereby all my passwords are the same or derivatives of the same thing, and these I alter every 2nd week. So for example, I would use sBmail5204 one time for all my passwords, and then Bshyah1466, the next time. If I had a combination lock, I would set that to just the numerical part, or convert the letters to numbers using my cellphone. Sure, the CIA could work it out, but if they wanted it that bad, they would get it!
I just found that using all these passwords was killing me, and I ended up writing them down as imaginary telephone numbers in my diary – even less secure!
Well, I think Microsoft is hitting the nail on the head with it’s “FingerPrint” idea, but I don’t understand why they says:
“The Fingerprint Reader should not be used for protecting sensitive data such as financial information or for accessing corporate networks.”
Why not? I mean, I would think your fingerprint is a substantial amount of data, making it hard to just randomly enter data into password locks and get the code right?
I just wanted to see if anyone agreed with me, because I don’t understand how your fingerprint is “unsecure”, as Microsoft seems to put it.
recently, i tried to look at some of my husband’s books on calculus because i was a math wiz in high school and thought “hey, i think that i can still do this stuff!” i passed out of all my math credits for college and haven’t touched it since. the calculus book left me feeling strangely dumb, though, because i couldn’t remember any of the formulas or calculations.. why? because i got rid of all that useful information in my brain so that i could store all of my usernames and passwords instead. seems like a trade down, no?
i primarily use keychain for all of the things that i can’t remember and then i change my passwords at shopping sites every 6 to 8 months. i also use ridiculously long passwords that have series of characters and numbers that mean nothing so that you can’t throw a dictionary at it and break it. this is what life is like living with a computer security specialist.