Our Modern Dystopia — Password Hell

I have the solution to end all passwords

Living A Daily Hell

I am not an expert on information security (InfoSec). Not even close. I am, however, an ardent user of technology and therefore a victim of the pain inflicted by the requirements of information security.

Infosec? Enough tech jargon!

I’m tired of passwords! I’m tired of creating them. I’m tired of trying to remember them. I’m tired of forgetting them. I’m tired of recovering them. I’m tired of being asked by my dad what his passwords are. I’m tired of using arrow buttons on my Roku remote to navigate a virtual keyboard to enter my Disney+, nay, my ESPN+, password. I’m tired of creating schemes to come up with new ones because “your password does not meet historical requirements.”

Side rant: Why the **** can’t it use simple English and say “you’ve used that password before — you can’t use it again.” (The stars in the previous sentence weren’t a colorful word. They were my password in disguise.)

Warning…back to tech jargon.

Each day, I enter my Active Directory passwords, both regular and elevated, my VPN password, my G Suite password and various other passwords to other services. And if the VPN would just stay connected, I would have to enter its oh-so-very-strong password just once per day.

No work day would be complete without doing a little Amazon shopping on the side. So, there’s that password too. If I’m being really honest, I’ll probably check on my bank, crypto, and investment accounts too, making sure they show numbers similar to what I saw yesterday. Yup, those services have passwords too.

But it’s not just the passwords; many of the aforementioned services I use also use Two-Factor Authentication (2FA). Not only do I have to enter the password correctly, I then have to pull out my phone, find the correct authentication app, and dutifully enter a 6-digit code before it cycles to a new one. Of course, Microsoft Teams, Coinbase and my VPN client all use different authenticators.

I use four authenticators. FOUR!

Frequently, one of my crypto accounts likes to conveniently forget that I’ve previously authenticated my computer or phone as a private device and that it can stop pestering me for further verification. So what does it do? It sends a One-Time Passcode (OTP) to my phone as a text message. Recently Google recognized this extra pain point and added a feature to Android Messages to automatically copy the OTP code; all I have to do is paste it when asked.

Easy enough to do, sure, but **** it, I’m tired of it.

After much pondering, unabashed consultations with shamans, and study of the human psyche, I’ve stumbled on a solution to end this madness.

The cost of all this security

First, let’s understand the role of all the pieces of information that have become part of my daily process.

My username tells the service who I am. My password proves to the service that I am who I say I am. If there is a 2FA or OTP code to follow the password, it basically tells the service, no, really, itsa me, Mario!

Tied to my username is all the stuff that I’m supposedly hiding, the details of my life that no one else should have, the sensitive stuff that I’m allowed to see because I’m special. My username is married to all the digital information that really shouldn’t be seen or used by anyone else.

It’s the kind of information sought after by the guys who stole data from Equifax, Capital One, Target and other high-profile and not-so-high-profile data breaches.

It’s the kind of information that is protected by PCI-DSS & SOX compliance rules. It’s the kind of private info that is shielded by HIPAA, CCPA, and GDPR, among many others. Whole departments have been created in medium-to-large organizations whose whole purpose is to continually ensure that internal data is secured.

It’s why Touch ID, Face ID, retinal scanning and various other technologies were created; just another way to say, yes, it’s really me!

But it’s not just the passwords, 2FA and the various bio-ID methods. There are 4-digit PINs, 6-digit PINs, whitelisting, ever-increasing numbers of security questions, and CAPTCHAs. While I’m acutely aware of the secret reason I need to identify crosswalks versus bridges, it all just gets in the way of me trying to prove my identity to a service.

All of this technology came at a price. Millions and billions of dollars in research and development. Whether it’s creating the technology to supposedly ensure my privacy, or creating technologies to circumvent those technologies, or enacting legislation, litigation and consumer settlements, the costs have grown astronomically high, easily surpassing 3-comma figures.

It’s not just about what’s behind lock and key

But the security and legislation are not just about my information, how much I have in my meager investment account, or that I twice tested negative for COVID.

It’s about humans’ desire to have things for free while pushing the boundaries of what can be obtained while toeing the legal line.

Remember Napster? What about Limewire, Kazaa, Grokster, and the Pirate Bay? After decades of legal back-and-forth, what came of all of that?

We got DRM and DMCA.

Apparently, millions of people wanted songs and movies without paying for them. I think we have a word for that.

Stealing.

There’s even a commandment for it.

The solution to all this

There are three reasons NOT to protect anything from being accessed, used or duplicated illegitimately:

  1. We don’t know how to adequately protect the thing from being accessed. For example, VHS tapes. Passwords are the keys that secure our digital things. Given all the high-profile data breaches that have recently occurred and continue to occur, I will boldly claim that no, we don’t know how to adequately protect them, so let’s just stop trying.
  2. The thing being accessed is worthless. No need to lock up a rusty old car on blocks. The information secured behind passwords only holds value to individuals whose scruples are absent.
  3. I trust that because the thing belongs to me, others will respect that and leave it alone. Generally speaking, people in small towns don’t lock their cars or homes.

The password song-and-dance we do now is only going to get more complicated and more obtuse. Who knows what other biological appendage or orifice will be the next viable candidate used for identification? The near future will only bring more technology to prove I am still who I say I am, goddammit.

I’m constantly lamenting the drudgery and pain of entering multiple passwords daily to people around me. But then I recently had my aha moment of realization. There is a way out of this madness.

And it’s a lot easier than you think.

The only initial costs involved would be to undo the current technology and remove all password functionality, remove all Bio-IDs, recovery techniques, 2FA, etc. Just get rid of ALL OF IT.

Then, all you need are 3 things:

  1. Your username, as you’ve always had
  2. This is the secret sauce — a solemn promise to yourself that you will only use and access what is yours (my shaman will smite you for violating this rule)
  3. Another promise that if you accidentally venture into someone else’s info by typing your username wrong, you will back out slowly, say “oops, my bad,” exit, try again, and not use or share any info you happened to access.

No more passwords needed.

See? Easy peasy.
