Access Denied

By Yuki Noguchi
Washington Post Staff Writer
Saturday, September 23, 2006

Between work and personal e-mail, multiple banking and retirement accounts, two association memberships, photo sites, Web communities, and retailers like Amazon.com and eBay.com, C. David Gammel maintains 130 online accounts, each requiring a user name and password.

Gammel tracks his sundry log-in information in a file on his computer, but on at least two occasions he's confused or mistyped his password, and been locked out of his SunTrust bank accounts, forcing him to call the bank or look for an open branch to regain access.

"It's frustrating -- if understandable," said Gammel, a consultant in Silver Spring. He has also been denied access on a news site when he couldn't remember his log-in information, he said. "I bail on them if I'm having a difficult time," he said.

Password peeves come as a cost of doing business online using multiple computer applications. A typical professional relies on a dozen or more programs or Web sites to manage his life at home and work, and many of those require user authentication for access.

But the increased reliance on technology and the commensurate accumulation of passwords has reintroduced human fallibility into the security equation. Consumers' memories are straining under the pressure of remembering so many passwords. And when those memories fail, companies increasingly have to rely on the judgment of their employees to decide how to field calls from forgetful customers.

The average number of passwords used at work is between six and 12, and is increasing at about 20 percent a year, according to RSA Security Inc., a software and security consulting firm. To make matters more complex, Web sites and workplaces often ask users to change passwords at regular intervals, or require a mix of lower-case and capitalized letters, numbers, and special characters such as "#" or "$" -- a practice that makes it harder for a hacker to guess at a person's password.

But the abundance of frequently changing passwords -- and the confusing jumble of permutations and combinations most computer users create -- are not only inconvenient, they often undermine the very security goal they were meant to achieve.

At two-thirds of companies, workers kept passwords by writing them on a piece of paper kept in the office, according to a study released last week by RSA. Another 59 percent stowed them in files on their computer, and 40 percent wrote them on sticky notes pasted around their computer monitor, allowing any passerby to see.

"There's a tradeoff between convenience and security that people don't think about very much," said Jim Harper, director of information policy studies at the Cato Institute, who said he keeps a file tracking at least 50 logins and about 25 password variations. "Technical people have been working on this for a long time, but it's hard to come up with something that's easy and secure."

Like many users, Kimball Brace, president of the consulting firm Election Data Services Inc., rotated between three or four standard iterations of his password, a system that worked for a while.

"I'm a heavy Internet user and a heavy computer user, and as such I'm always hitting various new sites, so I do see a proliferation of passwords becoming necessary," but the convenience and access can come with a frustrating price, he said.

Once, when Brace was on the road, he tried to log into his airline's Web site from a computer kiosk, but couldn't remember his password.

"You've got three chances to remember what you did," he said. When he couldn't, the site blocked him and he was forced to fly another airline.

Password management has become such a problem that it has spawned a small technology sub-industry.

Dozens of companies such as Siber Systems Inc. in Fairfax make software that consolidates various passwords under a single master password. Siber Systems, for example, has a program called Roboform that automatically unlocks all the sites users visit by consolidating all log-in information behind one master password. (Even password management has its limitations. If users forget the master password, they're simply out of luck and must re-register.)

Sites like Bugmenot.com have surfaced in response to the frustration of having to register for an account just to read a news story, for example. That site lists generic usernames and passwords that anyone can use to gain access, as well as a system that allows users to note whether the name and password worked or not, keeping the list fresh.

Many users permit Web sites to send cookies, or small bits of identifying information, back to the computer so the site remembers when a registered user returns. Many password-protected sites also anticipate the need and offer "forgot your password?" links that e-mail the password, or send a new one, to the user's e-mail address.

Biometric markers such as fingerprint scanners -- some of which are built into newer computers -- might eventually solve the problems of password protection, some security experts say.

Acquiring someone's password by masquerading as someone who has forgotten one is often the pretext criminals use to obtain private information -- a major security problem that's entered the limelight in recent weeks.

Password fatigue has created a rich environment for identity exploitation, said Robert Douglas, an information security consultant. Reinstating customers like Gammel -- rightful users who get blocked from accounts after failing to enter the correct password -- creates a problem for companies, which then need to authenticate a customer's identity through other means.

"Look: I can't remember all these PINs or passwords, and I'm about to get on a plane" a criminal might say to a call-center operator to cajole them out of a password, said Douglas, a former private investigator who researches non-technical methods people use to hack into private information. Often, the only additional information the hacker might be required to provide is easily obtainable biographical facts like the last four digits of the account holder's Social Security number, or their mother's maiden name, he said.

"We live in a generation that wants instant access, and they want it yesterday," he said. "Companies don't want to anger a real customer" who might have forgotten a password, he said, but in accommodating that request, they might be giving information to a criminal.


© 2006 The Washington Post Company