Is password management possible the way we are told it should be

I just bumped into this story about 51% of internet users sharing their passwords. The research result showed that

  • users are putting their personal information at risk by sharing user names and passwords with family, colleagues and friends and
  • they are potentially putting their personal information at risk by leaving themselves logged in to applications (e.g. email and social network) on their mobile devices.

Based on recommendations by security experts we should:

  • have a different password for every service/website/app we use
  • choose a password 8/10/12 chars long with a combination of letters, cases, symbols, numbers
  • never write down any of these passwords
  • never share any of these passwords
  • change passwords every X days
  • log out of any website/app when not using it

Is this possible?

I have 297 different passwords for web pages alone not counting routers, servers (ssh), etc. Do I know them all? Not really. The above recommendations are not feasible for the plethora of services we use today! Knowing them all would be mind blowing and time consuming. There are password managers that are of great help here. But this means that these passwords are written down and usually accessible with a master password. So one password to access all of them.

What about changing passwords every X days? This again would be overkill. Having a calendar and changing passwords for services we don't even care about or use every now and then. Not possible.

What about sharing? Sharing passwords with a partner is reasonable for many people. While some accounts can be shared among two or more (e.g. ISP, Netflix and even a bank account), people often share their-only-services' passwords (e.g. email) in case of a hit-by-a-bus scenario. Not everyone is prepared to do it but many do. Sharing with colleagues can happen in some cases when several people cover for each other or when they check the same service (e.g. an email account). I suppose the password sharing in this group is way lower than between partners. And sharing passwords with friends ... well ... maybe if they fix your IT equipment ...

And about logging out of web pages and apps. On the desktops where we are sole users I don't see the point. Well I don't see the point to log out of gmail (facebook, twitter, you-name-it) on my mobile phone either. The point is to be logged in to get email/tweets/you-name-it in real time. This is why we have a lock screen.

So there is nothing surprising about this study. We can't really manage the passwords the way security managers want us to. There are a few security issues we have to sacrifice to make our life easier.

I use different and strong passwords for every service but I know by heart just 5 of them. I keep all passwords in a password manager with a strong master password which I share with my wife. On my desktop computer my browser knows all these passwords (which are not synced on any other device). I have my screen locked on my phone so people can't just access apps I'm logged in to. And gosh, I probably changed some of these passwords over a year ago :/.

I don't see the problem in users. Rather the problem lies in the technology and how AAA is currently designed and implemented. There are other methods of authentication like: hardware and software tokens, digital certificates, challenge-response, biometrics, out-of-band authentication, one-time passwords like TAN, etc. While some might be more secure they are harder to implement and impose additional burden on users.

Other solutions are OAuth and OpenID. The problem with the former is that many services take advantage of accessing other pieces of information besides the authentication token (and many users don't know this). The problem with the latter is that its implementations are different and there is no uniform user experience. Besides, web pages don't get anything in return and users are more or less anonymous to them, which is now addressed with OpenID Connect. If big companies don't push it forward (and why would they, as e.g. FB already has Facebook Connect) it will not be easily adopted by the general public. Besides a few success stories (e.g. StackOverflow) OpenID doesn't really thrive.

Do I have a better solution? Unfortunately not. Until then we are left with the username/password pair as the least costly and easiest solution for the benefits provided.

The other side of cloud storage: how cloud storage can save the day

A few posts back I wrote about a Dropbox disaster. To be fair, on many occasions Dropbox can save us from our own mistakes.

I was talking about it with a friend who wanted to close his Dropbox account and took these steps:

  1. Opened Dropbox webpage and logged in.
  2. Deleted all the files stored on Dropbox.
  3. Then he uninstalled the client from his computer.

Only to realise that all the files were deleted on his computer as well! Fortunately Dropbox keeps the backup for 30 days and he was able to restore all his files.

Although I wrote that cloud storage can save us from our own mistakes, the blame for what happened here lies partly also in how Dropbox is designed. I suppose the designers haven't predicted all possible user actions and they just expect (as many times) the user to understand the core of the technology. If one deletes everything on the website a BIG RED warning should be in place :).

Another friend shared this story. A night before submitting his thesis he permanently deleted it by accident (thinking about another file) from his Dropbox folder. He opened the website and realised that it was deleted there too. Only a few moments later he found a bin on the website and restored it.

And I was able to get an old version of a file once after I had deleted a substantial part of the content.


As there are plenty of Dropbox related disasters covered online, there are plenty of stories of Dropbox helping to recover from a disaster:

Just don't let the cloud storage be your only backup!

Costly spelling mistakes in filenames

I was searching for a file for about an hour before realising I made a spelling mistake in the file name. I searched the web for similar stories. Unfortunately there aren't many. And the ones I found were not about one's own mistakes.

  • A builder for bootstrap (written by a person) saved a bootstrap javascript file with a wrong name. There were many posts about this bug that made a lot of people wonder why the file could not be found.

"At javascript.html I can build bootstrap.min.js via but return filename is boostrap.min.js. First time I didn't see the typo and saved it as is. Then I was unable to access bootstrap.min.js served by nginx and notified typo in filename."

  • I suppose this person had a similar problem to mine (or maybe not) and posted a Superuser question about a real-time spell checker for folder names. By the way, this is not possible in real-time at the moment but it is a really good idea to implement in current operating systems.

"Many programs are available to check for spelling mistakes or wrong grammar. Is it possible to use spell checking on folder names?"

I'd love to find more stories about it. I remember the Keeping Found Things Found project that had a forum dedicated to PIM stories/mistakes - Tales of PIM. But it never got a spin and is under maintenance at the moment. Apparently people don't want to talk about their PIM problems or they just don't think about them. Once I read about how people feel guilty about not knowing something about technology and would rather pretend to know how to operate it than admit the lack of knowledge. I also read about how people feel ashamed of mistakes made even if the interface is to blame. I just can't remember the sources. Maybe PIM is similar in this respect - people maybe feel that they are the only ones to blame for mistakes made.

A vending machine with a remote interface - very confusing

I wrote once about vending machines, their current interfaces and their (futuristic) designs. The worst interfaces are the ones in which items are distinguished by a random code. Well, this one is even worse.

The vending machine had no slot to put money in or a pad to select an item. I was puzzled for a bit. I looked on the left and right side, but nothing there.

Then I looked at the separate vending machine on the right and although it's a dedicated coffee machine it had two pads: (1) the top one for the machine on the left and (2) the bottom one for the machine on the right. The money for both has to be inserted on the top pad. Weird and confusing.

Lifehacker: How Much Personal Data Do You Share with Your Partner?

There has been an interesting discussion a month ago about sharing personal information in a relationship. The question posted was:

"Being in a relationship necessarily means that you're going to share some of your digital life with your partner. How much is too much? Do you prefer no boundaries at all, or do you keep your partner at arm's length? .... Do you prefer to keep your lives separate and share information on a case-by-case basis? Or do you let your love interest into every nook and cranny of your digital life?"

Most of the replies tend to be on the share-all end of the spectrum, although this approach needs complete trust and respect for each other's privacy. For example, while one might have the password of their partner's Facebook account it does not mean that they should read it without permission (except when the account is shared, which some people do).

"Wife and I share everything, but maybe that's because we respect each other's privacy and space too. She'll keep her Facebook signed in, but that's because she knows I won't use it/browse it/whatever. And vice versa. When the need arises, we tell the password to the other person."

Some people go even beyond sharing passwords:

"My boyfriend and I share our GPS location via Find My Friends and I love it. It's less creepy than it sounds because we're not really going anywhere we don't want the other to know about and it's hella useful, especially since we both run on odd schedules. I don't have to ask if he's home yet, or how long it'll be. I just look and see he left work but is stuck in traffic."

Several others that shared GPS location claimed that it adds to the convenience. There's definitely a distinction between what a partner needs to know and what she/he could know. Sharing some data and information happens because of necessity to make their life easier in case of a demise while some information is shared simply for the convenience (e.g. letting a partner check my email while I don't have access to it or using a phone while I drive). And as the first comment above puts it, it's the trust that keeps one's privacy intact even if information is shared.

"Also, I distinguish between stuff a partner might want to see (email, Facebook) and stuff they would need if I, for example, died suddenly (bank account numbers, ATM PINs, etc.). For the latter, we have affirmatively made sure each has a copy of the other's. For the former, it's more upon request, or just a consequence of living together (i.e. my Facebook and gmail are usually signed in and open on my computer)."

Another issue is the privacy of other people involved. For example if I write to my colleague would I want his/her partner to read it as well? But this again involves trust that the partners would not read each other's information without permission or request.

"The biggest "respect for privacy" thing we both try to stick to is not reading each other's personal correspondence with friends, and even that is mostly because those friends should have the right to know who knows whatever they are sharing with us individually, not because we really are particular about our own personal privacy."

In all of the above comments it's the trust that pops up as a central issue. But in the end, if we trust system administrators -- usually complete strangers -- not to browse through our personal information (e.g. email we keep on an email provider's server) only because they are "professionals", why wouldn't we trust a long-time partner? And here's another thing that pops up, which is time. It is probably safe to say that people don't bring all the cards out when they start the relationship. Sharing happens gradually with growing trust and respect.

One big question is how to act in the case of a breakup. Sharing is easy, un-sharing is not. We can change passwords of services we use. But whatever information ended up in our former partner's space of information is likely to remain there.