I’m a security threat to myself
November 9, 2010
I’m a security risk. To myself.
That’s what everybody says when I tell them I’ve had the same e-mail password for about 10 years. It’s also my password for most of the Internet.
I’m going to make it even less secure by giving you some hints. There are seven characters. The first is a capital letter, the rest are letters or numerals. And I’ll even knock one out for you; it’s not Wilson1. That leaves you with 1,476,806,125,183 possible entries. Happy hunting.
I thought that was secure enough, and 10 years of safe e-mail seems to back me up on my theory. But nooo, that’s not good enough for other sites.
We changed to new work e-mail addresses about a year ago. It used to be email@example.com, which I didn’t like due to length. I felt like I was giving people a homework assignment when I was spelling it out over the phone. Never mind the one customer who thought “underscore” was the actual word, and not the thing above the hyphen.
As you can see below, our addresses have become simpler, which I think is great for customers. They only have to use the Shift key once to tell me I’m bad at my job. That’s the good news. More good news: I got to use my standard e-mail password.
Bad news: I had to change that password 90 days later. And the next one 90 days later, and so on. If we forget about the magical 90-day deadline, which the system does not remind us of, we’re locked out of our e-mail for a few hours on Day No. 90 and we become ashamed of how dependent we are on our e-mail.
Why not rotate between a few easy passwords? Our site doesn’t like that idea, because it won’t accept your previous 24 passwords, or anything that feels too similar. So if I’m a 49er fan and I use “GoJoe16” to honor Joe Montana, I can’t switch to “GoJoe49.” (Neither of those is my password; you’re down to 1,476,806,125,181.) It will be six years before I could go back to my reliable password – the one that will no doubt still work for my private e-mail address.
Never mind my online bill paying sites, which have other requirements, like eight or nine characters, and one must be a capital letter, and one must be a symbol, and there must be a prime number. That extra layer of security is awesome, because there’s nothing more frustrating than the guy who tries to hack into my site and pay my bills for me.
So, there’s a 1 in a bazillion chance somebody figures out my passwords, so I guess I feel safer. But these systems do nothing for the times I walk away from my computer while still logged in. There’s a 1 in 1 chance of that. I did it Monday when I left to mail a letter.
At least I didn’t pay the price that time. I once left a personal site open, and a friend posted, “I’ve decided to end it all, because I’m sad in the pants. Many things make me sad in the pants, like forgetting to log out of this site before I use the bathroom.” For the record, I had two friends say to not end it all, another friend who said the joke was funny and one more who said, “Might as well; you always were kinda pathetic.”
It’s just like the kid who’s hiding the Playboy magazine in his room. He’s got a Batcave full of security failsafes to hide the magazine, but he gets caught because he’s late for school and throws it on top of his bed in the rush to leave.
I guess you could make a corollary to all security, whether it’s TSA workers or our county jails. You can have all of the security measures in the world, but true security is achieved through proper operator execution.
So who’s the top safety risk? It’s me … or in password terms, Iamthe1.
It’s not that either. Only 1,476,806,125,180 left.