Forgot Your Password? No, I Forgot Your Stupid Password Policy. We Need Universal Identity Management.
OK. I'm not even going to try to disguise this rant as anything but. For the umpteenth time, I go to some site that requires membership. I've got accounts on literally THOUSANDS of such sites over the years. And there are a few things that universally piss me off when they happen. And if you run a web service, a web site, a forum or a blog, there's a pretty good chance your implementation (and many of mine, unfortunately) is in my sights.
- Inane password security "rules" like requiring a number. Having worked on enough web apps and seeing passwords go by, I can tell you that the only difference between cracking accounts at sites like these and sites that don't require it is adding a "1" to the end of every dictionary word you use.
- When that inane policy isn't posted ANYWHERE near the login box. If you force me to deviate from my normal password routine (the routine has a definite pattern to it, but not the same password) that means that the next time I visit your site (which isn't likely to be any sooner than 6 months based on past experience), I'm going to attempt my normal routine and fail. And have to hit the "lost password" link. And have to choose another password that doesn't fit my pattern. That isn't the same as "any of the last 10 passwords" on your system. However, if you just put the damn inane password policy right there on the login page, I'd go, "Oh, yeah, I need to deviate and use that *other* pattern to get in here" and I won't spend the next 3 days badmouthing your site and company to everyone I meet.
- Making "my email address" my account name. Look, I understand your desire to have uniqueness constraints in your database table 'users'. I really do. However, you can still keep the email address unique; just let me choose a username. Do you have any idea how many email addresses I have? And how often they change? The first time I used your site I may have been using my corporate account, but now I want to use the site in a personal capacity. But which email address did I use? After my experience with Comcast's ever-changing naming and acquisitions a few years ago, the idea that any email address you don't own the domain for is some sort of permanent thing is a joke. I had cable internet for 4 years and the company changed names (and forced me to a new email domain) 5, yes 5, times. I hadn't yet bought wynia.org for the first few and had to face trying to change my email address flipping everywhere.
- Using my "home" phone number or the address *you* have on file as the way to prove who I am. I recently dealt with a company over the phone who hung up on me because I wasn't calling from my "home" phone number and didn't give my "right" address. Turns out (after speaking with "Jacob"'s manager) that I would have had to break into a house I lived in 6 years ago in order to be "myself". If they'd been able to give me the city, I'd have rattled off the address with no problems.
Which leads me to a final point (and maybe a way to salvage some value besides the rant). I want a single place to authenticate. Make that one place really secure and easily revocable. Make it addressable at a single point, but portable and redirectable. Do NOT make it tied to an email address. When I go to a forum, a new blog or your store for a single visit, I want to be able to just say, "This is who I am" and be done with it. If I happen to come back on a regular basis, great. But I am just SO sick of creating new "accounts" every . . . single . . . #$%^&* . . . day.
Fortunately, there's a lot of work going on in this space and this week Phil Windley has a great series of posts from the Internet Identity Workshop that are well worth the read to see what's going on with Internet Identity.

October 27th, 2005 at 8:11 am
J, have you heard anything about Open ID? It's something Sixapart and some other people have been using, so you can keep one ID across many different sites. As far as I know it's just used for blogs at the moment, but it would be great if other sites could start implementing it as well.
On a similar note, I hate blogs that require a log-in to post comments. It's one thing if you're a news style site like Gawker's blogs, but I hate if I happen upon something on say Blogger, and I go to comment and I get the door slammed in my face.
October 27th, 2005 at 8:21 am
Yeah. I've looked at that one and there are a couple of others that are similar. I actually attempted setting up an OpenID, but couldn't manage to log into any of the OpenID sites using it. As a general rule, if *I* can't get it working, I usually shelve it as unworkable on a larger scale for the time being. But, that was a couple of months ago, so maybe it's worth another look.
October 27th, 2005 at 9:10 am
Essentially, this is the Single Sign-On problem. I share your pain, believe me. I also have a host of seldom-used "accounts". The big problem is that SSO requires some authenticating authority. Microsoft's Passport tried to address this, but was met with user distrust and low uptake among non-MS services. Eventually, MS pretty much killed Passport (though my XP laptop still tried to persuade me to create a Passport after the last round of updates). i-names are an interesting approach, but many will balk at spending USD$25 up front, with an implication of more to spend after the year of i-name hosting runs out.
Ultimately, I think the authenticating authority will have to be independent of any specific service and have a low barrier to entry for both users and services using its auth protocol. But I'm not sure where the business model will come from.
October 28th, 2005 at 3:21 pm
Might I suggest BugMeNot.com? I'm sure you've heard of it but if not, it's a website that will give you a name and password to login with at sites that you may only visit once every six months, without having to create your own identity. I haven't used it too often, but when I have, it's been pretty successful.
October 28th, 2005 at 7:03 pm
Bugmenot works well for things like the NY Times that require registration just to view content. I like tools like that for sites like that. However, the bigger problem is things like Google: I've got a Gmail account, Google AdSense, Google AdWords, etc., because they actually don't share across. Every new tool that comes out, every new service, etc. asks me to 'create a new account', every online store, etc. My concern isn't that I want to be anonymous. For almost all of the accounts, I'm actually not looking to be anonymous. I really am aiming to identify myself to the dozens of site advertising programs, affiliate programs, services, etc. out there.
January 10th, 2007 at 12:05 am
How can I re-get my old password?