
Anil Upadhyaya
The Maze of Passwords

There was a time when the Internet was used only for aimless browsing, and that called for no password. Passwords were something you heard of in war films and thrillers. In real life, yes, a password was required if you leased a locker in a bank, but, thankfully, few officers bothered to ask for it if you carried the right key and could tell them the correct locker number, which was deliberately kept different from the number stamped on the key.

Then came e-mail and, with it, the era of passwords. To use e-mail safely, you had to make the password extremely difficult for others to guess while keeping it easy for you to recall. How do you do that? There are two ways. One is to concoct a random mix of characters from the keyboard. That makes it as hard for you to divine as for anyone else, except for the fact that you created it. But then you were admonished not to write it down anywhere: you might lose the paper and, with it, your intellectual property (banks were yet to offer Internet banking, so financial assets were not yet in the basket)!

The other way is to use some information that only you know. So I decided to use the initials of a distant cousin together with the date of my graduation from the University. But which one goes first, and what format does the date take? Also, since a special character is highly recommended, which one do I use and in which position? Remembering the components is easy; remembering the structure is not. Still, as it was just the one password for e-mail, and I was young, I could, or thought I could, commit both to memory for future recall.

Then came an explosion of services on the net, and every service worth its salt wanted you to register and log in. To register, you had to choose a username and a password. You might be tempted to reuse the password you had created for your e-mail account, like a master key that opens many locks. But many of these services used your e-mail address as the username, so reusing its password would be a grave mistake: anyone who learned the password for one of those services could also read your mail, and with it reset every other account that sends its recovery links there. Even if you chose to ignore that risk, you might find the service provider far stricter than the e-mail provider, accepting nothing shorter than eight characters and insisting on at least one lowercase and one uppercase letter, one numeral and one special character. As an easy way out, you might add two zeros at the end to reach the prescribed length, insert a special character and make one of the letters uppercase. But when you visit the site the next day, you wonder whether you capitalised the first letter or the last. Did the 00 padding go before the special character or at the end? You make more than a couple of tries and are promptly locked out. Fortunately, a “Forgot Password” option is available, but to use it you must be able to read your mail, which means remembering the correct password for your e-mail account.

So now you have two passwords, one for your e-mail and one that you have decided to use for all other sites and services. But those services soon start sending you too many e-mails, so you open another e-mail account exclusively for personal correspondence, leaving the first for unsolicited mail. Now you have three passwords to remember.

Then comes the invitation to use your bank’s Internet banking service, with many attractive offers. Internet banking is a far more serious matter, so you coin a really strong password, bringing the tally to four. A fifth may be required if your bank wants one password for viewing your accounts and another for transacting online. Just as you are consoling yourself that it is a matter of no more than four (or five) passwords, the bank informs you of its password policy: you must change your password(s) every 180 days, you cannot reuse any of the previous four, and, of course, each new password must be as strong as the last. So, with time, the number of passwords required for one bank grows from two to ten: five for viewing and five for transacting, presuming that you recycle each one once it has dropped out of the last four.
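Seen from the bank’s side, that policy has to be enforced without ever storing the old passwords in clear. The following is an added example, not the author’s code or any bank’s implementation: the three rules just described (eight characters with the four character classes, a change every 180 days, no reuse of the last four) are checked against a per-user history of salted PBKDF2 hashes, so the reuse test compares hashes rather than plaintexts. The names `PasswordRecord`, `complexity_problems` and `verify`, the choice of PBKDF2-SHA256, the iteration count and the reading of “previous four” as the four most recent passwords including the current one are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy values as described in the post: at least eight characters with a
# lowercase letter, an uppercase letter, a numeral and a special character;
# a change every 180 days; no reuse of any of the last four passwords
# (assumed here to include the current one).
MIN_LENGTH = 8
ROTATION_DAYS = 180
HISTORY_DEPTH = 4
# Assumption for the example: PBKDF2-SHA256 with a modest iteration count so
# the walk-through runs quickly; a production setting would be much higher.
PBKDF2_ITERATIONS = 100_000


def complexity_problems(password):
    """Return the list of complexity rules the password breaks (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no numeral")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; a fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordRecord:
    """Per-user state: the last HISTORY_DEPTH (salt, digest) pairs, current one
    last, plus the date the current password was set. Only hashes are kept, so
    the reuse check never needs the old plaintexts."""

    def __init__(self, password, set_on):
        self.history = []
        self.set_on = set_on
        self._store(password, set_on)

    def _store(self, password, when):
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]  # drop anything older than four back
        self.set_on = when

    def is_expired(self, today):
        """True once ROTATION_DAYS have elapsed since the current password was set."""
        return today - self.set_on >= timedelta(days=ROTATION_DAYS)

    def change(self, old_password, new_password, today):
        """Attempt a change; return the reasons it was refused (empty list = changed)."""
        salt, digest = self.history[-1]
        if not verify(old_password, salt, digest):
            return ["old password does not match"]
        problems = complexity_problems(new_password)
        if any(verify(new_password, s, d) for s, d in self.history):
            problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
        if problems:
            return problems
        self._store(new_password, today)
        return []


if __name__ == "__main__":
    # Constructed walk-through of the post's arithmetic: a cycle of five
    # distinct passwords is enough to satisfy a "no previous four" rule.
    cycle = ["Cousin#%d" % n for n in range(2001, 2006)]
    rec = PasswordRecord(cycle[0], date(2020, 1, 1))
    for i in range(1, 5):
        print("rotate to %s:" % cycle[i], rec.change(cycle[i - 1], cycle[i], date(2020, 1, 1)))
    print("back to the first:", rec.change(cycle[4], cycle[0], date(2020, 1, 1)))
    print("the third is still barred:", rec.change(cycle[0], cycle[2], date(2020, 1, 1)))
    print("expired by 29 June 2020?", rec.is_expired(date(2020, 6, 29)))
```

The walk-through at the bottom reproduces the post’s count: after the fifth change the first password has fallen out of the four-deep history and is accepted again, while anything still inside it is refused. Because the history holds only per-entry salted hashes, each reuse check costs one PBKDF2 computation per stored entry, which is the reason such histories are kept short.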

Now the very thought of a relationship with another bank must make you cringe. But this bank offers better interest rates or better investment management software. If you fall for it, you need 20 banking passwords!

It is not that our woes went unnoticed by the IT community. Browsers gained a feature to remember passwords, and the saved passwords were made available on every platform and device you used, as long as you used the same browser and were signed in to it with your credentials. That convenience carries its own caveat: the browser account that syncs those passwords now guards all of them. However, banks’ Internet banking sites disabled this feature on their login pages for obvious reasons. The browser could remember your passwords for other sites, but remembering banking passwords remained your responsibility.

However, this comfort provided by browsers was not to last. With the advent of tablets and smartphones, apps appeared on the scene and gave the browser a go-by. Apps remember you until you log out; merely closing the app does not force a fresh login when you open it again, so over time you forget the password. These apps do provide a “Forgot Password” option in case a new version logs you out and you cannot recall your password. So where is the problem? The problem is our desire to possess more than one of these fascinating gadgets. You have been using your first gadget for a long time and have forgotten the password. You install the app on your new gadget, try to log in and cannot recall the password after repeated attempts. Now the only option is to go through the “Forgot Password” drill and generate a new password, which then has to be entered not only on the new gadget but also on the old one. The issue resurfaces when you buy your third gadget! Remember that you cannot use the “Change Password” option on the earlier gadget on which you are already signed in, because before you can change the password you must enter the old (and forgotten) one first.

Aware of these problems besetting our digital life, app developers have started offering the option of using our Google or Facebook credentials to log into a new app. Since we use these two apps heavily, they stay alive on our gadgets in a logged-in state and are used to sign us into other apps that rely on them for user identification. Now suppose a new version has logged you out and is asking you to log in. You wonder, “How did I log into this app last time: with an id and password, or through Google or Facebook?” Sometimes you make the wrong choice, log in, say, through Google or Facebook, and find all your history, bookmarks and saved lists missing, because the app has treated that identity as a brand-new account rather than the one you built up. Then you try the other of the two options, and if that fails too, “Forgot Password” is the last resort, provided you remember your user id!

Perhaps the only way to save us from this maze of passwords is to use biometrics universally and, if biometrics alone is not considered strong enough, to combine it with a universal software token as a second factor, relieving us of the need to construct and memorise silly passwords.

And now, before I close and save this write-up, I must make sure I remember my cloud storage password (and user id) correctly, so that I will be able to retrieve it later on.

The author is former AGM (IT), Bank of Baroda. The views are his own.