Newspaper Reporter seeks stories from tech community

Webmasters tell what they've seen

         

stevesimons

7:59 pm on Dec 27, 2007 (gmt 0)

10+ Year Member



A reporter with a major US newspaper is looking for anyone who has thoughts and/or experiences on either of the following two story ideas.

He can be contacted directly at imulibrary@gmail.com

WHAT THE MODERN PASSWORD HAS BECOME
The basic idea for this piece is that in the past five to ten years passwords (creating, remembering, storing, changing them) have become a major player in virtually everyone's lives. We want to collect funny and interesting anecdotes that capture how people relate to passwords, including their frustration, the sometimes poignant stories behind their creation, the dizziness of managing them, the impossible binds they create for us.

We are looking for anything along the following lines:

--stories of complicated situations created because someone forgot their password.
--comical, poignant, interesting stories behind how a certain password was created.
--stupid, clever, odd ways that people have found to remember their passwords.
--ways in which passwords have become even more burdensome than they were even several years ago.
--stories of embarrassment when a person had to reveal a password to someone else and the password was something they had assumed they would never have to reveal to anyone.
--Any interesting cultural productions, like songs, jokes, poems, websites, whatever, specifically dedicated to what passwords have become in our lives.
--has anyone seen pieces of software or hardware that are specifically designed to help us deal with the tedium and complexity of passwords? I know of the storage devices, but any others?

The second idea is this:

TECHIES RULE THE WORLD
The simple idea for the piece is that in many companies and large institutions techies (i.e., folks in the IT department) have actually become more powerful in many (and discreet) ways than even the CEOs. We're looking for anecdotes that might fit in any of the following categories:

--stories of companies or large and powerful institutions being brought to their knees because of something the tech person did (perhaps vindictively).
--stories that show how the tech person, not the CEO, is actually the most powerful person at major companies (or other institutions) (for instance, tech people often know first when someone is going to be fired, they have access to everyone's email and passwords).
--when tech folks leave their job, sometimes they intentionally leave things in disarray out of spite, sometimes they simply don't communicate with the successor. I'm told there are folks/firms that come in and help companies transition by reverse hacking passwords, and figuring out how a system is set up so that they can explain it to the next person. Any knowledge of this?
--pranks that tech folks have played on powerful folks above their pay grade. (pranks that only tech folks could play)
--Are job contracts now written with clauses that speak specifically to this sort of issue and attempt to safeguard against slash and burn tactics or try to limit the extent to which tech folks can hold institutions by the yin yang.

Brett_Tabke

8:35 pm on Dec 27, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Very interesting story ideas there.

Passwords:

I was just at a major computer manufacturer's website a couple days ago. I spent over an hour picking out products and adding them to my shopping cart. I went to checkout and was prompted for a login and password. We'd ordered from this company many times before. I had no idea what the password was any more. It was a hard type password with required upper case, numbers, and all that annoying stuff. After trying about 10 different variations, I gave up and went to reregister. Apparently we have had the same thing happen before because it told me that all five of my stock email addresses had previously been used at the site. There was no option to email the password because I couldn't remember my login name associated with whatever password. I finally got such a case of web rage, that I just left and ended up ordering those $15k in machines from their competitor.

pageoneresults

8:42 pm on Dec 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Welcome to WebmasterWorld stevesimons!

After trying about 10 different variations, I gave up and went to reregister.

One of my biggest concerns. I'm trusting that the site I just entered those 10 different variations in is not recording those in any way. While most of us are going to be alert to these issues, the general public will not. I would think that capturing failed password attempts is at the top of the list of features at some of these phishing sites.

I've gotten into the habit of requesting my password via email which I know ranks right up there in the top 5 things not to do, but I just can't remember all of them and I'm a bit concerned about relying on any third party tool to manage them for me. And I surely don't want to make multiple attempts using "possible passwords" not knowing if that information is being captured and/or assimilated for further use. Who knows...

jomaxx

8:50 pm on Dec 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Heh, Brett's story reminds me of Amazon.ca. I don't have problems with the .com site, but I have never ever been able to get the password retrieval to work on Amazon Canada, and so I've had to re-register several times.

I mention it mainly because, of all the companies in the world, you'd think Amazon would have gotten this right by now.

In fact, I was at a certain environmental charity website just last night, trying to give them $1,000. Well you're not allowed to do that unless you register, which I must have done last year because my email address was kicked out as a duplicate. So I did a password reminder, and of course 20 minutes later the email still had not shown up. Like Brett, I resorted to re-registering with a backup email address.

stevesimons

8:57 pm on Dec 27, 2007 (gmt 0)

10+ Year Member



In terms of stories about the binds that people get into when they forget (or don't share) their passwords, see this one:

YAHOO NEWS

The family of a U.S. Marine killed in Iraq was denied access to the soldier’s Yahoo e-mail account due to the company’s policies, raising questions of whether businesses should balance privacy with special requests.

The Marine, Justin Ellsworth, 20, was killed in November by a roadside bomb in Falluja while assisting civilian evacuations before the large-scale military offensive against insurgents in the city, according to a report in the Detroit Free Press. But when Ellsworth’s father John tried to recover his e-mail account, he was barred due to Yahoo’s policy of not giving e-mail passwords to anyone besides the account holder.

A Yahoo spokeswoman said the company’s terms of service require the company not to disclose private e-mail communications for its users. Yahoo will turn over the account to family members only after they go through the courts to verify their identity and relationship with the deceased. After 90 days of inactivity, Yahoo deletes the account.

rocker

1:59 pm on Dec 28, 2007 (gmt 0)

10+ Year Member



I have an address book where I keep all my login names and passwords, hidden of course.

I also keep a copy of all my accounts, login names and passwords in a safe at my bank. Only my wife, oldest daughter and myself are authorized to have access to the safe.

jtara

5:03 pm on Dec 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's plenty of software available for keeping track of passwords. I use Password Safe, which is free, open-source software. There are plenty of commercial packages as well (most probably more fully-featured than Password Safe.)

These programs store your passwords in an encrypted file. You need a password to decrypt the file (the program asks for it when it starts up) but then you only need to remember one password.

These programs make it as easy as possible to access the passwords. You can cut and paste them easily, some of the programs will track your web browser and offer the password associated with the site currently being browsed, etc. A minor - but important - feature of these programs is a random-password generator for creating new passwords.

If you aren't using one of these programs, you probably have weak passwords, because they are ones you have to remember.

Forget about the passwords used to protect access to your computer (PC, Mac, etc.). Any Geek Squad technician can get you in in a few seconds flat. The solutions vary depending on OS (a Linux "rescue CD", for example, will give you access to a Linux system as "root" simply by booting from it). And the data can be read easily without even having to bust the password by simply plugging the hard disk into another system.

If you have valuable or sensitive data on your PC, the only way to protect it is with encryption software. That will require, of course, another password.

rocknbil

6:41 pm on Dec 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



--stories of complicated situations created because someone forgot their password.

I experience the most common example of this two or three times a year:

One of the important points that gets overlooked is that the actual registration and control of the domain name requires a passworded login at the registrar's web site.

Often I am presented new customers who are unhappy with their current host and want to move. This requires altering the domain registration account to point to the new host. They have forgotten their domain registration account login, or don't even remember who it's registered with.

A variation on this is they've changed their email address since registering, so they never get the emails that their domain name expiration is pending. One day their site just disappears.

The complication is that most domain name registrars require a robust identification process involving faxing your driver's license on a company letterhead to reset the domain registration account password. In cases where the domain name has been purchased through a reseller, this can get exponentially more complex.

stories of embarrassment when a person had to reveal a password to someone else and the password was something they had assumed they would never have to reveal to anyone.

Who can forget Seinfeld's George Costanza having to reveal his secret code, "Bosco." :-)

--stories of companies or large and powerful institutions being brought to their knees because of something the tech person did (perhaps vindictively).

I'd like to think there is an unspoken code among developers that rises above this and aligns with the law of karma - but I'm a romanticist.

I know of one developer who did exactly this, when leaving a company he entered one simple typo into a bit of the code. The company-wide software still worked, but on a particularly important function it failed to calculate correctly, making the whole thing worthless. Apparently they spent months trying to debug the issue, and eventually had to scrap the system for a more expensive one.

LifeinAsia

6:52 pm on Dec 28, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Easy enough to tie the two together- Techies can rule the world by assigning passwords that no one can easily remember and don't allow the user to change them. :)

web_wheeler

11:56 pm on Dec 29, 2007 (gmt 0)

10+ Year Member



I don't mean to hijack this thread, so I will simply say that here is a Firefox add-on that enables you to hash out unique strong passwords for every login form from a single master password. I have found it to be very useful:

[addons.mozilla.org...]

(note to admin: for some reason url style codes don't work with the above URL)

[edited by: engine at 5:09 pm (utc) on Dec. 30, 2007]
[edit reason] Note to member: https will not hyperlink [/edit]
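The approach described in the post above, deriving a different password for each site from one master password, can be sketched as follows. This is an added example, not the add-on's code: the thread does not give its algorithm, so the function name `site_password`, the PBKDF2 parameters, the salt layout and the alphabet are all assumptions.

```python
import hashlib
import hmac
import string

# Assumed parameters for this sketch (not taken from the add-on).
ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
# Bytes >= LIMIT are discarded so every character is equally likely.
LIMIT = 256 - 256 % len(ALPHABET)


def site_password(master: str, site: str, login: str = "",
                  length: int = 16, counter: int = 1) -> str:
    """Derive a per-site password from a single master password.

    Nothing is stored: the same inputs always give the same output,
    and `counter` is bumped when one site's password must change.
    """
    if not master:
        raise ValueError("master password must not be empty")
    # Normalise the site so "Example.COM " and "example.com" agree.
    salt = f"{site.strip().lower()}\x00{login}\x00{counter}".encode()
    # Slow key derivation makes guessing the master password from a
    # leaked site password expensive.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)

    chars = []
    block = 0
    while len(chars) < length:
        # Expand the key into as many bytes as needed (HMAC in counter mode).
        stream = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
        for byte in stream:
            if byte < LIMIT and len(chars) < length:
                chars.append(ALPHABET[byte % len(ALPHABET)])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    for site in ("example.com", "example.org"):
        print(site, site_password("constructed master phrase", site, "alice"))
```

Because nothing is stored, anyone who learns the master password can recompute every derived password, and a site that forces a change is handled by raising `counter`.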

engine

5:25 pm on Dec 30, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Passwords, and providing security for account access, have become a challenge for many, old and young alike. It is not likely to get any easier for the foreseeable future. IMHO

There is talk about biometrics, fingerprint recognition, retina scans, etc., to help provide acknowledgement of identity, but, this worries me more than a simple text password. Forgers will not need to create a copy of the data, but will simply need to steal the data. This data has to exist in at least two places: The eye, DNA, or a fingerprint, etc., and at the bank, or business, etc.

How many times do you touch an object, look through a lens, or leave your DNA behind? I'll wager it is more than you might initially think. These are all good ways to get hold of one side of the advanced password.

No, that worries me.

Exocet

1:07 pm on Jan 7, 2008 (gmt 0)

10+ Year Member



I used a password based on an anagram of a service back in the late 80's, but unfortunately I had to give my password to an admin of that service so that they could log into my account and experience the problem I was having. It was based on the fact it was a free email account so my password was based on free UK electronic messaging (fukem), we both had a laugh about it.

coopster

4:09 pm on Jan 7, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I had a college instructor that pushed me daily. He pushed me to levels well beyond the average of that day because he knew I was not challenged by the standard curriculum.

One day, I decided to one-up him with a little mischief. I developed what looked to be a login screen on the college mainframe computer. After developing the display I created a simple database table to store userids and passwords. I had a student login, as did we all, so I would find an empty computer and log in to it. I would call my program which merely sat on a display screen that looked exactly like the college login display. It was that simple. I would log in, call up the program and then walk away. It took me about 3 seconds to stop at an open workstation and set this trap up. An unwary user would sit down, key in their personal information and upon pressing Enter I had them! Sound familiar? It should! Another form of this deceptive action is now termed "Phishing" and it is one of the oldest scams around! Old scam, different delivery, new name.

After running quite a few entries into my database tables I decided to let the instructor in on the fun as I now had his details as well. We sat down together and I showed him how it worked. After a few moments a cross look came over him. He proceeded to list the college policies I had just violated and that I would be expelled for my behavior. My heart sank. My mentor seemed quite disappointed. He then smiled as he knew he had turned the tables and now one-upped me! Next, he showed me areas where I could improve, areas I had not yet thoughtfully considered. We had a thorough analysis and discussion. Directly afterward he went off to limit student application possibilities and tighten up security.

My college instructor was much more than a teacher, he was truly a great mentor. He taught me not only advanced programming skills but also a little something that would echo years later while I watched the first movie release in the modern day theatrical series of the comic book hero Spider-Man -- with great power comes great responsibility. He passed away a few short years after I graduated his program. We talked often throughout those years and I thanked him many times for not only the education, but for my education ;)