Your password has expired, said the message. It suggested a change for access to the site.
Since this was happening every three months on this website—a bit too often for my comfort—I called up a customer care executive who told me rather gently that the quarterly change in password is a security feature. Changing frequently protects from being hacked or stolen or misused.
I don’t want to change my password, I mumbled, because it’s so darn difficult to remember them.
Sorry sir, the lady patiently continued, there is nothing we can do about it (except for me to change it or stay locked out).
There are 43 apps on my phone that require a password. This excludes some of the other sites/services that I use which need a password as well. I don’t use half of these apps but that’s a different argument.
When I first counted the number, it seemed huge. When I cross-checked with some friends, it still seemed to be a fairly high number—the average was in the mid 20s.
While I may not need to feed in a password every time I power up the app, I would still have to remember it. To recall over 50 passwords—if I were to use a different one for each site/app I use as advised by cyber experts—is beyond my rather limited memory. So, even if I am not forced to change it because of some inbuilt security, I have to often change because I have forgotten them.
So, reluctantly, I tried to change the password of the above-mentioned site, with grating consequences.
Error: Your password needs eight or more characters.
Error: The password should be alpha-numeric.
Error: You need at least one special character.
Error: At least one of the alphabets should be in upper case.
Error: Your password should not be similar to the last three passwords you used.
By this time, irritated and getting increasingly frustrated and normally not given to such language, I typed out some rather abusive words as password.
f***thiss***, I hammered out on the poor computer.
Sorry, change that to F***thiss***1.
Your password has been changed.
Besides these 50 or more passwords, there are also the corresponding usernames. Then, to recollect at the appropriate time which username applies to which password and for which service. I feel this strange joy when some sites have emails as username—one less thing to remember.
The most active smartphone user in India spends about four hours a day on his/her device, according to a study. The least active users do about one-and-a-half hours on it. Shopping, travel and games are the top categories for apps. So I am not the only one trying to come up with unique passwords.
The problem with having easy-to-remember passwords is that they are also easy to hack into. With the amount and kind of personal data that we have online, this could be dangerous. That’s why we are advised not to use the same passwords for everything and to change them frequently.
Having complicated ones, on the other hand, makes it not only tough to remember, but also, in case one is suddenly incapacitated, it becomes difficult for survivors to access important information.
For every argument, there is also a counter-argument, further confusing naïve users like me. The UK’s National Cyber Security Centre actually advises against changing passwords because it exposes the user to attackers. A study by a Microsoft researcher, quoted in PC Mag, has found that the task requiring a minute per day from every working adult in the US costs about $15.9 billion a year. It’s therefore a waste of time and money.
Obviously, there is no simple solution to this password conundrum except: keep a complicated password and share it with the one person you trust the most.
Now what could that complicated password be? There are a limited number of combinations of names and dates you can come up with. So how does one remember them all?
There are now apps that help you remember names—it’s like having one password to rule them all. LastPass, KeePass, Identity Safe, RoboForm and 1Password are some of the “password managers” I saw. These apps are themselves “hack-proof” and not all of them are free.
An article in Forbes suggests the use of a common key—four to five characters in a complex combination, followed by two alphabets for the site it is used for (FB for Facebook, for example) and a number/date that gets added every year. While this may sound complicated, the only thing one has to remember is the first few characters. The rest are fairly automatic.
If you get locked out or forgot your password, sometimes the process of getting back on track can be a bit cumbersome, as elucidated in the beginning. India has a pretty meticulous system of cyber security—you get a one-time password for many transactions on your cell phone. Sometimes you get an OTP on your mobile number and another on email and might need to enter both in order to change the password.
I once got an OTP for trying to log in to an app—the OTP came on the very phone with which I was trying to log in, which sort of beat the purpose.
Sites and applications also send you scary emails about someone trying to log in to your account from a random location. I used to get worried for some time because some bloke was trying to log in to my email from Noida before realizing that my own laptop shows up as being in Noida.
If passwords were not tough enough, “captcha”, which calls the user to replicate a bunch of distorted characters, is the other big challenge. It takes me three or more attempts to get it right, which means I am certainly not a bot but perhaps have some sort of comprehension disability.
While in the “olden days” one remembered landline telephone numbers, now we try to remember passwords. It might be a good thing too. Working our brain to remember might delay the onset of Alzheimer’s. You can treat it like a puzzle from your childhood—this password fits in here, that one fits it there. I am just looking for a silver lining here.
Technology was supposed to make our lives easier. It certainly does, in many ways, but also complicates it—with these passwords and OTPs. Do we increasingly isolate ourselves and build digital walls around that others can’t enter and we can’t exit?
Some weeks ago, I had called another service provider—yep, I am a sucker for punishment—for a query. I had to go through a range of automated verifications—including date of birth and some other numbers.
By the time a human came on the phone, after I blurted out the problem in my hurry to get it over with, she wanted my date of birth again for verification.
I just gave it to the automated machine, I said.
That information does not get captured with us, she told me calmly. We need it again for verification.
f***thiss***, I thought.
In my mind, I did visualize it as F***thiss***1.
Letter From... is Mint on Sunday’s antidote to boring editor’s columns. Each week, one of our editors—Sidin Vadukut in London and Arun Janardhan in Mumbai—will send dispatches on places, people and institutions that are worth ruminating about on the weekend.
Comments are welcome at firstname.lastname@example.org