This article is more than 1 year old
Either my name, my password or my soul is invalid – but which?
Devising complex new passwords is character-building
Something for the Weekend, Sir? Try as I might, it won't go in.
I have entered pretty much everything else so far but this time I'm getting a definitive "no". I respect that, of course, but it leaves me jolly frustrated. Despite all my powers of persuasion, I'm left standing in the cold with one hand on my lock.
Yes, lock. The site keeps rejecting my password, you see.
Growing bored of retyping likely alternative usernames and/or passwords repeatedly in various combinations, I begin typing random characters and/or bollocks into both fields just to see if this produces a different kind of response. Maybe the error message will get angrier and/or redder?
By the way, I haven't forgotten my login credentials: I am registering with a new service as a new user but for some reason it doesn't like what I'm typing. Who knows, perhaps it doesn't like the way I'm typing. I try typing lightly. I try typing forcefully. I try typing while hunched and laughing maniacally. I try typing with big campy flourishes. (I bet you wish I'd captured all this on my webcam.) No luck.
Ah now, I seem to remember something like this happening while working on-site at one of my old newspaper clients. It was one of those places where the CTO would be systematically replaced every year and each fresh-faced, middle-aged jock would insist on heaving his seniority-enhanced paunch into everyone's faces for a few weeks upon arrival before getting everything wrong, messing everything up and eventually being systematically replaced 11 months later.
One of these just-passing-through guys insisted on a hurried rejig of the Active Directory sign-ins to force us all to change our passwords on a monthly basis. Annoying, yes, but I was prepared to go with the flow in the interests of corporate security. Joking aside, this stuff matters when the livelihoods of thousands of staff worldwide are at stake.
For example, despite the valid criticism thrown at British banks for their historic laxity when it comes to personal login credentials, I give credit to Barclays for its recent TV campaign explaining how easy it is for customers to sabotage their own security via social media.
Unfortunately, the AD changes at my client were rushed through by a harassed IT Support Desk still struggling with the public shame of being rechristened Customer Delight Providers by the latest short-term tenant of the glass office in the corner with the nice view over London. As well as expiring every calendar month, the passwords were now expected to have a minimum 12-character length and include at least two upper-case letters, two numbers, a special character, a Japanese hiragana, a Cyrillic consonant, a typographical thin space and any emoji representing a sexually suggestive root vegetable.
Oh, and the new password system had been set up to automatically reject – again without explaining why – recognisable strings resembling dates, surnames, local streets, Beatles song titles (I kid you not) and, worst of all, the names of all nearby pubs.
Not a problem, I hear you cry. Well, it is if no one got around to adding these rules into the New Password prompt. Again and again we'd type in new but not-quite-right passwords only to be told they were invalid – but not why. The poor sods on the ex-IT Support hotline spent the next 48 hours Providing non-stop Delight to their Customers until someone got around to updating the password prompt.
With this memory still stinging in my mind, I phone a friend for assistance. He tells me it's my own fault because my kind of email address is "wrong".
Er yeah OK bye. Idiot.
I should have known he'd come up with a daft suggestion like that. This is the bloke who would casually sabotage his own monthly New Password prompts by changing his password 11 times immediately and, for the twelfth, reset it to his old one again so he could carry on as before. He even kept his 11 non-passwords on a sticky note attached to his display bezel so that he could run through the same routine in the same order every month.
Why should I be surprised when research suggests that 45 per cent of infosec professionals, who really ought to know better, reuse the same passwords across multiple accounts? It's not a lack of awareness, it's a clear admission from within the security industry itself what a pain in the arse it is to sign in again and again dozens of times a day with different credentials.
And don't get me started on two-factor authentication, as this invariably means little more than two-password authentication: if you can bypass one, you can bypass another. This is especially so if the second factor is merely a detoured PIN sent to your smartphone: all a thief has to do is nick your phone and he sits and waits for the second password to light up in front of him.
Nor am I sure about biometric ID such as those built into EU passports to speed up airport security checks. If I'm facially scarred in a road accident, for example, my biometric passport will no longer work. I'd have to apply for a new one – by submitting a birth certificate, a utility bill and other such conventional, easily faked paperwork.
Perhaps we need to go full-DNA, as nothing short of being bitten by a radioactive spider or being locked in an Intrinsic Field Subtractor is going to alter the arrangement of my chromosomes. Take a swab, darling! Need a specimen to unlock the door? No problem! From where? Ooh missus. Love is the key, I suppose...
Demonstrations of commercial DNA identity products such as Parabon's Snapshot certainly look like they can work magic. Or too much like magic?
Nope, I'm no Doctor Manhattan. I certainly don't fancy standing at passport control after a vacation on Mars sporting an ultra-violet tan, rippling thermodynamic muscles and my knob hanging out.
With a sigh, I turn back to my website sign-up. Hmm. A thought. Why not?
I type in a different email address for my login ID. This works and the registration process is soon completed. It turns out my friend was sort-of correct: there is nothing wrong with my usual email address except that the online service I have been trying to register with has been designed not to recognise strings of fewer than four characters before the '@'. Nor will it accept any kind of ID other than an email address.
In other words, it wasn't that my username and/or password was invalid. It's that the site is mistaken and/or fucked. ®