Matthew Buckland

The web 2.0 password crisis

Users increasingly need to create accounts with logins and passwords on the sites they visit these days. This is because the web today is no longer a place just for brochure sites, but is increasingly a place for online applications and services like email, instant messaging, banking, social networking… you name it.

In the world of web 2.0, I am registered with so many online services these days that I’ve lost track. Of course, nearly all of them require logins and passwords to unlock their rich functionality.

Apparently, the typical internet user these days has upwards of 21 different accounts that require passwords, according to British online-security consultancy NTA Monitor (as cited on Wikipedia). Now I’m guessing that most people, like me, don’t come up with a different password for each and every one of the many accounts they sign up for, but tend to use the same password or at least similar variations of it.

The reason would be that keeping a separate password for each web 2.0 site you sign up for would just be a nightmare. This is especially so because it all has to be in your head. You shouldn’t write passwords down. Not ever. Not even on that little scrap of paper buried in the corner of your garden, north by north west, five paces from the mango tree, two paces from your mother’s favourite rose bush.

According to Wired, an analysis of 34,000 hacked MySpace accounts found that the most common passwords were: “password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.” Yes, would you believe that even “password” is still used these days. I was surprised not to see variations of “secret” or common first names in there. If you want to go further, here is a list of 2000+ of the most common passwords. (Yours there, perchance?)
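As an added example (not code from the original post), here is a small Python checker that tests a candidate password against a blocklist built from the twenty MySpace passwords quoted above. Before comparing, it normalises the candidate (lower-case, undo a few common leet substitutions, strip trailing digits and punctuation) so that the “word plus 1” variants that dominate that list are caught together with their base word. The blocklist, the leet table and the sample inputs are constructed for illustration; a real deployment would load a much larger list, such as the 2000+ entry one linked above, or a breached-password corpus.

```python
"""Check a candidate password against a normalised common-password blocklist.

Added example, not code from the original post.  The blocklist below is
constructed from the MySpace passwords the post quotes; the leet table is
illustrative, not exhaustive.
"""
import re

# Constructed blocklist: the twenty passwords quoted in the post.
COMMON_PASSWORDS = [
    "password1", "abc123", "myspace1", "password", "blink182", "qwerty1",
    "fuckyou", "123abc", "baseball1", "football1", "123456", "soccer",
    "monkey1", "liverpool1", "princess1", "jordan23", "slipknot1",
    "superman1", "iloveyou1", "monkey",
]

# A few common leet substitutions, undone during normalisation so that
# "P@ssw0rd" is treated like "password".  Illustrative table only.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "$": "s", "5": "s", "7": "t"})

# Trailing digits, punctuation and underscores ("monkey1", "Password1!").
_TRAILING = re.compile(r"[\d\W_]+$")


def normalise(pw: str) -> set:
    """Return every base form a password reduces to.

    Each form is generated from the lower-cased input: with trailing
    digits/punctuation stripped, with leet undone, and both combined, so
    that 'Monkey1!' and 'monkey' end up sharing the form 'monkey'.
    """
    lower = pw.lower()
    forms = {
        lower,
        _TRAILING.sub("", lower),
        lower.translate(_LEET),
        _TRAILING.sub("", lower).translate(_LEET),
        _TRAILING.sub("", lower.translate(_LEET)),
    }
    forms.discard("")
    return forms


def _build_index(entries) -> dict:
    """Map every base form of every blocklist entry back to that entry."""
    index = {}
    for entry in entries:
        for form in normalise(entry):
            index.setdefault(form, entry)
    return index


BLOCK_INDEX = _build_index(COMMON_PASSWORDS)


def find_common(pw: str):
    """Return the blocklist entry the candidate reduces to, or None if clean."""
    for form in normalise(pw):
        if form in BLOCK_INDEX:
            return BLOCK_INDEX[form]
    return None


if __name__ == "__main__":
    # Constructed sample candidates: the first four should be rejected.
    for candidate in ["Password1!", "P@ssw0rd", "monkey2024", "jordan23",
                      "correct horse battery staple"]:
        print(f"{candidate!r:36} -> {find_common(candidate)}")
```

The interesting part is the normalisation step: a plain string comparison would pass “Password1!” and “monkey2024”, yet both collapse to a word that is on the list. A registration form would call `find_common()` on the chosen password and refuse it (with the matched entry as the reason) whenever it returns something other than `None`.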

So, here’s the thing that’s been on my mind (and forgive me if this is ridiculously obvious to you): Most sites require your email address as the login these days, instead of some other arbitrary user name. Now if one of those sites leaks your email address together with your generic password (the one you use everywhere, including for your email account)… hey presto… someone has both halves of your Gmail or Hotmail login: the user name/email address AND the password. Then from there, who knows what else? The password-reset emails for every other account you own land in that same mailbox.

Granted, there are many reputable online companies out there who protect these details like nothing else. But who knows what will happen? It just takes one disgruntled employee, or a company going bust that isn’t quite on the ball anymore. Security is not my area, but I’d venture an opinion that online applications have created a security nightmare. Yes, I know Firefox has a neat system that stores your passwords, but you don’t always access your account from that Firefox browser.

The solution? It’s simple, really. There is a strong argument for using similar passwords for all the little and big web 2.0 services you sign up to, because practically, what else are you going to do? But I’d argue you should choose a completely new and separate password for each of your email account, your bank account and perhaps a key social networking service you use. Make those passwords the kahunas of passwords; keep them unique and separate from the generic passwords you use on other sites.
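To make the attack described two paragraphs up, and the defence recommended here, concrete, the following is an added Python simulation (not code from the original post). A small web 2.0 site is breached and leaks (email, password) pairs; the attacker simply replays them against a mail provider that, like most sites, uses the email address as the login name. The two users, their passwords, the breach dump and the mail provider’s salted-hash account table are all constructed for illustration.

```python
"""Credential stuffing, simulated end to end.

Added example, not from the original post.  Every address and password
below is constructed for illustration.  One site leaks (email, password)
pairs; the attacker replays them against a mail provider whose login is
the email address.  Only the user who gave the mailbox its own password
survives.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; stands in for the mail provider's store."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a candidate against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def build_mail_accounts() -> dict:
    """Constructed mail-provider account table, keyed by email address.

    alice uses her everyday password for her mailbox too; bob gave the
    mailbox a password used nowhere else, as the post recommends.
    """
    return {
        "alice@example.com": hash_password("monkey1"),
        "bob@example.com": hash_password("Tr0ub4dor&3-mail-only"),
    }


# Constructed breach dump from a small web 2.0 site where both users
# registered with their email address and their everyday password.
BREACH_DUMP = [
    ("alice@example.com", "monkey1"),
    ("bob@example.com", "monkey1"),       # bob's everyday password
    ("carol@example.com", "password1"),   # carol has no mailbox at the target
]


def credential_stuff(dump, accounts) -> list:
    """Replay each leaked pair against the target; return the emails that opened."""
    compromised = []
    for email, password in dump:
        record = accounts.get(email)
        if record is None:
            continue                      # nobody by that address at the target
        salt, digest = record
        if verify_password(password, salt, digest):
            compromised.append(email)
    return compromised


if __name__ == "__main__":
    hits = credential_stuff(BREACH_DUMP, build_mail_accounts())
    print("mailboxes taken over:", hits)  # alice's, and only alice's
```

Note what the mail provider’s salted, slow hashing does here: nothing. The attacker presents the correct password, so it verifies. Slow hashing protects a breached site’s users against cracking of that site’s dump; once the password is known, reuse is what hands over the mailbox, and bob’s mail-only password is the only thing that stops it.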