The case for simple passwords
So this website looked promising and I wanted to sign up, so i tried using a password that was simple (so i can remember it), but unique to this site. Apparently it’s not good enough:
Ah crap, now i have to add a more complex but memorable password, the one i use in 1934 other important (to me) websites. Let’s see…
Oh doublecrap, now i’m gonna have to use my more secret password, the one i use for 10 websites including my work email. Sucks but let’s do it…
WTF? The only other memorable password i have is my email password, which i think i use for my bank as well. There are only so many passwords i can remember without confusing them, and i dont want to distribute my main password all around the net, along with my email address.
End result: I did not sign up
Why do we keep enforcing non-memorable passwords, instead of complex but memorable words? The main problem with passwords i believe is no longer their resistance to brute force attacks, but the fact that security leaks from one website can be used to target the user’s accounts on other sites, which can be far more damaging. Non-english users could easily use a phrase in their native language as a password, especially if it contains multiple non-ansi characters, why do they have to add a Capital letter or a number? I also wonder if brute force attacks can’t be effectively limited by imposing a rate limit on login attempts or requiring an email verification every once in a while.
i rest my case.
Hey internet giants, you’re no longer startups, get some customer service
It’s easy to make big money when you get to keep all the profits. That’s how most american IT behemoths work, but it’s time to put an end to it. It’s a well known fact that companies like Google or Paypal, among the world’s most important companies for online vendors don’t offer regular support. “It would cost too much” is the adage we ‘ve been hearing since 2000. The internet is accustomed to it and, in a sheepish way business owners bow down to their overlord’s caprices.
Relying on automated support systems is no longer adequate. As the amount of online fraud grows over the years, automated systems are becoming less efficient. There is no accurate measure for that, however it’s anecdotally known that it’s more common nowadays for google to shut down perfectly well-standing and long-standing adsense accounts for invalid activity without providing the actual reasons for shutdown. Ditto for paypal withholding the funds of customers. Indirect evidence can be found in google trends that shows that, while paypal has a more or less steady account block rate, google adsense has steadily risen its account blocking rate in the past years. These searches most probably are generated by legitimate users and not actual scammers, as it is unlikely that a scammer would actually look for ways to fix the situation.
The anecdotal feeling is nowadays that, while paypal doesn’t offer good user support, it is still better than google at handling user support requests and you can actually reach them if you try hard enough. Google doesn’t offer that option, not even for big customers. As more and more businesses rely on google’s commercial services, with google wallet being integrated in Gmail and a number of marketplaces that Google is launching, there should be pressure to google to expand its user support division. Unfortunately, even if there is a sea of merchants who need that, they are not coordinated enough to lobby big companies for that. One possible opportunity is to get the legal system and governments involved in this so as to require an adequate level of merchant support. In the past, the European Commission has created a number of regulations that actually enabled competition and/or forced companies to change their policies, generally to the benefit of users. As more and more merchants rely on internet monopolies to conduct business, the EU should step in to make a positive change there too.