NY Times Article on Managing Passwords – Implications for User Managed Identity (UMID)

Last week, the NY Times published an article entitled “If Your Password Is 123456, Just Make It HackMe.” The article, and the follow-on comments by readers, made a number of great points.

  • One out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.
  • That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.
  • Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks? Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age. “Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council.

The article drew over 140 comments from all over the world in just a few hours before the NY Times closed it to further comments. The most popular responses offered suggestions on how to make your password management more intuitive and secure.

There were some great suggestions for how people can manage site-specific passwords, but the bigger question is why you should need a unique username and password for every website you visit at all. Most corporations have deployed an approach called single sign-on (SSO) to eliminate this problem for their employees. Once you log in to your corporate intranet, you can instantly access sales, marketing, supply chain logistics, accounting, payroll, benefits, travel, 401K services, and a host of disparate web-based services via your corporate SSO identity – no unique usernames and passwords for each service.

Wouldn’t that be a great solution for people trying to access all their services on the web? Do you really need to have a separate username and password for your newspapers, magazines, phone company, utilities, airlines, college alumni websites, cable operators, hardware and software vendors, federal/state/local government agencies, car dealers, hotels, insurance companies, online retailers, etc.?

If you only had one or a few identities, it would be much easier and more practical to implement some of the article’s recommendations, like picking a complex password or resetting it periodically. And what if someone were managing that password for you, proactively monitoring it to assure that it wasn’t being misused – using sophisticated technology and procedures like those banks use to prevent credit card fraud? Then imagine that you only have to log in to that trusted password management service, and your logins on all the websites you use are managed for you by one trusted partner. As a result, your password is never shared with other websites or distributed across the web. Imagine being able to show up at the websites you use and just click a button to log in. No username or password to remember for all those websites.

Well, that solution is available today on over 9 million websites. The leading solution is based on an open source technology called OpenID, which is supported by Google, Yahoo, AOL, Microsoft, PayPal, IBM, Verisign, France Telecom, Telecom Italia, MySpace, Facebook, NEC, Mixi, and many others. There are also vendor-specific solutions from Microsoft, Twitter, and Facebook that provide similar functionality. The combination of these technologies is generally referred to as “user managed identity” (UMID). The general approach is that individuals create and manage their online identities by choosing one or more “identity providers” (IDP) like Google, Yahoo, Microsoft, PayPal, or Facebook to serve as their trusted agent for registering and logging into websites. You can read an earlier post summarizing recent developments in OpenID and UMID here.
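To make the key property of this approach concrete (the website you log in to never receives your password, only a signed statement from your identity provider), here is an added toy model of the flow. It is example code written for this post, not OpenID itself or any provider's implementation; the user store, the shared association secret, the `shop.example` audience and the HMAC-signed assertion format are all constructed assumptions.

```python
import hashlib, hmac, json, secrets, time

# Constructed credential store held ONLY by the identity provider (IdP).
# A real IdP would use a slow password hash (bcrypt/scrypt/argon2), not SHA-256.
IDP_USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}
# Constructed secret shared between this IdP and one relying party (RP);
# stands in for the association a real OpenID RP establishes with the IdP.
ASSOC_SECRET = b"constructed-association-secret"

class IdentityProvider:
    def login(self, username, password, audience):
        """User authenticates here, and only here. Returns a signed
        assertion for the named relying party, or None on bad credentials."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(IDP_USERS.get(username, ""), digest):
            return None
        assertion = {"sub": username, "aud": audience,
                     "nonce": secrets.token_hex(8), "iat": int(time.time())}
        body = json.dumps(assertion, sort_keys=True).encode()
        sig = hmac.new(ASSOC_SECRET, body, hashlib.sha256).hexdigest()
        return {"assertion": assertion, "sig": sig}

class RelyingParty:
    """The website being logged into. It never sees a password; it checks
    the IdP's signature, that the assertion was meant for it, that it is
    fresh, and that it has not been replayed."""
    def __init__(self, audience, max_age_seconds=300):
        self.audience = audience
        self.max_age = max_age_seconds
        self.seen_nonces = set()

    def accept(self, signed):
        """Return the authenticated username, or None if anything fails."""
        body = json.dumps(signed["assertion"], sort_keys=True).encode()
        expected = hmac.new(ASSOC_SECRET, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["sig"]):
            return None                       # tampered or forged
        a = signed["assertion"]
        if a["aud"] != self.audience:
            return None                       # issued for a different site
        if abs(time.time() - a["iat"]) > self.max_age:
            return None                       # stale assertion
        if a["nonce"] in self.seen_nonces:
            return None                       # replayed assertion
        self.seen_nonces.add(a["nonce"])
        return a["sub"]
```

The relying party's checks (signature, audience, age, nonce) are the minimum a site must perform before trusting an identity provider's answer; dropping any of them reopens the door that single sign-on was meant to close.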

So now is the time to become familiar with UMID. Try it on some websites when you see it offered as an option. And if you become a fan, request it from the other websites you use. As more websites deploy UMID options, and as more internet users demand it, we’ll achieve the momentum necessary to make this a standard part of everyone’s web experience.

See further comments here.