Wednesday, October 01, 2008

It's Me. No, Really, It's Me. Again.

Under every login and password field on every site that has one, there's this checkbox these days. Like on Yahoo.

checkbox under Yahoo login

I do not have a clue what it does. Well, I have some idea of what it is supposed to do. But it doesn't do it, whether I check or uncheck it, I still have to enter my password at random times. I tried to tell Yahoo about a new email address I wanted to use for a group, and I had to enter my password 4 times during the session.

Hotmail has one.

checkbox under Hotmail login

It seems to do something: when I log in and restart my browser, the mail page is open without me having to log in again. I do not use Hotmail enough to know if that is consistent behavior. But is that what either checkbox should mean? If it just pre-fills in your password, hasn't it fulfilled what it says it should do already?

Almost every site with a password has a checkbox like this, to somehow make it easier to re-log. Slashdot has a reverse one.

checkbox under Slashdot login

It does the reverse: it will log you out when you close the window or tab. Otherwise, Slashdot seems to let you be logged in forever, every time you return, which I like. The words used for this checkbox is awful, though. It barely tells you anything.

So so far, I have noticed a number of behaviors associated with these "remember me" password-checkboxes:
  • I am always logged in when I return

  • I am sometimes logged in when I return, and sometimes I am taken to the password page

  • I am always taken to the password page, and my login name is filled in

  • I am always taken to the password page, and my login and password is filled in

  • I am always take to the password page, no matter what I click or not

  • While using the service and being logged in, I get asked for my password. Sometimes repeatedly. (WTF, Yahoo? I mean, seriously.)

And in the cases where login and password are filled in, I am wondering what the point of the checkbox was, since every modern browser, even on phones, will remember the name and password for you. Which means that either this checkbox was supposed to log me in and bypass the password page and didn't work, or the programmer is doing extra work the browser could have done anyway.

Passwords on the web are hard. You have to, as a web service provider, somehow make it safe enough for your legal team to approve, easy enough for users to use, and there are a lot of conventions but few standards on what really is good enough. Users will try to log in from every terminal on the planet, mobile, kiosk, at home, work, with different levels of security and snooping, and you want to minimize fraud to keep your costs down and make users like you. The result is this hodgepodge of checkboxes that more or less work, and, oh yes, the fact that all of us web-users have about 200 passwords to keep track of, or so. Or 2000, or 20, I have no stats here.

But even 20 passwords means you, as a user maintaining your passwords, need a system. For most people the system is to fill in the same password everywhere. You are not supposed to do this, but we have no choice: our memories, varieté acts excluded, simply are not built to remember 20 completely different strings of letters and numbers of various cases, flawlessly, unless we have to enter and use them almost every day. And nobody wants to do that. The ability to do mental password management to the level that would make security teams happy has simply not been an advantageous trait long enough (40 years? 20?) for evolution to select on it. No really, it will take longer than this for us to evolve to have password super-brains. In the meantime we will do what security experts tell us not to do because it makes us unsafe and will allow people to usurp our online identity: write them down, use easy words, use an easy pattern of mixing up the same words, repeat the same passwords and patterns. And since these checkboxes are actually making us fill in those passwords less, we are less prone to remembering them and more prone to use 'easy' passwords. But without these checkboxes, who would want to use the web, having to enter their 20 random strings per day?

Oh, by the way, now try doing this on the mobile web, with its T9 or touch-the-glass keyboards with lousy ways of implementing the shift keys. Fun fun fun. Is it any wonder people opt for all number birth date passwords? Can we blame them?

I am getting fed up with more logins and passwords. I am at the point where I will order at a premium from Amazon just so that I do not have to give my identity information to a random site yet again. I feel like every time I make a new login I am increasing my chances to be snooped on or defrauded or have the site owner look at my password and think "Hmmmm, I wonder if he used that one on other sites as well..." I have more recourse if someone runs off with my credit card than if someone logs in as me and ruins my reputation through posts and comments and reviews.

I wish OpenID was used more. I switched to Disqus for my comment system here so that I could have threading, but also so because I could set up the whole thing at Disqus for this blog without having to create another password, I could log in using OpenID on Clickpass with GMail account. It's like finding PayPal on a merchant's site: you choose your stuff, click on PayPal, get taken to the PayPal site to pay, and get sent back to the merchant. PayPal is your identifier for payment at the merchant site, just like OpenID allows big name websites to be your identifier at sites that otherwise would need you to make a new password. Google, like Yahoo, LiveJournal, and AOL, are OpenID producers in that you can use your logins at those sites as a login for sites that are OpenID consumers, like Disqus and Ma.gnolia. I like that. A quick redirect, a confirmation, and I am done. Feedburner did make me make a new login and password, but once that was up I could use OpenID to have it recognize this blog as being mine. I would still have to enter my credit card number and addresses if I made a purchase -- I haven't paid for anything on a site that used OpenID for identification -- but as said, my card has good fraud protections. My passwords do not.

But isn't it unsafe, trusting your identity at one site with the security of another? Should Amazon rely on Yahoo keeping passwords safe? I think this is a non-issue. Sure, of course I have the brain that has created 2000 mixed-caps numbers-and-letters totally random non-patterned strings for use as passwords on the web, and I remember them all flawlessly going from site to site as I do without ever having written them down, honest no srsly, but I think very few other people have. Having looked at users I feel pretty confident in saying that people recycle logins and passwords so much already that the web in general is vulnerable to the fact that if you get one password for one site for Pat Webuser, you pretty much have them all. I do not know why phishers try so hard to recreate banking sites: just find a way to have people make an account for something nice you actually have and can send them, and I am sure just using the same login and password on the top 20 US banks will hit jackpot. But as said, I have no hard numbers. It's just what I think is true.

While using Yahoo's or AOL's password systems as identification across many websites will only make cracking those passwords more attractive, I'd rather trust them than the next shop that uses their own deployment of WebMerchantInABox 3000 on god knows what server where. It's why I still like finding PayPal on a site even though they are scary scum when it comes to conflict resolution: I get to pay the merchant without telling the merchant my data, and I know PayPal will do its true best to keep my payment data safe. OpenID is much like that.

Except for the little problem that there's more useful web sites trying to be OpenID producers than consumers. When I read Yahoo and Google were embracing OpenID, I was all up hoping I could get rid of at least one password, or merge the indentities. Not so. Each site will let you use their name and password at sites that are OpenID consumers like Disqus, but they aren't OpenID consumers themselves. Even LiveJournal, which has strong ties with OpenID, allows a web user only to use OpenID identification for comments, but if you want to set up a blog, or get specific privileges on other blogs on the site, you still have to set up a full LiveJournal identity. This lack of support on the consumer side is annoying -- I really would have liked to have cleaned up a lot of my identities, and it would only have made me more loyal, not less. And I would be less confused by password checkboxes.