Tougher Passwords Are Easier to Forget and Lead to Productivity Loss, Occasional Misery -- Campus Technology

Share this Page

Tougher Passwords Are Easier to Forget and Lead to Productivity Loss, Occasional Misery

04/26/06

OPINION

By Terry Calhoun

In the last year, how many hours have you spent trying to remember a password or a user name? How many minutes waiting for unconcerned servers to spit out a “reminder” email message? How many times could you not access something because your search for a reminder did not succeed? Have you created new and duplicate accounts because it was easier than getting reminded, or remembering?

I know, I know…people who are well-organized probably have every user name and password that belongs to them in their handy printout in their wallet, or encrypted on their handheld device. But what happens when their wallet gets stolen? Or when their handheld’s memory gets trashed?

If I look back to 1996, a mere decade ago, and reflect on where I thought we would be in this regard in ten years…well, surprise. It isn’t where we are.

Rant: Whatever happened to all of the wonderful things biometrics were supposed to be doing by now, anyway? I know that some newer laptops have thumbprint pads built in, but I’m not seeing them used by people I know.

I have a number of sets of passwords and user names that I need. There are those that relate to the University of Michigan (UM), those that relate to the Society for College and University Planning (SCUP), and those that relate to my volunteer work with various other nonprofits like the Professional Disc Golf Association (PDGA), the Association for the Advancement of Sustainability in Higher Education (AASHE), and more. And there are those that relate even more to my private life, such as MySpace, Yahoo!, and Google Groups, my Consumer Reports online subscription, my New York Times Select membership, and a whole lot more. That d'esn’t even count bank accounts and things like that.

To top it off, many sites now have semi-intelligent programming that forces you to choose a high security value password. That translates to an “easier to forget password.”

I have a small savings account. It is the only account I have with a particular bank. It collects a monthly stipend from the Veteran’s Administration (a remnant of my Vietnam tours of duty). Tiny bits of money get put in monthly and then, once or twice a year, near someone’s birthday or the winter holidays, I go to the bank and have to explain that I have no idea what my account number is, but can I please withdraw a sum of money. Of course, they accommodate me. They also tell me I’m far from the only one. I bet that’s true to some of my other password and username practices.

That’s why I am looking forward, this coming weekend, to sit down to read the entire 160-page new ECAR report, “Identity Management in Higher Education: A Baseline Study.” I’ve already skimmed the Key Findings document and the Roadmap, both of which are downloadable without a fee on the EDUCAUSE Web site. This seems to be one of the more important ECAR reports in a while (and they are all good), so I recommend that you look at those two subsets, too.

Bonus: Last winter I interviewed Richard Katz (who heads up ECAR) and Dianna Oblinger (who heads up the ELI) of EDUCAUSE about future trends. You can read that article from my employer’s quarterly journal, Planning for Higher Education. It is entitled “Looking Forward to the Campus of the Future.”

I enjoyed reading the ECAR Key Findings, but didn’t really think of writing about that report until I read the Reuters story, “Password Overload Hitting Firms’ IT Security: Study." This report, based on a study in Great Britain, notes that British industry loses something like $20 billion per year due to various security issues like hackers, viruses, spyware, theft of hardware, and the like.

In light of the number of serious security risks, I found it interesting that the study emphasizes the risks (and financial losses) created when employees (students, faculty, and staff) have to keep track of too many passwords and ID combinations. The report said that “Poor IT procedures can make companies vulnerable. The study found that employees have to remember an average of three different user IDs and passwords, while in two percent of companies, staff have to recall 10 different IDs. The more IDs and passwords users have to remember, the more likely the business is to have had unauthorized access.”

To be frank, I had not previously thought of the need to simplify ID and password combinations because we poor humans simply can’t handle that much information. When we have to, we do things like write passwords on sticky notes, etc. But there are other, less obvious losses. Some of these are due to loss of productivity because of user inability to gain access to resources.

For example, my wife’s employer requires an employee ID be slid into her laptop (which she just got for the first time from her very, very, very big global company), along with an ID and password combo, just to turn it on. For her to log in from outside the company’s LAN, to check email for example, she also has to reset and watch a pager-like device that produces a new 8-digit code every 20 seconds. That code has to be punched in while it is still a valid – before it changes in a few seconds.

She’s had the laptop for two months now, but has not yet successfully logged in to her email from home. That’s a lot of productivity that her company could be getting from her but is not simply because its IT is a little too complicated. It d'esn’t help that the same company consolidated all of its IT support in a physical location over 1,000 miles from here!

Even here at the Society for College and University Planning, we have several sets of passwords for our members and constituents to access or do various things online. We’d love to get to a single log-on, like our colleagues here at the University of Michigan have for so many things, but we’re just not there. It helps to see a chart in the ECAR study Roadmap that shows that only 10.2 percent of higher education institutions have “arrived” at reduced or single log-on passwords and identities.

If you haven’t experienced it yet, one of the worst things that can happen to you (especially if you are someone who d'es a lot of environmental scanning and has identities to access hundreds of online sites) is to lose the cached info in your Web browser. It’s happened to me (once or twice a year, actually) and it not only takes forever to recover, you never really know if you have fully recovered or not.

More lost productivity. Where is the answer to identity management in higher education? Who knows, but the recent ECAR study provides a nice baseline to measure forward progress. And it might help you feel a little better about what your institution can’t do. You, also, are not alone.