The Computer Vet Weblog

Peterme pointed to Bonnie Nardi’s interview about designing software to be easier to use. The article itself makes plenty of good points, and ties in a lot with The Inmates Are Running the Asylum, which I’m reading now. But Peter picks up on the one point she makes about not liking passwords, and in his short comments seems to dismiss them enPeterme pointed to Bonnie Nardi’s interview about designing software to be easier to use. The article itself makes plenty of good points, and ties in a lot with The Inmates Are Running the Asylum, which I’m reading now. But Peter picks up on the one point she makes about not liking passwords, and in his short comments seems to dismiss them entirely. Maybe he’s had some bad experiences with passwords in the past.

As a sysadmin myself, I suppose I’m one of those “IT types” who has “convinced us that we NEED these things.” I agree that managing passwords can get out of hand, and having to enter them constantly seems like too much of a hassle for little benefit. But, if I may play devil’s advocate for a while here, the computer password is not the only intrusive and annoying security (authentication?) device out there. I don’t hear people complaining much about keys (“You mean I have to carry this little metal thing with me everywhere just so I can drive my car?”) or IDs (“What do you mean you won’t let me withdraw $2,000 from my account without an ID?”) or combination locks (“It’s so annoying to spin that little dial when all I want to do is take my bike off the rack”). I see a password as just another way to protect what’s yours, and make sure that access to your stuff is limited.

It all comes down to a matter of trust. Do you trust the public at large to not steal your car or bike or touch your bank account? Do you leave your house unlocked when you go out for the day, trusting that no one will just walk in and help themselves? Do you trust that no one will log into your e-mail account and go through your Inbox? Sure, if you forget a password, you’re locked out of your computer, just the same as if you lose a key, you’re locked out of your car. That doesn’t make keys unnecessary, any more than it does passwords. The difference seems to be that people have had time to get used to keys, where password computing is relatively new.

At my company, we have a high level of trust. Most passwords are simple, and all the same. Most usernames have access to almost everything. It’s the same as living in a building where everyone trusts each other and leaves their doors unlocked. But, a stronger system is there, just lurking under the surface. The higher-ups have complex passwords. Some of the network shares have restricted access. A security plan is in place just in case we need it, where we could change passwords and lock down data. It’s the comfort of knowing that your door does have a lock, even if you never use it.

Protecting data is sometimes necessary. We need a system that lets certain people in and keeps others out. In the real world this is done with doors and windows, locks and keys. On the computer, passwords are just about all we have. You can tell the night watchman that Sally is allowed in the building after 8pm; the watchman knows Sally by sight, so he’ll let her in when he sees her. You can tell the computer that Sally is allowed access to the accounting data, but the computer has no idea who Sally is. Sally can only interact with the computer through a keyboard and mouse, so the possibilites are very limited. The computer asks “Who are you?” Sally can type *sbergman*, her username. But how does the computer know it’s really Sally? What’s to stop Richard from the mailroom from typing *sbergman* and being able to look at all the accounting data? Sally needs some way to prove her identity, and a password is just about all there is right now.

We do need something better, since passwords aren’t all that great. PassFaces are out there, but they seem even worse. Biometrics are up-and-coming, but still pretty expensive. What else is there? How else can Sally prove to the computer that she really is *sbergman*? Like them or not, passwords are here for a while.