Beef: Usernames are a Terrible Login Requirement

Loren — Wed, 20 May 2009 21:51:28 +0000

I tried to log in to an old last.fm account today, which I have not accessed in years. This should be simple for me using my handy-dandy password algorithm method – except that Last.fm wants to throw a curveball my way. They require a username and password to login. And, as their designers cackle maniacly smoking Havana cigars in their evil island fortress, they even require a username to retrieve forgotten passwords.

Let me make it clear to Last.fm and every other website in existence: I haven’t the foggiest clue what your specific username requirements were when I registered, or whether I decided to use my first name, full name, moniker, or favorite Steinbeck character. But I do remember something very well – the same email that I’ve used for the last 6 years. Ask me for that for login credentials, and we’ll get along just fine.

Interaction Designers – I’m looking squarely at you. This is our job. In my opinion, a username is a completely invalid login requirement for all but the most fundamental credentials, such as your OS account, or for bank accounts (which can claim the “higher security” excuse). What do you think?

— Update —

@salConigliaro points out, “At the very least let me use my email address as my username.” While I agree, this also means that your publicly displayed username, assuming that’s why the user name exists in the first place, has to be your email address. For both privacy and formatting concerns, this may be less than ideal.

Password Algorithms: Create and Remember Unique Passwords for Every Account

Loren — Tue, 20 May 2008 00:33:39 +0000

Like most people, I have hundreds of accounts for various websites, software, and services. Unlike most, I have a unique, strong password for each site – and can remember every single one. In essence, I take the name of the site, run it through a standard mental algorithm that also does a little encryption, and use that as the password.

This means I never have to use a password manager, have many unique passwords, and can even “guess” my password for accounts that I haven’t logged into in years. There are many security benefits to having unique, strong passwords for all your accounts.

Here’s how to do it:

1. Take the “title” or “name” of the website, company, or service – whichever jumps out at you first.

Example: We’re going to use Yahoo, located at www.yahoo.com. The name and URL of this website are pretty obvious – so the word “yahoo” is what we’ll start with.

2. Choose a length.

Many sites will enforce a 6 or 8 character minimum, so I’d recommend something at or above 8 characters.

Example: Let’s choose 10 characters for our Yahoo password. At this point, we have 10 blanks to fill in: __________

3. Begin the algorithm.

What you want, ultimately, is to use some of the characters from the site name, transformed enough to be difficult to decipher, mixed in with various other characters to form a strong, random, and yet recreatable password.

Example: We’ll start by using the last letter of the name to fill in the first blank, and the first letter of the name to fill in the second blank. In the case of yahoo, we now have oy________. In my opinion this is still too easy to crack, so let’s take the third letter of the name, increment it by one letter, and use it for the last letter of our password. For yahoo, the third letter is ‘h’, which becomes ‘i’ when we go up one alphabetically. Now, we have oy_______i

4. Fill in the blanks, using alphanumeric, capital, and non-alphanumeric characters.

Capitals, numbers, and non-alphanumerics greatly increase the strength of your password by using a larger set of choices. Keep in mind that these characters will be the same in every password you have.

Example: I’ll use the last four digits of an old phone number but hold down the shift key to produce some tough characters. The number is 4321, so holding shift while typing these produces “$#@!”. Now our password is oy$#@!___i

I’ll add a caps and number that I’ll remember – 2EZ. Our finished password is: oy$#@!2EZi

5. Repeat, repeat, repeat!

Keep using this technique for all your passwords, using the same algorithm each time.

Example: Our algorithm might sound complicated, but is memorized quickly. Last letter of the product, first letter of the product, $#@!2EZ, third letter of the product incremented up one. It becomes clockwork.

6. Remember…

Be creative in your algorithm, keep the fact that you even use one a secret, and make sure the “variable” letters are tough to determine. If I host a random site called www.blah.com and I see your password in my database is “halb1234″, your algorithm will not be that tough to figure out!

Once you have put this technique to full use, upon arriving at a site, your account password is simple to recreate by using the same algorithm.

A Clean Design » passwords

Beef: Usernames are a Terrible Login Requirement

Password Algorithms: Create and Remember Unique Passwords for Every Account