The Secret Life of Passwords



This week, the New York Times published an article written by Ian Urbina, titled 'The Secret Life of Passwords'. I have been talking with Ian about this article for a few months now and a lot of research on his part has gone into this extensive, fascinating investigation. I am quoted in the piece a couple of times, but I thought it might be worthwhile publishing my entire responses to Ian, as a supplement. So, here they are, pulled out of emails, slightly edited for clarity.  

Dear Ian, what a very interesting line of inquiry. 

You are right, this is not something I have focused on specifically in my published work, but I have given some thought to this in the course of my research. In particular, I have two comments to make, one around the prevalence of data mining for passwords and the other related to the future of verification. Here are some thoughts which may or may not be useful. Feel free to quote anything or seek clarification, if useful/interesting.

I agree that passwords are a very interesting gateway to personal life stories and what has been meaningful in our lives. I think we could quite reasonably say that the passwords we choose relate very closely to the things that matter in our lives. They are our secret autobiographies.

Unfortunately, mattering is a problem vis-à-vis security. This is because what matters to us, increasingly, is also embedded within our extended digital lives. Consider an anniversary, the date of which could be tagged in Facebook. Previously, someone might have used an anniversary as their password - perhaps their mother's birthday - but these dates are much more public now and so these meaningful passwords are much less desirable. In fact, if you look at the most secure systems, randomized, temporal, unique codes are the preference. The best passwords, it would seem, are those which are devoid of any meaning and impossible to guess.

Furthermore, it has become preferable for these passwords to be valid only within a fixed temporal period. The platforms which host our content ask us to change them regularly, sometimes every time we log in, as is the case for things like online banking. In this sense, the concept of passwords as being closely tied to what we care about is disappearing, as the number of places where we need to verify who we are expands. Instead, verifying ourselves is becoming a matter of having a unique string of zeros and ones - almost like our DNA - as more and more of our semantic selves is shared online. It seems that the more public we become, the more vulnerable we are.

So, in terms of the future, I think it is very interesting to reflect on present systems of verification, beyond passwords. For example, the Captcha verification system utilizes a kind of primitive Turing test to verify we are human, by requiring us to demonstrate we can understand letters, words and place them alongside each other. Yet, even here, one can envisage improvements that, for instance, take into account our character on a computer - how fast we type on the keys, the pressure we exert on them. This kind of system would get closer to something like a unique digital signature.

Did you see that Google just acquired SlickLogin - which verifies ID using sound waves? That's a nice example of how I think passwords will become a thing of the past - in your terms - part of our digital memoirs. I think one crucial element of this debate is the fact that passwords have, for a long time, been chosen on the basis of what we are able to remember, so they do, as you suggest, access aspects of our personal psychology in a very intimate way. What we choose is closely tied to our memories of the things that mattered most to us.

This is changing also as verification becomes a matter of biometric measurement. Already, the iPhone 5 uses a fingerprint verification and we have been aware of retina verification as a way of authenticating ourselves for some time now. So, the erosion of memory as a means of verifying who we are is, I think, inevitable. After all, it is a matter of reliability and our memories are more fallible than our biology.

In terms of academic research on this, in my studies, I have come across a great deal that talks about personality and choice over passwords. For instance, some research discusses how what we choose as our passwords reflects what sort of people we are. We might choose meaningful people in our lives to whom we have emotional bonds, or we might choose things of which we are fans, for instance, a football player's name. In some cases, these choices may be relatively subconscious; they say something important about ourselves, even if we don't consciously identify them as such. What appears salient to us in terms of memory may just reveal itself to us, without much in-depth thought or consideration.

In my view, we have also to take into account two life courses when thinking about this. The first life course relates to our actual age; where we are and what we've gone through. If you are 13 and starting a Facebook account, you are less likely to choose a meaningful anniversary than a favourite pop band or sibling birthday perhaps. If you are older, your range of memories from which you can choose will be far greater. The second life course is our journey through technology.

If you have had to renew your work email password every 12 weeks for the last 10 years, you may well have exhausted your most memorable moments, but there again, what an interesting thing it would be to examine all of those passwords over the years and build a picture of somebody's life. I think it would be a wonderful window to their world and their lives.

We also have to take on board how universal passwords are being generated now by logging in with large social media applications, like Twitter or Facebook. This again changes how we project our sense of history and identity - in this case we tie those memories increasingly to the lives we have lived within these social media platforms.

I hope some of this may be useful, but happy to dialogue a bit more, if that's useful.

best wishes,

Andy

 

Some additional quotes sent subsequently:

"If passwords do become a thing of the past, there is something that we will lose as a result. Our daily encounters with personal memories, which have no place to be recalled elsewhere in our lives, will cease to be present."

"Passwords are a window to what matters to us in a most personal sense. They are not like anniversaries or like significant public landmarks in our lives like weddings or children being born. Instead, they are the things that may matter only to us. And so it is a loss of intimacy with our past that we sacrifice by ceasing to remember."

"While their demise will not change the fact that these things will still happen to us, we may stop thinking about these moments in the same way."

"In some small sense, we will lose part of our selves and, as a result, we will need to renegotiate our personal histories in the process."