BBC News
Last Updated: Monday, 18 October, 2004, 07:10 GMT 08:10 UK
My online password jumble
We will never make the online world a reality while we are stuck with multiple user accounts and passwords, argues technology analyst Bill Thompson.

Windows wants me to change the password on my laptop, as I have had the same one for three months now.

It has been telling me this for the last week, and it is starting to get irritating.

Not welcoming the prospect of having to think of yet another memorable but hard-to-guess collection of letters, numbers and punctuation characters, I sat down this morning and used the control panel to set my password so that it never expires.

I know that I should change the password regularly, in case it gets compromised, but I already have too many to remember and I just could not face the hassle of inventing and remembering a new one.

It is not just Windows. I have got passwords and secret words for my bank accounts, loads of online shops and services and subscriptions to various newspaper and magazine sites.

Total mess

The mailing lists I subscribe to have web-based interfaces that require a password too, and then there are the logins for the Unix server that runs my personal website.

At a rough count I have 30 separate accounts with different services.

In fact most of the passwords are variants on four main ones, ones that I have used for several years. I am fully aware that this is really bad practice, but I am just not up to remembering more.

One or two are different - the password for my Cahoot account is a maximum of eight characters, so I have had to shorten one of my usual passwords to fit, and I need to remember this each time.

It is not just passwords. I also have dozens of different logins. Some sites require me to use an e-mail address, others will not let me.

Some are happy with punctuation in names, others will not allow it. It is a total mess.

I opened a Gmail account last week, in the spirit of investigation (and not for real use as I still don't trust the ad-serving model Google have built), and had to come up with yet another username.

But I reused one of my standard passwords, because I simply do not have the time to think of new ones.

Sadly, few publishers or site providers seem to care about the situation, even though it is probably damaging people's willingness to sign up.

Single identity

My friends at openDemocracy.net are currently in the middle of redesigning their user registration system, but all the focus is on what the database should hold.

Nobody has considered the possibility of using a standards-based shared solution.

I do not want something like a password manager or vault that will store all of my separate logins. I want a single login, where I can control what personal information is shared between the various services.

The dream is a single online identity that can be validated once, perhaps with a series of passwords and questions, or even some biometric measurement like a fingerprint or iris scan, and accompanied by a hardware token like a smartcard.

Once authenticated, the identity can be used anywhere.

Microsoft's Passport was supposed to be the solution, and for a while after it was launched the company touted it as the only sign-on you would ever need.

The idea was that companies and websites and service providers would sign up to use Passport, and then Microsoft would validate your identity.

At the same time Microsoft would store all your confidential data and the details of all your accounts. Microsoft would also keep your digital cash in a Passport-linked wallet. And Microsoft would control the technology to ensure that it all worked smoothly.

You can probably see the subtle flaw in the plan.

Single sign-on

A number of well-publicised security flaws in Passport meant that it was never widely adopted, and now it is little used outside Microsoft-owned sites and services.

The alternative is the Liberty Alliance's federated digital identity scheme, an open, standards-based approach that provides a technical infrastructure that anyone can sign up to and use.

Despite its technical success, it too has failed to achieve the necessary level of support, meaning that websites and services are still implementing their own sign-on services, relying on the provably inadequate user/password scheme, and even creating their own arbitrary rules for password construction.

Three years ago government online services started experimenting with providing digital certificates, to be used instead of password login for access to tax payment and other sites. The take-up was so low that the idea was dropped.

But if the new e-government team wanted to do us all a favour, they would look at a single sign-on system for government services that could be adopted easily by commercial websites too.

After all, if I had the same login for reading Media Guardian, buying from Amazon and filing my tax return, I might have been more tempted to go to the Inland Revenue site last month instead of filling in the paper form.

Bill Thompson is a regular commentator on the BBC World Service programme Go Digital.
