Password hygiene and my word of the week

Crogglement: The state of being paralysed with shock or surprise.

That’s my word of the week. It is one way to describe my state of mind last week when I was doing some password hygiene. Other words would be more familiar to you, but less polite.

My experience overlaps two topics that are critical to all of us: security and privacy. I’ll recap two essential principles, and then share my experience.

A privacy principle

Every company that stores user information is aware of the risk of data breaches. Every company in South Africa must know that the POPI (Protection of Personal Information) Act takes effect on 1 July 2021. And companies in other countries must already comply with similar legislation, like GDPR.

One cornerstone of data privacy is that an organisation must have a business or legal reason to keep a user’s data. You can’t collect user data for fun. And without a compelling reason, you can’t keep it if the user doesn’t want you to have it. I’ll come back to this in a moment.

A security principle

Nobody wants their bank account hacked or their identity stolen or their private medical history made public. When it comes to passwords, we want everyone to act responsibly.

  • You, as the user, are responsible for using a strong, unique password for every account. You must keep it secret and change it as soon as you learn it may have been exposed (a breach notice, or a warning from your password manager).
  • You, as the developer, must store that password responsibly: never in plain text or reversibly encrypted, only as a salted hash from a deliberately slow algorithm (bcrypt, scrypt or Argon2), and you must give users a working way to change the password and to delete the account.
  • You, as educator / trainer / support, must teach and encourage users to exercise good password hygiene.

Good password hygiene is an ongoing process. It means having strong, unique passwords that you keep secret. And it means checking the health of those passwords and changing them if necessary.
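To make the developer’s side of that principle concrete, here is an added example (mine, not from the original post or any product it mentions) of what “store it responsibly” looks like in Python’s standard library: a salted scrypt hash, a constant-time comparison on login, a minimum length check that also rejects PIN-style all-digit secrets, and a self-service password change that insists on the old password first. The record format `scrypt$n$r$p$salt$hash` and the function names are my own choices for this illustration.

```python
import hashlib
import hmac
import os

# scrypt is memory-hard: n=2**14, r=8 costs about 16 MiB per hash, which
# stays inside hashlib's default maxmem limit. Raise n as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen passwords


def validate_new_password(password: str) -> list[str]:
    """Reject only what genuinely weakens the secret; no composition rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("digits only (a PIN is not a password)")
    return problems


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$hash_hex.
    A fresh random salt per user means equal passwords give different records."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time, so a malformed record or wrong guess leaks nothing."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except (ValueError, TypeError):
        return False


def change_password(record: str, old: str, new: str) -> str:
    """Self-service change: prove knowledge of the current secret, check the
    new one, then return a fresh record (new salt, new hash)."""
    if not verify_password(old, record):
        raise PermissionError("current password is incorrect")
    problems = validate_new_password(new)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(new)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(validate_new_password("1234"))
```

Note that the record carries its own cost parameters, so you can raise `n` later and re-hash each user on their next successful login without a migration.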

Passwords are like rabbits

Passwords multiply.

I like the convenience of doing things online – shopping, paying accounts, or whatever else. Why waste time travelling (or waiting for a call centre agent) when I can do it with a few clicks of the mouse? As a result, I have a lot of username/password combinations for different sites. Some of these I might only have used once, or a long time ago. One example is an airline logon created when I bought a flight to the UK in 2015, and the airline needed to send me flight status updates.

I also store document passwords and other important information in my password manager. So it should come as no surprise that, according to my password manager, I have a few hundred items.

Why I am croggled

As part of my password hygiene, I know I need to change some passwords. These are for old accounts and sites, when I was still trying to remember some of my passwords. (If you are still trying to memorise your passwords, please read my article about password managers.) A good password manager will tell you if you have duplicate, weak or compromised passwords.
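Here is an added example (my own code, not from the post or any password manager) of how those three checks work. Duplicates are a simple count across the vault, “weak” here means short or all-digit, and “compromised” uses the k-anonymity range lookup popularised by Have I Been Pwned: the client hashes the password with SHA-1, sends only the first five hex characters, gets back every suffix with that prefix, and matches the rest locally, so the full password never leaves the machine. The breach corpus, its counts and the vault entries below are constructed for the example; in practice `range_lookup` would be an HTTPS call to the real range endpoint.

```python
import hashlib
from collections import Counter

# Constructed stand-in for a breach corpus; the counts are invented.
LEAKED_PASSWORDS = {"password": 3_861_493, "123456": 23_547_453, "1234": 500_000}


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus the way a range API does: 5-char prefix -> {suffix: count}.
BREACH_INDEX: dict[str, dict[str, int]] = {}
for _pw, _count in LEAKED_PASSWORDS.items():
    _h = _sha1_upper(_pw)
    BREACH_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def range_lookup(prefix: str) -> dict[str, int]:
    """Server side of a k-anonymity range query: the caller reveals only the
    5-character prefix and receives every suffix that shares it."""
    return BREACH_INDEX.get(prefix.upper(), {})


def breach_count(password: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = _sha1_upper(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def password_issues(password: str) -> list[str]:
    issues = []
    if len(password) < 12:
        issues.append("weak: shorter than 12 characters")
    if password.isdigit():
        issues.append("weak: digits only (PIN-style)")
    seen = breach_count(password)
    if seen:
        issues.append(f"compromised: seen {seen} times in breaches")
    return issues


def vault_health(vault: list[dict]) -> dict[str, list[str]]:
    """Return a site -> issues map for every vault entry that has a problem."""
    uses = Counter(entry["password"] for entry in vault)
    report = {}
    for entry in vault:
        issues = password_issues(entry["password"])
        if uses[entry["password"]] > 1:
            issues.append(f"duplicate: reused on {uses[entry['password']]} sites")
        if issues:
            report[entry["site"]] = issues
    return report


# Constructed vault for the example; these are not real accounts.
SAMPLE_VAULT = [
    {"site": "airline.example", "password": "password"},
    {"site": "shop.example", "password": "password"},
    {"site": "bank.example", "password": "1234"},
    {"site": "mail.example", "password": "xK9#vL2$mQ7!pR4wN8"},
]

if __name__ == "__main__":
    for site, issues in vault_health(SAMPLE_VAULT).items():
        print(site, issues)
```

The “bank.example” entry is exactly the 4-digit PIN situation described later in this post: it fails the length check, the all-digit check and the breach check at once, and there is nothing the user can do about it until the site allows a real password.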

While checking passwords, it also made sense to delete accounts that I no longer need.

My good intentions ran into three problems:

  1. Some sites no longer exist. I wonder what happened to my data? Frustrating but futile – there is nothing I can do about this.
  2. Some sites will not let me delete my account. Aaaagh! See the privacy principle above. If a user has the option to create an account, the user should have the option to delete it as well.
  3. And one glorious site will not even let me change my password! Double Aaaagh! (I changed my email address to garbage and deleted whatever information I could.)

Update on 2021-05-13: I experienced some more new and interesting problems during my daily task of updating 5-10 passwords:

  1. On one site, the login is a 4-digit PIN. There is no password. I can change the PIN – to another 4-digit PIN. Not exactly a strong password…
  2. On another site, I can only change the password by pretending to have forgotten my password. But then it created a whole new profile for me without the rest of the account information!

Do you see why I am annoyed? I tried to do the responsible thing, and some (impolite adjective) developer wouldn’t let me!

Hence my state of crogglement. I don’t even know what to say. Please, please don’t do this to your users.

Have you had this problem as well? Or maybe you know why I am not able to delete some of my accounts.
