Earlier this week, Microsoft put out a little blog post detailing the latest tactic it is using to help keep its users' accounts secure. By watching the millions of attempted attacks that happen daily, Microsoft can build a dynamic list of passwords that attackers are using as guesses and then ban you from using those, automatically! The new restrictions come on the heels of a 2012 hack of LinkedIn that leaked about 117 million passwords and emails, and they will help make millions of users' accounts more secure. It's what any reasonable company that cares about the security of its users would do!
Ugh, I hate it so much.
Let me be clear: I don't think that people who don't pick good passwords deserve to pay some sort of price. It's not even because I am too lazy to create a good, strong, unique password, though I will admit that this plays a part. I hate it on principle.
Any time a service tries to tell me that my password isn't good enough, it is making a value judgement on my behalf. It is making the tacit, self-important assumption that the account in question matters more than my convenience. It's making the presumption that this account is not only worthy of protection by a password, but worthy of the best protection by a real top tier sequence of letters and numbers. The assumption that, surely, this account is so important that not only should I protect it this way, but that I must.
You don't know me, man.
I'm not the kind of person to argue against things like mandatory seatbelt laws. The value of something like a human life is something I think we can all (mostly) agree on. The value of the ones and zeros I make with my dumb emails? Up for debate!
Think of it in terms of boxes for a minute. Some of the boxes in your life will be used to hold some very important and perhaps irreplaceable things like a family heirloom, or important documentation. The cost of losing these things is very high and so is a thief's incentive to steal them. On top of that, the urgency and frequency with which you'll generally need access to them are so low that it only makes sense to protect them as well as you can.
But other containers—like the tupperware you bring a sandwich to work in or the little plastic box where you keep your paperclips—are on the other end of the spectrum. The cost of losing them is low, and so is the likelihood that anyone wants to steal them. Not only that, but you'll open them daily if not more often. Why would you ever want to protect these things with the same, annoying degree of security as you do your most prized possessions?
Welcome to the internet, where every box has a lock! It's already bad enough that passwords, on the whole, tend to be mandatory. It's been that way for so long that it feels like a no-brainer. Why would I want to leave an account open to anyone who just says they are me? But some accounts really don't need this kind of protection.
The Imgur account I made to host pictures I share on the internet so I can find them again if need be? Have at it! The Scribd account I made because, well, I don't quite remember why? Sure! The Pinterest account I decide to try using once every three months? Fine! If you can be bothered to try to get into these, have at them. They're like open-topped boxes I keep on my desk; they're for organization, not security. I am thankful daily for wonderful services like Mailinator, which embrace a password-free philosophy with open arms.
So it's only worse when passwords I already considered to be cursory suddenly have to be unique and strong. If just any old password will do, fine. I will just use the single, easy-to-remember password that I use on all accounts I don't really care about. But if it needs to be "strong," then what? I probably should take the time to come up with something unique for that account, but I'm far more likely to just use the same "strong" password I've already used for accounts I do care about, the same key I use for boxes with stuff I care about inside. I shouldn't but I will. The end result is that my whole digital life is just slightly less secure, and why? Because some dumb shoebox demands I keep it locked up tight because obviously that is where I keep my life savings.
I'll admit that I am an edge case. I have an extra Gmail account that I log into when I'm trying to work distraction free. I have bad joke Twitter accounts I use maybe twice a year, and a handful of ill-advised and exceedingly unimportant Tumblrs. To a normal person, any one of these accounts might be wildly important—my main Twitter and Gmail and Facebook accounts are to me! And no, it wouldn't be fair or smart for these companies to let millions or tens of millions of people accidentally leave themselves open to attack. I understand why the world works this way and I don't have a great alternative. Also yes, I could (and do) use a password manager, but even having to log into that can be a pain, especially if you don't pay for access on mobile devices, are on a strange computer, or are using a different browser.
Regardless, it's the principle of the thing that really gets to me. Until the fine—and hopefully close—day when the password is replaced for good, I'll have to keep doing this little dance. No you can't use that grubby little password; this is an important account and it deserves the top-notch protection, every stupid, one-use, not-quite-disposable-but-almost service will say. And I'll roll my eyes and type in a 15-character alphanumeric password with twelve non-repeating letters (alternating upper and lower case), three numbers, two symbols, my deepest regrets, a wingding, and a middle finger emoji.
Whatever you say, man. I mean, what else am I going to do?