So I was sending out rapid-fire emails yesterday morning like I do every day, and after a few hours I started to wonder why no one was writing back. To my horror, I realized that I was sending out all of my work emails under my aunt’s email account instead of my business email address.
She had sent me her Blogger.com login over the weekend to help her set up her blog. Because I didn’t consciously log off as my aunt, and then log back in as me, Google (who owns Blogger) assumed that I was still my aunt. When I accessed Google Mail, I was still logged in as my aunt, so all of my emails went out from her account. It was an epic fail.
Passwords used to be very application-specific — one password for your blog, one for email, one for your photo Web site, one for YouTube, and so on. Because people complained about having to log in for so much stuff, Google, Yahoo, WordPress, Facebook and others have started creating “Single Sign-On” password credentials. Once you’re logged into one of these master accounts, you can pass seamlessly between their Web properties without being prompted for a new login.
For example, if I am logged into Google as my aunt, I can change her Google login page to display pictures of chocolate cake every day instead of her current selection of maps and weather statistics. I can also change her analytics settings (which would mess up how her website traffic is reported), delete her AdWords account, or set up a really expensive campaign. I can change her profile photo to something really unflattering, send legitimate email under her account, upload or delete her YouTube videos, change her settings so that her Google desktop displays only in Spanish, delete all of her RSS feed subscriptions, and pull her website out of Google’s index. And that’s just for starters.
Every Web property owner (like Google) offers ways to invite your friends to access your account data without being able to “become” you.
What does it look like? As the owner of the account, look for a place within your applications that says “Users with Access to this profile” or “Invite to Account.” With these tools you can add the email address of anyone you would like to grant access to. You can also select the level of access to the account. In this way, your friends can work with the account at whatever level you feel comfortable with, and their activity is logged as theirs in case a mistake is made.
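The difference between inviting someone to an account and handing over the password, as a constructed Python model added to this post (it is not Google’s or any vendor’s code): the owner grants each helper their own access at a chosen level, every action is checked against that grant, and the audit log records the helper’s own name. With a shared password the helper has the owner’s full power and every action is attributed to the owner. The `Account` class, the `Level` values and the action names are assumptions for illustration.

```python
"""Delegated account access versus a shared password (constructed illustration)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Access levels; a higher level includes everything below it (assumed)."""
    VIEW = 1    # read-only: reports, statistics
    EDIT = 2    # day-to-day work: posts, sending mail
    ADMIN = 3   # destructive or billing actions


# Minimum level each action needs (hypothetical action names).
ACTION_LEVEL = {
    "view_report": Level.VIEW,
    "publish_post": Level.EDIT,
    "send_email": Level.EDIT,
    "delete_account": Level.ADMIN,
}


@dataclass
class Account:
    owner: str
    grants: dict = field(default_factory=dict)   # delegate name -> Level
    audit: list = field(default_factory=list)    # (actor, action, allowed)

    def grant(self, user: str, level: Level) -> None:
        """'Invite to Account': give `user` their own access at `level`."""
        self.grants[user] = level

    def revoke(self, user: str) -> None:
        """Remove a delegate without touching the owner's password."""
        self.grants.pop(user, None)

    def level_of(self, actor: str) -> Optional[Level]:
        """The owner is always ADMIN; anyone else only has what was granted."""
        if actor == self.owner:
            return Level.ADMIN
        return self.grants.get(actor)

    def perform(self, actor: str, action: str) -> bool:
        """Check the actor's own level and record the attempt under their name."""
        needed = ACTION_LEVEL[action]
        have = self.level_of(actor)
        allowed = have is not None and have >= needed
        self.audit.append((actor, action, allowed))
        return allowed


def delegated_scenario() -> list:
    """Aunt invites her nephew at EDIT level; the log shows who did what."""
    acct = Account(owner="aunt")
    acct.grant("nephew", Level.EDIT)
    acct.perform("nephew", "publish_post")     # allowed, logged as nephew
    acct.perform("nephew", "delete_account")   # refused: needs ADMIN
    acct.revoke("nephew")
    acct.perform("nephew", "publish_post")     # refused: grant removed
    return acct.audit


def shared_password_scenario() -> list:
    """Nephew logs in with the aunt's password: full power, wrong name in the log."""
    acct = Account(owner="aunt")
    acct.perform("aunt", "send_email")         # really the nephew, indistinguishable
    acct.perform("aunt", "delete_account")     # nothing stops it
    return acct.audit


if __name__ == "__main__":
    for row in delegated_scenario():
        print("delegated:", row)
    for row in shared_password_scenario():
        print("shared:   ", row)
```

Running the script prints the two audit trails side by side: the delegated log names the nephew and refuses the destructive action, while the shared-password log shows only the aunt, with nothing refused. Revoking a delegate is a single call that leaves the owner’s credentials untouched, which is the practical reason to prefer invitations over sharing a password.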
Like every awesome innovation in Web technology, there are equal and opposite benefits and risks. So why did we move to single sign-on passwords? Because super users of the Web were being forced to log in at a rate of four times per hour. (This statistic is based on my own usage pattern — it’s not very scientific, but you get the picture, right?)
Something had to change because the more often users logged into different sites, the more pedestrian their login credentials became. For example, my password will follow a good security protocol if I only have to type it a few times a week. It can be secure — like this: Pe@nutBu#r79. However, after the fifteenth login of the day (the old way), my password was slipping into an insecure protocol because I was burned out on logging in. A personal low point was when my password was simply “snoopdog.”
The big idea here is that people may actually create and use a secure (difficult) password if they don’t have to log in so often. The flip side is that these passwords really shouldn’t be shared, because much more is at stake.
We are all standing by to see if the Web public can manage this new way of securing sites and personal information. I suspect that there will be a bumpy transition. For example, I’m not sure my aunt will ever forgive me for sending emails from her account. But after making a couple of mistakes I am hopeful that users will begin to guard passwords the way they were intended in the first place — as the sacred gatekeepers of data.
I’m looking for articles and blogs to start popping up with the new “cool” thing on the Web being 44 character passwords with lots of nonstandard symbols in them. That’s when we’ll really be safe. Stay tuned…
Marci De Vries is president of MDV Interactive, a web consulting firm in Baltimore. Reach her at firstname.lastname@example.org.