Proliferation of user names

On a typical work day, I log onto multiple computer systems. Some local, some remote, some company-owned, some customer or vendor-owned. And there’s almost no repeat of the names I use to log in.

For example, if my name were George Washington, these are the user names I’d have:
washington: last name only
washingtong: last name plus first initial
washingg: last name (truncated to 7 letters) plus first initial
washig: last name (truncated to 5 letters) plus first initial
washigd: last name (truncated to 5 letters) plus first initial plus “d” for extra developer privileges
123456: employee number
george.washington: first name dot last name
george-washington: first name dash last name

It’s a pain to remember all of them, never mind all the passwords.

User names and passwords are the bane of my existence. Some of the federal government websites are especially nasty - you have to change your password every 60 days and the only acceptable passwords are gobbledygook. You can’t even have a real three-letter word anywhere in the password.

To make my life a little easier, the first time I needed to create a password I tried using an Indonesian name, thinking that would be incomprehensible to the system but easy for me to recall. I used to work with someone whose surname was Notowidigdo, so I tried that - but of course that doesn’t work because it contains a bunch of English language words (not, tow, dig). Since my brain switches to Indonesian for things like that, I couldn’t see it.

Anyway, I’ve figured it out now. I have a collection of Indonesian words that don’t have English words buried inside. It helps a little, but it’s still an annoying process.

I’m still trying to think of a system that would be obvious to me but not a hacker.

One of the banks I used to use required you to change your password every 60 or 90 days. You couldn’t reuse a previous password, it had a big list of restrictions, all the normal stuff. But I was constantly typing it wrong and if I got locked out, I’d have to call to reset it.
The kicker is, it locks you out after you enter the wrong password three times. It doesn’t have to be consecutive, just three times period.
I’m sure their call center must have fielded a lot of calls to have passwords reset due to that policy. Personally, any time it said I entered it wrong, unless I knew I mistyped, I’d hit the reset password link, come up with another password, write it down, and that would reset my three chances (only have to call to reset if you’re locked out).

I worked for the Federal Govt in a classified position, so I had a buttload of password requirements, including the frequent changes. I found the easiest way to handle it was an alpha string - maybe upper case vowels and lower case consonants if required - followed by 2-character month-2-character year. Then I’d just change the month on the first of every month. It seemed to work for most of my accounts, except for those that wouldn’t allow duplicate characters in a row, so November had to use ! instead of one of the 1s.

I expect there may be programs that require more than a single character being changed, but this worked for me until I retired 10 years ago.

What inevitably happens is that people have their various logon credentials written on post-it notes appended to their computer monitor, or else they’ve emailed themselves a Word document with all their passwords for easy retrieval. The folks who implemented the policy are off somewhere congratulating themselves on enforcing high security and the actual security is worse than it was in 1995.

Yup, I think I even mentioned it in my post, that I’d always write it down. At work, I have a locked file (with a password just about anyone here could guess) with all my usernames and passwords.
I know I should just get a password manager, but for some reason I haven’t wanted to go that route yet. Firefox saves/autofills some of them but not others, so that’s helpful.

I also wish site creators would make passwords that aren’t protecting anything overly sensitive less complex. Not everything needs to have a dozen restrictions on the password format.

Wow, I guess I really have simplified my life.
No work log-in for the last year. And no time for any social media because I spend too much time here…

I’m just digs.

Regarding the password side of this issue, there’s an XKCD for that:

The last modem I had before the current one had a password of the sort Munroe describes. Shorter, but the same idea. It was like “cheerfulsongbird227” only with different words and digits. I still remember it even though that modem died a year ago.

At my government agency, the passwords have to be at least 12 characters, and have at least one lower case letter, upper case letter, number, and special character. You have to change it every 60 days, and your password can’t be the same as your last fifty or so passwords. The usual gobbledygook.

However, while your new password can’t be the same as your old passwords, it only has to differ by one character. So my first 10 characters are invariant (and based on easy keyboard patterns, not words, but equally memorizable) and include the special character and the letters in both cases. I only change the last 2 characters which include at least one number, but that’ll give me passwords until I retire in < 3 years.

Dunno if that helps you, @CairoCarol, but tossing it in here in case it does.

Here’s a recent discussion of the merits of various password managers.

Nowadays, any other solution, whether that’s patterns as @RTFirefly says just above, @Joey_P’s locked Word documents, sticky notes, etc., just seems silly. And yes, I’ve used all those “solutions” myself.

Yes, there is the one-time effort of logging in to each and every site or app you currently use. But you can simplify that by simply creating your password manager entry the next time you use that site for its own sake. Pretty quickly you’ll have loaded the ones you use regularly. You may also be surprised how many you haven’t used in years that no longer work because that company is gone, or has replaced their e-commerce platform twice since you last logged on and didn’t migrate the users, etc.

Bottom line, having done it myself for about 300 logins a couple years ago: It sounds and feels like a bigger project than it is, the security gains are palpable, and the convenience gains are huge. Net, net, I’m very confident my conversion effort has paid off in less total work here ~2 years later.

thanks, that’s a great idea.

I’ve had just as many permutations of my username as described in the OP.

Regarding passwords: Several tools I use require that a) the password must be changed every 90ish days, b) cannot be similar so “Mypassword1001” followed by “Mypassword1201” will not be allowed, c) CANNOT BE PASTED INTO THE FIELD. So it has to be something typable.

As in
sh345@@%^*sfrEtW (just random crap from my keyboard) is only good if you can manage to type that without messing it up.

1Password, the vault we use, has the ability to type a password into a web field if you can’t paste it in - but this one piece of software doesn’t even work with that!

I remember one login - and this was a Federal system - where the rules changed to “14 or more characters, some lower, some upper, some numbers, some special”. Again it was something I needed to type in, and I came up with a 15-character keyboard pattern that would be semi-rememberable.

And nothing worked.

I finally called the help desk, and was told “Try EXACTLY 14 characters”, and “such-and-such special characters won’t work”.

Really? Really? You don’t think “14 or more” and “a special character” might coulda used a little more detail?? Last I looked, “15” meets that description, as did the parenthesis or whatever special characters I was trying. It’s a subject of a long-running rant in our household: If there are password rules, TELL US WHAT THEY REALLY ARE.

Another website mandated some strong-ish password. I’d do a password reset, it would accept the password, then I couldn’t log in again. Lather, rinse, repeat.

Somehow I found out that there was an undisclosed limit to the number of characters. So I’d type in something like MyPW#123#456$789, type that again to confirm, and the system would say “MyPW#123 sounds good to me!!”.

And the time I got locked out of my laptop for a week because corporate policy mandated a much longer password to encourage phrase use.

So I changed mine to something like “mackdonna handheld shoehorn butterhorse”.

And it worked. For 24 hours. Then I was locked out.

The help desk said I was not the first person this had happened to; apparently the issue was the spaces. “macdonnahandheldshoehornbutterhorse” would have worked.

I once had to have a very complicated pw requirement for work. I would modify a bit of a song lyric and put a special character at the end.

So if the song was Let it Be, the password would be: Wh3n1F1ndMys3lf#.

At least the username proliferation has slowed some: A lot of sites now use an email address as a username. Though that’s generally only places that let the user set up their own account, not the likes of workplaces (though, how many workplaces do you have?).

One workplace, many computer systems, each with their own user name and password systems.

I was beta-testing an online game. I set up my account and posted stuff on their forums. Everything was fine. In the Windows client for the game, I could not log in. After some detailed debugging with their network lead, we determined that the website could accept passwords up to 32 characters, but the Windows client could only accept 24. Oops. Of course, being a beta tester, finding problems like that was the whole point and all in good fun.
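The failure in the anecdotes above (a reset form that silently keeps only the first characters, and a website and game client with different length limits) comes from two code paths applying different rules to the same password. The sketch below is an added example, not code from the thread or from any site mentioned in it; the class names, the 8 and 64 character limits and the use of PBKDF2 are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

RESET_MAX = 8   # constructed: the reset form silently keeps only 8 characters
MAX_LEN = 64    # assumed limit for the corrected site, told to the user


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class InconsistentSite:
    # Reset truncates, login does not: two code paths, two different rules.
    def reset(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.stored = _hash(password[:RESET_MAX], self.salt)  # silent truncation

    def login(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.stored)


class ConsistentSite:
    # Both paths share one rule; over-length input is refused, never shortened.
    def reset(self, password: str) -> None:
        if len(password) > MAX_LEN:
            raise ValueError(f"password must be at most {MAX_LEN} characters")
        self.salt = os.urandom(16)
        self.stored = _hash(password, self.salt)

    def login(self, password: str) -> bool:
        if len(password) > MAX_LEN:
            return False
        return hmac.compare_digest(_hash(password, self.salt), self.stored)


def demo() -> dict:
    pw = "MyPW#123#456$789"  # sample password quoted in the thread
    bad, good = InconsistentSite(), ConsistentSite()
    bad.reset(pw)
    good.reset(pw)
    return {
        "bad_full": bad.login(pw),                   # user is locked out
        "bad_prefix": bad.login(pw[:RESET_MAX]),     # only "MyPW#123" works
        "good_full": good.login(pw),
        "good_prefix": good.login(pw[:RESET_MAX]),
    }
```
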

If that’s at work, it’s a problem. If it’s at home, it’s not a problem. If somebody physically breaks into your home, you’ve got far bigger issues than worrying that they’ll steal your passwords.

I write down my work passwords, but I keep the list in my shirt pocket.

Yeah, it still seems kinda weird to me that I can change one character on my government computer password, and the system is OK with it.

IIRC, I first tried it one time when I was up against the 60-day limit and I’d run out of ideas for a new, dissimilar password, so I tried changing the last character of the expiring password and was surprised when it actually worked.

Once every 2-3 years I do a complete change of the password to something totally unrelated to the old one, usually when I start having a hard time keeping track of what variants of the base password I’ve already used. I think I’ve got about 16 or 17 more password changes between now and retirement, so I may or may not have to change my current base password between now and then.

This is the thing that really grinds my gears. Secure passwords are ones that are all but untypable. They should be stored in vaults, pasted (manually or programmatically) into PW input boxes, and never be seen by the end user.

Prohibiting pasting serves no purpose except to encourage weak PWs.

My former boss would make a barcode sticker with his password minus the last two characters. He would use a barcode reader to enter it in the field and then manually enter the last two.

Well at the moment: quite a few.

  • My employer - intranet
  • My employer - email (that’s the “can’t paste it in” one)
  • My previous client - database access
  • My previous client - email access
  • My current client - email etc. access
  • My current client - server access