Originally Posted by peachfront
These are all absolutely terrible suggestions. No offense, guys. I realize they are the standard suggestions, and you mean every good thing by offering them. But there is lots of evidence that more and tougher passwords don't work, more and tougher security questions don't work, and so on. Why is that? Pretty simple. The human brain.
Nobody over the age of 23 or so can remember multiple passwords. Having a different password for every account is guaranteed hours lost out of your week every month -- if not every week. "Where do you go to high school? Corey Feldman." Like you're going to remember THAT eight years (or even 8 months later). I remember once chewing out my broker. "It won't let me log in because it wants to know my favorite movie. Hello, I'm an adult? I don't have a favorite movie." Later, when I realized what it was, I felt pretty foolish. I could have googled myself on the internet and found out what it was. Everybody in the world could have answered that question...except me. [Don't get excited, bad guys. I gave up on jumping through hoops every time I wanted to make a trade and closed the account.]
The more passwords, the more questions...the more your account is available only to the evil doer while you can't get into it yourself. You can't store all this garbage in retrievable form in the human brain so there must be some kind of storage system, on your computer, scribbled on a piece of paper, or whatever. Each of these systems leaves you vulnerable to being attacked, while providing an increasingly higher difficulty in you being able to use the program. Meanwhile, because you must have the information at your fingertips, the information is 1) very easy for family members, housekeepers, and other people who have access to your home to steal, and 2) the bank, CC company, etc. will NOT protect you --instead, they will threaten to prosecute you for fraud for giving the password to someone else and presumably splitting the proceeds.
I know a victim very well who is still paying off what her daughter stole from her and she'll be paying off this debt for the rest of her life. On a credit card that would have had zero liability if some stranger in eastern Europe had stolen the money. Making these passwords etc. more difficult does not help older and vulnerable people. It hurts them. Because the company comes back and says, "Well, you must have given her the information because nobody would just figure out, 'where did you go to high school' 'corey feldman.'" And older people don't have enough time left to go to court and hope justice is done...
I won't say I know all the answers. I will say that I know what DOESN'T work. Making the internet, online payment systems, banking, loyalty programs, etc more and more difficult for busy and older people to use DOESN'T work. That's why more and more people give up and give their passwords over to third party services. When you have someone else control your "wallet," you are responsible and you are out the money, miles, etc. any time you turn your password over to somebody else. I don't think there is any real legal debate about this. I could be wrong. But from what I've seen, all the business in question has to do is point out that you shared your password, and if your account is mis-used, it's YOUR problem. And if it's a family member who got the log in information, even if they stole it by snooping, because it was too much for you to remember so you had to record it SOMEWHERE...the company will CLAIM you shared it, and it will be a "he said, she said" situation.
Not to single out anyone's suggestion, but the idea of having 3 passwords to log into an airline loyalty program is just...ridiculous. Frustrating, time wasting, and, really, just not the way to treat older and busy customers who do have money to spend and shouldn't be forced to jump through endless hoops like trained seals.
So, the premise of that novel of a post is that you're old and don't want to jump through hoops, despite the heightened fraud risk. Multifactor authentication IS the wave of the future. If the internet is so complicated for you at this point where you think that having multiple passwords is a worse alternative than potentially losing the points/miles that you worked to obtain (but aren't worth anything until you redeem, as most of the companies will tell you in a fraud case), then you're increasing the risk of fraud happening to you, and likely aren't taking proper safeguards elsewhere either. It's probably a good idea to step away from the computer, if this is truly the case.
It's like what happened to a number of Priority Club members when they allowed you to buy gift cards online with PC points. People who either worked for the hotels or someone staying at the hotel got access to your name and PC account number, and then it's pretty easy after that. Give them your email address too, and you might as well hand them the keys to the Caddy. It's way too easy to reset many of these loyalty program logins, and if they're as valuable to you as your money in the bank, then you'd be in favor of more restrictive password requirements from these companies.
They're not terrible suggestions in the least, and there are easy ways to maintain passwords secretly, even without using a pw management site. However, until the companies update their websites to bring their password authentication to the 21st century, there will still be heightened risk. PC, Delta and United are the worst, as far as I'm concerned.