We live in an age where passwords and PIN-codes are everywhere. Phones, computers, email accounts, government services, bills and utilities, apps, bank accounts and dozens more all need and expect some form of password. Here’s a cautionary tale of what might happen if you forget one.

Since the year dot, many many aeons ago (back in the 1980s, I mean), passwords were invented for electronic ‘stuff’ to keep out people who shouldn’t get in. Keeping private things private. Keeping national secrets secret. Keeping unique technologies unique.

There are a few strategies around for creating and managing strong (i.e. unguessable) passwords. Very often, you will find that these strategies are challenged or even come unstuck in the face of Password Rules. Every system, every organisation, can create its own Password Rule and it’s highly likely you’ve encountered them – for example, your password must contain at least 8 characters, and in those 8 there must be both letters and numbers and at least one capital letter. Some password rules require one or more “special characters” such as $, & or %.

So we end up with a grab-bag of different passwords whether we like it or not.

What happens when we forget one? A classic example is the password to a Gmail account. You created an email account using Google’s free Gmail service years ago, and put in a password that matched their Password Rule at the time. You added that email account to your smartphone and tablet, using their quick-and-easy tools to do so. Then you happily started using the email account.

Of course, you never had to put in that password again. Your computer, your phone, your tablet all remember it for you. Or better yet, if you’re like me you have a password manager app that remembers on your behalf, so you can have a ridiculous password that you don’t even know anyway (and couldn’t reveal even under torture or hypnosis!).

Then you get a new gadget, or more likely try to sign in to your email account on someone else’s computer (let’s say while you are travelling). You are asked what your password is. You simply don’t know or can’t recall.

Now you enter the Verification Twilight Zone. You need to prove you are who you say you are, that you should be allowed in even though you don’t know the password. Gmail do this verification thing sometimes when you DO know the correct password, but are signing in on some device you haven’t signed in on before. They might even do it on your normal device, for some reason.

How do you verify yourself? Well. It all depends… but it depends on what you did when you created the account.

  • Were you asked a few special questions to which you had to give your own answers? For example, “Where were you born?” or “Mother’s maiden name”. You’ll need to remember the exact answer you initially gave.
  • Did you have to provide your mobile phone number? You’ll be sent a one-off code to your phone which you’ll need to copy back into the sign-in.
  • Did you provide an alternative email address, belonging to yourself or someone else you can trust? A one-off code will be sent to that email address which you’ll need to copy back into the sign-in. You’ll be shown only part of that alternative email address to jog your memory, e.g. joe***@big****.com, so you’ll need to remember which one you initially gave.

Here’s the thing. If you can’t successfully navigate through the Verification Twilight Zone, you can find yourself going round and round in circles trying to guess the correct answers. If you are unable to provide what is requested – you simply cannot get in. Short and sweet, you have lost access.

For some services (such as online banking), there may be someone you can call so you can prove to them that you are the right person, and they can maybe reset your account password. But don’t count on it in these days of identity theft, fraud, and privacy laws.

As for Gmail? It’s too bad. You need to register a brand new email address and tell everyone you’ve had to change. A real pain. You’ve lost access to everything that was in that email account unless you can work through the Verification Twilight Zone somehow.

So the moral of the story is to make sure you have an excellent memory, or more practically to make a secure note of not only your password, but also your verification answers. And keep them updated (once a year or so should do it). Dead alternative email addresses and expired phone numbers are of no use at all.

Beware the Verification Twilight Zone!