The Secrets We Share With Distant Servers

Today the Internet is just another place to be yourself. It's about micro-confessions per second, the tang of authenticity, an ever-widening scope for self-promotion — just like in the meatspace. Once upon a time, you could be anyone online — this was part of the intrinsic appeal. Like guests at some tawdry costume party, we went around introducing ourselves with playful screen names, aired our racism and our fetishes in the back rooms, and more or less suspected everyone else of being some kind of sexual predator.

Now, for the most part, we look things up, buy stuff and pay bills, schmooze with people we already know. We work. We kill time. We look at porn. The newer professional websites, at least in the U.S. and Europe, ooze transparency and minimalism: they're as different from their predecessors as this morning's New York Times is from a Horace Greeley-era Tribune. Online, the respectable mainstream has arrived complete with its own multimedia aesthetic (aided by HTML5, Flash, faster networks, better hardware); its "web-safe" fonts and colors; solidifying conventions about sound, ads, navigation bars, and so on. The domesticated Internet strives to reconstitute the offline world, electronically, with fatter profit margins and lower fixed costs.

Like the 18th-century men and women described by Richard Sennett in The Fall of Public Man, early netizens donned different masks for different spaces, reveling in the sheer performance of their social roles, innocent of qualms that they were or weren't "being themselves." Back then, we went online out of sheer curiosity, for new experiences and the global mapping of affinities in a doubtful medium, rather than the infinite filleting of friendship and discourse. Amateur web designers tossed up wonky, pixelated efforts; raucous listservs and online communities struggled to hammer out rules of the road; cybersquatters stood astride illustrious URLs.

In 2.0-land, the only mask you're supposed to wear is your own unalterable one. Sure, you can still blog anonymously or commandeer a silly Twitter handle, but that's kid's play. Just as any reputable organization knows it has to be online, representing itself, the same now goes for us as individuals. If you've done something meaningful in the last decade, how could it not leave a cybertrace? If you have a name that's at all distinctive, why don't the masters of Mountain View know about you? ("Are you Ross Perlin?", Google would keep asking me when I typed in my name, urging me to create a profile.)

These online identities — even as they move closer to and begin to constitute a significant dimension of our overall personal identities — are secured on all sides by passwords. Doing anything online requires an account: if a shopkeeper can recognize you by face, a snarl of javascript will remember you only by password. No medium has embraced the password like the Internet, except perhaps the speakeasy (but even there a keyhole often served for visual verification). Passwords allow us to access and construct online identities that are increasingly coherent and significant — they are personal by definition, but often knee-jerk and impersonal in practice.

Just as these ciphers are veering towards machine-approved abstraction, this essay constitutes a small attempt at appreciation. Perhaps the state-mandated adoption of surnames, a process that took centuries to spread across the world, is comparable for its admixture of the personal and the technocratic. Or: we know that in wartime, at a border crossing, in the gloomy torpor of a government office, you should always have your "papers" on you, offering proof of identity. But as far as the Internet's concerned, it's always wartime.

The art of the password is found in the setting of it, or else the hacking. In their case-sensitive alphanumeric staccato, many of our passwords remix the names and birthdays of loved ones or heroes, or are keyed to snippets of phone numbers and street addresses. Sometimes a system-generated password is allowed to stand, but usually we choose them ourselves — these split-second decisions make passwords more than just keys thrown around a ring, carved with inscrutably fine teeth; or bar codes made infinitesimally unique by machinic precision. Retyping these talismans at every prompt, whether to make a tiny blog comment or to check a bank statement, we might be accumulating merit, like a Buddhist repeating the Diamond Sutra.

Ten, 20 times daily we mutely confirm that we are who we say we are, notwithstanding "cookies" and "keychains" and cached passwords. How annoying and wasteful is it to tap in these strings again and again? How much time and money is wasted on the retrieval and resetting of forgotten passwords? We'll let paragons of corporate efficiency and economic viziers answer. Those of us who don't like it vote with our fingers, spurning whatever lies behind the encryption: a news article, a plane fare, a free trial. Sites want to "capture your information," but will you trade it for a peek at their wares?

A friend of mine, disdaining this state of affairs, believes that the inputting of old memorized usernames and passwords constitutes a different branch of typing than any other. His fingers fly over the keys, he tells me, in the same unconscious sleep as when they're cradling a pen to scrawl an umpteenth signature. Signatures, their absurdity moderated by legal-historical associations, remain vital wherever paper cultures of bureaucracy still flourish (sustaining fax and telex in their asymptotic deaths) — but the fate of so-called "e-signatures" is uncertain. Personal Identification Numbers (PINs) are ascendant where money is concerned, and little numeric codes control buildings.

But the Internet is truly a cryptographer's paradise: a gigantic realm, mostly built of text, where the means of verification is always right at our fingertips.

Studies abound chronicling the frailty of our passwords. The largest such study, published earlier this month, found that people who were 55 years old and over picked passwords that were twice as strong as those picked by those under 25 years old ( pdf). While weak passwords were common across every demographic group studied – and across most languages – online passwords grew stronger as users got older, wrote Joseph Bonneau, a researcher at the University of Cambridge. There was, he concluded, "no good population of users" that was safe from password-guessing attacks.

Here's the good news: the quality of our passwords is showing steady improvement. Our little, near-constant affirmations of identity are more likely than ever to feature capital letters, irrelevant numbers, exclamation points, and various other keyboard marginalia. We can attribute this in part to the more stringent requirements of websites, to the ceaseless imperative of password change (self-motivated or system-enforced), and to those little instant barometers of password strength, sometimes visible when you're setting one.

"As a kid, I had this notion that a password was supposed to be something like you saw in '80s spy movies," says a second friend, "a name or a word that was so devilishly simple that my enemy (presumably Soviet) could get a sudden burst of insight and guess it correctly. So my passwords were just words, and ones that anyone who knew me could guess. For a while I used the name of whatever girl I had a crush on at the time. That was probably from about age 10-13. But I grew out of that and started to incorporate numbers and letters, usually some combination of initials and either phone numbers or birthday numbers. Now I usually combine a few groups of initials and numbers that only have significance to me."

But there's a dark side to this: these passwords are less and less memorable. Some companies report that a third, or even half, of all communication from customers is about forgotten passwords. A 2004 study by Microsoft concluded that 60 percent of Britons "exhibit extremes of antisocial behaviour with friends and colleagues" because of forgotten computer and internet passwords. This includes 10 percent of respondents who said they are likely to "lash out and thump" their computer in such situations, while 36 percent may "clam up and refuse to speak to friends and colleagues as the pressure of a forgotten password mounts."

This tension between security and memorability is significant. Whatever the personal significance involved, tdh13! will probably never be as memorable as, say, password1 (the most common password on MySpace, according to a 2006 study by cryptographer Bruce Schneier). According to the UK blog Modern Life, "liverpool," "arsenal," and, for some reason, "monkey" are among the top 10 most frequently used passwords across the pond. According to the movie Hackers, wishfully, the four most common passwords are "God," "Sex," "Love," and "Secret."

The fact is that we simply don't think and speak alphanumerically enough to sear into our memories many of the new passwords we're choosing — and computer keyboards remain a distant analog of our language abilities. There's something even strangely comforting about how many of us have been drawn inevitably towards the same passwords. One password security enthusiast writes that he occasionally performs "mouse pad surveys" in offices and discovers significant numbers of "hidden" post-it notes and paper scraps with scrawled passwords (yes, usually right under the mouse pad). Further, he alleges that this practice — undertaken despite the cardinal rule Never write down your password — is even more common for users who are required to change their passwords periodically for "security reasons."

All of this might suggest that we don't take passwords very seriously, despite the specter of "identity theft" which the Internet has done much to enlarge. But from a small sample of responders, it's clear that we share our magic strings with almost no one — at most, a parent, a lover, a child. For some, even this is too cavalier: "I share them with absolutely no one," the friend says. "I have an encrypted file with all of my passwords for everything that I have told my parents about so they can open it if I die or get incapacitated." The password for that file may be the last thing that crosses his lips.

In recent years, it has become increasingly clear that passwords are not enough. Giant hacks of sites like LinkedIn and Last.fm may not always be reported as quickly as they ought to be, but they prompt us to reconsider our passwording, and even to know how bad it is.

Once every few years — on a paranoid whim, after a painful break-up — we might crave a clean break with the past and try to change all the passwords we can remember. This is almost certainly futile. As early as 1988, the Internet Worm cracked as many as 50 percent of the passwords it encountered on various websites — other fairly basic programs, commercially available, have the ability to perform "dictionary attacks," testing every word in, say, the Oxford English Dictionary in a matter of minutes. If a serious hacker wants to break into your accounts, she doesn't have to look under your mouse pad.

On the other hand, the deceptive simplicity of passwords has turned us all into penny-ante hackers. An entire generation wastes idle moments attempting to guess the passwords of closed WiFi networks — the web-equivalent of checking for quarters in the change slot of a public telephone.

So no matter how artfully you've set your unbreakable cipher, or how often you change it, you're bound to face "challenge questions," CAPTCHAs, site keys, and other newfangled obstacles. Take a moment now to remember your first-grade teacher's name or re-confirm your mother's maiden name. Challenge questions are an interesting form in their own right, positing the existence of intimate information not publicly available, but defining of who you are, super-memorable. They are culturally informed, prominently featuring pets, teachers, maiden names, "best friends," and other happy Americanisms — the kind of thing you'd use to cross-examine Martin Guerre.

CAPTCHAs are something else altogether, silly little reverse Turing tests, barely a decade old, by which you prove yourself to be human. It's an acronym, believe it or not — "Completely Automated Public Turing test to tell Computers and Humans Apart." These are generally woozy bits of nonsense text, sometimes half-crossed out, sometimes blurred by atmospheric color distortions — like a vision test administered by a hippie optician. Audio CAPTCHA tests have followed, haltingly, in deference to the blind.

A new implementation, reCAPTCHA, puts all this extra typing to work. As usual, spammers were the pioneers — some have outsourced CAPTCHA solving in bulk to hapless porn-viewers, with each solution bringing them ever closer to orgasm. A more respectable scenario is the following: when you prove to Ticketmaster.com that you are human, and not a spambot, you are also unwittingly helping to digitize old issues of The New York Times, word by word. The developer of this ingenious, maniacal project — good for 12,000 free work-hours per day — is Guatemalan computer scientist Luis von Ahn, who regretted that the original CAPTCHA had created "a system that was frittering away, in ten-second increments, millions of hours of a most precious resource: human brain cycles."

But when will passwords serve some higher purpose? They're being left behind in the arms race fought by cryptographers and hackers online. They're less personal, and less universal, than they once were. Yet the art of the password is concerned with creativity and memorability under a set of strict guidelines, a hot pursuit of le mot juste, a possible text analogue to microphotography or nano-art.

As a security measure, passwords felt archaic on arrival, not much advanced from the watchwords of Greek or Shakespearean tragedies or the code-names of World War II operations. Indeed, they will almost certainly be superseded by some "Identity 2.0" approach (a kind of digital driver's license, rationalized, and random), by biometric data, or something unimaginably worse. Passwords, however big a nuisance, at least have soul.

In only a few centuries, after all, we have accumulated last names, birth certificates, social security numbers, passwords, trackable DNA, rewards cards even, and other identity baggage — it's almost hard to imagine how we wandered the earth before, almost unknown and unaccounted for.

In retrospect, we won't remember passwords for their guarding of secrets, for their greasing of the wheels of commerce, or their upholding of the rule of law. You probably already are who you claim to be. Instead, passwords are a literary genre almost too tiny to read, a banal compression of intimacies, a secret we share with distant servers.