
3kk59f94f passwords 2108484fijvnr8vi8m

August 31, 2020

Utterly non-baseball related, except in that BJOL requires me to update my password (for posting articles) every three months.

That’s one of the things that drives me mad about passwords. Isn’t it more or less my business how ferociously I need to keep my BJOL password secret? The worst thing that could possibly happen if it were to get into the wrong hands is—what? Someone would post a stupid, offensive article as "Steven Goldleaf"? How would you tell it was an imposter and not me?

If that worst-case scenario were to happen, I would think an e-mail from me to Rylan or Bill would straighten it out immediately, the offensive article would get deleted, and I could then choose a new password. Why the need for such elaborate security measures? Totally don’t get it. It actually makes more work for Rylan because every so often the password I remember for this site is incorrect, and he has to go through the process of issuing me a temporary password, which I can then change back to my real password, etc.

An additional problem, sticking with BJOL for the moment, is that the passwords must not repeat themselves—I have to come up with a new one every few months. I’ve been doing this for five years (damn—missed my 5-year anniversary earlier this month! https://www.billjamesonline.com/thrown_from_a_moving_vehicle/?AuthorId=23&Year=2015), so I’ve gone through every permutation I can easily remember a long time ago.

I keep a list of passwords on my laptop desktop, though again that is a practice that all IT people warn against sternly—but what is the alternative? Relying on my memory to keep them straight is flat-out impossible. I literally could not remember all my passwords (well over 100) if I devoted my life to that task.

I am not giving away too much to code-breakers if I say that I use a recurring phrase that triggers another recurring phrase in my mind, and in the second phrase, I embed a code specific to the website I’m creating a password for. In the case of this website, that specific code-phrase might be "BJOL" or "BJ" or "Bill" or "LOJB" or any one of a number of variations, so you might imagine that all I need to do is to remember my current embedded phrase, and I’m good to go.

But no! Different websites specify different password lengths, use of capitals, use of numerals, use of special characters, and so on, so no universal password-creation system can apply to all websites. So I find it essential to keep a list recording my (coded) passwords for each website. Further, just to be safe in the event  of a total laptop crash (such as I had in November, and I’ll update you on in my next article) I’ve had to print out my list, which also is easier to keep open in front of me when I need to consult the list, which is often.

A lot of these websites feature an "eye" that makes the blanked-out password visible for a moment, but security demands (I suppose) that the "eye" can’t simply be switched "on" permanently or as a default reading, so I find them irritating (but necessary) to use, to ensure that I’m typing what I think I’m typing. Some websites also do not accept copied-and-pasted passwords, also for "security" reasons, I suppose, though a lot of them do. The least they can do, I think, is to clarify the exact reason it didn’t take my password, rather than the generic "That is an incorrect username or password" message. I mean, the system knows (or "knows") if the password is correct and the username not, or vice-versa, or if both are incorrect: would it be giving away too much if they’d specify at least that much about what I just did wrong? Other types of useful specificity (to the user, but not particularly to a hacker) would include a reminder about the website’s specific demands in a password—length, special characters, etc. Yesterday, I re-typed about a dozen times the 10-character word I was changing my password to (actually, I typed it a dozen times twice, once for "new password" and once for "confirm")  and all the website would tell me is "That password is not allowed" without more specificity. I checked against the website’s requirements and kept using the "eye" to make sure I typed what I thought I was typing, and I finally gave up. (It was the AARP site, btw, which is not manned on Saturday mornings, so no clarification was possible.)  This way lies madness.

Lately, even the websites I have the correct password for aren’t letting me in without an additional "verification" process, typically involving sending me a text message on my phone of six numbers that I have 10 minutes to punch into the website on my computer. This presumes I have my phone with me, which I usually but not always do, that it’s charged, that I’m not in a terrific rush, etc. Again, shouldn’t it be up to me whether I think such a secure system is needed? Some of these sites, like the AARP site, contain no sensitive information whatsoever, so there’s nothing to be compromised, yet they guard them like they were Saddam Hussein’s fortress of WMDs.

In addition to that hurdle, there is also the idiotic barrier of remembering the answers to questions. My chief complaint about these questions is that, in my case at least, there is no unambiguous answer to most of them. "What city were you born in?" might seem unambiguous, except that I was born in Brooklyn, which was an independent city until 1898, when it merged into greater New York City, and still thinks of itself as a city. When someone asks me where I was born, I always answer "Brooklyn" rather than "New York City," though the latter answer is technically correct. Furthermore, if I were to accept historical reality and say "New York City" that answer might be wrong, as far as the website is concerned, because I could (and just might, since I’m often lazy) have abbreviated that as "NYC," which I usually do. I almost never write out the full name, since everyone recognizes the abbreviation. Likewise, my oldest daughter was born when I was teaching in Syracuse, NY.  Except the hospital she was born in is about 100 yards west of the Syracuse city limits, in the hamlet of Onondaga Hills, I believe. Furthermore, the college I was teaching in at the time, and our apartment, was in the macbeth  of DeWitt, NY, just east of the city limits, so I’m not sure if my daughter thinks she was born in Syracuse or not—we brought her straight home from Onondaga Hills to DeWitt, but who knows what her answer to "What city were you born in?" would be. If they’re relying on me to answer these questions instantly and correctly, that’s not happening.

OK, but they give a choice of questions to be answered. All of them are slightly ambiguous, though. My mother’s maiden name? She was born with one last name that was legally changed when she was young. My first pet? My family had a pet when I was very young, but it was more my father’s pet than mine, much more, so do they mean the first pet I shared with my roommates in college? Or the first pet I owned all by myself? My favorite sports team? I rooted for the Mets for a long time, but then I became a bigger Red Sox fan. My high school sports team nickname? I went to two different high schools. What was the name of my first school? In Brooklyn, schools don’t have names, they have numbers: mine was "97," which could be rendered like that or as "Public School 97" or as "P. S. 97" or as "PS 97" or as "Public School Ninety-Seven" or any one of a great number of renderings. And on and on.

I suppose they could let us design our own questions, and the unambiguous answers to them. In my case "Your ex-wife’s middle name" or "What subject did your dissertation advisor hold his own doctorate in?" or "the first name of the friend who taught you how to play the bass guitar when you were 12?" all have perfectly unambiguous answers, and that’s all they want, a sequence of letters I can answer quickly but no one else can. I don’t understand what advantage there is to a drop-down menu of generic questions, many of whose answers could be researched or guessed at. (There are millions of people born in Brooklyn, so a hacker guessing "Brooklyn" will be right a fairly high proportion of the time.)

There are all sorts of sites that claim they can remember your passwords for you, but I don’t trust them, given the hacking that goes on, as with the credit-monitoring agencies (the name "Equifax" pops up, but I don’t know if it was restricted to them) a few years ago. I use the Google Chrome one that keeps my passwords on it, and I consult it from time to time, though it seems ill-designed and subject to all sorts of disasters if it gets into the wrong hands. (By "ill-designed," it seems clogged up with obsolete and redundant passwords—for the BJOL, it remembers about 20 of my passwords, 19 of which I don’t need, and none of them are differentiated by date. I’d much prefer if it would give me an "add or replace?" option when I enter a new password.)  A LATE NOTE: I just tried to post this article, but when I had to enter my current password,  I got the prompt to "remember your password" and I clicked on that prompt, which remembered an old password for me (thanks a lot!)—it then told me that I had tried logging in three times with the wrong password (I had just tried the single log-in attempt) so my account was locked so now I have to write Rylan another request (my third this year) to be issued a temporary password, which I will then have to change to a permanent one and have to change it again as soon as the 3-month period for each password comes up. All to maintain a security on this website which no one in the world is interested in hacking in the first place.

I suspect I’m not the first, nor the only, person to voice some of these complaints but I haven’t noticed a whole lot of adaptation in the last ten years or more of encrypting passwords for websites. Complaining about this stuff feels a little bit like complaining that we don’t have jetpacks for flying yet, but perhaps a little more realistic. Certainly the first person to encrypt his website with a simple password could not possibly have envisioned the complicated machinations we would be using to create 12- or 20-digit passwords in 2020. Essentially, what we’ve come up with is "devise a multiplicity of passwords such that it will be slightly harder for a dedicated hacker to figure out than it is for you to remember them." As I’ve spent an alarmingly larger amount of time on the computer these past five months, this problem has seemed (and been?) increasingly a sinkhole of my time and energy. There must be a solution to it that I haven’t thought of yet.

If anyone has found a way to work around the worst excesses, I’d like to learn about it. Describe your method in the "Comments" section, without of course revealing too much about your own passwords.

 
 

COMMENTS (13 Comments, most recent shown first)

evanecurb
I hacked into Bruce's BJOL account and am posting here - Just a warning to you all! As it turns out, we're using the same passwords!

---John Riggins

P.S. Bill and I were at KU together. You could look it up.
10:14 AM Sep 9th
 
DaveNJnews
Sorry, Gfletch, didn’t see you had said the same thing.

But yeah, if you want to make them all “Brooklyn,” you can make them all “Brooklyn.”
9:29 PM Sep 2nd
 
DaveNJnews
I have personal solutions to several of these problems.
But I can’t tell you what they are as I don’t want them to appear anywhere on the Internet.

OK, I’ll share one. With at least some sites that give you emergency security questions, I am pretty sure you can set up every one to have the same answer. Obviously, you damn well better remember that one.
9:24 PM Sep 2nd
 
steve161
Back when I was still working for a living, I used a system very much like Bruce's to generate passwords that had to be changed periodically, e.g. for access to my employer's network. I took a player's name and put his two-digit number between his first and last names: stan06musial, greg31maddux, mark11messier. These had no difficulty passing the strength tests, perhaps at least in part because I was logging into European systems.
8:52 AM Sep 2nd
 
Gfletch
About those verification questions and answers: I solved that problem by answering all of them exactly the same way. Some of these annoying buggers have up to twenty questions. I answered them all with a rather aggressive and offensive two word phrase. It satisfies me, but I'm sure the security software is completely indifferent.
2:38 PM Sep 1st
 
MarisFan61
Oh OK!!
BTW my alter-ego Shirley takes care of changing those passwords for me -- I can't handle it.
1:31 PM Sep 1st
 
Steven Goldleaf
No, BJOL users aren't asked to change their passwords, just us writers of top-secret articles on whose secrecy the world depends. But Shirley you've been forced to update your password for other websites? Else you aren't trying to join the 21st Century race towards insanity.
4:26 AM Sep 1st
 
MarisFan61
I've never been made to change my password in all these years.
10:06 PM Aug 31st
 
Steven Goldleaf
Flash drive is interesting. But (as I may detail in my tale of woe about the crashed laptop) it all started with a flash drive that was suddenly unreadable.
9:00 PM Aug 31st
 
doncoffin
I keep a list of my (now around 200) passwords on a flash drive, rather than on my computer. If I need one (a daily occurrence), I put the flash into a reader & look it up. Annoying, but fairly secure, I think. I don't get forced to change things as often as you do, but often enough.
8:10 PM Aug 31st
 
Steven Goldleaf
I've also read that using the initials of a song title or a line from a song ("Wysnm,wysfe,wi64" for "Will you still need me, will you still feed me, when I'm 64") makes for a strong password, but again, I have memory issues: are there commas in that line or not? Two commas or one? Does it end at "64" or is there a question mark? I'm looking for a universal system that will be unbreakable yet usable on many different websites.
4:44 PM Aug 31st
 
evanecurb
Here are some things that have worked for me:

Redskins uniform numbers: Jurgensen9, or Riggins44$ if they require a symbol. Go to a different Redskin when you're prompted to change. Or a repeating word followed by a numeral, followed by a symbol, such as Babushka01?, changed to Babushka02?. All of these passwords are classified as "weak" or "moderate" by Microsoft/Apple/Google/Mom. I don't use this system for anything important, like banking, investing, or work.
4:17 PM Aug 31st
 
evanecurb
Maybe it's time to go off the grid. Come join us.

Signed,

The Luddites
4:13 PM Aug 31st
 
 