Tired of entering your username and password Again into your usual websites?

Do you feel like you’re constantly  having to sign in Again to sites that you use regularly? Your angst has been noticed, and the powers that be are working on a solution.


Username and Password Hell: Why the Internet Can’t Keep You Logged In

Ever feel like you’re constantly logging in on the same sites, over and over? Help is on the horizon

After years of figuring out ways for the internet to recognize you more easily, the tech industry is bringing real solutions to market.
After years of figuring out ways for the internet to recognize you more easily, the tech industry is bringing real solutions to market. PHOTO:EMIL LENDOF/THE WALL STREET JOURNAL; ISTOCK

My Google password is mXNkQ3/Dy?Pg. (Or it was, anyway, until I published it for everyone to see.) I’ve had to type that nonsensical string so often I memorized the darn thing. It seems like every time I click a link, download an app or unlock my phone, I’m forced to log in to my account all over again.

The internet has an identity problem. It has never had a simple, universal system for figuring out who we are. As a result, we’re stuck with separate usernames and passwords for every site and app we use—no, I’m not touching that Sign In With Facebook button—and perpetually re-entering them to prove we’re still ourselves. It’s mildly annoying on our laptops, where we have dedicated keyboards. It’s a bigger pain on our smaller phones, and it’ll be near impossible on the smart machines we’ll have going forward. Imagine typing a 16-digit code every time you start your car.

The good news is, everyone knows this is a problem. The tech industry has spent years working on ways for the internet to recognize you, and real solutions are starting to come to market. The bad news? It isn’t an overnight fix.

Logged out

Login trouble has many causes, but it tends to be a two-part issue: how a website or service is set up, and how we now behave on the internet.

Whenever you enter your username and password, the app or site opens a “session,” quickly compiling relevant data to your account and connecting you to the servers and tools you need. That creates a security risk: If your session is still open and another person on the same computer goes to the same site, he or she could have access to all your stuff. As a result, most developers set an end date for your session, automatically closing your connection to the site or app after a specified amount of time. This security risk is also why you have to confirm your identity when changing account settings or shipping purchases to new addresses.

To illustrate, let’s look at our own wsj.com. Years ago, the developers building The Wall Street Journal’s website decided that sessions should expire after 15 days, said Ramin Beheshti, chief product and technology officer at the Journal’s publisher, Dow Jones. That meant twice a month, you’d re-enter your password, so the Journal could make sure it was you and not some account thief sitting at your computer.

Every app and service has its own version of this rule. Dashlane, the password manager, requests your password every 14 days. Evernote will keep you logged in for 30 before kicking you back out. Okta, which gives users access to multiple work apps through a single login, lets its corporate customers decide how often employees must cough up a password.

When you only had one computer, entering passwords every few weeks didn’t feel so arduous. Now you have laptops and phones and tablets and maybe even smart TVs, all logged in to the same things, each demanding a bi-weekly re-up.

And it gets worse. Each device now has multiple browsers and apps—and nowhere is it more chaotic than on our beloved smartphones. If you check sports scores on an app, you have one login, if you do the same on the Safari or Chrome browser, that’s another. If you click a link on Twitter , or someone emails it to your Gmail account, those apps have their own browsers, and you have to log in through each one. It starts to feel like a constant nag.

On an iPhone, each browser is entirely separate from and unaware of the others. And some in-app browsers require you to log in every time, because they don’t carry any session baggage from one use to the next. Android does a better job of helping those apps talk to each other.

This is me

Nobody likes passwords—not even the services that ask for them. “The only people who love usernames and passwords are hackers,” said Alex Simons, corporate vice president at Microsoft’s identity division.

Over the past few years, most big tech players have collaborated to develop standards for managing identity on the internet. Most recently, the World Wide Web Consortium ratified a standard called WebAuthN, which allows websites to authenticate users with biometric information, or physical objects like security keys, and skip the whole password thing altogether. You could log into Facebook or Gmail or Amazon just by scanning your fingerprint, or with a facial-recognition scan. Imagine logging into everything the way you currently log into your phone.

All that’s left is for every app, device and website to integrate these new standards. Which is going to take years. In the meantime, there are a couple of ways to make your logging-in life easier.

If you use a password manager such as Dashlane or 1Password, it can automatically log you in to most sites on desktop and mobile. In a delightful bit of irony, you’ll still have to enter your password manager’s password periodically, and even these apps don’t always work with in-app browsers. Still, in general they turn the drawn-out login process into a click or two. You can also take advantage of your browser’s ability to autofill data and passwords, at least on devices you trust.

If you constantly clear your browser history, your cache and your cookies, you’re also making your login life harder. Sometimes you have to, so that a misbehaving website will load properly, for instance. But whenever you do, you also clear your login data—the so-called “tokens” that keep your sessions open.

Pretty soon, even if you do nothing, you should start to see these things improve, including at the Journal. Mr. Beheshti said he plans to change the session time from 15 days to as many as 90. There’s more work to be done, he said, especially getting all those browsers and apps to communicate with one another. But his goal—and everyone else’s working on this problem in the tech industry—is to keep you around longer. Make it long enough and I might even start forgetting my passwords again.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s