“Do I have a Problem with Passwords?” (A Diagnostic Questionnaire)

Calligraphic text reads: You are cordially invited to stop using the same password for everything.

Only you can decide if you have a problem with passwords. But, questionnaires are fun, so here you go:

How many of the following statements are true for you?

  1. One or more of the passwords that I use has both a year and an exclamation point in it.
  2. My passwords are stored in multiple places.
  3. I have had to contact customer support about a forgotten password in the last year.
  4. I use the same password on more than ten accounts.
  5. One or more of my accounts has been hacked in the last seven years.
  6. One or more passwords I use has the name of the service I’m logging into in the password itself.
  7. My email (which can reset the login for my bank account) has what I know is not a great password.
  8. I don’t know what a great password is.
  9. I do know what a great password is, but my understanding is based on something I heard somewhere seven or more years ago.
  10. I’ve had to contact acquaintances and ask them not to wire emergency funds.
  11. Some of my passwords haven’t been changed in years. I know because the year I set my password is in the password.
  12. I know what makes a great password, I know there are systems available to store and sync them, but I have answered yes to any of the previous questions.

If you agreed with…
none of the statements above, you might not have a problem with passwords.
one to twelve of the statements above, you have a problem with passwords.

It might not be hurting yet, but like any unmanageable problem, once it does, it really does. Consequences could include ad-riddled websites, drained bank accounts, creepy social media activity, and identity fraud. It’s not just that malicious teenage hackers are trying to target you in particular; it’s also that there are legions of merciless bots trolling the internet for unsuspecting targets for malware and ransomware.

Yikes! Are you awakened, but daunted? Could you just change one bad password? Maybe start with something important: think of the email address you use to log into all your overseas bank accounts—the email address that if I broke into I could get access to basically any service I might be able to think of. If you do anything after reading this, change that password today. Gosh, stop reading this and just go do it!

Wait! Don’t go quite yet. Can we talk about what you’re going to change it to? Are you going to just change the last five characters of the password (which are currently 2015!) to 2022!? And then are you going to save that password in an unencrypted Google Doc? Are you going to scribble it on the legal pad in the kitchen drawer?

Before you do those things, I want you to know how to approach making a good password, and how to store passwords well. Both of these things might take experimentation on your end. But let’s start with crafting a good password first.

Three disclaimers:

1. This post is intended for entertainment purposes only. I’m a designer, not a medical doctor!

2. The tips in this post are already obsolete. See Question 9 above.

3. Sharing your answers to the above questionnaire might not be the safest way to publicly engage with this content.

Making Good Passwords

You’ve probably heard these rules before:

  • don’t reuse passwords or parts of passwords
  • don’t use your dog’s name in a password
  • don’t use the name of the service in the password
  • don’t use anything meaningful to you in any way in a password
  • don’t send passwords to people unencrypted

Your best bet is often to just surrender to whatever your password management system suggests. Sometimes, and especially for passwords you’re expected to remember, a passphrase is the way to go. Our client Nina Lanza, PI of the ChemCam instrument on the Mars Curiosity rover, introduced me to four-word passwords. They’re the best thing ever. (Read this cartoon from xkcd.) Here’s why they’re great:

  • they’re easy to memorize
  • they’re as secure as j$-28f~`LM(c sorts of passwords
  • they’re easy to communicate
  • they’re delightful

A word of warning—the four words have to be truly random (not thought up by us) in order to work. Fortunately, there are a bunch of randomized passphrase generators out there.

I like to cycle through useapassphrase.com until I find one that feels like I could make up a story about it. (And yes, I know that hurts the randomness factor, but we’re all about harm reduction versus perfection here.) For example, “folic compacter mauve grafting” doesn’t speak to me—but “crisply fantastic banister wreckage” most certainly does. I immediately see an image. I don’t know what it means, but I see it.

Four-word passwords won’t always work.
Let’s say your four, truly random words are:
ornery cactus unwitting opal

Some platforms require special characters, or don’t allow spaces. Some will reject four words as too many, and you’ll have to use three. Or in some ridiculous cases, the upper limit only allows for two words, in which case you’re better off using your browser’s standard password generator.

You could type your new password in with the spaces—or, you could remove them:
ornerycactusunwittingopal

What if the website demands a number and a capital letter and a symbol? Because the four words are relatively secure and have likely never been uttered together in human history, you could have a few reusable character strings in your repertoire that satisfy most websites’ requirements.

For example, let’s say you were born in New York, and your area code is 212. You could inject NY212! at the end of every four-word password where the special characters were required.

You could have several passwords like this:
ornery cactus unwitting opal NY212!
blizzard handsaw reheat gown NY212!
compacted rice twiddle said NY212!

And so on. Someone could guess NY212! on its own, but they’d have no way of deducing it had anything to do with succulents or gemstones. (Unless, of course, you use one of the passwords published in this blog post. Please don’t do that.)

Please don’t use NY212! or something like it on anything less secure than a four-word password.

Another word of warning: there are brilliant minds and machines out there that can break into an account with one of these passwords. But if you scored anything but perfectly on the questionnaire, a randomized passphrase will most likely be immesurably better than what you’ve got going on now.

Password Storage

You’ve probably heard that it’s not a great idea to store your passwords in an unencrypted Google Doc or on a notepad in your kitchen drawer. You’ve heard correctly! The best way (as of this writing) to store passwords is in a strong password management system, preferably one with two-factor authentication.

I always recommend using the simplest tool available, which is often already installed on your devices. I use my browser’s built-in password management system, and I use the same browser on my phone and tablet. Look up your preferred browser’s recommendations online. (For example, you could search for ‘managing passwords in Chrome’ or something similar.)

If you want something more powerful, search for ‘best password managers’ and see what sounds reasonable and trustworthy. 1Password, LastPass and Dashlane are all systems clients have used with varying levels of success.

Passwords aren’t for sharing, but sometimes they are. For example, if you have to share your domain registrar password with your web developer, you could email it, but you’re assuming both your email account and theirs are secure. It’s better to call, or use a service like onetimesecret.com to transmit it. Some of the password management systems have built in password sharing functionality.

While I’d love if you reformed everything over a weekend in the near future, it’ll be more sustainable if you focus on one or two passwords today. The passwords that matter the most are the ones where real damage can be done—bank accounts, email, and public-facing accounts like websites and social media. Now step boldly, into your secure future, emboldened to eschew vagueness and embrace clarity!

Share your progress in the comments by letting us know what four-word passwords you chose!

A fourth disclaimer:
4. Please do not share your password progress in the comments. That was a joke.

Web Accessibility Is Not a Two-Dimensional Issue

A framed drawing of a two-dimensional person in a wheelchair transforming into a three-dimensional clay figure that rolls out of the frame.

According to the World Health Organization, around 15% of the world’s population—or upwards of a billion people—lives with some form of disability. It’s a part of the human experience, and these days so is using the internet. Think of it this way: Would it be acceptable if only 85% of your emails went through? If your site were down almost two months out of the year? Would it be good business to keep your doors shut to more than one out of every six customers? Granted, not all disabilities affect web use. But designing with accessibility in mind isn’t just the right thing to do: it’s also good for business. But making sure that your sites are accessible also goes beyond simply being compliant with local laws. It’s a complex and dynamic issue that, when considered in good faith, can deepen the user experience for all of your website’s visitors. In this post, we will take a look at why accessibility is important and what the legality entails.

What is website accessibility and why is it important?

In her book Accessibility for Everyone, Laura Kalberg writes:

“Accessibility in the physical world is the degree to which an environment is usable by as many people as possible. Web accessibility is the degree to which a website is usable by as many people as possible. We can think about both kinds of accessibility as forms of inclusion.”

Just because your product or service wasn’t created with disability in mind doesn’t mean that people with disabilities won’t engage with your site. What we’re talking about when we talk about designing with accessibility in mind is empathy: the ability to think outside of our own experiences. 

Web accessibility is all about ensuring that the tools and technologies present on any given site are designed so that everyone can perceive, understand, navigate, interact, and contribute appropriately to the site. Website accessibility must take all disabilities into consideration during the design and development of the site. This will include: 

  • Visual disability
  • Auditory disability
  • Cognitive disability
  • Neurological disability
  • Physical disability
  • Speech disability

The tools that make your site accessible have benefits that reach far beyond the individuals for whom those tools were intended. But fundamentally, accessibility is a vital issue because we live in an age where basic participation in society relies upon internet usage. This has been particularly true during the COVID-19 pandemic as businesses and educational institutions have all moved online. 

The first step toward making your website truly accessible is ensuring that it’s well-organized on the back end. A lot can be done when you’re coding the structure of a page, and smart organization on the part of the designer can make the site easy to use for screenreaders and others who are using the site in nontraditional ways. 

Is it illegal for your site not to comply with the ADA?

First, I’m not a lawyer and can’t give you legal advice. That said, the answer to that question depends entirely on what kind of site you are operating. In the United States, only federal, state, and local government sites are required to meet section 508 regulations. Otherwise, there are few enforceable legal standards as regards the accessibility of your website. That said, there have been a number of lawsuits brought against companies that do not provide accessible sites (including The Wall Street Journal, Hershey’s, and Amazon, to name a few.) So, what does it mean to be ADA compliant, exactly?

The Americans with Disabilities Act set the standards for website compliance, and this applies to the aforementioned government sites, as well as private employers with more than 15 employees, and organizations that are operating for the benefit of the public. But even if your Company can afford the fees associated with shirking ADA compliance, you cannot ignore the negative impact it can have on your brand, and how it may affect the individuals attempting to interact with your site.

Ultimately, the best thing you can do to ensure that your site is ADA compliant is to hire a designer or developer who keeps this at the forefront of your mind when creating your site. Clean, well-organized code on the back end is the first step toward true accessibility on the front end.

Accessibility and ADA compliance are more than just a sticker on your home page. They ensure that the maximum number of people possible can easily navigate all of your content. So do yourself a favor and make sure you’re considering all of your users from the very beginning of the site creation process.

Hand-coded with WordPress and Underscores. Fonts: Brandon Grotesque by Hannes von Döhren and Orpheus Pro by Kevin King, Patrick Griffin, and Walter Tiemann at Canada Type. Printed with electromagnetic radiation on various amorphous non-crystalline solids.
This was a Hiya, Scout! design.