Consumers average 150 passwords; when your credit card expires, you need to remember ALL of them

Bob Sullivan

I recently had to undertake one of the most arduous, perilous tasks consumers face — updating all my credit card automatic payments. My card had expired of natural causes — rare in the age of account hacking —  so off I went, chasing after every card-paying account I have. These kinds of things make me skin-crawling, hair-raising, blood-pressure exploding, whiskey-shot needing anxious. And I’m sure I’m not alone.

I only had to update my expiration date, but as I’m sure all of you know, this process is fraught with disaster. I once failed to properly update an EZPass account, and faced a whopper of cascading penalty fees.  That’s the perilous part.

The arduous part is logging into every freaking account I had and….well, I mean trying to log into every account I have…and making the small change.  That means dealing with all those user names, all those passwords, and a different process every time.

Taking inventory of every auto-payment isn’t as easy as it sounds.  Some accounts are charged monthly. Some quarterly. Some just occasionally, if I use them rarely.  My bank (USAA) provides a helpful, but incomplete, list of possible automated payments. So I scan through about 6 months of bills, eyeballing potential accounts that USAA might have missed.   Some services have arrangements with banks to ease the expiration change, but you just can’t count on that.

Next, I go through the process of logging into (hacking into?) all these accounts. At some sites, it was enough to just change the expiration. Other places required removing the old card and adding it back in with the new expiration. And at still others, (I’m looking at you, SlingTV) the web update simply didn’t work. Try as I might, the tool wouldn’t let me update my account. So I logged into an online chat, and after an authentication song and dance…well, they told me to call. About half an hour or my day, vaporized.

All this hassle is sort of my own fault, as all these firms are rightly paranoid about credit card security, thanks to journalists like me writing so many stories about credit card hacking.  So I’m glad it wasn’t easy.  But here’s the rub: A recent report claims that consumers now have an average of 150 passwords to remember.  ONE HUNDRED AND FIFTY!!

No wonder I need some whiskey.

More about passwords in a moment, but before I leave the topic of anxiety, let me say that these kinds of stories are precisely why The Red Tape Chronicles came to be.  My anxiety isn’t really about the passwords. I know one way or the other I’d be able to get into these services and update my card.  The stress comes from my assumption that behind every one of these accounts lie the potential for a massive GOTCHA.  If my card were declined, perhaps I’d face a late fee. Perhaps my account would be cut off at a critical time. Perhaps I’d be bumped off whatever discount plan I’d arranged, and end up paying a higher price.  These are not imagined fears. These are real booby traps that create real anxiety, born of experience, and maybe just a little PTSD from all those hacked credit card accounts I’ve had to update during the past few years.  If I could assume that these providers would handle the situation reasonably, then I’d be a lot less on edge.  But you know better than that. It only takes one mistake in the wrong transaction to cost you, bigtime.

So, I’m paranoid. And while I think I updated every account correctly, I don’t trust any of them. I’ll go through the same process in 30 days and make sure all those payments went through. Hey, it’s not paranoia if it’s real.

Now, as for passwords — IBM is out with a password report this week showing that consumers are willing to suffer a little inconvenience in exchange for security, and they are open to use of biometrics (enough with passwords already). Not surprisingly, people are most open to fingerprints, but fully 87% said they were open to other kinds of biometrics, like voiceprints. Companies should take this to heart. Every biometric has its special problem (like in the movies, when an iris scan is foiled by cutting out a victim’s eyeball. ew).  But while we keep arguing about imperfections, security still lags in the password/poorly-implemented-two-factor-authentication world.

Since we have to live in that world, here’s IBM’s tips for now: Note that passphrase recommendation, which is probably the best you can do right now.

IBM’s consumer Tips:
§ Use Multi-Step Authentication: Where possible, enable two-factor authentication (2FA) that confirms a login on multiple levels, such as password + a mobile alert or email confirmation. 
§ Opt for Passphrases vs. Passwords: Skip complex passwords and instead use longer “passphrases” – several unrelated words tied together, at least 20 characters. These are actually harder to crack and easier to remember. 
§ Choose a Password Manager: Rather than try to memorize multiple passwords or store them insecurely, use a password manager, which not only acts as a vault for existing passwords, but can also generate stronger passwords for you

Leave a Reply

Your email address will not be published. Required fields are marked *