Must include at least one number. Must be longer than six characters. Cannot have more than four sequential characters from your previous seven passwords. The rules for password creation vary wildly from site to site, an effort to protect users from those who would hack their identities.
These protective measures don't go very far, according to the New York Times, because hackers can get ahold of passwords with software that remotely tracks keystrokes, or by tricking users into typing them in. The story touches on a range of issues around the problem, but neglects to mention the obvious: the march toward a centralized login for multiple sites.
A universal login could solve a lot of the issues around password security, from keylogging to the problem of users having their passwords discovered after writing them down.
It would also solve the problem of password-overload. Managing logins for all the Web sites that require registration is a pain, and any frequent Web user who says differently is either lying or has a photographic memory. Browsers have taken some of the pain away by remembering passwords for us, but clear your browser's history and suddenly you have to answer secret questions and email your username to yourself for umpteen different sites.
One or more options for a universal login is inevitable and progress is well underway. More and more sites are supporting the easy-to-use Facebook Connect, which lets users register for a site with their Facebook profile instead of creating a site-specific username and password. As of last year, there were more than nine million websites using OpenID, the openly-developed standard that users can use to log in across multiple sites.
Standards like OpenID carry their own security problems (and other problems - see The Troubles With OpenID 2.0), the obvious being that a successful hacker can gain access to all the sites and services you use at once. But the convenience of a universal login is irresistible, especially for the myriad sites where there's no danger if your password is hacked, such as news sites. Users who try it won't want to go back - which is why it's important to talk about the security issues around these new protocols for users and the sites that implement them.
How do you manage your logins?