Open Sesame! (please)

SO there I was, half way through a vicious column attacking Bill Gates and all his evil works, when something went wrong with my computer. The memory of the problem has long faded but the solution was to reinstall some file or other. I was in the US on a business trip, using a borrowed notebook PC in which I had installed programs from my own set of CDs. It was only when the appropriate CD was already inside that the machine demanded a "key" - a set of magic numbers written on a scrap of paper in London, 5,000 miles away, where it was now 4 a.m.

More obvious alternatives having failed, I was two hours later reduced to calling up the Evil Empire itself in Redmond. After a brief stay in voice mail purgatory, I was saved by a charming vice president of something or other who helpfully read out the key from his own copy of the package.

The incident had two consequences. First, it made the arguments against "billg" seem less convincing than they had an hour earlier. Second, it set me thinking about the growing irritation that keys and passwords now represent in the lives of most computer users.

It is not only computer software that comes with passwords. So do operating systems and even computers themselves - the machine this column is being written on has to be returned to its manufacturer if you forget its eight letter login. As the sale of information and services over the Internet has taken off, even Web sites have adopted passwords.

Some months ago, I invested £30 in a subscription to the Wall Street Journal's Interactive Edition, a Web site that includes useful things like a searchable newspaper database. I then promptly forgot the password. Three months later, not having used the service once, I sent the company an email asking it to tell me what my password was. Someone replied with the details. Unfortunately, I can't find the email, so I still haven't used it.

Sometimes the problems are worse. Each one of the three different Internet service providers I use requires a password to dial in. Even the mail forwarding service that allows you to keep the same email address wherever you are in the world or however you access the Net requires a "magic cookie" - a password by any other name.

You may be tempted to dismiss me as disorganised. But many PC users face similar problems. They don't want to write down a clear list of passwords on paper, because that seems to compromise the security that is their original purpose. They cannot hide passwords in their address book, as they can with the four digit codes for bank teller machine cards, by disguising them as extensions in the phone numbers of fictitious people.

So what can be done? The trouble is that some PC users pick the easy option. They use the same password, or a similar one, as often as they can. More, they tend to ignore the common exhortation to choose a mixed string of upper and lower case letters and numbers.

Programs like Crack, used by hackers and security conscious network administrators, test for passwords by crunching through the dictionary looking for matches word by word.

The further companies go in tightening their security, the harder they make life for customers and employees - and the greater the danger that whatever measures they take will be circumvented and frustrated, by simple devices such as slapping a yellow sticker to the computer and writing the secret code on it.

One answer is to have not one password, but a whole set of information which will only be partly queried on each occasion. My bank, for instance, asks for two letters from a password plus the answer to one out of four prearranged questions. That makes it almost impossible to breach security by simple interception, since a hacker needs to listen in to seven interactions before having more than a 50 per cent chance of getting the information needed to make a successful fraudulent login.
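
The interception argument can be checked numerically. The following is an added example, not part of the original column: it assumes every login asks for two distinct letter positions and one of four questions, all chosen uniformly at random, and it treats the password length (which the column does not state) as a parameter.

```python
from math import comb


def replay_success_probability(sessions, length, letters_asked=2, questions=4):
    """Chance that an eavesdropper who recorded `sessions` past logins
    already holds every answer needed for the next challenge."""
    total = comb(length, letters_asked)
    # Inclusion-exclusion over the newly challenged positions: the j-th term
    # is the chance that j chosen positions were never asked for in any
    # recorded session.
    letters_seen = sum(
        (-1) ** j
        * comb(letters_asked, j)
        * (comb(length - j, letters_asked) / total) ** sessions
        for j in range(letters_asked + 1)
    )
    # The challenged question must also have come up at least once before.
    question_seen = 1 - ((questions - 1) / questions) ** sessions
    return letters_seen * question_seen


def sessions_for_even_odds(length, letters_asked=2, questions=4):
    """Smallest number of recorded logins giving better than 50 per cent odds."""
    n = 0
    while replay_success_probability(n, length, letters_asked, questions) <= 0.5:
        n += 1
    return n


if __name__ == "__main__":
    # Assumed password lengths; the bank's real policy is not given in the column.
    for length in range(6, 13):
        n = sessions_for_even_odds(length)
        p = replay_success_probability(n, length)
        print(f"{length}-letter password: {n} logins -> {p:.1%}")
```

Under these assumptions a 9- or 10-letter password reaches better-than-even odds at seven recorded logins and an 8-letter one at six, so the protection depends on password length and on the challenges being drawn at random.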

Another answer could be to use a piece of software to keep track of passwords. Instead of consisting merely of an encrypted list of passwords, which would be little more use than locking keys up in a cupboard, the package could prompt the user for a new but memorable password every day, such as "the name of the first person you ever went out with", or "the ice cream flavour you like most".

But ultimately, not even this would be invulnerable. Two bigger changes will have to take place before we can be delivered from password tyranny.

One is for companies to be more thoughtful in their use of passwords.

The other change will be the arrival of cheap, ubiquitous, standard devices which can read fingerprints or retinas.

This has been technically possible for years, partly via smart cards, but consumers have balked at paying a couple of hundred dollars for something that hardly improves their own convenience.

If the price of a finger or eye ball reader guaranteeing that the person sitting in front of my PC is really me could fall to $20 then it might become a seriously successful consumer product. Perhaps Microsoft should build it.