One of two posts to end the year regarding authentication.   This one is about that link on on-line logon screens that is almost always labeled “Forgot Password” or “Forgot your password.”  Go ahead, check every on-line relationship you have and see what the link is labeled.

Well, what if I didn’t forget and I still don’t know it?  What if I chose to not remember it because:

1. I do not write down passwords
2. I do not let my browser remember my credentials
3. The site’s password construction rules are too hard to keep track of
4. I do not log on to that site that often

In fact, I purposely do not bother to remember passwords for a number of accounts that I have.  And for at least three of those four reasons.  Now here’s the interesting part.

There are sites that do not yet offer Multi-Factor Authentication but DO have sending a one-time text to your phone as part of the password reset procedure.  SO, when you go through the “Forgot your password” procedure, you actually go through an MFA flow to authenticate.

So, here’s a modest proposal for firms that do not wish to offer MFA but have sending a code to a text or email as part of the password reset procedure: let me CHOOSE an option called “Forget my password.”

Even if they don’t have the one-time code sent to text or email, there would still be a modicum of extra security in being able to tell the site that I want my password to expire in 12 hours so I will almost always go through a reset procedure.  I’m telling you: forget my password.

I say make it the default that passwords expire after 12 hours for non-MFA authentication flows on consumer web sites.  Why?  Most of us suspect that far more sites have been hacked to mine user id/password pairs than we know about.   There’s an entire phishing scam based on sending an individual an extortion email threatening to publicly post the recipient’s [filthy] browser history if X dollars in bitcoin is not deposited post haste into some account or other.  The phishing email tries to establish its credibility by providing one of the recipient’s passwords in the email.  Sometimes the password is made up, but sometimes it is one the recipient has used on damn near every on-line site requiring registration that they have ever signed up for.  The crook is counting on the latter.

So, even though I have no browser history to hide and I COULD find a way to track every password for every site I log on to, I beseech all the sites I visit once a month or less: forget my password.