PERSONAL TECHNOLOGY: DAVID PIERCE

Username and Password Hell: Why the Internet
Can’t Keep You Logged In
It’s torture typing in usernames and passwords for
every site and app we use, and it’s only getting worse
as we add more devices. The good news: Everyone
knows it’s a problem, and they’re working on it.

By David Pierce

My Google password is mXNkQ3/Dy?Pg. (Or it was,
anyway, until I published it for everyone to see.) I’ve
had to type that nonsensical string so often I
memorized the darn thing. It seems like every time I
click a link, download an app or unlock my phone, I’m
forced to log in to my account all over again.

The internet has an identity problem. It has never had
a simple, universal system for figuring out who we are.
As a result, we’re stuck with separate usernames and
passwords for every site and app we use—no, I’m not
touching that Sign In With Facebook button—and
perpetually re-entering them to prove we’re still
ourselves. It’s mildly annoying on our laptops, where
we have dedicated keyboards. It’s a bigger pain on our
smaller phones, and it’ll be near impossible on the
smart machines we’ll have going forward. Imagine
typing a 16-digit code every time you start your car.

The good news is, everyone knows this is a problem.
The tech industry has spent years working on ways for
the internet to recognize you, and real solutions are
starting to come to market. The bad news? It isn’t an
overnight fix.

Logged out

Login trouble has many causes, but it tends
to be a two-part issue: how a website or service is set
up, and how we now behave on the internet.

Whenever you enter your username and password, the
app or site opens a “session,” quickly compiling
relevant data to your account and connecting you to
the servers and tools you need. That creates a security
risk: If your session is still open and another person on
the same computer goes to the same site, he or she
could have access to all your stuff. As a result, most
developers set an end date for your session,
automatically closing your connection to the site or
app after a specified amount of time. This security risk
is also why you have to confirm your identity when
changing account settings or shipping purchases to
new addresses.

To illustrate, let’s look at our own wsj.com. Years ago,
the developers building The Wall Street Journal’s
website decided that sessions should expire after 15
days, said Ramin Beheshti, chief product and
technology officer at the Journal’s publisher, Dow
Jones. That meant twice a month, you’d re-enter your
password, so the Journal could make sure it was you
and not some account thief sitting at your computer.

Every app and service has its own version of this rule.
Dashlane, the password manager, requests your
password every 14 days. Evernote will keep you logged
in for 30 before kicking you back out. Okta, which gives
users access to multiple work apps through a single
login, lets its corporate customers decide how often
employees must cough up a password.

When you only had one computer, entering passwords
every few weeks didn’t feel so arduous. Now you have
laptops and phones and tablets and maybe even smart
TVs, all logged in to the same things, each demanding a
bi-weekly re-up.

And it gets worse. Each device now has multiple
browsers and apps—and nowhere is it more chaotic
than on our beloved smartphones. If you check sports
scores on an app, you have one login; if you do the
same on the Safari or Chrome browser, that’s another.
If you click a link on Twitter, or someone emails it to
your Gmail account, those apps have their own
browsers, and you have to log in through each one. It
starts to feel like a constant nag.

On an iPhone, each browser is entirely separate from
and unaware of the others. And some in-app browsers
require you to log in every time, because they don’t
carry any session baggage from one use to the next.
Android does a better job of helping those apps talk to
each other.

Many services are already working on ways to share
this kind of data across apps—for instance, allowing
you to link your news website and social network
logins, so that when you log into one it automatically
authenticates the other.

Meanwhile Google, Microsoft, Twitter and others are
finding password-free ways to extend your session and
make sure you’re still you. Apps can check if you’re on
the same phone, on the same network, doing the same
stuff. Even the way you type or move your mouse can
be a useful signal. Think of it like the fraud alerts on
your credit card: If the service suspects unusual
activity, it might flag the interaction, but otherwise it’ll
leave you alone.

This is me

Nobody likes passwords—not even the
services that ask for them. “The only people who love
usernames and passwords are hackers,” said Alex
Simons, corporate vice president at Microsoft’s
identity division.

Over the past few years, most big tech players have
collaborated to develop standards for managing
identity on the internet. Most recently, the World Wide
Web Consortium ratified a standard called WebAuthn,
which allows websites to authenticate users with
biometric information, or physical objects like security
keys, and skip the whole password thing altogether.
You could log into Facebook or Gmail or Amazon just
by scanning your fingerprint, or with a facial-recognition
scan. Imagine logging into everything the
way you currently log into your phone.

All that’s left is for every app, device and website to
integrate these new standards. Which is going to take
years. In the meantime, there are a couple of ways to
make your logging-in life easier.

If you use a password manager such as Dashlane or
1Password, it can automatically log you in to most sites
on desktop and mobile. In a delightful bit of irony,
you’ll still have to enter your password manager’s
password periodically, and even these apps don’t
always work with in-app browsers. Still, in general they
turn the drawn-out login process into a click or two.
You can also take advantage of your browser’s ability to
autofill data and passwords, at least on devices you
trust.

If you constantly clear your browser history, your cache
and your cookies, you’re also making your login life
harder. Sometimes you have to, so that a misbehaving
website will load properly, for instance. But whenever
you do, you also clear your login data—the so-called
“tokens” that keep your sessions open.

Pretty soon, even if you do nothing, you should start to
see these things improve, including at the Journal. Mr.
Beheshti said he plans to change the session time from
15 days to as many as 90. There’s more work to be
done, he said, especially getting all those browsers and
apps to communicate with one another. But his goal—
and everyone else’s working on this problem in the tech
industry—is to keep you around longer. Make it long
enough and I might even start forgetting my passwords
again.
