Despite data thefts, the password endures
The traditional but vulnerable login process is so entrenched and familiar, it seems neither havoc nor hackers can end its 50-year reign.
By Danny Yadron and Katherine Rosman, The Wall Street Journal
Fernando Corbató didn't intend to unleash havoc when he helped create the first computer password at the Massachusetts Institute of Technology in the early 1960s.
"It's become kind of a nightmare," says the 87-year-old retired researcher. "I don't think anybody can possibly remember all the passwords."
Passwords are a bane to computer and smartphone users and a security threat to companies. On Wednesday, eBay (EBAY) urged its 145 million users to change their passwords because of a data breach. But if the past is a guide, few people will heed the warning.
Last month, some experts called a flaw in Internet encryption known as Heartbleed one of the worst holes ever discovered in the Web's defenses. The bug might have exposed billions of passwords to hackers, yet just 39 percent of adult Internet users surveyed by Pew Research Center canceled accounts or changed their passwords after Heartbleed.
"Passwords are awful and need to be shot," says Jeremy Grant, head of the National Strategy for Trusted Identities in Cyberspace, a task force created by President Barack Obama in 2011 to bolster online security.
Despite all their flaws, passwords are so ubiquitous, cheap to use and entrenched in the architecture of websites and the rhythm of human behavior that efforts to supplant them have barely budged.
"It's the only piece of technology from 50 years ago we're still using today," says Brett McDowell, a senior Internet security adviser at eBay's PayPal unit.
Some people are hoping to kill passwords with fingerprint readers, iris scanners and USB keys. But a string of disappointments makes executives, scientists, engineers and government officials skeptical. McDowell and counterparts at Bank of America (BAC), Google (GOOG) and other companies are toiling away on a password-replacement project called the Fido Alliance.
It recently released an early version of standards that could be used for other forms of online identification. PayPal is using them, and Google has been happy with an internal test, company officials say.
Apple's (AAPL) newest iPhone has a fingerprint-unlocking feature, but some users have found that typing a password is just as easy as trying to place a thumb in perfect alignment.
No one knows how many passwords there are, partly because they are proliferating so quickly that it is impossible to keep track. Surging use of smartphones, tablets and other mobile devices has worsened the sprawl. Social-networking and e-commerce websites often require users to log in so the sites can offer personalized content and advertising pitches.
Despite data breaches and warnings from security experts, people cling to easy-to-remember passwords and often use the same ones for many accounts.
"You can compare the top baby names of the year to passwords lists," said Morgan Slain, chief executive of SplashData, a password-management company that publishes an annual list of "worst passwords." The ranking is based on the most common passwords found in files containing stolen passwords posted online in the previous year. The worst of the worst vary little from year to year, including "123456," "password" and "qwerty."
Jeff Myers, 49, came up with his own strategy. A former cardiac surgeon who now works on drug trials for Gilead Sciences (GILD), Dr. Myers increases the number at the end of his password by one each month.
"Anybody with any hacking skill would figure it out immediately," he says.
Google and Twitter (TWTR) are among the companies that now offer a two-step authentication process to thwart hackers. After users enter a password, a one-time code is sent to their smartphone via text message. The code must be entered into the company's website.
The process is more secure than just a password but can get snarled if a phone is lost. It also slows people down.
"All of these create additional friction," says Uri Rivner, a former executive at RSA, a data-security division of EMC (EMC). He recently helped launch BioCatch, of Boston, which lets websites verify identity by measuring how someone holds a smartphone or drags a mouse across a screen. Major U.S. banks are using the technology, he adds, declining to identify them.
Even the smartest passwords are only as secure as the companies that store them. Heartbleed let hackers scoop protected data out of corporate servers. At Target (TGT), the company said hackers used a stolen password from a refrigeration contractor last year to invade a credit- and debit-card system, where they stole 40 million card numbers.
It isn't clear how many people may have been victims of those two frauds. Since the heist, Target has taken steps to wall off high-value data from the rest of its network. After Heartbleed was disclosed in April, dozens of websites urged users to change all their passwords.
PayPal lets customers buy things with the fingerprint sensor of Samsung's (SSNLF) newest smartphone, the Galaxy S5. Apple Chief Executive Tim Cook has said company officials had mobile payments in mind when Apple added such a sensor to its latest iPhone.
Apple's system now works only with the company's own products, like iTunes. PayPal customers could use the same fingerprint at any site that adopts the Fido standards. Of course, when fingerprint readers on the Galaxy and iPhone don't work, users must fall back on entering a password.
Stuart Geiger, a doctoral student at the University of California, Berkeley's School of Information who studies how people interact with technology, says putting the password out of its misery would require collaboration from a gaggle of Silicon Valley companies that compete against each other in everything from online shopping to chats to television.
Even if that happens, would hundreds of millions of Internet users in the U.S. who are accustomed to relying on ham-handed passwords be willing to change their ways or switch to gadgets that use more sophisticated security? "One big factor is inertia," he says diplomatically.
The mess is much more than Corbató, a professor emeritus at MIT who lives in Newton, Mass., ever imagined when he and his colleagues came up with the password to control access to files on a huge, shared computer.
"We didn't foresee the Internet, either," he says. Corbató keeps track of his passwords by typing them on paper. He is moving them to an online file.
and the password is........... "period"
Things that make your wife nag.
Things at the end of a sentence.
Things said by POtuS right after a lie.
You might be a Democrat if you believe it's OK to financially hog-tie 50 hardworking people to support one slackazz.
You might be a Democrat if you believe a person should make $15/hr for flipping burgers.
You might be a Democrat if you believe in freedom of speech so long as what people say is in line with your ideology.
You might be a Democrat if you believe that 5+5=7 regardless of how many mathematicians try to explain to you that it equals 10.
You might be a Democrat if you hear the phrase "common sense" and take it for "common cents" as in everyone's money belongs in a common pool for everyone to take.
You might be a Democrat if you are beating up the oil companies with one fist while pumping gas into your gas guzzling SUV with the other. (FYI: Liberal California is the second largest contributor to CO2 emissions in the USA, go figure)
When possible I use at least 12-character passwords and I use obscure terms specific to my chemistry, industrial, or teaching career and use a set of several rules that determine how the term is modified for each website I visit. All are easy enough to remember. A partial example would be something like "Ring Around The Rosy" where the "s" is changed to a "$", the "o" becomes a "0," and the spaces become the first three letters of the site. The password can be modified by rotating through a few such titles or phrases or modifying the space rules.
Copyright © 2014 Microsoft. All rights reserved.