Despite data thefts, the password endures

The traditional but vulnerable login process is so entrenched and familiar, it seems neither havoc nor hackers can end its 50-year reign.

By MSN Money Partner May 22, 2014 11:13AM

Photo: The Facebook login screen on an Apple iPhone 4 (Chris Ratcliffe/Bloomberg via Getty Images)

By Danny Yadron and Katherine Rosman, The Wall Street Journal

Fernando Corbató didn't intend to unleash havoc when he helped create the first computer password at the Massachusetts Institute of Technology in the early 1960s.

"It's become kind of a nightmare," says the 87-year-old retired researcher. "I don't think anybody can possibly remember all the passwords."

Passwords are a bane to computer and smartphone users and a security threat to companies. On Wednesday, eBay (EBAY) urged its 145 million users to change their passwords because of a data breach. But if the past is a guide, few people will heed the warning.

Last month, some experts called a flaw in Internet encryption known as Heartbleed one of the worst holes ever discovered in the Web's defenses. The bug might have exposed billions of passwords to hackers, yet just 39 percent of adult Internet users surveyed by Pew Research Center canceled accounts or changed their passwords after Heartbleed.

"Passwords are awful and need to be shot," says Jeremy Grant, head of the National Strategy for Trusted Identities in Cyberspace, a task force created by President Barack Obama in 2011 to bolster online security.

Despite all their flaws, passwords are so ubiquitous, cheap to use and entrenched in the architecture of websites and the rhythm of human behavior that efforts to supplant them have barely budged.

"It's the only piece of technology from 50 years ago we're still using today," says Brett McDowell, a senior Internet security adviser at eBay's PayPal unit.

Some people are hoping to kill passwords with fingerprint readers, iris scanners and USB keys. But a string of disappointments makes executives, scientists, engineers and government officials skeptical. McDowell and counterparts at Bank of America (BAC), Google (GOOG) and other companies are toiling away on a password-replacement project called the FIDO Alliance.

It recently released an early version of standards that could be used for other forms of online identification. PayPal is using them, and Google has been happy with an internal test, company officials say.

Apple's (AAPL) newest iPhone has a fingerprint-unlocking feature, but some users have found that typing a password is just as easy as trying to place a thumb in perfect alignment.

No one knows how many passwords there are, partly because they are proliferating so quickly that it is impossible to keep track. Surging use of smartphones, tablets and other mobile devices has worsened the sprawl. Social-networking and e-commerce websites often require users to log in so the sites can offer personalized content and advertising pitches.

Despite data breaches and warnings from security experts, people cling to easy-to-remember passwords and often use the same ones for many accounts.

"You can compare the top baby names of the year to passwords lists," said Morgan Slain, chief executive of SplashData, a password-management company that publishes an annual list of "worst passwords." The ranking is based on the most common passwords found in files containing stolen passwords posted online in the previous year. The worst of the worst vary little from year to year, including "123456," "password" and "qwerty."

Jeff Myers, 49, came up with his own strategy. A former cardiac surgeon who now works on drug trials for Gilead Sciences (GILD), Dr. Myers increases the number at the end of his password by one each month.

"Anybody with any hacking skill would figure it out immediately," he says.
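The weakness in Dr. Myers's scheme is that once one version of the password leaks, the stem is known and the trailing counter is a few thousand guesses at most. The check below, an added example in Python and not code from the article or from any company it names, is what a site can run at password-change time (when it has both the old and the new password in hand) to reject a new password that is merely the old one with a different counter, and to reject anything on a "worst passwords" list like SplashData's. The common-password set here is a constructed sample, and the 12-character minimum is an assumption, not a requirement the article states.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of a "worst passwords" list of the kind SplashData
# publishes; a real deployment would load a breach-derived list of millions.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "12345678", "abc123", "111111", "letmein",
})

MIN_LENGTH = 12  # assumed policy value, not taken from the article

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def split_counter(password: str) -> Tuple[str, Optional[str]]:
    """Split 'Secret17' into ('Secret', '17'); passwords with no trailing
    digits come back with a None counter."""
    m = _TRAILING_DIGITS.match(password)
    if m is None:
        return password, None
    return m.group(1), m.group(2)


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password shares the old one's stem and differs only
    in a trailing number (or in adding/removing one).  A cracker who holds
    the old password recovers such a new one immediately, so the size of
    the numeric change is irrelevant."""
    old_stem, _ = split_counter(old)
    new_stem, _ = split_counter(new)
    return old_stem.casefold() == new_stem.casefold()


def check_new_password(old: str, new: str) -> List[str]:
    """Return the list of policy violations for a proposed new password;
    an empty list means the change is acceptable."""
    problems = []
    if new.casefold() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_trivial_rotation(old, new):
        problems.append("trivial variant of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the monthly-increment scheme from the article.
    for candidate in ("Secret18", "secret2024", "qwerty", "correct horse battery staple 42"):
        print(candidate, "->", check_new_password("Secret17", candidate) or "ok")
```

The stem comparison is deliberately coarse: it ignores how far the counter moved because the attacker enumerates every counter anyway. A production check would extend `split_counter` with the other mangling rules crackers apply (appended years, symbol substitutions, case flips) rather than only trailing digits.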

Google and Twitter (TWTR) are among the companies that now offer a two-step authentication process to thwart hackers. After users enter a password, a one-time code is sent to their smartphone via text message. The code must be entered into the company's website.

The process is more secure than just a password but can get snarled if a phone is lost. It also slows people down.
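To make concrete what the site has to do on its side of that two-step flow, here is an added example in Python; it is not code from Google, Twitter or any company the article names. It issues a six-digit code after the password check, stores only a keyed hash of it, accepts it once within a short window, and caps wrong guesses so the code cannot simply be brute-forced over the network. The `send_sms` callback stands in for a real carrier gateway, and the five-minute lifetime and five-attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: lock the code after this many wrong guesses


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class SecondFactor:
    """Server-side state for the SMS second step.  The in-memory dict is a
    stand-in for a shared store; `send_sms` is a stand-in for a gateway."""
    send_sms: Callable[[str, str], None]
    pending: Dict[str, PendingCode] = field(default_factory=dict)
    clock: Callable[[], float] = time.time
    server_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def _hash(self, user: str, code: str) -> bytes:
        # Keyed hash: a leaked table of pending codes is useless without the
        # server secret, and a code bound to one user cannot be replayed as another.
        msg = f"{user}:{code}".encode()
        return hmac.new(self.server_secret, msg, hashlib.sha256).digest()

    def issue(self, user: str, phone: str) -> None:
        """Generate a fresh code from the CSPRNG, remember only its hash,
        and hand the plaintext to the SMS gateway.  Re-issuing replaces
        any earlier pending code for the user."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = PendingCode(self._hash(user, code),
                                         self.clock() + CODE_TTL_SECONDS)
        self.send_sms(phone, f"Your verification code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        """Accept the code at most once, only before expiry, and only while
        the wrong-guess budget has not been spent."""
        rec = self.pending.get(user)
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        if rec.attempts >= MAX_ATTEMPTS:
            return False
        rec.attempts += 1
        if not hmac.compare_digest(rec.code_hash, self._hash(user, submitted)):
            return False
        rec.used = True
        return True


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the SMS gateway
    sf = SecondFactor(send_sms=lambda phone, text: outbox.append((phone, text)))
    sf.issue("alice", "+15555550100")
    code = outbox[-1][1].split()[-1]
    print("first use:", sf.verify("alice", code))    # True
    print("replay:", sf.verify("alice", code))       # False, single use
```

The failure mode the article mentions, a lost phone, is exactly why the code is bound to an expiry and to the user record rather than being a reusable secret: a code that never reaches its owner simply lapses, and an attacker who intercepts one has five minutes and five guesses, not an open-ended window.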

"All of these create additional friction," says Uri Rivner, a former executive at RSA, a data-security division of EMC (EMC). He recently helped launch BioCatch, of Boston, which lets websites verify identity by measuring how someone holds a smartphone or drags a mouse across a screen. Major U.S. banks are using the technology, he adds, declining to identify them.

Even the smartest passwords are only as secure as the companies that store them. Heartbleed let hackers scoop protected data out of corporate servers. At Target (TGT), the company said hackers used a stolen password from a refrigeration contractor last year to invade a credit- and debit-card system, where they stole 40 million card numbers.

It isn't clear how many people may have been victims of those two frauds. Since the heist, Target has taken steps to wall off high-value data from the rest of its network. After Heartbleed was disclosed in April, dozens of websites urged users to change all their passwords.

PayPal lets customers buy things with the fingerprint sensor of Samsung's (SSNLF) newest smartphone, the Galaxy S5. Apple Chief Executive Tim Cook has said company officials had mobile payments in mind when Apple added such a sensor to its latest iPhone.

Apple's system now works only with the company's own products, like iTunes. PayPal customers could use the same fingerprint at any site that adopts the FIDO standards. Of course, when fingerprint readers on the Galaxy and iPhone don't work, users must fall back on entering a password.

Stuart Geiger, a doctoral student at the University of California, Berkeley's School of Information who studies how people interact with technology, says putting the password out of its misery would require collaboration from a gaggle of Silicon Valley companies that compete against each other in everything from online shopping to chats to television.

Even if that happens, would hundreds of millions of Internet users in the U.S. who are accustomed to relying on ham-handed passwords be willing to change their ways or switch to gadgets that use more sophisticated security? "One big factor is inertia," he says diplomatically.

The mess is much more than Corbató, a professor emeritus at MIT who lives in Newton, Mass., ever imagined when he and his colleagues came up with the password to control access to files on a huge, shared computer.

"We didn't foresee the Internet, either," he says. Corbató keeps track of his passwords by typing them on paper. He is moving them to an online file.


May 22, 2014 12:39PM
Remember that length is far more important than complexity. The password ihaveaverylongpassword takes far longer to crack than U7p#.
May 22, 2014 12:43PM
Companies that have restrictions on password length or characters are ridiculous. Why can my password only be 8 characters long? Why can't I use a $ in it? I understand forcing people to use both a lowercase and uppercase or a number and a special character, but why take choice away from customers so we are forced to remember different variations of the same root password?
May 22, 2014 1:31PM
They keep touting websites and apps that "keep" your password secure. What happens when those get hacked? Then they have all your passwords. We need to move toward biometrics but they need to work reliably first.
May 22, 2014 2:07PM
Passwords are on borrowed time. The technology exists, right now, to make all passwords unnecessary, as well as the keys to your house, your car, etc. There is, however, one big problem, and that is such systems could easily keep track of everyone on the planet. Privacy, as we know it today, would be toast. Of course, so would just about all in-person crime. There would be a large reduction in terrorism, and we could probably eliminate those scanners at the airport. Sounds great, right? Then tell me how to get funding for the project, without giving up the key points and having it stolen. If we don't do it, someone else will, sooner or later. Enjoy the simplicity of passwords, keys, and anonymity while you still can.
May 24, 2014 1:37PM
If certain people didn't build back doors in computers for other certain people like NSA, this wouldn't be much of a problem.
May 22, 2014 2:33PM
We have cameras integrated into our smartphones and laptops. Is it possible to use the cameras to take a retinal scan for ID verification? Or maybe a headshot for facial recognition?
May 22, 2014 1:13PM

and the password is........... "period"


Things that make your wife nag.

Things at the end of a sentence.

Things said by POtuS right after a lie.


You might be a Democrat if you believe it's OK to financially hog-tie 50 hardworking people to support one slackazz.


You might be a Democrat if you believe a person should make $15/hr for flipping burgers.


You might be a Democrat if you believe in freedom of speech so long as what people say is in line with your ideology.


You might be a Democrat if you believe that 5+5=7 regardless of how many mathematicians try to explain to you that it equals 10. 


You might be a Democrat if you hear the phrase "common sense" and take it for "common cents" as in everyone's money belongs in a common pool for everyone to take.


You might be a Democrat if you are beating up the oil companies with one fist while pumping gas into your gas guzzling SUV with the other. (FYI: Liberal California is the second largest contributor to CO2 emissions in the USA, go figure)

May 26, 2014 11:02AM
Good point. And sometimes it's hard to put into practice. Some online accounts still only allow 12-digit passwords and don't allow anything but numbers and letters. One financial account of mine from a major firm requires an 8-digit PIN and a social security number to log in.

When possible I use at least 12-character passwords, and I use obscure terms specific to my chemistry, industrial, or teaching career and a set of several rules that determine how the term is modified for each website I visit. All are easy enough to remember. A partial example would be something like "Ring Around The Rosy" where the "s" is changed to a "$", the "o" becomes a "0," and the spaces become the first three letters of the site. The password can be modified by rotating through a few such titles or phrases or modifying the space rules.

May 22, 2014 7:33PM
Passwords can be changed; biometrics can't. Hackers can crack anything given enough time.
May 22, 2014 3:31PM
Having a code come to my phone is a pain in the **** when whatever I am trying to log into is also on my phone. Back in the day, to log into my work PC remotely, I had to enter my password and a code off a fob which I kept in my briefcase. Convenient back then, but not so much now. Maybe a smartphone maker will incorporate a small 1-line LCD panel to only deliver these codes. That way, you wouldn't have to switch back and forth between apps just to fricken log in to a site.
Copyright © 2014 Microsoft. All rights reserved.