We turn our noses up when we read that the most common, most easily hacked passwords are “password” or “123456.” Who would possibly think that using “password” as your password is a good idea? You feel good and secure knowing that your 7-20 character passwords have plenty of numbers, symbols, and uppercase letters. Plus, you always get a “very strong” password strength rating when you create a new one. Your online identity is locked down, Fort Knox style. Then you read about Mat Honan. He’s a senior writer at Wired who, despite having “robust” alphanumeric passwords seven, 10, and 19 characters long for his Apple, Twitter, and Gmail accounts, had them all hacked and lost years of stored documents and photos because the accounts were linked together. Since being hacked, Honan has been looking into online security, and what he discovered about our password-centric web is terrifying, to say the least. No matter how complex, no matter how unique, your passwords can no longer protect you.
Look around: leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.
Of course, it’s easy to make online accounts more secure, but nobody can remember an insanely long, random password, and nobody wants to struggle to recover a password they’ve forgotten. That’s one of the many problems with password-based online security: these systems need to be convenient enough that people keep using them. You might not be addicted to Facebook, for example, if logging into the site were onerous and recovering your password were a chore.
Biometric approaches to security, like fingerprint readers and iris scanners, do well, but Honan shows how easily those could be compromised too. Google is moving in the right direction with its two-factor authentication system, where a password is sent to your phone if someone tries to log into your Google account from another computer. But, again, that can be compromised by hacking into your cell phone account. The only way forward is real identity verification: to allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity. We are not going to retreat from the cloud—to bring our photos and email back onto our hard drives. We live there now. So we need a system that makes use of what the cloud already knows: who we are and who we talk to, where we go and what we do there, what we own and what we look like, what we say and how we sound, and maybe even what we think.
That shift will involve significant investment and inconvenience, and it will likely make privacy advocates deeply wary. It sounds creepy. But the alternative is chaos and theft and yet more pleas from “friends” in London who have just been mugged. Times have changed. We’ve entrusted everything we have to a fundamentally broken system. The first step is to acknowledge that fact. The second is to fix it.
With so much of our lives protected by easily hackable passwords, I’d say yes, it’s time we figured out a better way, even if that means navigating the Internet of the future is a little more complicated.