Our password system is broken, and it's about time we change it.
For the few who haven't yet spotted technology journalist Mat Honan's story about his unfortunate hacking, here's the capsule version: What started as an attempt at his Twitter feed via an Amazon account security hole quickly escalated into several wiped devices, a gutted Gmail account, and devastating data loss, both personal and professional. The terrifying tale ended with a plea for users to embrace Google's two-step verification, which requires a second level of authentication when accessing your Gmail. When James Fallows wrote about his wife's ordeal with a compromised account last year, he came to the same conclusion.
Sure, adding an extra lock would have spared both a fair amount of trouble, but there's a much bigger problem at hand. We're required to take downright ridiculous precautions to maintain our online security, and it's not sustainable. In fact, it never was. Our password system is broken, and it's about time we change it.
Let's take a little tally of where we've found ourselves, shall we? Studies show that we log into some 10 sites a day. Places that hold our most important data, like Gmail, Dropbox, and our bank, might ask us to jump through two tiers of password hoops so that they can ensure our online security. Overall we're asked to hold keys to 30-40 sites in order to read the news, access our email, or book a haircut. For each of these sites, security analysts recommend using a unique string of 14 characters made up of letters, numbers, and special symbols. But remember: Computers are quick to guess dictionary words, your birth year, and numbers substituted for letters. No repeats allowed. Oh, and whatever you do, don't write anything down.
Who can possibly remember all those characters?
It's a nutty system, so we ignore it, spreading the five or six passwords that we can remember across every online interaction. But that's not a good solution. Connect our sites with shared login information, and we're risking enormous chunks of our online lives. As Steve Ragan, a journalist at The Tech Herald, demonstrated in January, a free program and a $300 computer can crack more than 25,000 passwords in seven minutes. Perhaps xkcd said it best: "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
The craziest thing is: We've known all along that our brains are not cut out for this. Researchers observed password fatigue in the earliest days of computing. In a 1979 study conducted by Bell Labs cryptologist Robert Morris and computer scientist Ken Thompson, the challenge was clear: "Human beings being what they are, there is a strong tendency for people to choose relatively short and simple passwords that they can remember. Given free choice, most people will choose their passwords from a restricted character set (e.g. all lower-case letters), and will often choose words or names."
The researchers found that 60 percent of user passwords were less than 5 characters long, and overall, 86 percent relied on dictionaries or name lists to create them. Morris and Thompson concluded, "the results were disappointing, except to the bad guy."
People have been crying, "the password is dead," for years (that one was courtesy of Bill Gates in 2004), but we're finally in a position where change is possible. When a keyboard was our only input, text passwords made sense, but now we have so many other entry points -- touch screens, cameras, microphones -- that are harder to replicate from afar. It might just be possible to create a login that doesn't sacrifice security for usability. So let's get on with it already.
The good news is, we've already started. Researchers are aiming for a new system that's not only human-compatible, but maybe even enjoyable, too. Take, for instance, the satisfying swipe. Touch-screen keyboards are annoying, but sliding a finger across a responsive surface was, at least at first, a bit of a thrill. Android phones have taken this motion and applied it to a 3 x 3 grid login screen made of dots. Set up the phone with a pattern you fancy, repeat it, and you're logged in.
Windows 8 has strengthened the idea by replacing the dots with a user's photo. By linking parts of the image that stand out (think: a mountain top, a sloth's nose) with lines, circles, and taps, you're actually telling the computer to remember a pattern dragged over a 10 x 10 grid. Work the same magic when you return, and you're in.
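The usability-versus-security trade-off the article keeps circling back to can be put in numbers. The script below is an added example, not code from the article or from Android or Microsoft: it enumerates every valid unlock pattern on a 3 x 3 dot grid under the commonly documented Android rules (assumed here: at least four dots, no dot reused, and a straight move across an unvisited dot is not allowed because that dot gets captured instead), then compares the resulting keyspace, in bits, with the 14-character random password recommended above and with the short lowercase passwords Morris and Thompson saw in 1979. The Windows 8 picture gesture space is not modelled, since its exact gesture rules are not stated on the page.

```python
import math
from string import ascii_letters, digits, punctuation

# Assumed Android rules for a 3x3 unlock pattern (dots numbered 0..8, row-major):
#   - at least MIN_DOTS distinct dots, each used at most once
#   - a straight move whose midpoint is an unvisited dot is illegal
#     (the midpoint dot would be captured instead)
MIN_DOTS = 4
MAX_DOTS = 9


def skipped_dot(a, b):
    """Return the dot lying exactly halfway between a and b, or None if there is none."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    # A midpoint dot exists only when both row and column distances are 0 or 2.
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def count_android_patterns():
    """Count valid patterns, keyed by number of dots, by depth-first search."""
    counts = {}

    def dfs(last, visited, length):
        if length >= MIN_DOTS:
            counts[length] = counts.get(length, 0) + 1
        if length == MAX_DOTS:
            return
        for nxt in range(9):
            if visited & (1 << nxt):
                continue  # dot already used
            mid = skipped_dot(last, nxt)
            if mid is not None and not visited & (1 << mid):
                continue  # would jump over an unvisited dot
            dfs(nxt, visited | (1 << nxt), length + 1)

    for start in range(9):
        dfs(start, 1 << start, 1)
    return counts


def password_keyspace(length, alphabet_size):
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(keyspace):
    """Keyspace size expressed as bits of entropy, assuming uniform choice."""
    return math.log2(keyspace)


def keyspace_report():
    """Compare the three keyspaces discussed in the article, in bits."""
    pattern_total = sum(count_android_patterns().values())
    printable = len(ascii_letters + digits + punctuation)  # 94 printable ASCII symbols
    return {
        "android_3x3_pattern": entropy_bits(pattern_total),
        "random_14_char_password": entropy_bits(password_keyspace(14, printable)),
        "5_lowercase_letters_1979": entropy_bits(password_keyspace(5, 26)),
    }


if __name__ == "__main__":
    for length, n in sorted(count_android_patterns().items()):
        print(f"{length}-dot patterns: {n}")
    for name, bits in keyspace_report().items():
        print(f"{name}: {bits:.1f} bits")
```

Run as a script, it lists the pattern count for each length and then the three entropy figures. The point for a defender is that a swipe pattern, however pleasant, draws from a keyspace smaller than a five-letter lowercase password, so it buys usability rather than guessing resistance; it is a good lock only when paired with rate limiting or lockout on the device.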