We snicker when we read that the most common, hackable passwords are "password" or "123456." Who would possibly think that using "password" as your password is a good idea? You feel good and secure knowing that your 7-20 character passwords have plenty of numbers, symbols, and uppercase letters. Plus, you always get a "very strong" password strength rating when you create a new one. You're online identity is locked down, Fort Knox style.
And then you read about Mat Honan. He's a senior writer at Wired who, despite having "robust" alphanumeric passwords of seven, 10, and 19 characters long for his Apple, Twitter, and Gmail accounts, had them all hacked and lost years of stored documents and photos because they were linked together. Ever since being hacked, Honan has been looking into online security and what he discovered about our password-centric web is terrifying, to say the least.
No matter how complex, no matter how unique, your passwords can no longer protect you.
Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.
Of course, it's easy to make online security more secure but nobody can remember an insanely long, random password and nobody wants to encounter difficulties recovering your password when you forget it. That's one of the (many) problems with password-based online security: these systems need to be convenient enough so that people keep using them. You might not be addicted to Facebook, for example, if logging into the site were onerous and recovering your password were a chore. Honan goes into great detail in his piece about how the password-based system is failing us (you can read it here).
He points to biometric approaches to security (like fingerprint readers and iris scanners) but shows how those could easily be compromised. He praises Google for moving in the right direction with its two-factor authentication system where a password is sent to your phone if someone tries to log into your Google account from another computer. But, again, that can be compromised by hacking into your cell phone account. So how does he suggest we move forward?
The only way forward is real identity verification: to allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity. We are not going to retreat from the cloud—to bring our photos and email back onto our hard drives. We live there now. So we need a system that makes use of what the cloud already knows: who we are and who we talk to, where we go and what we do there, what we own and what we look like, what we say and how we sound, and maybe even what we think.
That shift will involve significant investment and inconvenience, and it will likely make privacy advocates deeply wary. It sounds creepy. But the alternative is chaos and theft and yet more pleas from “friends” in London who have just been mugged. Times have changed. We’ve entrusted everything we have to a fundamentally broken system. The first step is to acknowledge that fact. The second is to fix it.
With so much of our lives protected by easily hackable passwords, I'd say yes, it's time we figure out a better way, even if that means navigating the Internet of the future is a little more complicated.