Critical Issue After Anthem Hack: Alternatives to Passwords
Most people have dozens of online accounts, all protected by passwords. Yet passwords are low tech, can easily be hacked and are a nuisance for most people to remember. Isn’t there a better alternative? Surprisingly, the answer appears to be “not yet.”
“Passwords are the cockroaches of the Internet,” said Don Thibeau, executive director of the OpenID Foundation. “You kill one and others hop up; it is an ecosystem problem. Or as one person described it, you have to convince everyone to stop peeing in the pool.”
The continued dominance of passwords takes on renewed importance after a stolen password was used to hack into Anthem (ANTM), the second-largest U.S. health insurer, with 80 million customers. The hackers stole millions of Social Security numbers and other personal information — a far more serious threat than just credit card information.
Why Passwords Are Still the Default
Still, despite all their faults, passwords remain the easiest and most reliable way to control access to our computers, mobile phones, Internet sites and apps. The reasons are numerous:
- Passwords are free. You don’t have to pay to register them, and at most sites you can choose any password you want.
- Using passwords is cheap. Companies don’t have to equip their staff and clients with password generators.
- Passwords are simple for Web sites. They store your user name and password and can see when you log in. E-commerce sites can link your purchase to a shipping address and stored credit card information.
- Passwords are always with you. They don’t require that you carry any accessories, just that you remember them. You can use them on any computer: at home, at work, at computer kiosks during trade shows or at Internet cafes from Europe to Asia.
- Using passwords can be simple. Some computers will remember individual passwords for you. So if you work from home or keep your computer close, you can let it remember the passwords for news and social media sites but perhaps insist on keying in the password for your bank account each time you access it.
- Passwords are flexible. If your information has been compromised, or if you think a co-worker has been watching over your shoulder as you enter a password, you can easily change it.
- Passwords do require a little work. To secure a device, you have to create a password and store it. Many people leave the default password in place or don’t implement one at all so they can access their phone more quickly. That’s simply not smart.
The drawbacks, however, are equally numerous. Passwords are not super secure. Since most people use common words or names for passwords, hackers can run programs with 500 to 1,000 potential passwords and succeed in getting into many accounts.
Simplicity and Complexity
Powerful programs that run millions of potential variations of words can do much more harm. Many times they don’t need to bother with complexity. CNET’s list of the most popular passwords of 2013 included 123456 and password, and ran to trustno1 and 000000.
But complex passwords are no help when a retail site, such as Target’s (TGT) or Home Depot’s (HD), doesn’t protect your information and someone gets into its systems and steals all those credentials. Things are slowly changing, however. Several leading corporations — Microsoft (MSFT), Google (GOOG), Yahoo (YHOO), eBay’s (EBAY) PayPal unit, Orange — are moving into more sophisticated protection. Chances are good you have used this protection without realizing it.
Popular and sophisticated Web sites may ask for your user name and password, but that’s largely a formality. What they are relying on for authenticating you is your location, your IP address and your behavior. Visa (V) says it runs about 600 checks in a fraction of a second before approving a transaction. Financial sites and online stores can do the same, and their accuracy and interest increase as mobile access to the Internet grows; projections are that a large and growing percentage of Internet access is moving to mobile in 2015 and beyond.
The Future Is Still the Same, for Now
The new ways of knowing who you are online open up new personalized services and some enticing profit opportunities. Mobile network operators can see where you are, what you have shown interest in before and how much you have to spend. With a change in regulations, they could monetize that information by selling it to restaurants, car companies, retailers or bars much in the same way unregulated online players do today.
Even so, we seem to be stuck with passwords for the foreseeable future. “Passwords do have their problems,” admitted Kevin Haley, director of Symantec (SYMC) Security Response. “But we have a huge infrastructure in place that is dependent on the password and no clear agreement on what should replace it. While passwords have a lot of problems, I am not sure we are going to see a replacement for them anytime soon.”