Each year, we trust more sensitive data to the Internet, and each year cybercriminals become more sophisticated. Yet the one thing supposedly protecting us all hasn't changed a bit: the lowly password.

Web users trust passwords with more than their online identity, relying on the user-generated string of characters to protect sensitive banking information, business communication and, as a number of celebrities found out this week, naked pictures of themselves. But the password remains the dominant mode of web security in part because safer options add complexity and because Internet companies are reluctant to disturb users' false sense of security.

“In my mind we’ve gone password crazy,” said Pete Lindstrom, an information security analyst at the International Data Corporation. “When it comes to some sort of need for a rational approach to things, people get confused about what’s rational and what are actually risks. We don’t want to think there’s not an easy answer.”

Multiple studies have shown that Web users either use simple passwords like “password” and “123456” or reuse a single complicated word for most, if not all, of their log-in credentials. That weakness is made even worse by security questions whose answers an unauthorized user can often find with a little research about the target, gaining access to the account without ever guessing the password.

“Most humans are lazy,” said Emmanuel Schalit, CEO of Dashlane, a password management firm that automatically encrypts customers’ passwords. “The true nature of the problem isn’t necessarily that passwords are the problem, the problem comes in when human beings are asked to manage passwords.”

But there is hope. The banking and e-commerce industries have invested heavily in software that monitors customers’ activities, aiming to protect them by flagging any anomalous behavior. A bank freezing a customer’s account when someone tries to log in to it from an unusual device is an example of this.

All signs point to high-value businesses doing even more with biometrics, which identify individuals based on their physiological characteristics. Apple Inc. (NASDAQ: AAPL) has taken flak after reports speculated that a security flaw in its Find My iPhone software made a vast infiltration of celebrity accounts possible, but Lindstrom said that Apple also deserves credit for being one of the major players that’s helped spread the word about biometrics and two-factor authentication.

“The thing that’s really going to revolutionize authentication for customers is the smartphone,” he said. “To the extent that you’ll have a smartphone in the future, this is going to be less and less of a problem because you’re going to be carrying your authentication around… As much as we gripe about it, it’s more of a deployment and hardware problem and cost associated with implementing hardware.”

It will take years for that to happen, though, and even then many Web users will hold out in favor of passwords simply because that is what has always been done. In the interim, analysts explained, it’s essential to convince other influential technology companies to abandon passwords in favor of an approach that actually protects users.

“Certainly the option exists today; it’s just a matter of seeing if it’s worth it for the major players involved,” Lindstrom said. “Consensus forces you to the least common denominator, not necessarily security.”