The Day of the Password Is Done

When the popular Website Gawker was hacked into recently, more than a million user IDs and passwords were released. If you were one of the people compromised, that's annoying -- very annoying. Not that it's a big deal that someone could log into a gossip site under your name. But many of those people used those same IDs and passwords on other sites that are a wee bit more important, such as LinkedIn. Now, that's a problem.

What should you do about it? Well, I could tell you that you need to use different passwords for different sites; that you need to pick passwords other than that all-time favorite, 123456; and that you should change your passwords every month for every site. I'm not going to, though. It's all good advice, mind you, but it's also all pretty darn useless.

People never have, and never will, use good security practices. After more than 30 years of working with networks and security, I'm ready to give up on trying to get the general public to do the right things to keep themselves safe. In a company, it's a different matter. It's a pain, but if you keep at it and enforce the rules, eventually you'll get most of the people to do the right things most of the time. But people at home? It's not going to happen.

Besides, there's another issue here. At work, people need to recall, at most, two or three IDs and passwords. If you do single sign-on right, all they'll need is one. On the public Internet, though, people have to remember their IDs and passwords for their bank, Facebook, Twitter, school, Gmail, phone, electric, 401(k), LinkedIn, Computerworld and countless other accounts.

Who can manage to remember dozens of IDs and passwords for dozens of sites? I'll tell you who: no one.

I can't do it, and I'm blessed with a good memory for random alphanumeric strings -- you really don't want me to get a good look at your credit card number. If I can't do it, no one who isn't blessed with a photographic memory can do it.

What I do is keep a long list of user IDs and passwords in my head. Some of them I use only on trivial sites such as Gawker (though I don't have an account there). Others, I keep only for important sites, such as LinkedIn. And a few I save only for vital sites like my bank. Those last are tied in my memory with a specific site. So, for example, I have one ID and password for my health insurance site that I don't use for any other sites.

You can do a similar trick -- and this is security heresy -- by making a list of your account numbers, IDs and passwords. I don't mean a physical list, though. Make the list on your computer, encrypt it with a program like TrueCrypt , which can handle Linux, Mac OS X, and Windows; AxCrypt, which is Windows only; or Folder Lock, another Windows-only program.

You should also use "real" passwords. No "123456" or "abcdef;" no "password" or "your_user_name" or "my hometown" or "favorite sports team." Those kinds of passwords are so easy to break, they barely count as passwords.

If that option doesn't appeal to you, I've got another one: LastPass. This program runs on all the desktop operating systems that matter, and on the major smartphone operating systems -- Android, iOS, Symbian, and Windows Phone -- as well. It will automatically capture your log-in credentials and then enter them into the site for you the next time you visit. So, go ahead and use JK1127MarvelFan4TossSaladed! as a password. You won't have to remember it, LastPass, the password manager, will do it for you.

While I'd rather it didn't store all these passwords in an encrypted form on the Web, LastPass's advantages more than outweigh its disadvantages to my mind. It certainly beats having your one real password to every system on earth available to anyone who hacks into any site that you visit.

The real solution, though, is to find something else to replace user IDs and passwords. I don't know what that will be. I do know that as we spend more and more of our computing time online at dozens of different sites, we have to come up with a better answer that will really work for people. User IDs and passwords simply don't cut it anymore.

By Steven J. Vaughan-Nichols, Computerworld

2 comments

Click here for comments
Andrew
admin
Wednesday, January 05, 2011 ×

I agree; saving separate passwords for different sites in the browser (with a master password) is better than using just one that is never recorded. I use a random character generator - easier than trying to think of short unique words, as many sites have a limit of less than 20 characters.

Reply
avatar
kansas8000
admin
Wednesday, January 05, 2011 ×

I use my credit card number followed by "exp" and the expiration date. Easy to track down if I forget the password.
Kidding, of course, but where I worked in the past I had to occasionally do password lookups for a certain web database, and I've seen "password" and other obvious choices quite often.
That, and I suspect people often use the same password in account registrations as the one for their e-mail account, and their e-mail address is often part of the registration process.
Think of all the people working inside companies (or former employees still having functioning passwords to Web-accessible databases) who have access to site registration data. That is probably the bigger threat than outside hackers.
I NEVER use my primary e-mail account password for ANY other account. And while I may not change other passwords as frequently as I should, I do diligently change my e-mail password regularly.
If someone can access your e-mail address and password, they can then often do a little looking around your e-mail account to discover where you bank, if you've ordered from Amazon, etc. Using the lost password recovery function at these various sites, suddenly they can access a lot!

Reply
avatar