If you factor the growth in the number of usernames and passwords that existing Internet users already have together with the huge projected growth in new Internet users, the likely damage caused by lost and stolen passwords may very well follow “Moore’s Law” and double every few years. We need to step up and admit that we have a password problem.
With the explosion of social media websites, and with more and more businesses letting you do transactions online, it seems that each and every one of us has a growing number of online usernames and passwords that we must remember. This means that every time we sign up at a new website we are confronted with the challenge of what to enter as our password for that site. No doubt some of the thoughts that flash through our minds when we create a new password include:
- How often will I access this website?
- How valuable and sensitive is the information about me that will be stored in this website?
- Do I really want to remember yet another password (“YAP”), or should I use an existing one? and
- How quickly do I want to do this particular transaction on this website, so do I even care what my password is right now?
One could easily argue that there is a predisposition for the website operator to let users create a password that is easily entered and remembered, so that the user can come back to the site and log in quickly. Minimal friction to get on the site means more transactions and revenue for the website. The downside, of course, is that passwords that are easily entered and remembered can be inherently weak in terms of being easily guessed and compromised by a hacker.
At least with websites we are always required to create a username and a password. With the mobile devices that we are purchasing in greater numbers, the default is not to have an unlock code to access the device or a passcode to access your voicemail. If you lose your phone and don’t have an unlock code, and don’t have a way to remotely wipe it, the finder has free rein to go through your emails, contacts and other personal information you store on your phone. Or, as shown in the case of the News of the World hacking scandal, someone could easily get into your carrier’s voicemail system and listen to your voicemails.
At the same time that existing Internet users are required to remember more and more passwords for all these great new sites we want to access (and are forgetting to set passcodes on our new phones and tablets), new Internet users are joining in increasing numbers. For example, a recent study says that China’s Internet population has now hit 485 million, so the cumulative number of usernames and passwords on the Internet is growing exponentially. That same Chinese study reported that 25% of Internet users have had their account or password stolen, which, if you take that report at face value, means that 100 million users in China alone have been or will be hacked this year.
So back to picking a password for that new website you want to sign up for. You could enter a common password that is easily remembered by you (“password”, “gogiants”, etc.) but is also easily guessed by a bad guy. You could enter a complex password that you use across multiple websites, thereby making it “strong” vis-à-vis a bad guy guessing it and easily remembered by you, but you run the risk that if one of those sites gets hacked and the website doesn’t store passwords in encrypted format, the bad guys will use automated programs to scan thousands of websites to see if your username and password work on one of them.
You could also write your passwords down on a piece of paper, but it’s a piece of paper that you may lose, or it may not be with you when you need to log in to a website. Or someone may just take that piece of paper. You may try to create a mental algorithm for each website’s password, where something unique about that website triggers you to enter a unique password, but your algorithm may be too easy and your passwords easily guessed, or too difficult and you forget what the algorithm is. Or you could buy a third-party password manager product that stores your passwords in encrypted form, but of course that costs money, and it may not work on your mobile device or on the computer at Grandma’s house when you need to access your bank account.
And to make matters worse, even if you have a strong password (e.g. alphanumeric, more than 6 characters, etc.), computing power has increased so much that a simple graphics card can crack a strong password by brute force in seconds. Which means that if a website can’t quickly spot a brute-force attack on your password and lock your account, even your strong password is not good enough.
So what to do? I am not entirely sure. Certainly one proposal is to supplement or replace passwords with biometrics (e.g. a device that reads your fingerprint) or a smart card so you have a “multi-factor” sign-on process, but I am not sure if that approach can work anytime soon given that most existing computers and mobile devices are not equipped for that.
But I do know there is too much burden on consumers to figure this password problem out. One idea that comes to mind (and that maybe is in the wishful-thinking category) is to have the large websites form a consortium to set minimum standards for password security, much like when the credit card industry formed the Payment Card Industry Data Security Standard (PCI DSS) to improve security over the processing of credit cards by merchants. Microsoft’s Hotmail just recently banned guessable passwords (like “password”), so that’s a belated start, but Hotmail is not yet telling its users with existing weak passwords to change them.
This consortium could define increasingly uniform password policy standards based on the level or nature of the data being stored at a site. If major websites started implementing a “good housekeeping seal” for passwords (e.g. refuse to let you use a password that is susceptible to dictionary attacks, require a minimum length, require alphanumeric characters, etc., and on the back end store passwords in encrypted format and lock out an account after a certain number of bad attempts, etc.), then sites that don’t have this “seal” would be looked at less favorably by consumers. It certainly wouldn’t solve the problem, but it should at least improve the situation. Similarly, there could be an opportunity for the makers of web browsers to agree on a common master password system, like Mozilla’s recently proposed BrowserID.
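To make the “seal” concrete, here is an added Python sketch of what the back end of a site honoring it would do; it is an illustration written for this post, not code from any website or consortium. The deny list, the 8-character minimum, the five-attempt lockout, the 15-minute lockout window and the PBKDF2 iteration count are all assumed values chosen for the example. The “store passwords in encrypted format” item is implemented the way practitioners normally do it, as a salted one-way hash (PBKDF2 from the standard library) rather than reversible encryption, so a leaked database does not hand over the passwords themselves.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample deny list for the example. A real site would load a
# full dictionary / known-breached-password list (assumption: illustrative only).
DENYLIST = {"password", "123456", "qwerty", "letmein", "gogiants"}

MIN_LENGTH = 8               # assumed policy value
MAX_FAILED_ATTEMPTS = 5      # assumed policy value
LOCKOUT_SECONDS = 15 * 60    # assumed policy value
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly


def policy_violations(password: str) -> List[str]:
    """Return every 'seal' rule the candidate password breaks (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("not alphanumeric (needs both letters and digits)")
    if password.lower() in DENYLIST:
        problems.append("found in the common-password / dictionary deny list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow one-way hash; the salt makes precomputed tables useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


class AccountStore:
    """In-memory stand-in for the site's user database (constructed for the example)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> List[str]:
        """Create the account only if the password passes policy; return violations."""
        problems = policy_violations(password)
        if problems:
            return problems
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)
        return []

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'; counts bad attempts and locks the account."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            # Do the same amount of hashing work for unknown users so response
            # time does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            return "locked"
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    print(store.register("alice", "password"))          # rejected by policy
    print(store.register("alice", "Tr0ub4dor-and-3"))   # [] means accepted
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "wrong-guess", now=1000.0))
    print(store.login("alice", "Tr0ub4dor-and-3", now=1000.0))  # still locked
```

The `now` parameter exists only so the lockout window can be exercised deterministically; a production login path would let it default to the clock. The lockout counter is per account, which is exactly the check the post asks for against a graphics card grinding through guesses: after the fifth bad attempt the right password is refused too, until the window expires.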
Maybe we as consumers should be more demanding of the websites we visit and complain loudly when they let us enter “password” as our password. Hackers like the LulzSec group are raising awareness of poor website security through their attacks, but users whose personal information is leaked by the hack are the collateral damage. So until large website operators do more, the burden of the password problem is on each of us.