Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The everyday agony of the password

Rich Mogull | Feb. 13, 2013
It's hard to imagine an idea more inane than passwords. That we protect many of the most important aspects of our lives with little more than a short string of text is an extreme absurdity.

Of course, we could always provide physical tokens (as some banks and PayPal now do) that either plug into a device--whoops, wrong device drivers!--or display a small, changing code on an LCD screen. Good luck, then, handling the support calls that ensue after gnomes steal the tokens from the junk drawer where the user confidently tossed the dongles.

The idea of being able to forgo keys for my car, and yet having to carry around a retractable key chain full of tokens, just so I can make an online bank deposit or upload my extensive Amazon review of a $30 cast iron Dutch oven, drives me to the brink of despair.

No, when you consider consumer services at the scale we're talking about, tokens are out. The planet doesn't have enough digital locksmiths driving around in panel vans to meet the demands for help by people who'll want to get back into BillPay at the end of every month.

What about biometrics? Fingerprint readers are cheap, Android phones include facial recognition for unlocking, and the resolution of FaceTime HD cameras on Macs is high enough to support iris scans. Those are great options--until the fingerprint reader gets dirty, or someone makes a high-resolution digital mask from a photo of you (yes, that actually works). Heck, even a photocopy of a fingerprint can fool all but the most expensive scanners.

And no matter how good your first layer of authentication is, an attacker can probably circumvent them and reset the relevant accounts simply by guessing the name of your middle-school mascot.

Here today, here tomorrow

Passwords are here to stay, headlines and technical advances notwithstanding. We might come up with viable alternatives on a smaller scale; but especially for the consumer world we live in, there are no broad, viable alternatives. And sometimes it doesn't even seem to matter:

My friend who has used variations of "wordpass" for every online account over the past 15 years has never once had a one hacked. Meanwhile, I have a credit card with such obscure password rules that I don't even try to keep track of it anymore--on the rare occasions when I need to log in, I simply type in random junk and use the password reset tool.

Which gets to the heart of why I hate passwords: Not only do we not have any other options, I can't foresee the situation improving within my lifetime. Even the self-destruct system of the U.S.S. Enterprise is protected by a password (spoken, not typed).

In the end, passwords are like that second cousin who insists on sharing his political conspiracy theories every Thanksgiving. Dumb as they are, we hate them even more because we know we can never get rid of them.

 

Previous Page  1  2  3 

Sign up for CIO Asia eNewsletters.