Escape From Password Hell
By Samuel Greengard
You know a system is broken when almost nobody can use it. This is currently the case with online passwords. The situation has deteriorated to the point of absurdity. Every day, there's an article somewhere warning individuals to avoid stupid passwords like "password" or "123456."
No question, these are really dumb passwords. But they're not as stupid as the system we currently have in place. Consider: We all log into dozens or hundreds of sites every week and, theoretically, we're supposed to have a different password for each site. Worse, we're supposed to memorize all these passwords and change them periodically.
Right. And we're supposed to walk 10,000 steps a day and save a couple of million dollars for retirement.
Fortunately, there are password management programs, and they work pretty well. For example, 1Password and RoboForm can securely store passwords and automatically enter them at the right website. But this is a Band-Aid that only hides the problem. In reality, most consumers don't use these programs and, in an enterprise environment, a lot of people are extremely complacent about passwords.
Fact is, we need to address the problem from an entirely different direction. Several companies already provide two-factor authentication tools that work across platforms and browsers. Although some organizations have already adopted these systems for internal use, the technology is essentially useless for consumers visiting websites and logging into online accounts.
But there are some rumblings of change. Google is reportedly working with Yubico to combine a multiple-factor identification device--a tiny USB key--with a new security protocol that would authenticate a person's identity at participating websites. Others have discussed the idea of having a small chip embedded in a ring or a wearable item.
One can only hope that Google or another company succeeds in ending the password madness. In the meantime, CIOs and other executives must do a much better job of protecting their customer databases. Web hosting service 1&1 Internet recently found that 54 percent of consumers worry about entering their details every time they visit a website. A spate of high-profile breaches, including LinkedIn and Zappos, hasn't done anything to bolster confidence.
In the end, CIOs and other senior executives must understand that the path to better security ultimately takes two distinct routes: better protecting enterprise databases and working to eliminate passwords altogether. It's time to stop using the digital age equivalent of skeleton keys for protection.