Escape From Password Hell


By Samuel Greengard

You know a system is broken when almost nobody can use it. This is currently the case with online passwords. The situation has deteriorated to the point of absurdity. Every day, there's an article somewhere warning individuals to avoid stupid passwords like "password" or "123456."

No question, these are really dumb passwords. But it's not as stupid as the system we currently have in place. Consider: We all log into dozens or hundreds of sites every week and, theoretically, we're supposed to have a different password for each site. Worse, we're supposed to memorize all these passwords and change them periodically.

Right. And we're supposed to walk 10,000 steps a day and save a couple of million dollars for retirement.

Fortunately, there are password management programs and they work pretty well. For example, 1Password and Roboform can securely store passwords and automatically enter them at the right website. But this is a Band-Aid that only hides the problem. In reality, most consumers don't use these programs and, in an enterprise environment, a lot of people are extremely complacent about passwords.

Fact is, we need to address the problem from an entirely different direction. Several companies already provide two-factor authentication tools that work across platforms and browsers. Although some organizations have already adopted these systems for internal use, the technology is essentially useless for consumers visiting websites and logging into online accounts.

But there are some rumblings of change. Google is reportedly working with Yubico to combine a multi-factor authentication device, a tiny USB key, with a new security protocol that would authenticate a person's identity at participating websites. Others have discussed the idea of having a small chip embedded in a ring or a wearable item.
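The idea behind a hardware key of the kind described above is that the website never holds a secret it could leak: the key generates a separate key pair per site, the site stores only the public half, and each login is a signature over a fresh random challenge. The following Go program is an added illustration of that general pattern, not Google's or Yubico's actual protocol; the `Authenticator` and `RelyingParty` types, the `https://bank.example` origin and the user name `alice` are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator models a hardware key holding one signing key per website
// origin. Only the public half ever leaves the device (constructed model).
type Authenticator struct {
	keys map[string]ed25519.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair for origin and returns the public key,
// which the site stores where it would otherwise keep a password hash.
func (a *Authenticator) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return pub, nil
}

// Sign answers a login challenge. The signed message includes the origin the
// device believes it is talking to, so a signature made for one site does
// not verify at another.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no credential registered for origin " + origin)
	}
	return ed25519.Sign(priv, signedMessage(origin, challenge)), nil
}

// signedMessage is the byte string both sides agree to sign and verify.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// RelyingParty models a website. It stores public keys only, so a breach of
// its user table yields nothing that can be replayed as a credential.
type RelyingParty struct {
	Origin string
	users  map[string]ed25519.PublicKey
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, users: map[string]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// NewChallenge returns 32 random bytes. A fresh challenge per login attempt
// is what stops a captured signature from being replayed later.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify checks the signature against the stored public key for user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedMessage(rp.Origin, challenge), sig)
}

// Login runs one round trip: the site issues a challenge, the device signs
// it, the site verifies. Returns true when the login is accepted.
func Login(rp *RelyingParty, dev *Authenticator, user string) (bool, error) {
	challenge, err := rp.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := dev.Sign(rp.Origin, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, sig), nil
}

func main() {
	dev := NewAuthenticator()
	site := NewRelyingParty("https://bank.example") // constructed origin
	pub, _ := dev.Register(site.Origin)
	site.Enroll("alice", pub)
	ok, err := Login(site, dev, "alice")
	fmt.Println("login accepted:", ok, "error:", err)
}
```

Note what the site's database contains after enrollment: a public key per user and nothing else, which is why a breach of the kind the article goes on to discuss does not hand an attacker a reusable credential, and why the same device can hold a distinct key for every site without the user remembering anything.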

One can only hope that Google or another company succeeds in ending the password madness. In the meantime, CIOs and other executives must do a much better job of protecting their customer databases. Web hosting service 1&1 Internet recently found that 54 percent of consumers worry about entering their details every time they visit a website. A spate of high-profile breaches, including LinkedIn and Zappos, hasn't done anything to bolster confidence.

In the end, CIOs and other senior executives must understand that the path to better security ultimately takes two distinct routes: better protecting enterprise databases and working to eliminate passwords altogether. It's time to stop using the digital age equivalent of skeleton keys for protection.


4 Comments for "Escape From Password Hell"

  • Graeme February 08, 2014 2:35 pm

    Excellent article. Sorry for the late comment, but 1 year later, your article remains pertinent and prophetic. I have escaped from password hell by using PassIT.Net from sescoa.com. I understand your Band-Aid comment though, but PassIT has turned out to be a fantastic band-aid. What bewilders me is that in order to achieve transportability and flexibility many security providers are utilising the Web and Cloud services for storing security information. So instead of storing this information in a secret and non-accessible place, we store it in an environment which is accessible to millions of people, millions of bots and machines. Just doesn't make sense. The Yubico key is very interesting. Thanks again Samuel.

  • Biplab August 26, 2013 3:47 pm

    Thanks for another wonderful article.

  • Steve Kirsch January 30, 2013 11:09 pm

    Passwords are pretty convenient as an authentication factor. The big problem with passwords is that they are always implemented as shared secrets. OneID fixes that mistake... the passwords are never shared with the relying party. They cannot be phished or keylogged. OneID password logins are two-factor but look to the user like they are using just one factor. That means you can get 100% compliance. That's a huge improvement over the 1% of Google users who use 2-factor....

  • Douglas Weich January 30, 2013 1:48 pm

    OneID has figured out how to make two-form authentication work - smartphones. This solves the problems for enterprise security and B2C sites. Smartphones might be a step shy of universal but they're getting there and will certainly always beat out requiring another piece of hardware like Yubico. OneID has also implemented an industry-leading security infrastructure. Learn more at http://www.sophelle.com/OneID/....