Don’t Kill the Password. Change the Password

Authors: Daniel J. Solove and Woodrow Hartzog
Publication Type: Other Writing
Publication Date: September 29, 2015

To access most accounts online and on computer systems, users authenticate their identity by logging in with a password. People are asked to do the Herculean task of coming up with unique, long, and complex passwords for each account, committing them all to memory, and then changing them frequently. The task is nearly impossible, and when most people fail, they’re the ones who are blamed. But people are not to blame. The problem is with passwords. Passwords are a terrible way to protect the security of data, and they are at the center of far too many data breaches.

It’s time for a change. Passwords alone can’t hack it. There is widespread consensus among data security experts that using only passwords is poor security, and there are readily available alternatives. Yet the lone password has been used for authentication for so long and so widely that it is difficult to change the status quo, even if many wished to. It’s time for the Federal Trade Commission (FTC) to step in and give the lowly password some backup in high risk contexts by requiring a second factor for authentication.

Problems with Passwords

We’ve all heard the advice: Select a long and complex password. Use upper and lower case, letters and numerals, and special characters. Commit it to memory. Change it frequently. And do this for every account you have. . . .

Most people don’t do this. How could they? The most popular passwords are still words like “password” or other simple things that even a bad hacker can crack in less than a second. People reuse their passwords, write them down on sticky notes next to their computers, or carry them in scraps of paper in their wallets. And people don’t change their passwords very often.

When people fail, our first reaction might be to scoff at them. “This idiot used the password ‘12345.’” But the system has set us all up to fail. Our memories can handle at most a few long and complex passwords, but not a lot of them and not if they must be changed frequently. According to one study, consumers have an average of 24 online accounts. For those who use the Internet more robustly, the number of accounts is much higher. It’s just too much to handle, so it’s no surprise that people fail to follow good password protocol.

Writing down passwords is often mocked, but it might be one of the most reasonable strategies for dealing with modern authentication burdens. Password managers are also very useful and recommended by many security experts. But these strategies only fix some of the problems with passwords.

Strong passwords protect against hackers guessing passwords or mounting brute-force attacks, but they don’t protect against many of the most common and effective social engineering techniques. Through phishing, pretext calling, fake websites, and other tactics, fraudsters readily trick people into divulging their passwords.

The Answer Is to Add a Factor

There are other methods of authentication that avoid the problems with passwords, and many are relatively cheap and easy to deploy. One such example is two-factor authentication. The essence of two-factor authentication is simple. In order to log in, you must have something you know (usually a password), as well as one additional factor, usually something you have (such as your cellphone). Additional factors can be mixed and matched to avoid relying on the sole password. For example, under a “two-channel” authentication scheme, companies would not authenticate users until they actually hear back from them on a second channel (such as a cellphone) dedicated to authentication. Other factors can include having a friend vouch for you, signing your name, or biometric identifiers like your face, fingerprints, or iris. None of these are foolproof, and some are certainly better than others, but generally, two factors are much better than one.

The FTC could, with just a few enforcement actions, put pressure on some companies to require more than just passwords for authentication. We don’t recommend that the FTC kill the password. Passwords still work well in many low-risk contexts because they are free to create and easy to replace. In situations where the danger resulting from a breach would be minimal, passwords are probably good enough.

Instead, the FTC should focus on a few cases with highly-sensitive personal data. The FTC can hold that the use of mere passwords is unreasonable data security when the stakes are extremely high. By targeting the high-stakes situations, the FTC can spark a change in thinking about passwords. Instead of just passively accepting the use of passwords, companies would engage in a risk assessment to determine whether they should continue to merely use passwords or move to an improved method of authentication. All the FTC needs to do is signal in a few cases that the status quo is unacceptable.

If you’re like many people, you’ll probably groan the next time the message pops up on the computer to change your password. It’s time for that message to shift to a higher level – it’s time to change the use of passwords itself.

Cross-posted from Wired.