Death to Passwords

Passwords are like the keys to your house: you use them every day, but almost never really think of them until you lose them. Or someone else finds them.

The recent hack of Gawker, which operates sites such as Lifehacker, Gizmodo, and Deadspin, revealed some troubling news about the way many of us use passwords.

To put it simply, we don't use them well. In fact, if our passwords were deadbolts, many of us would be leaving the front door unlocked on a regular basis.

An analysis of almost 200,000 hacked Gawker passwords, as conducted by the Wall Street Journal, revealed that the most popular password by far was '123456.' Coming in second and third were 'password' and '12345678', respectively.

What does that tell us? For one thing, many of us still have not heeded the years of warnings and tips about password security. However, it's also clear that the password concept itself is out of date and poses a major security risk.

If the Gawker hack has taught us anything, it's that the time has come for the tech community to turn its attention to finding a better, more secure way to allow users to log on to Web sites and accounts. It's time to replace passwords with something that even our own lack of attention and thoughtfulness can't put at risk.

The Gawker password hack highlighted two significant problems with passwords. One, the fact that so many users employ simple, easy-to-crack passwords; and two, far too many users employ the same passwords for multiple sites. Crack one and, in many cases, you've cracked them all.

Such was the case with Gawker: many of the stolen passwords also unlocked the same users' Twitter accounts, and potentially their accounts on other sites, such as LinkedIn.
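To make the two problems concrete, here is an added example that is not code from the original article and not the code of any of the sites it mentions. It assumes the breached site stored unsalted SHA-256 hashes, an assumption chosen only to keep the illustration short (the article does not say how Gawker or Rockyou stored passwords); the usernames, the passwords, and both sites' tables are constructed. It runs the two attacks the article describes: guess the most common passwords against every leaked hash, then try the recovered credentials on a second site.

```python
"""Dictionary attack on a leaked hash dump, then credential reuse on a second site.

Constructed example: SHA-256 without salt is assumed for the leaked table
(the article does not state the real scheme), and every user and password
below is made up.
"""
import hashlib
from collections import Counter


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of a password; stands in for whatever the leaked site used."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "leaked" user table of the first site: username -> stored hash.
SITE_A = {
    "alice": sha256_hex("123456"),
    "bob": sha256_hex("password"),
    "carol": sha256_hex("12345678"),
    "dave": sha256_hex("123456"),
    "erin": sha256_hex("Bk7#qv!L2zWm9pRt"),  # long random password; not in any wordlist
}

# Constructed table of a second, unrelated site where some users reused passwords.
SITE_B = {
    "alice": sha256_hex("123456"),            # reused: falls with the first site
    "bob": sha256_hex("Tr0ub4dor&3"),         # different password here
    "erin": sha256_hex("Bk7#qv!L2zWm9pRt"),   # reused, but never cracked on site A
}

# The passwords the article reports at the top of the Gawker and Rockyou lists,
# plus a few more common ones, in the order an attacker would guess them.
TOP_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123", "letmein"]


def crack(leaked: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack against unsalted hashes.

    Each guess is hashed exactly once and compared against every user, so
    cracking 180,000 accounts costs the same number of hash computations as
    cracking one. Returns username -> recovered password.
    """
    guess_hashes = {sha256_hex(guess): guess for guess in wordlist}
    return {user: guess_hashes[h] for user, h in leaked.items() if h in guess_hashes}


def rank_passwords(cracked: dict[str, str]) -> list[tuple[str, int]]:
    """Most common recovered passwords, the kind of tally the WSJ analysis reported."""
    return Counter(cracked.values()).most_common()


def credential_stuffing(cracked: dict[str, str], other_site: dict[str, str]) -> dict[str, str]:
    """Try each recovered (username, password) pair against a second site.

    Returns the accounts on the other site that accept the reused password.
    """
    return {
        user: password
        for user, password in cracked.items()
        if other_site.get(user) == sha256_hex(password)
    }


if __name__ == "__main__":
    recovered = crack(SITE_A, TOP_PASSWORDS)
    print("cracked on site A:", recovered)
    print("most common:", rank_passwords(recovered))
    print("also valid on site B:", credential_stuffing(recovered, SITE_B))
```

Four of the five constructed site A accounts fall to a six-word list, and one of those passwords opens the same user's account on site B. The account with a long random password survives both steps even though the hashing scheme is identical, which is the article's point: the weakness is in the choice, not the mechanism. Per-user salts and a deliberately slow hash such as bcrypt would force the attacker to repeat the work for every user, but they do nothing for an account whose password is the attacker's first guess.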

While both of these issues have simple fixes -- using stronger passwords, and a different one for every login -- it should be clear by now that most users will never follow even those easy solutions. Rockyou.com was hacked just over a year ago, and the results showed the same alarming trends: an analysis by Imperva found '123456' at the top of that list too.

Even more alarming was the simple fact that Rockyou itself did little to secure user information, and didn't even allow many of the special characters needed to make more secure passwords.

The call to change the password system is not new. Bill Gates, speaking in 2004, declared that the password would eventually fall by the wayside because it simply couldn't "meet the challenge" of keeping hackers out and our data in. Gates and Microsoft recognized this problem six years ago.

Yet here we are six years later, and little has changed.

Providing a list of tips for increasing the effectiveness of passwords and for choosing better ones might save one or two users from being victimized by a Gawker style hack. But when hackers are able to compromise the passwords of over 180,000 users, clearly a few tips just aren't enough.

Stronger security measures, such as biometric controls and fingerprint scanners, have become more common in recent years, but the time has come for them to become the standard, not the exception. Can even these measures be hacked? Certainly. But a hacker's odds of finding a way around a fingerprint scanner are far, far worse than his odds of cracking 'password'.

As a community, technology developers, programmers, and consumers must work together to make the transition from the antiquated and insecure password system to a more secure and less 'voluntary' method of protecting our data. The Rockyou and Gawker incidents have made this abundantly clear.

It's time to face facts. When it comes to keeping our information safe, we simply can't trust our own choices.

David A. Milman, Founder and CEO of Rescuecom.
