Building a Better Password

Hackers can break 90 percent of passwords, and new methods -- like eyeprints -- are needed to protect our data.

  • Share
  • Read Later
Laurence Dutton / Getty Images

Corrections Appended: July 15, 2013

I hate passwords. I hate it when I’m asked for eight to 12 characters. I hate when I need to use a capital letter, a number and, especially, a symbol. I hate when I have to set stupid security questions. I know we need passwords in our modern, tech-dependent lives — but I still hate them.

I have a confession: I use the same password, in various combinations of capital letters, numbers and a special character, depending on the requirements. And that comes out to about seven variations. I know it’s stupid and everyone tells me not to do it, but give me a break — I have more than 20 other passwords to remember.

My hatred of passwords reached new heights recently, when I tried to log in to my student loan provider’s site. First, I tried the most common variation of my password. No dice. Then the next. No dice again. Just in case, I have all my passwords written in a binder, but I thought I’d give it one more try before digging it up. I typed it in, gearing myself for another bright red “Incorrect password, please try again,” But I got a different reply: “You have exceeded three attempts to log in. Please call 1-800-SCREW-YOU to reset your password.”

Irritated, I called the number and explained the situation. They asked me a few security questions. No big deal, I knew the answers. “Okay, sounds good,” the operator said. “The final step is… what is your password?”

Are you kidding me?

I wanted to hurl my phone at the wall, cursing the illusion of “convenience” in modern life. For a moment, I contemplated defaulting on my payments just so I never had to log in to the site again. But once I regained my composure, I ask myself: has Internet security really come to this?

Isn’t there something easier? Some innovation on the horizon to make capital letters and special characters a thing of the past? Something, anything, to take me into this so-called “Brave New World.”

Welcome to Password Hell

It’s easy to romanticize the good ol’ days, when valuables were kept in safety deposit boxes at banks. To get them, you’d give a bank employee your ID. And after he verified you — with a thorough look up and down — you’d get access to your lockbox. But these days, our most valuable assets are often data, accessed through the Web. The difference? There’s no ID card for the Internet, so you’re stuck with old-school, cloak and dagger passwords.

If you’re like me, you’re terrible at passwords, but that’s not our fault. The human brain, in fact, isn’t wired for it. We have a hard time remembering new passwords, because our brains are distracted by all the old ones — past and present — that are rattling around in our heads. To remember, you have to first “forget” and suppress non-essential details, according to a landmark Stanford study. So when you “remember” new logins, your brain needs to block out the distractions, or essentially forget the unnecessary digits or words of the old, to remember the new.

“From a neural standpoint, forgetting the old password makes the brain more efficient,” Anthony Wagner, a professor in Stanford’s psychology department, told the University’s news service for an article back in 2007.

Easier said than done. We have too many passwords: almost three-in-five adults have five or more unique passwords, and nearly one-in-three have more than 10, according to a study by Janrain, a user management company. But I’m part of a smaller, more significant, demographic: the eight percent that have to remember a whopping 20 or more passwords.

The result is serious fatigue, to the point where one-in-three think solving world peace is easier than trying to remember all their passwords. With stats like these, is it any surprise that we collectively hate passwords?

As a result, people like me do dumb things, creating a few password variations to help an increasingly untenable situation. Or we do even dumber things, like use passwords such as “password” or “123456.” Or we create a “base” password and add a variation for each site. Need a password for eBay, for example? “asdf” and “ebay”… “asdfebay” — voila! We know it’s stupid, but we’re driven to these solutions because our memories just can’t remember all those passwords.

Whatever we’re doing, it’s not working: nearly two-in-five people have to ask for assistance on their username or password for at least one website a month, according to Janrain. So if you can’t remember your password, don’t feel stupid — you definitely aren’t alone.

But that difficulty in remembering creates dangerous security backdoors. According to Deloitte, more than 90 percent of passwords — even those with capitals and symbols, considered strong by IT departments — will be vulnerable to hacking. As hardware gets faster and software grows more advanced, programs to crack codes have never been more powerful. They can brute-force thousands of times faster, processing billions of combinations a second. Not an hour, not a minute — a second. And chances are, your password will be among them.

[youtube http://www.youtube.com/watch?v=yVeu48cZEAc?version=3&rel=1&fs=1&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent%5D

It’s a vicious loop: sites need increasingly intricate passwords, but that very intricacy makes them difficult to remember — so we devise ways to remember them, but those very methods create even more security holes. Passwords — and our inability to remember and manage them — are simply ineffective in securing and protecting valuable information. There needs to be a fix.

Beyond Letters, Numbers and Special Characters

You can manage the deluge with a few solutions. Password manager apps, for example, can store and help us access our login right at our fingertips, either storing passwords on your device or in the cloud. Some go above and beyond: security company Passban has a free Android app, called Passboard, that lets you use your voice, face or location to secure apps on your smartphone.

Passban also created a wearable wristband to let you use gestures as passwords, so you can unlock laptops and smartphones, among other devices, with a swipe of the hand — the band works in tandem with Bluetooth to unlock when that movement is repeated. You can also combine gesture-passwords with other authentication methods like facial or voice recognition, and location check-in to create more security layers.

[youtube http://www.youtube.com/watch?v=clncXXM5qVg?version=3&rel=1&fs=1&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent%5D

Kickstarter-funded myIDkey, meanwhile, uses a USB drive to sync with a desktop app to store all your logins and passwords, including sensitive data such as bank account numbers. It connects to a computer, or tablet and smartphone via Wi-Fi, and fills passwords as needed. But, of course, you still have to remember where the myIDkey is, but it beats remembering 20 or so passwords.

[youtube http://www.youtube.com/watch?v=wlOKash7BEU?version=3&rel=1&fs=1&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent%5D

The next frontier goes beyond USB drives or even voice and facial recognition — into the wild world of biometrics. After all, what’s more unique than your fingerprints and your retina? Some banks require you to enter a PIN code along with voice authentication, for example. Sounds right out of a sci-fi novel? It is.

“Over the next five years, your unique biological identity and biometric data — facial definitions, iris scans, voice files, even your DNA,” David Nahamoo, an IBM research fellow, wrote in a 2011 blog post. “It’ll become the key to safeguarding your personal identity and information and replace the current user ID and password system.”

[youtube http://www.youtube.com/watch?v=px2Nq-0X_oY?version=3&rel=1&fs=1&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent%5D

EyeVerify, for example, is working on software to identify you by your “eyeprints,” patterns of veins in the whites of your eyes. Installed on devices like smartphones, you look into a camera and move your eyes around, and it maps the veins in your eye to match them against an eyeprint record. It can tell between the real person and an imposter with 99.97 percent accuracy. The company is still testing the software, but it says it’s talking to phone makers about adding it into future devices.

[youtube http://www.youtube.com/watch?v=S-qfmtSJ4h4?version=3&rel=1&fs=1&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent%5D

There are still problems, though. Wearing a wristband all the time is clunky, and a USB device is easy to lose. Leaning on biometrics also create complications in sharing accounts with trusted partners, especially in emergency situations. And if, by chance, biohackers “cracked” your body — it’s already happening with advances in “writing” DNA code — how do you change your password? What would my loan company tell me if I can’t get into my account — get some new eyes?

Still, the time is coming when companies, software makers and people recognize that passwords — and online security in general — must evolve to keep pace with fast changes in technology. Sure, an eyeprint sounds a bit weird, but if it means never having to remember another password again, I’m all for it.

The original version of this article included quotes or statements that were not clearly attributed to the original sources.

This article was written by Kat Ascharya and originally appeared on Mobiledia
More from Mobiledia: