Online passwords: soon you’ll need even more – and you still won’t be safe from hackers

  • We’ll need passwords to obtain public services, interact with health care services and education websites, and deal with retailers
  • But using the same ones over and over again will only make it easier for hackers
PUBLISHED : Tuesday, 18 December, 2018, 10:00pm
UPDATED : Tuesday, 18 December, 2018, 11:34pm

Got too many passwords to remember? Just wait. It’s going to get a lot worse.

Five years from now the average consumer may face double the demands for passwords, says Emmanuel Schalit, chief executive of Dashlane, a consumer password security company. Schalit and other experts predict that the use of passwords will explode – but that it will eventually fade as new technology takes over.


We have ever more digital devices in our homes, but Schalit says that’s not the biggest issue; rather, it is the steady increase in the accounts we need to open, and the passwords we need to create, in order to access public services, interact with health care providers and education websites, and deal with retailers.

“The problem is not passwords. The problem is to ask humans to memorise and manage hundreds of them,” Schalit says.

Dashlane estimates that the average American has about 200 accounts that require some sort of password identification, and that this number will rise to 400 within five years or so. One expert believes Dashlane’s forecast is low.

“I think they are being conservative. I think we will have more,” says Tom Galvin, executive director of the Digital Citizens Alliance, a non-profit focused on internet consumer safety.

Faced with the constant demand for passwords, some people simply give up, and reuse the same password over and over, a practice that makes cybersecurity experts cringe. If hackers compromise any single account, they can access a victim’s other accounts.


That’s why some financial institutions, big stores and other businesses are moving towards biometric identifiers such as fingerprints, iris and voice scans, and facial recognition tools.

But those identifiers aren’t foolproof either.

“Your fingerprints are exposed. Your voice is exposed. The iris of your eye is exposed. … If your biometric information is stolen, you can’t replace it. … It is compromised forever,” Schalit said.

Those dangers were underscored when foreign hackers in 2015 stole the personal records of about 21.5 million people from the Office of Personnel Management, which is essentially the human resources office of the United States federal government.

Among the records stolen were usernames, passwords, Social Security numbers, and home addresses, but also the detailed, deeply personal information that is included in applications for security clearances, including the contact information for all the applicants’ friends and family.

Hackers also got away with at least 5.6 million fingerprints. Chinese hackers were later charged in the breach.

The pace of hacks is only quickening. Marriott International recently acknowledged that personal data of up to 500 million hotel guests had been lost during a four-year period in which hackers lurked in the Starwood guest reservation system. US Secretary of State Mike Pompeo last week confirmed that China was also behind that breach.

Schalit says that since roughly two-thirds of consumers reuse variations of the same password on multiple sites, hundreds of millions of Marriott guests are likely to have other accounts that are potentially vulnerable to hackers.
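The reuse problem described above can be checked against a person's own saved logins. The following Python sketch is an added example, not part of the original article: it flags exact reuse and simple variations (changed case, trailing digits or symbols, common character swaps) in a constructed list of site/password pairs, and the site names, passwords and function names are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample of saved logins (site, password); none are real credentials.
SAMPLE_VAULT = [
    ("mail.example", "Sunshine1"),
    ("shop.example", "sunshine1!"),
    ("bank.example", "Sunsh1ne2018"),
    ("forum.example", "Sunshine1"),
    ("health.example", "kV9#tq2LmZ8w"),
    ("school.example", "000000"),
]

# Common character swaps, mapped back to the letters they stand in for.
LEET = str.maketrans("0134578@$!", "oieastbasi")
TRAILING = "0123456789!@#$%^&*._-"

def base_form(password):
    """Reduce a password to the stem that its simple variations share."""
    lowered = password.lower()
    stem = lowered.rstrip(TRAILING).translate(LEET)
    # All-digit or all-symbol passwords strip to nothing; keep them as they are.
    return stem or lowered

def audit(vault):
    """Return groups of sites sharing an exact password or a variation of one."""
    exact, stems = defaultdict(list), defaultdict(list)
    for site, password in vault:
        exact[password].append(site)
        stems[base_form(password)].append(site)
    return {
        "reused": sorted(sorted(g) for g in exact.values() if len(g) > 1),
        "variants": sorted(sorted(g) for g in stems.values() if len(g) > 1),
    }

def exposed_by(vault, breached_site):
    """List the other accounts put at risk if one site's password leaks."""
    stems = {site: base_form(password) for site, password in vault}
    target = stems[breached_site]
    return sorted(s for s, stem in stems.items()
                  if stem == target and s != breached_site)

if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    print("exact reuse:", report["reused"])
    print("variations: ", report["variants"])
    print("if shop.example leaks:", exposed_by(SAMPLE_VAULT, "shop.example"))
```

In the sample, only two sites share an identical password, but four share a variation of it, so a leak at any one of the four puts the other three at risk.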


For many consumers, password fatigue set in long ago. Some simply click on “forgot password” on less-used websites and start the process over again. Then there are those, such as music impresario Kanye West, who opt for the simplest passwords imaginable.

During a meeting with US President Donald Trump in the Oval Office on October 11, West typed his passcode into his iPhone as television cameras zoomed in. It was “000000.” Dashlane dubbed that the worst password blunder of 2018.

Only some 20 million consumers worldwide use password managers offered by companies like LastPass, 1Password, Dashlane, EnPass, LogmeOnce and True Key. In most cases, those services create a unique password for each site a consumer visits and store them in an encrypted repository with a master password. The consumer only has to remember one password.


Andrea Limbago, chief social scientist at Virtru, a data protection company in Washington, says passwords are likely to be phased out within a decade. Passwords today are limited to letters, numbers and symbols, she says, but data scientists are already working on other identifiers.

She witnessed a recent demonstration of the use of colours, emojis, videos and images, sometimes in combination, as passwords. “It worked well. It’s not something that’s commercially available. But it works,” Limbago says.

Future login sites may show consumers things like a large palette of colours, she says, and allow them to combine those with other, nearly limitless identifiers.

“That’s much easier for us as humans to remember versus the super long passwords that are more rigorous and secure but are really, really super hard to use,” Limbago says.

In the meantime, though, Galvin says one of the best things consumers can do is to change passwords routinely. If hackers obtain older, obsolete passwords, they will prove useless. “It’s like having an old key to my house. It really doesn’t matter,” he says.