A world beyond passwords
They’re a necessary evil of the computer age, those passwords so many of us just can’t seem to remember. So might they soon become a thing of the past? Susan Spencer is hoping the answer is “yes”:
New York Times reporter Ian Urbina gets paid to ask questions, but there is one question he never really expected anyone to answer. He would go up to total strangers and ask them, “What’s your password?”
“I would just ask, ‘Do you have any passwords that are special to you? Can you tell me the story behind them?’” he said.
He snuck up on strangers on airplanes, on parents at the playground. For four years, wherever he was, he would plead and cajole, and usually get their secret password.
“What’s funny is, these people were really open and willing, sometimes even eager, to tell me their full story and their password,” he told Spencer.
One theory: people are so fed up with creating and remembering the things that revealing them feels a lot like revenge.
“I call them digital nudists,” Urbina said. “People just disrobe and say, ‘Okay, I’m so sick of this. Here’s my password!’”
A former chief technology officer at the Federal Trade Commission, Lorrie Cranor has written more than 15 scientific papers on passwords. She said dealing with passwords is frequently a frustrating experience.
“We have so many rules about how they have to be complicated, and hard to guess,” Cranor said. “And then we’re supposed to have a different one for every account we have, and we’re not supposed to write them down. And that’s just really difficult for people to deal with.”
And clearly we can’t cope: A CBS News poll found that roughly one in four people has to reset a computer password at least once a month.
And so the password process often goes — reset it, and then forget it. And yet we are likely to tell ourselves THIS is one I will remember; after all, it’s so very clever. But chances are that you won’t, and it isn’t.
Cranor said, “The attackers, you know, first they guess your name. And then they guess your name with a one. And then they guess your name with an exclamation point, right? Because those are the most common things that so many people do.”
To generate unguessable passwords, Cranor recommends using a computer program that creates passwords for you.
She says most people are clueless about security. Just how clueless was clear to Spencer when she took Cranor’s password test: just pick the safest password, choosing between “pAsswOrd” and “p@ssw0rd.”
“Definitely the second one,” Spencer said.
“That’s actually wrong,” Cranor laughed.
- Test yourself with The Password Game (from Carnegie Mellon University)
The most unhackable password, said professor Chris Collins, consists of random characters.
“Long and random!” added fellow professor Julie Thorpe.
“Nobody wants to do that,” he laughed.
Collins and Thorpe study passwords at the University of Ontario Institute of Technology in Canada. “Because we’re writing them every day, people want to have something that means something to them,” Collins said.
Which is exactly what they found when they combed through a database of 32 million stolen passwords: most used real words, with “love” topping the list:
“iloveyou2 … iloveyou1 … love 123 … ilovehim … truelove … love12 … onelove … iloveu2 … inlove…”
Encouragingly, perhaps, the word love appeared 23 times more often than the word hate. Other popular choices: Baby, hot, girl, dog, and a few vulgar suggestions of something you could go do to yourself.
“We as humans don’t sit well with randomized codes,” said Urbina.
“I don’t want to be known as JQ4$!” Spencer laughed.
“Right, yeah, that just doesn’t feel right.”
Spencer added, “That’s not my password!”
In fact, research for his 2014 New York Times article, “The Secret Life of Passwords,” convinced Ian Urbina that they often are keys to an intensely personal story.
“This topic is almost like a portal into a very deep place,” he said.
Take the mother Urbina met at a playground: “She told me that her son had committed suicide. And she had discovered his password written somewhere, and the password was ‘Lambda1969.’ And she quickly figured out that ‘Lambda’ and ‘1969’ were both specific things in gay history. And it got her realizing that her son had been gay.”
But even meaningful passwords are hard to keep track of. In 2004 Bill Gates even predicted that password-based security would become obsolete.
“I mean, we have driverless cars. Why is this so hard?” Spencer asked.
“Yeah, it seems to be a very hard problem,” said Cranor.
In our CBS News poll, an optimistic 80 percent said they expect passwords WILL be replaced. But with what?
“A lot of people will use a fingerprint on their phone,” Cranor said, adding, “it’s not actually that secure.”
According to Karl Martin, who founded NYMI, a technology start-up in Toronto, “Your fingerprint is actually something you leave everywhere. So they’re not actually secrets.”
In fact, his fingerprints are all over an idea that might make passwords obsolete.
“What we’ve discovered is that the electrocardiogram, the heart rhythm, is a great way to identify people,” he said. “The pattern of the rhythm is different for every person.”
Martin’s wristband uses your heart rhythm to identify you to your computer. No passwords.
No remembering your second grade teacher’s middle name. “No complex secrets,” Martin laughed. “It’s just you and your wristband.”