The solution to internet security doesn’t have to be hard. Just ban passwords on a vast majority of services.
My password manager stores 853 passwords for my accounts. That may sound extreme, but the average person juggles between 50 and 200 passwords, according to experts. Most of us have dozens of dusty old accounts lurking around the internet that require passwords to log in. At a time when data breaches are on the rise, and when any one service can be hacked to put your email and password–your digital identity–up for sale on the dark web, I have a simple question to ask the tech industry: Why do we have passwords at all?
I’m not talking about your Gmail or Facebook accounts. Those need passwords. You can’t have someone reading your private messages or sending notes on your behalf. But what about all the random apps in your life, like MyFitnessPal, which recently had the accounts of 150 million people compromised? Or Spotify, which forces you to have a password, then encourages you to broadcast what you’re playing to the world, anyway?
We’ve been fooled into thinking that more passwords equal more security. By protecting all those accounts that really don’t matter to us, companies are only putting us at a greater risk when one of them is inevitably hacked. Companies should ban passwords. They’re an illusion of security, built for the interest of data-mining corporations, not individuals.
The origin of the password
We didn’t always have passwords. MIT professor Fernando Corbató helped develop the first password in the 1960s, with the intent of protecting the school’s mainframe computer. His concern was that this single system contained information on everyone at MIT, and that shouldn’t be the sort of information just anybody could access.
It was a good solution then. A secret word could be used by just a few administrators to access this information, like a speakeasy. But 50 years later, that once-elegantly simple solution has scaled poorly. “Unfortunately it’s become kind of a nightmare with the World Wide Web,” Corbató told the Wall Street Journal in 2014. He had found himself juggling more than 150 passwords on a crib sheet to keep his own life straight.
Corbató isn’t the only computer scientist who regrets his involvement with modern password culture. In 2003, William Burr was the manager at the U.S. National Institute of Standards and Technology (NIST). He created the password guidelines you’ve heard echoed again and again, even today: Change your passwords every 90 days, use a combination of capital letters, numbers, and symbols.
“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr told the WSJ in 2017. “It just drives people bananas and they don’t pick good passwords no matter what you do.”
Again, it wasn’t that Burr’s guidelines were wrong; they were just practically untenable. It’s what happens when solid engineering encounters real human factors. Even using a password manager–a service like LastPass or 1Password that stores and autofills your logins across the web–it would be a part-time job to keep so many accounts updated. So we don’t. As the service LastPass found through its own research, while 91% of people realize using the same password across accounts is risky, 59% of people use the same, or mostly the same, password across services. And 53% of people surveyed reported not changing their passwords in the last 12 months, despite widespread news about security breaches.
A simple solution
For now, most of the technology industry is blaming the user–the dumb, lazy masses that use 12345678 as a password anyway. Google is building a special password-protecting chip into its Pixel 3 phones, and creating open standards to double-check software passwords with hardware–namely, that phone in your pocket.
This approach, of making existing passwords even more secure, makes sense for Gmail, Slack, Facebook, Twitter, Instagram, and your bank. These are services that serve both as our public face, and store all sorts of private information, from messages to mortgage payments, that we need to be able to access. But if other companies care about your security, they’ll just drop passwords altogether.
Think about it: Most companies aren’t protecting you with a password. They’re protecting themselves. It’s perfectly feasible to have an account without a password. It would work fine. But Hulu doesn’t want someone streaming your paid subscription for free, so they put a password on it. And that’s not unique to Hulu–you could say the same for just about every subscription app or site out there.
“But what of my precious account details?” you ask. What about my credit card that’s on file, or my address? Yeah, there’s a solution for that stuff, too–DONT. MAKE. THAT. INFORMATION. ACCESSIBLE. EVEN. TO. THE. USER. Just because I give a service my credit card information or social security once, doesn’t mean it needs to be visible in some accounts page ever again. Most companies shouldn’t even be storing this information long-term, anyway. How many side tables do you think I’m going to buy, Wayfair?
As for that other information–how many sit-ups I did this week, or how many times my dog pooped–you know what? You can have it! Enjoy, world! Because, for one, if companies cared about my privacy, they wouldn’t have “share” buttons all over their apps. And two, I would vastly prefer to give up the mundane information about my life to protect the important things.
When I pose to the idea to Lillian Ablon, information scientist at the RAND Corporation and a DEFCON black badge holder, she says, “interesting premise.” Ablon doesn’t seem sold on the concept of giving up passwords, but she does believe they could be automated beyond our concern.
“For the types of accounts that you are describing, a solution that takes the user out of the equation–while still allowing for some authentication and access control–would be ideal,” Ablon writes. “That might be some device-driven authentication, a solution involving connecting up with a password manager that can randomly assign a new password for every service, or something else.”
Security analyst Mark Burnett, who has penned several books on security, like Perfect Passwords, and is an admin for the r/passwords subreddit, is surprised by the idea of ditching passwords altogether. “I never really asked the question, ‘do you really need a password for that?” he says. “What we’ve been teaching people over the years is to just accept the fact that you need to identify yourself, and that you need privacy on the smallest accounts.”
Ultimately, though, Burnett points out that even something like an unprotected Spotify playlist might say something about users, to profile them, and even the websites they’re likely to visit next. Something so small can really be a big security issue. He points out that hackers use “watering hole” and “spearfishing attacks.” A watering hole attack will hack a place that, say, members of the Pentagon frequent after work, while a spearfish could target a high-ranking CEO by posing as their assistant. In the most extreme cases, we all have to be secure, all the time.
“We need to have passwords,” says Burnett. “We need to treat everything like it’s some risk, even minimal, if not to us, then to someone.” It would be a sound argument if I had family in public office, if Facebook users weren’t profiled by Cambridge Analytica, if every smartphone, yes, even your precious security-focused iPhone, didn’t have a unique “Advertiser Identifier” inside of it, which is broadcast to be heavily exploited by the marketing industry to send us all better targeted ads.
“Instead of [banning passwords] we should make them easier to use, and authenticate,” Burnett concludes. I can’t agree more. But until they’re easier to use? Ban superfluous passwords. They, too, are a huge security risk to the accounts we really care about.