The day of the password is done

With so many Web sites demanding passwords, no one, but no one, can really be expected to remember all the ones they need

When the popular Web site Gawker was hacked into recently, more than a million user IDs and passwords were released. If you were one of the people compromised, that's annoying -- very annoying. Not that it's a big deal that someone could log into a gossip site under your name. But many of those people used those same IDs and passwords on other sites that are a wee bit more important, such as LinkedIn. Now, that's a problem.

What should you do about it? Well, I could tell you that you need to use different passwords for different sites; that you need to pick passwords other than that all-time favorite, 123456; and that you should change your passwords every month for every site. I'm not going to, though. It's all good advice, mind you, but it's also all pretty darn useless.

People never have, and never will, use good security practices. After more than 30 years of working with networks and security, I'm ready to give up on trying to get the general public to do the right things to keep themselves safe. In a company, it's a different matter. It's a pain, but if you keep at it and enforce the rules, eventually you'll get most of the people to do the right things most of the time. But people at home? It's not going to happen.

Besides, there's another issue here. At work, people need to recall, at most, two or three IDs and passwords. If you do single sign-on right, all they'll need is one. On the public Internet, though, people have to remember their IDs and passwords for their bank, Facebook, Twitter, school, Gmail, phone, electric, 401(k), LinkedIn, Computerworld and countless other accounts.

Who can manage to remember dozens of IDs and passwords for dozens of sites? I'll tell you who: no one.

I can't do it, and I'm blessed with a good memory for random alphanumeric strings -- you really don't want me to get a good look at your credit card number. If I can't do it, no one who isn't blessed with a photographic memory can do it.

What I do is keep a long list of user IDs and passwords in my head. Some of them I use only on trivial sites such as Gawker (though I don't have an account there). Others, I keep only for important sites, such as LinkedIn. And a few I save only for vital sites like my bank. Those last are tied in my memory with a specific site. So, for example, I have one ID and password for my health insurance site that I don't use for any other sites.

You can do a similar trick -- and this is security heresy -- by making a list of your account numbers, IDs and passwords. I don't mean a physical list, though. Make the list on your computer and encrypt it with a program like TrueCrypt, which can handle Linux, Mac OS X and Windows; AxCrypt, which is Windows only; or FolderLock, another Windows-only program.

You also really should use "real" passwords. No "123456" or "abcdef"; no "password" or "your_user_name" or "my hometown" or "favorite sports team." Those kinds of passwords are so easy to break, they barely count as passwords.

If that option doesn't appeal to you, I've got another one: LastPass. This program runs on all the desktop operating systems that matter and the major smartphone operating systems -- Android, iOS, Symbian and Windows Phone -- as well. It will automatically capture your log-in credentials and then enter them into the site for you the next time you visit. So, go ahead and use JK1127MarvelFan4TossSaladed! as a password. You won't have to remember it; LastPass, the password manager, will do it for you.

While I'd rather it didn't store all these passwords in an encrypted form on the Web, LastPass's advantages more than outweigh its disadvantages to my mind. It certainly beats having your one real password to every system on earth available to anyone who hacks into any site that you visit.

The real solution, though, is to find something else to replace user IDs and passwords. I don't know what that will be. I do know that as we spend more and more of our computing time online at dozens of different sites, we have to come up with a better answer that will really work for people. User IDs and passwords simply don't cut it anymore.

Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting-edge and 300 bit/sec. was a fast Internet connection -- and we liked it! He can be reached at sjvn@vna1.com.

Comments

Garry V, Wed 05/01/2011 - 11:58:

Try 1Password - no web storage to worry about
