Blue Cross, Anthem, Sony, Home Depot, JP Morgan, eBay, Target... these are just the recent major hacking incidents resulting in stolen names, social security numbers, financial information and passwords. How can we, as individuals, protect sensitive information? Passwords may not be the best way.
A plethora of passwords
My business is matching organizations with environment, health & safety (EHS) software and technology platforms, and I use lots of business and creative software. I write an IT column for a professional magazine and two blogs, so I use various Web sites for research. When not working, I catch up with friends and family via social media sites and play games to relax. The result: hundreds of different software applications and Websites with user IDs and passwords.
Passwords are longer and more complex than they used to be. One of my airline frequent flyer sites switched from a four-digit numeric password to an eight-character “strong” password–one with upper and lower case letters, at least one number, and at least one symbol (e.g., #@%!). While Microsoft suggests strong passwords of eight characters, I started using 10 to 15 characters (see How to Create a Strong Password for tips on creating and remembering passwords).
Best practices largely ignored
Best practices include using a unique password for each site, and changing it frequently. Most of us do not follow this practice, because it is too hard to remember and manage all the passwords.
Cloud-based password managers like Roboform or LastPass, and integrated password managers like iCloud Keychain, can help minimize the madness. These free and low-cost tools let you synchronize passwords across devices and platforms, such as Windows and OSX computers and Windows, iOS and Android tablets and smartphones. All you need to remember is a master password.
I suspect that the majority of people use old-fashioned methods… they create a few passwords that are easy to remember, and use them over and over. They write their passwords on a Post-it note and keep them in a “safe” place where others can find them.
Some sites, like this blog and my Google page, use two-factor authentication, i.e.,
- something you know (a password) and
- something you have (a verification code sent to a smartphone).
Three-factor authentication requires, in addition,
- something you are (a fingerprint or iris scan).
Multi-factor logins can be a problem, especially with three-factor authentication… most of us lack fingerprint and iris scanners on our computers (although my iPhone has a fingerprint scanner).
I believe the password has outlived its usefulness, and many experts agree. However, some say not to expect the demise of the password any time soon (see Are passwords a thing of the past). I look forward to the expiration of passwords, as the current state is unmanageable.