'Password fatigue' haunts Internet masses

Jun 25, 2013 by Robert Macpherson
People group around laptop computers at a cafe in Beijing on May 29, 2013. Passwords have proliferated so much that it's a daily struggle for users to cope with dozens of them—often across several devices.

Looking for a safe password? You can give HQbgbiZVu9AWcqoSZmChwgtMYTrM7HE3ObVWGepMeOsJf4iHMyNXMT1BrySA4d7 a try. Good luck memorizing it.

Sixty-three random alpha-numeric characters—in this case, generated by an online password generator—are as good as it gets when it comes to securing your data.

But as millions of Internet users have learned the hard way, no password is safe when hackers can, and do, pilfer them en masse from banks, email services, retailers or social media websites that fail to fully protect their servers.

And besides, with technology growing by leaps and bounds, why does the username-and-password formula—a relic of computing's Jurassic era—remain the norm?

"The incredibly short answer is, it's cheap," said Per Thorsheim, a Norwegian online security expert and organizer of PasswordsCon, the world's only conference dedicated to passwords, taking place in Las Vegas in July.

"If you want anything else—if you want some kind of two-factor authentication that involves using a software-based token, a hardware-based token or biometrics—you need something extra," he told AFP.

"And that will cost you extra money."

Back in the beginning, it was all so easy.

The very first computers were not only room-sized mainframes, but also stand-alone devices. They didn't connect to each other, so passwords were needed only by a handful of operators who likely knew each other anyway.

Then along came the Internet, binding a burgeoning number of computers, smartphones and tablets into a globe-girdling web that required some virtual means for strangers to identify each other.

Passwords have thus proliferated so much that it's a daily struggle for users to cope with dozens of them—and not just on one device, but across several devices.

There's even a name for the syndrome: password fatigue.

Graphic showing the percentage of national populations connected to the Internet.

"People never took passwords very seriously, and then we had a number of really big password breaches," said Marian Merritt, Internet security advocate for software provider Norton.

"As people are increasingly accessing websites from smartphones and tablets, typing passwords is becoming an ever bigger pain," added Sarah Needham of Confident Technologies, developers of a picture-based password alternative.

In a 24-nation survey last year, Norton found that 40 percent of users don't bother with complex passwords or fail to change their passwords on a regular basis.

Rival security app firm McAfee says its research indicates that more than 60 percent of users regularly visit five to 20 websites that require passwords, and that a like-sized proportion preferred easy-to-use passwords.

The most popular passwords, infamously, are "password" and "123456," according to Mark Burnett, whose 2005 book "Perfect Password: Selection, Protection, Authentication" was among the first on the topic.

People use their laptop computers at a Starbucks in Washington, DC, on May 9, 2012. Norton found that 40 percent of users don't bother with complex passwords or fail to change their passwords on a regular basis.

Biometrics are coming

Carl Windsor, director of product management at California-based network security firm Fortinet, said he once ran John the Ripper, a free program to crack passwords, through an employer's Unix system with its consent.

Within seconds, Windsor had one-third of its passwords. Within minutes, he had another third. "I also won a bet by finding the 'super secure' password of a colleague in less than five minutes," he told AFP by email.

Password alternatives are in the pipeline.

Google is toying with the idea of users tapping their devices with personalized coded finger rings or plugging small hardware tokens called YubiKeys into the USB ports of their computers.

The FIDO Alliance, a consortium that includes PayPal, is pushing an open standard under which, for instance, websites would ask users to identify themselves by placing their fingertips on their touchscreens.

"These (biometric) technologies are coming to a place where they are highly mature, cost effective and in a position to roll out into the consumer market today," FIDO's vice president Ramesh Kesanupalli told AFP.

Kesanupalli said FIDO technology could be available as early as this year, bettering IBM fellow David Nahamoo's prediction in 2011 that biometrics would replace passwords within five years.

In Washington, the US Patent and Trademark Office has recently published several patent applications from Apple that envision facial recognition and fingerprint scanning.

Motorola's head of research Regina Dugan has gone further, proposing a "password pill" containing a microchip and a battery that would be activated by stomach acid, turning the body into a transmitter of a unique ID signal.

"I take a vitamin every morning. What if I take vitamin authentication?" said Dugan at the D11 tech conference in California last month, quoted by TechWeekEurope.co.uk.

For now, many Internet services are embracing what they call two-factor authentication: some challenge users with an extra security question—like "What is your dog's name?"—which is still something you know rather than a true second factor, while others send a one-time numeric code via SMS.

Password managers such as LastPass, KeePass, 1Password, Dashlane and Apple's just-announced iCloud Keychain have also been popping up like mushrooms; some keep the vault in the cloud, others, like KeePass, in a local encrypted file.

They pledge to securely stash an individual's entire password collection, accessible via one master password. Some experts, however, consider the idea a Band-Aid solution pending the definitive password replacement.

Until then, security experts widely agree on two core principles: make your passwords as long as possible, mixing up words with some numbers and symbols, and never ever use the same password for more than one website.

Beyond that, just cross your fingers and pray that the website you're using is doing all it can at its end to protect the mental keys to your virtual world.


User comments : 5


MikeBowler
2.3 / 5 (4) Jun 25, 2013
I don't know how effective it would be, but only last week I came up with the idea of encrypting the password with itself. Then, when it is entered, the password decrypts itself, and if the decrypted result matches the entered result then you have a correct password. Easy as pie, yet potentially very hard to beat, as a hacker can no longer pull the plaintext password from the server, as it is only stored in encrypted form.
alfie_null
5 / 5 (1) Jun 25, 2013
I don't know how effective it would be, but only last week I came up with the idea of encrypting the password with itself. Then, when it is entered, the password decrypts itself, and if the decrypted result matches the entered result then you have a correct password. Easy as pie, yet potentially very hard to beat, as a hacker can no longer pull the plaintext password from the server, as it is only stored in encrypted form.

Google "hashing algorithm". For many years a best practice employed by most sites that have to store passwords securely. Anyways, that's not by a long shot the only way passwords can be stolen.
antialias_physorg
3 / 5 (2) Jun 25, 2013
as a hacker can no longer pull the plaintext password from the server as it is only stored in encrypted form

As alfie points out: Passwords are NEVER stored on a system in plain text.
What happens is this:
- you enter a password
- the hash of the password is computed
- then the hash is compared with the stored hashes in the password file
- if a match exists you're in.

This is sort of secure (at least more secure than plaintext password files because not even your sysadmin can walk off with the passwords), but if your hashing function is bad it can lead to hash collisions (i.e. many different words producing the same hash - which opens up the possibility of rainbow-table attacks. Because now you don't need to guess the password but just ANY word that produces the same hash)

Finding good hashing functions is a science in itself. They must be conflict free and hard to reverse.
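The comment thread above describes hashing as the way passwords are stored, and the article's John the Ripper anecdote shows why a plain fast hash still falls within seconds. The following is an added example, not code from the article or from any commenter, written in Python with the standard library only. It contrasts the two: an unsalted MD5 table cracked from a constructed five-word list, against per-user salted PBKDF2-HMAC-SHA256 records. The WORDLIST, the sample users and the dollar-separated record format are constructions for this example, not any site's real scheme.

```python
"""Password storage: unsalted fast hash (cracked in bulk) vs. salted slow KDF."""
import hashlib
import hmac
import secrets

# Constructed stand-in for the wordlists a cracker such as John the Ripper ships with.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]


def unsalted_md5(password: str) -> str:
    """The naive scheme: the same password gives the same hash for every user on every site."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored_hashes, wordlist):
    """Hash the wordlist once, then crack every leaked hash with a dictionary lookup.

    Cost is len(wordlist) hash operations regardless of how many users leaked, and
    the table can be built before the breach (a rainbow table is a compressed form
    of exactly this lookup)."""
    table = {unsalted_md5(word): word for word in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def make_record(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt plus a deliberately slow KDF; record format is this example's own."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records, wordlist):
    """With salts there is no shared table: every (record, word) pair costs a full KDF
    run, so the attacker's work scales with users x candidates x iterations."""
    found = {}
    for record in records:
        for word in wordlist:
            if verify(word, record):
                found[record] = word
                break
    return found


if __name__ == "__main__":
    # Constructed sample: two users chose "123456", one chose a long passphrase.
    leaked = {name: unsalted_md5(pw) for name, pw in
              [("alice", "123456"), ("bob", "123456"), ("carol", "correct horse battery staple")]}
    print("unsalted hashes cracked:", crack_unsalted(leaked.values(), WORDLIST))
    rec = make_record("123456", iterations=10_000)   # low count only to keep the demo quick
    print("salted record:", rec)
    print("verify correct:", verify("123456", rec), " verify wrong:", verify("12345", rec))
    print("salted records cracked:", crack_salted([rec], WORDLIST))
```

Salting does not make "123456" a good password; crack_salted still finds it. What the salt and iteration count buy is that the attacker pays the full KDF cost for every user separately instead of once for the whole leak, which is why the one-third-in-seconds result above is possible against unsalted hashes but not against a properly configured KDF.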
MikeBowler
1 / 5 (1) Jun 25, 2013
right fair enough, now which genius down voted me for trying to be creative?
Chromodynamix
1 / 5 (1) Jun 26, 2013
Old car licence plates are easy to remember and are alphanumeric.
Use unusual words/acronyms from your chosen type of employment.
A chemist would use chemical compounds for instance, or something like the chemical name for "sugar"! Not C12H22O11 but..
(2R,3R,4S,5S,6R)-2-[(2S,3S,4S,5R)-3,4-dihydroxy-2,5-bis(hydroxymethyl)oxolan-2-yl]oxy-6-(hydroxymethyl)oxane-3,4,5-triol
