Living in Password Hell

By Eileen Feretic  |  Posted Tuesday, June 12, 2012 17:06 PM

By Samuel Greengard

Last week's theft of 6.5 million passwords from LinkedIn put consumers back in the security crosshairs. Apparently, many people using LinkedIn rely on passwords with the word "link" or "work" in them. They toss in a few digits, but these strings of letters and numbers still make the accounts much easier to hack.

Tsk. Tsk. Tsk.

Predictably, security experts and the media seized on the situation to remind us that smart people can make incredibly dumb choices for passwords. Many offered sage advice about mnemonic systems and other ingenious methods for creating better passwords.

There's just one problem. The blame doesn't lie with Internet users. It falls squarely on the shoulders of companies and the entire IT industry. Let's skip the discussion about the lame security practices that led to the LinkedIn breakdown. The rampant use of weak passwords proves one thing: The current system is totally broken.

Seriously, can anyone possibly remember every password? According to so-called experts, we're supposed to use a different password for every site. So, I guess this means I should cram my mind full of 129 different passwords for banks, merchants and others?

Although password management applications like RoboForm and 1Password help by storing and recalling passwords as needed, they don't put a dent in the fundamental problem. It's like positioning a traffic cop at an intersection in Mumbai, India: The nerve-jangling traffic doesn't go away.

Here's an idea: Get rid of passwords altogether. It's flabbergasting that we're still using the digital equivalent of skeleton keys to gain access to accounts and spaces online. By now, you would think we'd all be using some type of token that authenticates us through biometrics or uses a combination of unique machine IDs and other digital codes to verify our identity.

Alas, the technology exists, but we just don't use it. Likewise, credit cards lack PINs, e-mail accounts are easily spoofed, and companies like LinkedIn and Zappos fail to protect their customer databases.

It ultimately comes down to a simple truth: Society does not view security as an important issue, and we're certainly not willing to pay for it directly. Despite all the blather about security, we accept fraud and theft as a legitimate cost of doing business. Otherwise, we would demand more secure systems.

Blaming consumers for weak passwords distracts from the real problem: irresponsible companies and incompetent political leaders who still view digital technology through a keyhole.