
What Will Replace the Password?

JAN 1, 2013

If you think people have too many passwords, you're right. The 2012 Online Registration and Password study, conducted by Harris Interactive, found that 58% of online adults have five or more unique passwords for varied logins - and 30% have more than 10 unique passwords they need to remember. How annoying is that? The survey also found that 38% of people would rather fold laundry and scrub toilets than come up with new passwords.

"The security value of a password is limited, if not negligible, because many people are interested in convenience. You will reuse the same password in many places ... we need to transition away from the way we've been doing things since the 1960s," says Al Pascual, a security, risk and fraud analyst for Javelin Strategy & Research.

Analysts say web crooks have ample malware that can intercept passwords for identity theft, and that is before considering that most people use the same password for different logins, which expands the security risk.

"The problem with passwords is they are easy to steal. If you have a strong password, or have 100 characters, it's still easy to steal these days," says George Tubin, a senior security strategist at Trusteer.

Tubin suggests one way to combat the threat is to use the smartphone as an authentication device, in combination with other devices such as the PC. "There's not one single silver bullet. If you are coming in via the PC, you can authenticate to the site via the phone, and perhaps link biometrics into the mobile device. You can link voice biometrics or face biometrics ... it's in the baby stages right now."

Even though many password programs include "grading" that tells the user how "strong" the password is, consumers still tend to leave themselves vulnerable without intending to. "The user wishes to have an easily used and remembered credential; they would use 1234 as a password if they had the option to do so. The user's incentive is the opposite of the security incentive. The security team would rather have a 16-digit random password," says Andy Rolfe, chief technology officer at Authentify.

Rolfe says the way to move beyond passwords, which are pretty well established in our culture, is through a step-up approach. "What I mean is we take the username and password as it is today and move to a second factor, or a step-up authentication for certain high risks and high-value transactions," he says, adding these "step ups" - which can include mobile apps accessed by biometrics - gradually become the primary method of authentication. Biometrics, or as some call it, bring your own ID, is a key component to strong authentication.

The technology does pose challenges. Biometrics can't be used by everyone. "You have certain segments of the population that may not be able to use biometrics. They may not be able to speak or may not take a proper photo [the right resolution for facial recognition] or may have a minimal fingerprint. There may also be restrictions by policy or regulations as to what you can use in terms of biometrics. That's where multi-factor is quite important."

 

 

ING FIGHTS PASSWORD CREEP

In 1999, around the time that everyone was chasing Y2K - a problem that really wasn't a problem - ING Direct Canada was working on a real issue: password creep.

"When we launched our transaction site, we said there has to be a better way than passwords," says Charaka Kithulegoda, senior vice president and chief information officer of ING Direct Canada.

Comments (1)
One point that is missed here is that biometrics are just really long passwords. They are convenient because you do not have to remember them, but they suffer from all the limits of passwords. For example, if I capture the stream that makes up a fingerprint or iris, I can replay it. This is more of an issue on unsecured networks like the Internet. The Pentagon has a secure network that would make it hard for me to replay the captured stream. So, the real problem is what do you do if your biometric signature is compromised? I can change a password; changing my iris is not so easy.

I think the best solution is a smart phone application that generates keys that are authenticated by a third party; that will be the solution for internet authentication. So I go to my bank's web site, my smart phone provides the site with a key via Bluetooth, and the bank asks a company like Verisign to validate my identity.
Posted by OwlSaver | Tuesday, January 08 2013 at 11:11AM ET