You have a problem. Your online passwords — the barrier that protects your most private correspondence, financial data and nearly every element of your identity and life — are a mess.
Feel (a little) better: It's not totally your fault.
Though this past week's enormous Heartbleed security flaw has brought the dismal state of password security back into the spotlight, passwords have long been a problem as the internet continues to embed itself into our lives. We, the users, are partly at fault — when it comes to passwords, we're prone to dangerous laziness. Every year SplashData releases a list of the most used passwords, a record of half-attempts at security. For years "password" was the world's most popular password, only to be replaced in 2013 by the equally pathetic "123456."
As bad as these are, though, the crucial flaw is systemic. The fundamental structure of usernames and passwords grow more obsolete each day. It's a technology built for an internet that no longer exists — one that didn't fully realize and anticipate now-habitual activities like online banking and commerce. And as our digital lives continue to merge and become indistinguishable from our physical ones, passwords have never been more common, important, or vulnerable. The infrastructure has never been more outdated and the stakes have never been higher.
"People need to have strong unique passwords for every site and service, but that is an impossible thing to ask of people," says Jeffrey Goldberg, an engineer for the password management software, 1Password, whose official title is Defender Against the Dark Arts. Anyone with an active online presence will agree that the number of passwords an average user must keep track of is untenable. According to a 2012 survey by Experian, 25- to 34-year olds have an average of 40 active online accounts.
Another problem, according to numerous security experts, is that, despite recent high-profile leaks and breaches, most casual internet users are conditioned by old password behaviors and lulled into a false sense of security. And most simply don't care until it's too late.
"It's kind of like car insurance," Goldberg's 1Password colleague, Dave Chartier tells BuzzFeed. "Most of the time you don't think about it and then something goes wrong and you immediately realize how bad you need it. Our biggest obstacle is probably human behavior — the sheer desire to do a things we're not interested in in the shortest time possible."
As a result, roughly $250 billion is lost to fraud each year, along with $110 billion to cybercrime, Jonathan Klein, president of Virginia-based enterprise software company MicroStrategy, tells BuzzFeed. "The password is the root of all evil, here," he says. "It's a broken system and our view is that all these examples — from Heartbleed to the NSA leaks — are a sign that there's a giant meteor hurtling toward us. Similar to the one that wiped out the dinosaurs, except in this case it's going to be usernames and passwords."
Yet for all the current system's flaws, experts can't seem to agree on the best solution to the password problem. Klein's Microstrategy is developing Usher, a mobile app that combines biometrics, traditional encryption, and your smartphone to authenticate your identity. Usher's ambitious goal is to completely eliminate both physical forms of ID as well as digital access credentials.
Microstrategy is currently working with multiple states to supplement physical driver's licenses with digital copies and believes that biometric and mobile technology will allow for rapid adoption. "We think this is the year," Klein says. "You'll see states deploying this kind of thing to millions of citizens and corporations deploying to millions of customers in 2014."
Similarly, companies like Motorola — the research team of which is owned by Google — have been experimenting with biometric password solutions. Last summer, the company made news by unveiling demos of a skin patch and password pill, which creates electricity from chemical processes in the body and authors a digital signal that allows users to authenticate devices like smartphones simply through touch.
Others, like Jeffrey Goldberg at 1Password, aren't sold. "Biometrics are emphatically not a solution," he notes. "Imagine a password that you could never change, and that anyone within listening, photographing, or fingerprint lifting distance could copy. Your voice may be your passport, but it is a lousy secret. Even Hollywood scriptwriters have known what is wrong with biometrics." Goldberg did, however, concede that there are limited use cases for biometrics, "Apple's TouchID is great for what how it is used, but it shouldn't be used far beyond that."
There's also scale to consider. Username and password architecture are deeply embedded into the internet's framework. "Getting just one industry to shift a core foundational element like this is a herculean task and would be extremely difficult," Chartier notes.
Until a tenable alternative like biometrics or apps like Usher become a mainstream solution, password managers like 1Password, Passpack, and LastPass are a good measure along side two-factor authentication. That said, there's no silver bullet. The nature of the web is that it continues to grow more dangerous and malicious, turning online security into a cat-and-mouse game that extends far beyond the reaches of flaws like Heartbleed. It's enough to leave professionals like Goldberg, who've devoted themselves to password security, with a bad taste in their mouths.
"I hate passwords more than anyone," Goldberg says. "Probably because I know so much about them and what people and systems do with them. But I don't think they are going to go away any time soon."
Charlie Warzel is a senior writer for BuzzFeed News and is based in New York. Warzel reports on and writes about the intersection of tech and culture.
Contact Charlie Warzel at email@example.com.
Got a confidential tip? Submit it here.