The problem with passwords

This broken system affects millions of Americans each year

Published: August 25, 2014 10:30 AM
Photo: Keith Negley

Find Ratings

Let’s be honest: You probably don’t have more than three unique passwords; you probably use one e-mail address to sign up for multiple services such as Facebook, Amazon, and online banking; and you have probably provided the name of your first pet as an answer to a password reset question more than once.

You’re not doing this because you're lazy. Remembering complex passwords and different usernames on multiple services is difficult, especially when you have somewhere between five and 15 different accounts that make up the bulk of your online activity.  A report on managing passwords portfolios from Microsoft Research notes, "While significant attention has been devoted to motivating and helping users choose strong individual passwords, there is little guidance on how to choose and manage large numbers of them."

Cybercriminals know this, and they are exploiting these password vulnerabilities to no end.

McAfee, the company behind the eponymous computer security software, estimates that information theft worldwide may cost as much as $160 billion annually. In the United States more than 40 million consumers had their information stolen last year, and that number is likely to keep rising as cybercriminals continue to outsmart password-based security systems.

“The system of using just a username and password is inherently broken,” Roel Schouwenberg, the principal security researcher at Kapersky Lab, an Internet security firm, said. According to Schouwenberg, users can store their credentials insecurely, have weak passwords, and may even inadvertently leak them. “The only thing that passwords have going for them is that they’re easily changed,” he said.

To protect yourself from online threats, check our guide to Internet security.

But the ease with which passwords can be changed is a double-edged sword. Password resets often rely on the user’s personal information, which can easily be "socially engineered" (or conned) from the victim. For instance, a hacker may call you pretending to be from a financial institution and ask you questions to verify your identity—the very same questions that you, ages ago, provided answers for when setting up your security questions.

Security questions themselves are also fairly weak, as generic questions such as “name of high school” and “name of first pet” could be revealed by the users through messaging boards and online profiles.

The other danger of weak password-reset policies is that when hackers get access to your e-mail account, they may also get access to your other accounts if you used the same e-mail address to sign up for them. This single-point-of-failure vulnerability puts you at an even bigger risk and further highlights the importance of having a strong password and choosing nongeneric security questions or weird answers. (Q. What’s your favorite food? A. The Andromeda galaxy.)

But even having robust passwords and security questions isn’t always enough. “The Internet is sort of a battle ground,” said Adnan Baykal, vice-president of security services at the Center for Internet Security, “where hackers are trying to infect users with malware by exploiting outdated software and patches.” This includes operating systems such as Microsoft Windows 8 and Apple OS X as well as third-party software from Adobe or Oracle.

According to Baykal, a common way for cybercriminals to compromise computers is to rent out banner ads on popular websites. When clicked, they expose your computer to malware such as keyloggers, which collect and send your log-in information back to hackers as you conduct your online activities.

Consider using a password manager to keep track of your online accounts.

As entrenched as the username-password paradigm is on the Internet, there is some hope. Internet service companies are increasingly implementing a two-factor authentication method that, in addition to username and password, requires the user input a one-time code that is sent to the user's verified device—say, through an SMS to a mobile phone.

While better than a simple username-password combination, though, the two-factor authentication method is far from infallible. According to Schouwenberg, attackers are still able to compromise two-step authentication controls by intercepting text messages through malware on Apple and Android devices.

For Baykan, passwords represent just a layer of security on the Internet, which is embedded with other security protocols that may also be compromised, as was the case with the Heartbleed bug. Alternate methods of authentication—such as using biometrics including fingerprint or retinal scanning—are available, but implementing them on a large scale would require a serious commitment by companies.

Baykan says that the widespread adoption of next-generation authentication is still years away, but he emphasizes the importance of consumer participation in this change. “If enough consumers are aware of the challenges and issues in Internet security”, Baykan said, “the easier it will be to get companies to implement better security solutions.”

—Karim Lahlou

Find Ratings

Antivirus Software Ratings

View and compare all Antivirus Software ratings.

E-mail Newsletters

FREE e-mail Newsletters! Choose from cars, safety, health, and more!
Already signed-up?
Manage your newsletters here too.

Electronics News


Cars Build & Buy Car Buying Service
Save thousands off MSRP with upfront dealer pricing information and a transparent car buying experience.

See your savings


Mobile Get Ratings on the go and compare
while you shop

Learn more