Singing the Password Blues

Passwords are so 1999, and dual-factor authentication is torture

Paul Thurrott

August 20, 2013


If you’re interested in securing your online accounts today, you basically have two choices: Implement dual-factor authentication when offered and be secure but constantly aggravated, or don’t—and be insecure. But even if dual-factor authentication could be fixed (spoiler alert: It can’t), it doesn’t matter. This is just some mid-point in a security evolution that can only result in one ending: the complete elimination of passwords.

In the old, mostly disconnected days of yore, things were easy. Individuals would typically not secure their PCs at all while those in the know would add a reasonably tough password to a local user account. Users with managed PCs would of course need a password to sign in to both the PC and their company’s corporate resources, and those companies with reasonable policies in place would demand password complexity and password changes at set intervals.

Then the Internet and pervasive connectivity happened. And as we created more and more accounts at shopping sites, social networking sites, and other websites and services, password proliferation became a problem. Everyone understands the basic insecurity of using the same password at multiple sites, just as everyone understands that abc123 and password are not exactly ideal passwords. And everyone knows, too, that while maintaining different passwords for each account is necessary, maintaining different complex passwords for each account is even better.

The problem is, virtually no one does this.

The technically proficient minority maintain password managers like LastPass, of course. Which works OK on the web, assuming you don’t mind trusting all of your passwords behind a single, presumably difficult central password.

And then Microsoft evolved its Passport account into the Microsoft account and made it the way that you sign in to everything it makes, including Windows 8 and RT, and Windows Phone. This integration might sound like a great idea, and certainly it opens up some very useful functionality. But it also comes with the same problem as a password manager, since there’s just a single gate that hackers need to enter to gain entry to all of your personal information.

(And not to complicate matters, but the side issue of what happens when someone uses a corporate email address as their Microsoft account and then loses their job for whatever reason is, of course, a hilarious exercise in self-flagellation. So let’s stay on track here.)

The solution, sort of, is dual-factor authentication. And a lot of these public cloud providers are starting to offer this functionality. Google does it. Twitter does it. And even Microsoft does it. Well, sometimes.

Microsoft currently offers dual-factor authentication through its consumer-oriented Microsoft account—which impacts things like Outlook.com and SkyDrive on the web—but not, oddly, through Office 365. (With Office 365, you occasionally see silly messages on the web or in Office where it prompts you again for your single password and apologizes for being “overly-careful.” They’re apparently treading water until they implement true dual-factor authentication.)

With this feature, which Microsoft calls two-step authentication because “dual-factor” was the complicated part of that phrase, you use a second means of authenticating yourself when you sign in. For individuals, this is typically a code sent to your cell or smartphone, which you then enter after the normal sign-in prompt, though Microsoft and Google are both offering authenticator apps for their mobile devices that generate these kinds of codes as well. (In corporate environments, smart cards and other methods have been in place for years.)

As I wrote in "Enable and Use Two-Step Authentication with Your Microsoft Account," this type of functionality is a double-edged sword. It dramatically increases the complexity of signing in, which is the point. But if you use dual-factor authentication on multiple accounts, as I do, you might feel like you’re typing in codes all day long. Because you are. And it’s a huge pain in the butt. But you have to do it. Because passwords are just insecure.

I am so freaking tired of passwords.

When I used my first laptop-based thumb scanner years ago, I figured we’d have moved past alphanumeric passwords by now. Lenovo, which pioneered the mainstream use of this technology, has also started building facial scanning capabilities into its consumer laptops. I’ve not tried such a thing—which is common in movies, for some reason—but surely there’s a future there somewhere.

But despite years of steady progress with biometric and related security functionality, we’re still typing away. The attempts at progress never stop: Windows 8.1 will include support for a new kind of fingerprint reader, basically, and in tests I’ve seen it’s very fast and accurate. Forgive me my decades of experience, but I’m sort of beyond hoping that this stuff will just work anytime soon. We’re reaching a breaking point: Passwords do not work. And we keep using them.

Asking normal people to remember multiple, unique, and complex passwords is untenable. Asking them to configure and then use any dual-factor authentication system available now—and to do so separately across all of the services that offer this functionality—is futile. That’s why almost no one uses this stuff. It’s why people lose valuable data all the time, and have their identities stolen. It’s just too hard to be truly secure.

Then there’s the fear of failure. I had a scary episode recently on vacation where Microsoft shut down access to the SkyDrive storage associated with my primary Microsoft account. This is a Hotmail account I created back in 2001 so I could sign up for Xbox Live on the original Xbox. I’ve been using it regularly ever since. But one day, I signed in, and—bam—it was gone.

I went through the normal Microsoft customer service process, but I contacted someone I know there separately to expedite it. The problem was fixed but never explained, and while they apologized because the closure was in fact an error—that is, I wasn’t doing anything wrong as the message I originally saw suggested—it was a startling reminder of the perils of putting all your eggs in one basket.

I guess I could sign up for Dropbox or whatever. But that would be just another password to manage. I wonder if Dropbox supports dual-factor authentication.

I am so freaking tired of passwords.

About the Author(s)

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.
