Change all your passwords yet? Me neither. I’ve hit the really critical ones, those protecting my bank accounts and such. But weeks after the Heartbleed scare first broke, I’ve still got some cleaning up to do. Most of my readers are probably worse off, not that I blame you. Passwords are lousy Internet security tools; the Heartbleed scare reminds us just how lousy. The problem is, they’re still the best option we’ve got.
Nearly a month ago, Internet security analysts stumbled onto Heartbleed, a two-year-old security flaw in software used on millions of Internet servers to protect the secrecy of sensitive data like passwords and credit card numbers. The companies running such servers have mostly fixed the problem, but we users must change our passwords, just in case some criminals have already intercepted them.
But it is tedious work for those of us with dozens of passwords to change. To ensure you remember them all, you probably pick lousy passwords, the kind any child could guess. Or you come up with something a little tougher, but then use the same password for each account. If a bad guy cracks just one of your sites, he has cracked them all.
Proper passwords are long strings of random characters that are nearly impossible to type, much less memorize. They’re changed regularly, and never duplicated. Instead, you create a fresh one for each account.
Indeed, it is a good idea to have two passwords per account, a method called “two-factor authentication” that is available from some companies as a high-security option. In this method, you enter a traditional password, along with a unique code that’s generated whenever you log in. Google Inc. offers a two-factor service that uses a code-creating app called Google Authenticator. Other companies, like Bank of America Inc., will text message a custom code to your phone. Lots of companies offer two-factor logins as an option; you can find a list at twofactorauth.org. But for millions who can barely be bothered with single passwords, two-factor systems are a nonstarter.
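As an added illustration (not from the column), here is how a code-creating app of the kind described above derives its six-digit login code from a shared secret and the clock, and how the site checks it: the TOTP algorithm of RFC 6238, which Google Authenticator implements. The secret is the RFC's published test key, not anyone's real account key.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238's published test secret (ASCII "12345678901234567890"), base32-encoded
# the way an authenticator app receives it at enrollment. Constructed test value,
# not a real account key.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # each code is valid for one 30-second time slice
DIGITS = 6          # Google Authenticator shows six digits


def totp(secret_b32: str, unix_time: int, digits: int = DIGITS) -> str:
    """Derive the one-time code for the time slice containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // STEP_SECONDS
    # HOTP (RFC 4226) over the time counter: HMAC-SHA1, then dynamic truncation.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_code(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current slice plus `window` slices on either
    side to tolerate clock drift. The compare is constant-time so a wrong guess
    leaks no timing information about the expected code."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # With the RFC test key, the code for T=59 is 287082 (the last six digits of
    # the RFC's eight-digit value 94287082).
    print(totp(RFC_TEST_SECRET_B32, 59))
    print(verify_code(RFC_TEST_SECRET_B32, "287082", 59))
```

Because a six-digit code gives a guesser a one-in-a-million chance per attempt, and the drift window roughly triples that, a site deploying this must also rate-limit failed attempts rather than rely on the code alone.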
The simpler alternative would be biometric systems, in which your computer would recognize your face, voice, or fingerprint. But these systems still aren’t good enough. For instance, the facial recognition programs I’ve tested, such as the Android app FastAccess, can’t consistently identify my face. Even slight variations in lighting or camera angle can deceive these programs.
Voice authentication is farther along. Several banks, including Wells Fargo and U.S. Bank, are testing software from Nuance Corp. in Burlington. A prototype smartphone app grants account access after the user says a few well-chosen words. U.S. Bank says it is pleased with the early results, but it will be years until spoken passwords become commonplace.
Our best short-term bet is probably fingerprint scanning, which is already available on millions of devices like Apple Inc.’s iPhone 5S or Samsung Corp.’s Galaxy S5. To be sure, we need better scanners; the one on the Galaxy S5 is far too unreliable. But my iPhone’s scanner almost always works. At the moment, it is only good for unlocking the phone and buying stuff from Apple’s own online store. Apple has refused to let other app developers make use of it — for now. But I’m betting that in a year or two, my fingerprint will unlock my bank account or let me shop at Amazon.com.
A two-factor combination of biometrics and traditional passwords would be hard to beat. But it leaves us with the same old password problem. We still need better tools for generating them and remembering them.
For me, it’s LastPass, an Internet-based “password vault” that logs me onto my favorite sites. It also generates ultracomplex passwords that are extremely tough to crack, saving them all so I can use a different password for every site. LastPass also stores my home address and credit card data, so it can fill in these details automatically when I shop online. The basic LastPass service is free; the premium version, at $12 a year, lets me use the LastPass app on smartphones or tablets.
Password services like LastPass and competitors RoboForm and Dashlane pose their own risks. If one is ever successfully hacked, all your passwords could be exposed. And each service requires a master password; forget it, and you may be locked out of the service forever.
Still, simplicity and Internet security rarely go together. For now, these password vaults are as close as you can get.
Hiawatha Bray can be reached at firstname.lastname@example.org. Follow him on Twitter @GlobeTechLab.