It's Time to Abandon Passwords

For months, there's been a steady trickle of sites getting hacked, followed by their usernames and passwords being passed around publicly on the Web. It's a real and growing problem that's just going to get worse.

Fact: People use the same password on more than one site. So let's say a list contains the username hello@gmail.com with the password abcd1234. You know that username and password aren't just used on the site that's been hacked; it's incredibly common for people to have one password that they use pretty much everywhere. Because people are stupid.

Or maybe it's just that coming up with good passwords is too tough. In a relatively short time, we've gone from needing a handful of passwords to needing them by the dozens. Think of all the logins you have. Creating unique, hard-to-crack passwords for all those sites is harder than a congressman from New York. So of course people re-use passwords.

In fact, research done on two of the largest password exposures (Sony's and our own here at Gawker Media) found that two thirds of people with accounts at both Sony and Gawker used the same password on both systems. Obviously, people are probably using those passwords for many other sites and services as well.

Following the Gawker password dump, a lot of places took measures to try and protect exposed users. For example, LinkedIn queried the exposed email addresses against its own account database and disabled any matches. But of course, responsible websites trying to protect users aren't the only ones running cross checks. All sorts of other people are doing the same thing with less savory purposes.
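The defensive cross-check described above, sketched as an added example (this is not LinkedIn's or Gawker's code). The account table, the dump lines and the PBKDF2 storage scheme are constructed assumptions, and the sketch goes one step beyond the email match by also testing whether the leaked password verifies against the site's own stored hash.

```python
import hashlib
import hmac

# Constructed sample data: nothing here comes from a real dump or a real site.
SALT_A, SALT_B = b"salt-a-constructed", b"salt-b-constructed"

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash, standing in for however the site stores passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

ACCOUNTS = {  # hypothetical account table: email -> stored salt, hash, state
    "hello@gmail.com": {"salt": SALT_A, "disabled": False,
                        "hash": hash_password("abcd1234", SALT_A)},
    "other@example.com": {"salt": SALT_B, "disabled": False,
                          "hash": hash_password("Tr0ub4dor&3", SALT_B)},
}

DUMP = [  # constructed "exposed" list in email:password form
    "Hello@Gmail.com :abcd1234",
    "other@example.com:letmein",
    "nobody@example.org:qwerty",
    "malformed line without separator",
]

def parse_dump(lines):
    """Yield (normalized_email, password) pairs, skipping malformed lines."""
    for line in lines:
        email, sep, password = line.partition(":")
        email = email.strip().lower()
        if sep and "@" in email:
            yield email, password

def cross_check(accounts, dump_lines):
    """Disable every account whose email appears in the dump.

    Returns {email: "reused" | "exposed"}. "reused" means the leaked password
    also verifies against our stored hash, so the account is directly at risk.
    """
    findings = {}
    for email, leaked in parse_dump(dump_lines):
        account = accounts.get(email)
        if account is None:
            continue  # not one of our users
        candidate = hash_password(leaked, account["salt"])
        reused = hmac.compare_digest(candidate, account["hash"])
        account["disabled"] = True  # force a reset before the next login
        if reused or email not in findings:
            findings[email] = "reused" if reused else "exposed"
    return findings
```

Accounts marked "reused" are the ones to notify first; "exposed" accounts are disabled on the email match alone, which is the step the article describes.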

Currently, when you see a big password dump, there's not much that your average schmoe can do with it. Sure, he can manually try a few of the logins on various sites like Gmail or Facebook. But that's like finding a key in the street downtown and then going door to door in the suburbs trying it out. Without an automated tool to run the entire list against very many websites, it's an inefficient technique. And thankfully, those automated tools aren't so common that any idiot (like me!) can casually find and use one. That will change.

Today, LulzSec is just handing out gasoline. Pretty soon, somebody's going to come along with a match. Here's what hasn't happened yet, but will:


In the not-so-distant future, someone will release a simple tool that will automatically run usernames and passwords against all the most popular sites on the Web, or any specified site with a login system. So when a list of credentials hits the Web, any idiot (again, like me!) will be able to simply run it against whichever website he wants, gaining entry to email and bank accounts, social networks, corporate intranets, you name it. Instantly. Today, those tools aren't simple or widely available enough that an unmotivated person would know where to find one and how to use it. But they will be. Make it open source, and it's unstoppable.

That this hasn't already happened is kind of staggering, given how easy and obvious it is.

Firesheep was also low-hanging fruit. It's a simple tool that intercepts unencrypted cookies on open networks and lets you use those cookies to gain entry to certain websites. It opened account hijacking to the unwashed masses, allowing people who would not otherwise do so to break into others' Facebook and Twitter and Dropbox accounts on a lark.

Imagine a similar system that will let people gain total access by actually logging in rather than just grabbing a session cookie. A tool that automatically runs a list of logins against a list of websites would make Firesheep look harmless.

The most common idea you see today in terms of protecting yourself is to use unique passwords on every site. The only way to really do this, of course, is to either create a password scheme, or to use a password generating and tracking program like 1Password. But these should be stopgaps.

What we really need is an entirely new way to prove our identities on the Web. Google's two-factor authentication is a step in the right direction, but it's a pain in the ass and most people probably won't take the trouble to set it up unless they're forced to do so. Ideas like biometric logins, or proving identity within the browser itself, are out there, but they're still pie in the sky and nobody is moving towards widespread implementation yet.

We're entering a touch-screen, sensor-filled world, with cameras embedded into seemingly everything. We want to see big companies with tens or hundreds of millions of users, like Google and Facebook and Microsoft and Apple, start taking on this challenge in earnest. It's time to abandon the password, before we're all forced to change them, yet again.