Kill the Password: Why a String of Characters Can’t Protect Us Anymore

Wired, By Mat Honan, November 15

You have a secret that can ruin your life.

It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.

Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.

No matter how complex, no matter how unique, your passwords can no longer protect you.


The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.

Instead, our new system will need to hinge on who we are and what we do: where we go and when, what we have with us, how we act when we’re there. And each vital account will need to cue off many such pieces of information—not just two, and definitely not just one.

More: How Not to Become Mat Honan: A Short Primer on Online Security
and: Here’s Everywhere You Should Enable Two-Factor Authentication Right Now

This post was read 77 times.

About author View all posts


5 CommentsLeave a comment

  • Scary stuff. I’ve had my own battles with the giant personal data vultures. Facebook keeps pestering me for my “real” email address. Each time they ask I just click them back into cyberspace. Likewise with my email account provider who wants a second email address in the event I need to ‘recover’ my lost data or something like that. These people never give up but neither do I.

    I had to laugh when Google suggested I “liberate my data”. Like hell I will.

    I’m going to investigate if I can “uninternet” my bank account.

  • In an age of FBI, CIA, NSA, DHS, NDAA, FISA, local corporate and police surveillance cameras, and corporate-owned politicians (and that’s only the officially-legal-but-unconstitutional stuff), privacy no longer exists.

    The problem is not passwords per se. Even with today’s computer power, a brute force attach on a passphrase of a long sentence or two won’t hack. The problem is that your data is spread all over hell and everywhere it sits, the security is not really controlled by you. You are only given access to it – and you don’t know who else may have access, from criminals to corporations to the government.

    If you keep all your info on your own PC and it is strongly encrypted, it’s pretty safe – but not much use. A house with no doors or windows may be burglar-proof but it’s useless to live in. Simply restrict what type of data you digitize. Kind of like never loaning money you can’t afford to lose if the borrower doesn’t pay you back – never digitize information that could let others affect your life adversely. Or at least recognize the risk and decide accordingly.

  • I have been using double click verification since Mat Honans day of terror. It’s a pain coz I jump around 8 devices. But it’s so important.

    I witlessly let a white hat hacker into my system several weeks back. I thought I knew what I was doing in his system, and had watched 6 other people log into it. So felt I was safe. All it took was him to open a chat window, and say, Hi how are you? And I fell for it. He had control of my computer. Anyway, I changed my bank account password. But he probably knows enough about me to social engineer access to it if he wanted to.

    I’m deleting my phone number off facebook, after thinking about this for a while. But it’s probably too late, it’s been noted by friends, and thus lives on in cyberspace.

    Our data is, as steeleweed noted, everywhere : in data-centres, buffered and cached by ISP’s and on multiple individuals computers around the globe.

    Such is modern life.

  • Keeping e-mail private

    Washington Post Editorial, November 28

    IF YOU LEFT a letter on your desk for 180 days, you wouldn’t imagine that the police could then swoop in and read it without your permission, or a judge’s. But that’s just what law enforcement officers can do with your e-mail. Using only a subpoena, government agents can demand that service providers turn over electronic communications they have stored, as long as those communications are more than six months old. Protections are even weaker for opened e-mail or documents stored in the “cloud.” The advertisements that the Postal Service piles into your mailbox every day are legally sacrosanct; the medical notifications your health-insurance company sends to your Gmail account are not.

    This bizarre reality is thanks to the 1986 Electronic Privacy Communications Act, a law written before anyone dreamed that Americans would send, receive and store so much private information over third-party services such as Gmail or would draft documents using cloud computing that they intend to keep confidential. Now Sen. Patrick J. Leahy (D-Vt.), chairman of the Judiciary Committee and the 1986 law’s original author, wants to amend it into the 21st century.

    • I am considering VPN services to proxy my Innertube traffic generally. While very little of my email is personal, there are some areas of vulnerability. I am seriously thinking of setting up my my own mail server and defining new email address(es) thereon. I could then forward all my current email to that server and delete from the old servers and discontinue them. While my data might be archived on the ex-servers, I suspect that ‘out of sight, out of mind’ would go a long way toward making that email effectively ‘vanish’ from government awareness – what they don’t know about, they can’t request. And would Google tell them, “He used to have a Gmail account but closed it a year ago but we still have it archived for you” or would Google just say “He doesn’t have a Gmail account”?

      And I’d really like to see the government serve me with a subpoena for my data on my server. Seems to me the 5th Amendment might come into play here…

Leave a Reply