OTHERS SAY

Your new password: sur**nder

Have you changed your passwords since the security flaw known as Heartbleed emerged? Have you made sure they’re all long, alphanumeric and randomized? Did you use a unique one for every site: every bank account, every e-mail address, every music-streaming service, every social media profile and so on?

Congratulations! Your information still isn’t safe. That’s because passwords, by themselves, can’t make it safe.

Every company is vulnerable to digital intrusions. By one estimate, 97 percent of Fortune 500 companies have been hacked. And stolen passwords, according to a report last year from Verizon Communications Inc., are usually the way in.

True, people tend to use dopey passwords (the most popular password of 2013 was “123456”). But hackers can now overcome even “strong” passwords: They can use powerful algorithms to break down probable combinations, install malware on your computer to log keystrokes, lure the unsophisticated to fake login sites, exploit account-reset mechanisms, and on and on. Even the strongest password in the world would have been vulnerable to Heartbleed, which enabled hackers to siphon data, including user names and passwords, from sites that used a common security protocol.

Is there a better approach? The short and sad answer is no. The slightly less short and sad answer is not yet.

Although security technology is growing more sophisticated, it’s still flawed. Two-step verification (in which a site sends, say, a text message with a code to enter before allowing users to access their account) is an improvement. But it’s also vulnerable to hacking.

Then there’s a growing assortment of biometric devices: iris scanners, fingerprint detectors, palm-print readers, heartwave sensors and more. Motorola has even toyed with the idea of an ingestible pill that would send out electrical signals to identify you.

These would seem like more plausible hindrances to hackers than pairing your email address and your cat’s name for authentication. But all these approaches will require some familiar trade-offs: the more secure, the less convenient; the better the protection, the more privacy you relinquish.

So there is no one solution to online security, in other words, and there may never be. Where does that leave us?

A combination of many solutions, while cumbersome, irritating and intrusive, is probably the best the world can hope for anytime soon. Internet companies can help by making wider use of algorithms that parse behavioral characteristics (where users are, what kind of device they’re using, what time of day they’re attempting to log on) to make a (very) educated guess whether someone’s been hacked. Used in combination with other security measures, such as biometrics and passwords, such techniques could make it a lot harder to impersonate someone online. Companies and users alike also need to focus more on recovery plans and damage control, for when even the best security fails. As it inevitably will.

Editorial, Pages 14 on 04/18/2014
