"You have a secret that can ruin your life," cautions Mat Honan in the newest issue of Wired: Your password. That little six- to 16-character alphanumeric string controls your email, your bank account, and grants access to your address, credit card number, and perhaps even naked pictures of yourself. And no matter how complex or unique it is, your password simply isn't good enough. Over the summer, hackers destroyed the entirety of Honan's online life in a mere hour, cracking his Apple ID, Twitter account, Gmail password, and more. They wiped out years and years worth of files on his iPhone, iPad, and MacBook, and deleted every single picture he'd ever taken of his 18-month-old daughter. The problem with modern passwords, Honan says, is they're simply too easy to crack. Hackers can use sophisticated new programs to simply guess en masse, breaking into your accounts using sheer force. (The new cracking tools even have number substitutions built in, meaning "p4ssw0rd" is just as bad as "password.") Honan's suggestion? Something entirely new. Here, an excerpt:
The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets — a string of characters, 10 strings of characters, the answers to 50 questions — that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.
Instead, our new system will need to hinge on who we are and what we do: Where we go and when, what we have with us, how we act when we’re there. And each vital account will need to cue off many such pieces of information — not just two, and definitely not just one.
This last point is crucial. It’s what’s so brilliant about Google’s two-factor authentication, but the company simply hasn’t pushed the insight far enough. Two factors should be a bare minimum. Think about it: When you see a man on the street and think it might be your friend, you don’t ask for his ID. Instead, you look at a combination of signals. He has a new haircut, but does that look like his jacket? Does his voice sound the same? Is he in a place he’s likely to be? If many points don’t match, you wouldn’t believe his ID; even if the photo seemed right, you’d just assume it had been faked.
And that, in essence, will be the future of online identity verification.
THE WEEK'S AUDIOPHILE PODCASTS: LISTEN SMARTER
- Watch out, China — America is working on dogfighting drones
- How liberals are unwittingly paving the way for the legalization of adult incest
- How to be the most productive person in your office — and still get home by 5:30 p.m.
- 43 TV shows to watch in 2014
- How the Simpsons/Family Guy crossover revealed the worst of both shows
- Why the Chinese military is only a paper dragon
- The troubling persistence of eugenicist thought in modern America
- Why America won't have enough money to battle ISIS
- 6 things the happiest families all have in common
- Libertarianism's terrible, horrible, no good, very bad idea
Subscribe to the Week