Why it's time to kill the online password

"You have a secret that can ruin your life," cautions Mat Honan in the newest issue of Wired: Your password. That little six- to 16-character alphanumeric string controls your email, your bank account, and grants access to your address, credit card number, and perhaps even naked pictures of yourself. And no matter how complex or unique it is, your password simply isn't good enough. Over the summer, hackers destroyed the entirety of Honan's online life in a mere hour, cracking his Apple ID, Twitter account, Gmail password, and more. They wiped out years and years worth of files on his iPhone, iPad, and MacBook, and deleted every single picture he'd ever taken of his 18-month-old daughter. The problem with modern passwords, Honan says, is they're simply too easy to crack. Hackers can use sophisticated new programs to simply guess en masse, breaking into your accounts using sheer force. (The new cracking tools even have number substitutions built in, meaning "p4ssw0rd" is just as bad as "password.") Honan's suggestion? Something entirely new. Here, an excerpt:

The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets — a string of characters, 10 strings of characters, the answers to 50 questions — that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.

Instead, our new system will need to hinge on who we are and what we do: Where we go and when, what we have with us, how we act when we’re there. And each vital account will need to cue off many such pieces of information — not just two, and definitely not just one.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

This last point is crucial. It’s what’s so brilliant about Google’s two-factor authentication, but the company simply hasn’t pushed the insight far enough. Two factors should be a bare minimum. Think about it: When you see a man on the street and think it might be your friend, you don’t ask for his ID. Instead, you look at a combination of signals. He has a new haircut, but does that look like his jacket? Does his voice sound the same? Is he in a place he’s likely to be? If many points don’t match, you wouldn’t believe his ID; even if the photo seemed right, you’d just assume it had been faked.

And that, in essence, will be the future of online identity verification.

Read the Wired cover story in its entirety here.