By Danny Yadron and Katherine Rosman
Fernando Corbató didn't intend to unleash havoc when he helped
create the first computer password at the Massachusetts Institute
of Technology in the early 1960s.
"It's become kind of a nightmare," says the 87-year-old retired
researcher. "I don't think anybody can possibly remember all the
passwords."
Passwords are a bane to computer and smartphone users and a
security threat to companies. On Wednesday, eBay Inc. urged its 145
million users to change their passwords because of a data breach.
But if the past is a guide, few people will heed the warning.
Last month, some experts called a flaw in Internet encryption
known as Heartbleed one of the worst holes ever discovered in the
Web's defenses. The bug might have exposed billions of passwords to
hackers, yet just 39% of adult Internet users surveyed by Pew
Research Center canceled accounts or changed their passwords after
Heartbleed.
"Passwords are awful and need to be shot," says Jeremy Grant,
head of the National Strategy for Trusted Identities in Cyberspace,
a task force created by President Barack Obama in 2011 to bolster
online security.
Despite all their flaws, passwords are so ubiquitous, cheap to
use and entrenched in the architecture of websites and the rhythm
of human behavior that efforts to supplant them have barely
budged.
"It's the only piece of technology from 50 years ago we're still
using today," says Brett McDowell, a senior Internet security
adviser at eBay's PayPal unit.
Some people are hoping to kill passwords with fingerprint
readers, iris scanners and USB keys. But a string of
disappointments makes executives, scientists, engineers, and
government officials skeptical. Mr. McDowell and counterparts at
Bank of America Corp., Google Inc. and other companies are toiling
away on a password-replacement project called the Fido
Alliance.
It recently released an early version of standards that could be
used for other forms of online identification. PayPal is using
them, and Google has been happy with an internal test, company
officials say.
Apple Inc.'s newest iPhone has a fingerprint-unlocking feature,
but some users have found that typing a password is just as easy as
trying to place a thumb in perfect alignment.
No one knows how many passwords there are, partly because they
are proliferating so quickly that it is impossible to keep track.
Surging use of smartphones, tablets and other mobile devices has
worsened the sprawl. Social-networking and e-commerce websites
often require users to log in so the sites can offer personalized
content and advertising pitches.
Despite data breaches and warnings from security experts, people
cling to easy-to-remember passwords and often use the same ones for
many accounts.
"You can compare the top baby names of the year to passwords
lists," said Morgan Slain, chief executive of SplashData Inc., a
password-management company that publishes an annual list of "worst
passwords." The ranking is based on the most common passwords found
in files containing stolen passwords posted online in the previous
year. The worst of the worst vary little from year to year,
including "123456," "password" and "qwerty."
Jeff Myers, 49, came up with his own strategy. A former cardiac
surgeon who now works on drug trials for Gilead Sciences Inc., Dr.
Myers increases the number at the end of his password by one each
month.
"Anybody with any hacking skill would figure it out
immediately," he says.
Google and Twitter Inc. are among the companies that now offer a
two-step authentication process to thwart hackers. After users
enter a password, a one-time code is sent to their smartphone via
text message. The code must be entered into the company's
website.
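The exchange just described, written out as an added example that is not code from the article or from any of the companies it names: a server issues a short-lived one-time code after the password check, sends it through an SMS hook, and accepts it once only. The `send_sms` callback and the `SecondStep` class are this example's own assumptions; the hook is supplied by the caller so the flow runs offline, and the clock is injectable so expiry can be exercised.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # codes are only worth guessing if they live long
MAX_ATTEMPTS = 5         # a 6-digit space is small; cap online guesses


class SecondStep:
    """One-time code step that runs after a successful password check.

    `send_sms(phone_number, text)` is a hypothetical delivery hook;
    `now()` returns the current time and defaults to time.time.
    """

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms
        self._now = now
        self._pending = {}   # user -> {"code_hash", "expires", "attempts"}

    def begin(self, user: str, phone_number: str) -> None:
        """Issue a fresh code and send it to the user's phone."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {
            # Store a digest, not the code, so a log or memory dump of this
            # table does not hand out live codes.
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        """Return True once for the right code; expired, wrong or replayed codes fail."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]
            return False
        ok = hmac.compare_digest(
            hashlib.sha256(submitted.encode()).digest(), entry["code_hash"])
        if ok:
            del self._pending[user]   # single use: a replay must fail
        return ok


def demo() -> dict:
    """Drive the flow with a recording SMS hook and a fake clock."""
    sent, clock = [], [1_000.0]
    step = SecondStep(send_sms=lambda _phone, text: sent.append(text),
                      now=lambda: clock[0])

    step.begin("alice", "+1-555-0100")            # constructed number
    code = sent[-1].split()[-1]
    wrong_guess = "000001" if code == "000000" else "000000"
    results = {
        "wrong": step.verify("alice", wrong_guess),
        "right": step.verify("alice", code),
        "replay": step.verify("alice", code),
    }

    step.begin("alice", "+1-555-0100")
    clock[0] += CODE_TTL_SECONDS + 1              # let the code lapse
    results["expired"] = step.verify("alice", sent[-1].split()[-1])
    return results


if __name__ == "__main__":
    print(demo())
```

The two failure modes the article mentions are visible here: every extra step adds friction (a second round trip before the session is granted), and the design has no answer for a lost phone, so a real deployment also needs a recovery path such as pre-issued backup codes, which this example deliberately leaves out.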
The process is more secure than just a password but can get
snarled if a phone is lost. It also slows people down.
"All of these create additional friction," says Uri Rivner, a
former executive at RSA, a data-security division of EMC Corp. He
recently helped launch BioCatch Inc., of Boston, which lets
websites verify identity by measuring how someone holds a
smartphone or drags a mouse across a screen. Major U.S. banks are
using the technology, he adds, declining to identify them.
Even the smartest passwords are only as secure as the companies
that store them. Heartbleed let hackers scoop protected data out of
corporate servers. At Target Corp., the company said hackers used a
stolen password from a refrigeration contractor last year to invade
a credit- and debit-card system, where they stole 40 million card
numbers.
It isn't clear how many people may have been victims of those
two frauds. Since the heist, Target has taken steps to wall off
high-value data from the rest of its network. After Heartbleed was
disclosed in April, dozens of websites urged users to change all
their passwords.
PayPal lets customers buy things with the fingerprint sensor of
Samsung Electronics Co.'s newest smartphone, the Galaxy S5. Apple
Chief Executive Tim Cook has said company officials had mobile
payments in mind when Apple added such a sensor to its latest
iPhone.
Apple's system now works only with the company's own products,
like iTunes. PayPal customers could use the same fingerprint at any
site that adopts the Fido standards. Of course, when fingerprint
readers on the Galaxy and iPhone don't work, users must fall back
on entering a password.
Stuart Geiger, a doctoral student at the University of
California, Berkeley's School of Information who studies how people
interact with technology, says putting the password out of its
misery would require collaboration from a gaggle of Silicon Valley
companies that compete against each other in everything from online
shopping to chats to television.
Even if that happens, would hundreds of millions of Internet
users in the U.S. who are accustomed to relying on ham-handed
passwords be willing to change their ways or switch to gadgets that
use more sophisticated security? "One big factor is inertia," he
says diplomatically.
The mess is much more than Mr. Corbató, a professor emeritus at
MIT who lives in Newton, Mass., ever imagined when he and his
colleagues came up with the password to control access to files on a
huge, shared computer.
"We didn't foresee the Internet, either," he says. Mr. Corbató
keeps track of his passwords by typing them on paper. He is moving
them to an online file.
Write to Danny Yadron at danny.yadron@wsj.com and Katherine
Rosman at katherine.rosman@wsj.com