TIME technology

Why We Might Be Stuck With Passwords for a While


They certainly don't keep us safe from hackers—but none of the alternatives out there are free from their own host of problems yet either.

Why do we still have passwords? Everyone hates them. They’re hard to keep track of and hard to type in, especially on your mobile device. And they just don’t work, judging by the all-too-frequent news of bad guys busting into this site or that app.

Two reasons they haven’t gone away: First, it’s easy for programmers to deploy a standard username/password setup. They more or less just push a button in their app-building toolkit. Second, the alternatives…well, they’re not quite ready for prime time. Let’s look at a few.

Biometric sign-in

This is the term for signing in with your fingerprints or iris scan or another piece of yourself. For example, the iPhone 5s puts it to good use with a fingerprint reader. But there’s a big problem: If your password or your credit card is compromised by the bad guys, you can revoke it and get a new one. Your fingerprint? Not so much.

Federated sign-in

These are those “Sign in with Facebook” (or with Google or Twitter) buttons we’re starting to see all over the place. This is actually a pretty good idea; big Internet operators are very good at security stuff, and every app that does it is one less password to remember.

On the other hand, Facebook and Google are already very powerful, and you have to be a little nervous about putting still more of the ‘net in their hands. Work is under way on the problem: Other companies like Amazon and Paypal want a piece of the action, and maybe your alma mater or bank or the AARP could be your “identity provider,” reducing the Google/Facebook over-centralization worries. There’s real promise in Federation.

Two-factor sign-in

A 4-digit PIN and a piece of plastic are enough to get you cash from almost any bank in the world. Security experts call this “Something you know and something you have” and they like it a lot.

Similarly, most people who work for big companies carry around a physical doohickey that they have to use along with a password or PIN to access their corporate mail. Some of these display a number that you type in, others come as a USB, and so on. Another two-factor variation is sites that, when you log in, SMS you a numeric verification code.

The problem, and it’s a big one, is that you can’t really carry a different doohickey around for each of your passwords. The solution to that is obvious: just have one that works for lots of different apps. That will require some cooperation and infrastructure. There are smart people working on this idea, but we’re not there yet.

The whole notion of hardware assist is interesting. In Kenya, you can buy a lot of things with your mobile without being “online.” And in Japan, people use their phones to pay for small-ticket items like subway fares and items at vending machines. Why shouldn’t you be able to use your phone to prove who you are?

Email sign-in

Since you give most apps your address anyhow, why not just give up passwords and have the app email you a sign-in URL or magic code when you need to prove who you are? This can work pretty well, but then there’s the fact that not all email addresses are created equal. An app might be happy to rely on a Gmail address, but not one from your high school.
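As an added example (not from the column or any product it names), here is the server side of the magic-code scheme just described: the code is drawn from the OS random generator, only its hash is stored, it is bound to the address it was sent to, it expires, and it is consumed on first use. The trusted-domain check is the "not all addresses are created equal" point turned into policy; the ten-minute lifetime, the `MagicCodeStore` class and the domain list are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60  # assumed lifetime of a mailed sign-in code


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class MagicCodeStore:
    """Pending sign-in codes keyed by SHA-256(code). Only the hash is kept, so a
    copied database does not yield codes that can still be redeemed."""

    def __init__(self, clock=time.time, trusted_domains=None):
        self._clock = clock                    # injectable for testing expiry
        self._trusted = trusted_domains        # None means any domain is accepted
        self._pending = {}                     # digest -> (email, expires_at)

    def issue(self, email: str) -> str:
        """Create a code for `email` and return it; the caller e-mails it out."""
        email = email.lower()
        domain = email.rsplit("@", 1)[-1]
        if self._trusted is not None and domain not in self._trusted:
            raise ValueError("sign-in by e-mail not offered for this provider")
        code = secrets.token_hex(16)           # 128 bits from the OS CSPRNG
        self._pending[_digest(code)] = (email, self._clock() + CODE_TTL_SECONDS)
        return code

    def redeem(self, email: str, code: str) -> bool:
        """Consume a code. The entry is removed on the first attempt, success or
        not, so each code is single-use; it must also be unexpired and bound to
        the address that is claiming it."""
        entry = self._pending.pop(_digest(code), None)
        if entry is None:
            return False
        bound_email, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(bound_email, email.lower())
```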

This whole do-away-with-passwords thing is a gold rush and there are a bunch of startups working away at it. A few of them out there are claiming to have simple solutions you can start using today and kiss passwords goodbye forever. Well, maybe. But I still sure see a lot of passwords.

If we can’t do away with passwords, at least we can make them less painful. Password managers like 1Password or KeePass or LastPass are gaining popularity (I recommend them), but mostly among engineers and other geeks.

Another good practice is just to ask for passwords less often. If you’re signing in every day from the same computer in your basement, you’ll notice that Google hardly ever asks you to prove who you are.

Yes, passwords are awful and don’t work. Yes, the experts know this. Yes, we’re working on the problem and making progress. No, we’re not there yet. Stay tuned.

Tim Bray has founded two software companies, helped write Internet standards, worked for big operators, including most recently Google, and written over a million words on his blog.


The World’s Top 5 Cybercrime Hotspots

"More cyber criminals are entering into the game at a quicker pace than quite honestly we can keep up with."

A Russian crime ring is suspected of obtaining access to a record 1.2 billion username and password combinations, shedding renewed light on how vulnerable online personal information can be. Cybersecurity firm Hold Security said the gang of hackers was based in a city in south central Russia and comprised roughly ten men in their twenties who were all personally acquainted with each other, the New York Times reported.
Cybersecurity experts say this enormous data breach is just the latest evidence that cybercrime has become a global business—one that, including all types of cybercrime, costs the world economy an estimated $400 billion a year. Complex malicious software, or malware, is finding its way into the hands of hackers not just in known cybercrime hubs like Russia and China but also in Nigeria and Brazil, while expanding Internet access around the world means that there are more potential cybercriminals who can easily acquire online the skills and know-how to join the craft.
“It appears more cybercriminals are entering into the game at a quicker pace than quite honestly we can keep up with [in the US] to defend our networks from these malicious hackers,” says JD Sherry, the vice president of technology and solutions at Trend Micro, a Tokyo-based cyber-security firm.
Here’s a look at the global hotspots for these cyber criminals:

Crime syndicates in Russia use some of the most technologically advanced tools in the trade, according to Sherry. “The Russians are at the top of the food chain when it comes to elite cyberskill hacking capabilities,” he says. Even before the latest revelations of stolen online records, the United States charged a Russian man, Evgeniy Bogachev, with participating in a large-scale operation to infect hundreds of thousands of computers around the world. The massive data breach of the retailer Target last year has also been traced to Eastern Europe.
But why Russia, and its smaller neighbors? Trained computer engineers and skilled techies in Russia and countries like Ukraine and Romania may be opting for lucrative underground work instead of the often low-paying I.T. jobs available there. But the Russian government has in the past also been less than forthcoming in helping U.S. authorities track down wanted cybercriminals. “The key really is the lack of law enforcement environment, the feeling that you can do almost anything and get away with it,” says Dmitri Alperovitch, a Russia-born U.S. citizen and co-founder and CTO of security firm CrowdStrike. “They were able to grow and evolve into organized enterprises.”

China is considered to be another stalwart hotbed for hackers, though the spotlight has primarily fallen not on gangs of criminals, but on the Chinese government, which has been linked to economic and political espionage against the U.S. In May, the Justice Department moved to charge five Chinese government officials with orchestrating cyberattacks against six major U.S. companies. Unaffiliated Chinese hackers have also posed a problem inside and outside the country, but according to Alperovitch there’s a surprisingly low presence relative to the size of the country. “We can speculate as to why, but the most likely reason is that the people that are identified doing this activity by the Chinese government get recruited to do this full time for the government,” he says.


Sherry calls Brazil “an emerging cybercrime economy.” Cybercriminals there and across South America are increasingly learning from their counterparts in Eastern Europe via underground forums. They’ll also pay for Eastern European tools to use in their own attacks, using highly complex Russian-made software that Sherry says can include millions of lines of code. That black market has become so sophisticated that Eastern European hackers now provide I.T. support for customers buying their malware, according to Sherry. So far, most of the attacks that originate in Brazil target local individuals and firms, including the recently reported cybertheft of billions of dollars from an online payment system. “The question is, when will that change?” says Jim Lewis, a senior fellow at the Strategic Technologies Program at the Center for Strategic and International Studies.


The original home of low-tech scam emails remains a key player in underground cyber activity and has become a destination for international cybercrime syndicates, according to Sherry. Authorities in Nigeria and other African countries have been slow to crack down on scammers and hackers, even as more people connect to the Internet. “It’s proving to be a very comfortable environment for cybercriminals to set up shop, operate, and carry out their illegal activities,” Sherry says. Recent efforts by President Jonathan Goodluck to legislate cybercrime in Nigeria have served to push some of the activity into other countries in the region, such as Ghana.


Tech firms in Southeast Asia have a long history of working with Western software firms and other tech companies, Sherry says, meaning there is a broad base of tech expertise there. “People who are really good software engineers, those people are going to be naturals when it comes to taking off the ‘white hat’ and putting on the ‘black hat,’” Sherry says. In Vietnam, where the I.T. industry has expanded at a rapid rate in the last decade, a hacker allegedly masterminded the theft of up to 200 million personal records in the U.S. and Europe that included Social Security numbers, credit card data and bank account information. The communist government there has also been recruiting local hackers to spy on journalists, dissidents, and activists, according to the Electronic Frontier Foundation.


Healthcare.gov Users Urged to Change Passwords Over Heartbleed Fears

No security breach has been detected, but online healthcare enrollees are warned to change their passwords as a precaution against the programming flaw. The government is reportedly carrying out a review into the Heartbleed bug.

People who used the Obama administration’s healthcare.gov website to enroll in insurance plans under the government’s healthcare reform law are being warned to change their passwords in defense against the notorious Heartbleed internet security flaw.

“While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution,” said a post on the website. The government is reportedly carrying out a review into the Heartbleed bug, according to the Associated Press.

The Heartbleed programming flaw affects widely used encryption software, and major internet services have recommended that users change their website passwords. Critics have said the online healthcare enrollment system presents myriad opportunities for hackers to exploit security flaws. The IRS has already said it was not affected by Heartbleed.

Obama announced this week that about 8 million people have enrolled in the insurance plans, exceeding forecasts.
