The following editorial appeared in the Pittsburgh Post-Gazette on Monday:
According to Microsoft research, the average American has 25 accounts requiring passwords and accesses about eight of them every day. But for those two dozen or so accounts, most people use just six or seven passwords, increasing their vulnerability to hackers.
Enter the U.S. government, which proposes to improve cybersecurity and end the nation’s “password fatigue” by making the password extinct. The mantra of the Obama administration’s cybersecurity coordinator, Michael Daniel, is “kill the password dead,” but don’t write its obituary yet. Alternatives on the table carry their own risks. Another roadblock to freedom from passwords is the government itself, which wants technology it alone can hack.
Passwords could be gone tomorrow, replaced with thumbprints, facial recognition, eye scans and other sophisticated (and expensive) authentications. Mr. Daniel recently spoke of an identifying selfie: The user would snap a picture with his cell phone, unlocking his account. Many people, however, remain distrustful of biometric scans, and the theft of a thumbprint would be worse than that of a password.
Then there’s the government’s role. Mr. Daniel said its initiative – the ponderous National Strategy for Trusted Identities in Cyberspace – was, in part, an effort to “jump start the private sector into providing different kinds of authentication.” But both the Justice Department and the FBI have been hostile to truly secure technological advances, such as the hack-proof phones Google and Apple introduced last year. “We don’t want to have something that puts it utterly beyond the reach of law enforcement in the appropriate circumstances,” Mr. Daniel said.
This leaves hapless consumers with passwords until America works out its privacy issues. It’s good the private sector stands ready to help there, too. A number of new products, such as 1Password and PasswordBox, promise to store and apply passwords for the forgetful or the generally irate. They’re a solution for now. Until, of course, those companies are hacked.