11 June 2012
This week I, and many of my friends and colleagues, will have been changing our LinkedIn passwords following the news that millions of password hashes from the very popular business networking site had been stolen and subsequently leaked online (the leaked file held unsalted SHA-1 hashes, which is why so many of them were cracked within days). This is of course worrying for most people, because many of us, against all the best advice out there, tend to use the same password for the vast majority of our online services. Troy Hunt carried out an analysis of the Sony network data breach last year and found that, among accounts that appeared in more than one of the leaked Sony databases, 67% used the same password for both.
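To make the reuse figure above concrete, here is an added example (not code from the original post or from Troy Hunt's analysis) of the kind of comparison that produces such a number: two credential dumps are joined on e-mail address and the share of overlapping accounts with an identical password is counted. The two dumps are constructed sample data in the common `email:password` format, not real breach data. The second function shows why an unsalted hash dump, like the LinkedIn one, is no obstacle to this check: hashing the plaintext from one dump is enough to match it against the other.

```python
"""Cross-service password reuse analysis (added example, constructed data).

Joins two credential dumps on e-mail address and reports how many of the
overlapping accounts use the same password in both, which is the measurement
behind "67% of people reused their password" style figures.
"""
import hashlib

# CONSTRUCTED sample dumps in 'email:password' format (not real breach data).
DUMP_A = """\
alice@example.com:Summer2012!
bob@example.net:hunter2
carol@example.org:Tr0ub4dor&3
dave@example.com:letmein
Erin@Example.com:correct horse battery staple
frank@example.net:qwerty
"""

DUMP_B = """\
alice@example.com:Summer2012!
BOB@example.net:hunter2
carol@example.org:DifferentPass99
erin@example.com:correct horse battery staple
grace@example.org:password1
"""


def parse_dump(text):
    """Parse 'email:password' lines into {normalised_email: password}.

    Splits on the first ':' only, because passwords may themselves contain
    colons; e-mail addresses are treated case-insensitively so that
    'Erin@Example.com' and 'erin@example.com' are the same account.
    """
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines
        email, password = line.split(":", 1)
        creds[email.strip().lower()] = password
    return creds


def reuse_stats(dump_a, dump_b):
    """Return (overlapping_accounts, reused_count, reuse_percentage)
    for two plaintext dumps."""
    a = parse_dump(dump_a)
    b = parse_dump(dump_b)
    shared = sorted(set(a) & set(b))
    reused = [e for e in shared if a[e] == b[e]]
    pct = 100.0 * len(reused) / len(shared) if shared else 0.0
    return len(shared), len(reused), pct


def sha1_hex(password):
    """Unsalted SHA-1 of a password, the scheme the leaked LinkedIn file used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def reuse_against_hashes(plain_dump, hashed_dump):
    """Same measurement when the second dump holds unsalted SHA-1 hashes
    instead of plaintext: hash the known plaintext and compare.

    With a salted or slow hash this shortcut would not work, which is the
    whole point of salting.
    """
    a = parse_dump(plain_dump)
    h = parse_dump(hashed_dump)
    shared = sorted(set(a) & set(h))
    reused = [e for e in shared if sha1_hex(a[e]) == h[e].lower()]
    pct = 100.0 * len(reused) / len(shared) if shared else 0.0
    return len(shared), len(reused), pct


# CONSTRUCTED hashed dump: DUMP_B rendered as 'email:sha1hex', as a site
# storing unsalted SHA-1 would have leaked it.
HASHED_DUMP_B = "\n".join(
    f"{email}:{sha1_hex(password)}"
    for email, password in parse_dump(DUMP_B).items()
)


if __name__ == "__main__":
    shared, reused, pct = reuse_stats(DUMP_A, DUMP_B)
    print(f"{reused} of {shared} overlapping accounts reuse their password ({pct:.0f}%)")
    shared, reused, pct = reuse_against_hashes(DUMP_A, HASHED_DUMP_B)
    print(f"Against the hashed dump: {reused} of {shared} ({pct:.0f}%)")
```

On real dumps the join is usually done on a normalised e-mail address exactly as here; the only extra work is the format parsing, which varies from leak to leak.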
This raises two really fundamental questions. The first is endemic in human nature: people will carry out certain types of behaviour even though they know it is not wise. Why do people use the same password for all their online services? I guess one answer is ease of use. We are now bombarded with passwords and PINs to remember, and there is nothing more frustrating than wanting to use something, book a ticket or buy a film online, and realising you have no clue what your account password is, so that you either have to go through the process of requesting a reset or set up a new account. It is also a calculated risk: people currently do not feel that the information in their online lives would put them at too much risk even if it were compromised.
Secondly, what would stimulate people into taking the risk seriously enough to do something about it? Well, it will be when it costs them something: money, privacy, or that of friends and family. I am as guilty as everyone else; I would be the first to admit that in the past I have been somewhat idle about securing my data, but I decided that I should remedy that. There are a number of ways of doing it, such as password managers, and of course many devices and browsers will store a password for you, which carries its own risk (anyone with access to the unlocked device can use, and often read, those stored passwords). But in reality, for most people it comes down to using nature's password manager: good old-fashioned grey matter.
I believe the current system of endless streams of passwords, which need to be ever more varied and complex to be secure, and which are at risk even if you are actively protecting yourself, is not sustainable. Will there be some kind of online ID that we can establish? Maybe a kind of internet passport? I am currently reading with interest the European Commission's proposal for a Regulation on electronic identification and trust services, which would enable cross-border electronic signatures. It is not exactly what I am talking about, but there is a realisation that systems must adapt to deal with our lives online.
For those of you now pondering your own password portfolio, here are some good tips.