The White House is funding efforts to wipe out the password as the primary security code used to access sensitive data online.
Officials and cybersecurity experts say the password is inherently weak and frequently misused, with easily hacked phrases like “password” and “123456” putting bank accounts, Social Security numbers and other sensitive information at risk.
“It’s probably the highest vulnerability there is,” said Keith Ward, CEO of the Transglobal Secure Collaboration Program (TSCP), a company chosen by the White House to work on securely transmitting sensitive data between defense companies.
{mosads}For many, the ultimate goal is to “kill the password,” which has become a favorite refrain for White House Cybersecurity Coordinator Michael Daniel.
Lisa Monaco, President Obama’s homeland security adviser, has said eradicating passwords is one of the administration’s four goals on cybersecurity.
Since 2012, a White House program, the National Strategy for Trusted Identities in Cyberspace, has backed a number of pilot projects aimed at finding new ways to identify people without a password.
The companies are testing password alternatives that would have people authenticate their identity online using mobile devices, digital rings and even bracelets. The White House has also bankrolled efforts to securely identify children online and streamline the login process across different financial accounts.
Working with a $16.5 million budget, the program has pushed password alternatives from niche markets toward the mainstream.
“The whole program has really helped speed two things: one, the commercial adoption of our platform; secondly, the adoption by government agencies of our technology,” said Matt Thompson, co-founder of ID.me, which verifies whether users are active-duty members of the military, veterans, first responders, teachers or students.
Daniel has estimated some of the White House-backed solutions could hit the mass market in 2015.
That would be a relief to observers who say companies and consumers are “willfully blind” to the problems with passwords.
“That is the reason why all these breaches are just going to keep happening,” said Joe Siegrist, CEO of LastPass, a password management company.
With studies showing individuals now juggle more than 20 total passwords at a time, typing out an average of eight per day, systems are more vulnerable than ever before.
“The complexity of the problem has grown,” said Emmanuel Schalit, CEO of Dashlane, another password management company.
A slew of recent hacks have shown just how damaging a password breach can be.
The highest-profile incident came last fall, when dozens of celebrities, including Jennifer Lawrence, Kate Upton and Kim Kardashian had nude photos stolen from their Apple cloud accounts. The hackers used software that simply guessed at their passwords.
While the digital thieves couldn’t crack Apple’s online storage unit, figuring out the login information for individual users was easy.
More recently, hackers broke into the system of the health insurer Anthem, likely after using fraudulent emails to infiltrate network administrator’s computers and steal login credentials. The infiltrators eventually made off with data from up to 80 million customers, including hard-to-replace Social Security numbers.
And following the massive hack on Sony, one of the more amusing — and troubling — discoveries in the data dump was a document titled “Password” that contained, well, passwords.
The hacking incidents show companies and individuals are paying little attention to login security, experts say.
Companies let employees share sign-in data, allow unfettered access to anyone with a login and implement policies that actually encourage bad habits. If forced to rotate their password each month, for instance, staffers will often choose passwords like “April2014” and “May2014.”
“Everyone is trying to use the same key for every lock in their entire life,” Siegrist said, adding that 60 to 80 percent of companies LastPass has worked with were reusing login credentials.
“It’s just a complete disaster,” he said.
Despite the push from the White House, experts say there’s a long way to go before passwords are a thing of the past.
“I don’t think anyone really sees username and password really leaving,” said TSCP’s Ward. “It’s a generational thing.”
Companies like LastPass and Dashlane have turned the password problem into a business opportunity, offering products that store all of a user’s passwords in an encrypted vault, with only one master password required to access them.
LastPass has grown to 6.3 million users, with the entire password manager market counting roughly 15 million users, Siegrist estimated.
Security experts like Siegrist stress the importance of two-factor authentication. In addition to the password, two-factor logins require a second type of verification, like a personal question or a code sent to a mobile phone.
“You do those two things, you’re so far ahead of the game,” he said, “almost untouchable compared to the rest of the world.”