Forgetting passwords is a frustrating fact of everyday life today. People have an average of about 90 online accounts to manage at any given time, which makes for a lot of forgettable passwords. People accept the daily disruptions of abandoning a failed logon attempt or going through the cycle of requesting a password reset and conjuring up some new sequence of symbols that need to be remembered for next time.
Passwords are discarded and replaced without much thought, but there’s still value in those old and new strings of symbols, which are likely to serve another purpose long after we’re done with them. One popular use is funding the networks where children are bought and sold.
Human traffickers are just one criminal enterprise who count on society staying mired in the mess of password authentication. In 2014, one Russian crime ring had amassed the largest known collection of stolen internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses.
Those cyber criminals, and the untold masses who have emerged since, can twist technologies into a dizzying array of tools that ensure our passwords and other personal information stays in perpetual motion along the darkest corridors of the internet. There’s old school phishing, where crooks in disguise ask for and receive a person’s online authentication. Malware is popular for the ease in which it allows hackers to quietly pass through a cyber security weak spot, such as attaching to a browser and recording every keystroke made on a computer, which is all sent back to the attacker.
Password-based cyber security has remained fundamentally the same since it was introduced in the mid-60’s. Technology from the last century doesn’t stand a chance against today’s internet, the sophisticated technologies that are introduced daily, and the criminally-inclined who will manipulate both for ill-gotten gains. Cyber criminals count on a mere password to be the only thing in between our online lives and their world of peddling stolen data to fund human trafficking, smuggling, drug sales, terrorism and weapons trading.
Technology leaders are working with law enforcement and welfare organizations to make sure technologies stay a step ahead of criminals in the war on cybercrime. I support the “#NoPasswords Revolution,” devoting my life to working alongside the best and brightest men and women whose life work is developing the solutions that enhance the lives of the unfortunate and protect the lives of others, such as the 1,000 American children who are arrested for prostitution each year. The tools that better identify victims are improved every day and the networks that connect victims with resources are expanding into the furthest reaches of the darkest corners of the internet. Our reliance on passwords is doing nothing to deter predatory behavior or disrupt the environments where abuse takes place.
This November, Google let us know that there are 1.9 billion stolen passwords and usernames available on the black market. Yet we still turn to the many sites that rely on individuals to choose strong passwords as the first line of defense for their online accounts.
Is there another technology still in use on a massive, worldwide scale that was invented the same year Alan Shepard made first U.S. space flight? A number of the organizations that are entrusted to safeguard our information have attempted to keep the overworked password alive by strapping on layers of “multi factor” authentications — those knowledge-based questions about favorite sports teams or family maiden names.
Is a question about the city where we were born clandestine enough to thwart the thousands of keyloggers with names like “HawkEye” or “Cyborg Logger” that stand ready to watch everything we do online?
Eradicating passwords, or any singular step towards cyber security will protect against the evolving threat landscape. But it is a step toward a hack-resilient internet. Collectively we can urge electronics manufacturers, service providers, legislators and the rest of the people who use the internet to do one simple thing to make it better.
It’s time to refuse to live in a world where our personal information can be protected and exploited children can be saved — but we still choose to not use the widely available tools that can do both. Instead, the choice is made to keep using forgotten passwords.