Passwords are not a means of securing information.  Bill Gates told us this in 2004, but it’s 2016 now and this time, we really mean it.

Gates’ reasoning was that passwords were just insufficient to protect the growing information field and the privacy of sensitive information.  The problem now is not that passwords are insecure – they are indeed insecure – but no one cares.  The problem is password complexity.

Password complexity eliminated dictionary attacks, minimized the efficiency of brute force attacks, and made it difficult for someone to look over your shoulder and realize that typing “iloveyou” grants access to all the company secrets.

Password complexity — the all-powerful resolution to the enigma of password insecurity, the information security engineer’s best friend, the answers to Landau’s Problems and that which provides no fewer than 98 resolutions for Jay-Z — also made passwords so confusing that users can’t access their own data and every organization needs a secret question and answer function to actually bypass the password altogether.

Yes, that feature, which asks you to identify your mother’s maiden name instead of your complex password.  Your super complex password, which must be secure, that hard thought-out and impossible to remember version of “e.:g8=7s/hZ:8$W,” can be bypassed by typing “Smith.”

Oh, and everyone knows you wrote “e.:g8=7s/hZ:8$W” on that Post-it note under your keyboard.

As an industry, we love making things seem super-duper secure.  Every time I want to order a new pair of shoes or a fresh case for my iPhone (and I go shopping online at a WIDE variety of stores), I have to walk through a registration process with the vendor, set a complex password, provide my personal contact information, all before handing over my credit card number.

Another complex password to remember.  Another vendor storing my credit card data and protecting access to my information with a complex password.  Another secret-question login-bypass setup.

Why control everything?  Why should a consumer trust every single online retailer (and I repeat, there are a LOT of choices) when one known trustworthy source such as my phone manufacturer or a private security firm could protect everyone’s data and only share the vital pieces?

When I walk through Macy’s, I don’t get stopped along the way and invited to register my address in a guestbook before I try on the next pair of way-too-small-why-did-I-eat-so-much? jeans.  Why does Nordstrom, eBay, or Marshall’s need to know more than what their website analytics tell them about someone being online, browsing for an outfit?

To the dismay of writers for the next Mission: Impossible sequel, the answer isn’t an intrusive DNA scan, complex physical keys or subdermal electronic implants.  We have already attached ourselves to the technology we need for secure authentication, and without intrusive scans or any need for a local anesthetic.

Just like Gates did with the first Microsoft Windows, enabling users to drive an operating system with a magic pointer device named after a cute, squeaky little animal  (okay, maybe not cute), Apple has simplified logins to pressing your finger on a little circle on your phone.  The easiest and most effective biometric authentication application yet is Apple’s Touch ID authentication.  It’s easy.

Authentication and encryption are handled behind the scenes somewhere in Apple-land, and the likelihood of anyone forgetting their finger is, well, low.  A short and easy to remember PIN can be configured as a complement to enable future quick and effective two-factor authentication.

The complexity can hide away from “normal” users – consumers – so they can just use the Internet as a tool.  No more password complexity and no more hundreds of passwords to remember.  The authentication system can do its job, watch for suspicious behavior, and it would know why I tried to buy Arepas at 7am in Caracas when 10 minutes earlier I had ordered the next-size-larger jeans from Macy’s online using a computer, on my desk, in the office, in Denver.

We just need to apply this simple, user-friendly and unforgettable tool to other online and secure environments, offer degrees of security for various use cases, and you’ll never again need to write “e.:g8=7s/hZ:8$W” on a Post-it note or worry about someone guessing “Smith.”

Leave a Reply