By Danny Yadron and Katherine Rosman
Fernando Corbató didn't intend to unleash havoc when he helped create the first computer password at the
Massachusetts Institute of Technology in the early 1960s.
"It's become kind of a nightmare," says the 87-year-old retired researcher. "I don't think anybody can possibly
remember all the passwords."
Passwords are a bane to computer and smartphone users and a security threat to companies. On Wednesday, eBay Inc.
urged its 145 million users to change their passwords because of a data breach. But if the past is a guide, few people
will heed the warning.
Last month, some experts called a flaw in OpenSSL, an encryption library used by much of the Web, known as Heartbleed one of the worst holes ever
discovered in the Web's defenses. The bug might have exposed billions of passwords to hackers, yet just 39% of adult
Internet users surveyed by Pew Research Center canceled accounts or changed their passwords after Heartbleed.
"Passwords are awful and need to be shot," says Jeremy Grant, head of the National Strategy for Trusted Identities
in Cyberspace, a task force created by President Barack Obama in 2011 to bolster online security.
Despite all their flaws, passwords are so ubiquitous, cheap to use and entrenched in the architecture of websites
and the rhythm of human behavior that efforts to supplant them have barely budged.
"It's the only piece of technology from 50 years ago we're still using today," says Brett McDowell, a senior
Internet security adviser at eBay's PayPal unit.
Some people are hoping to kill passwords with fingerprint readers, iris scanners and USB keys. But a string of
disappointments makes executives, scientists, engineers, and government officials skeptical. Mr. McDowell and
counterparts at Bank of America Corp., Google Inc. and other companies are toiling away on a password-replacement
project called the Fido Alliance.
It recently released an early version of standards that could be used for other forms of online identification.
PayPal is using them, and Google has been happy with an internal test, company officials say.
Apple Inc.'s newest iPhone has a fingerprint-unlocking feature, but some users have found that typing a password is
just as easy as trying to place a thumb in perfect alignment.
No one knows how many passwords there are, partly because they are proliferating so quickly that it is impossible
to keep track. Surging use of smartphones, tablets and other mobile devices has worsened the sprawl. Social-networking
and e-commerce websites often require users to log in so the sites can offer personalized content and advertising.
Despite data breaches and warnings from security experts, people cling to easy-to-remember passwords and often use
the same ones for many accounts.
"You can compare the top baby names of the year to passwords lists," said Morgan Slain, chief executive of
SplashData Inc., a password-management company that publishes an annual list of "worst passwords." The ranking is based
on the most common passwords found in files containing stolen passwords posted online in the previous year. The worst of
the worst vary little from year to year, including "123456," "password" and "qwerty."
Jeff Myers, 49, came up with his own strategy. A former cardiac surgeon who now works on drug trials for Gilead
Sciences Inc., Dr. Myers increases the number at the end of his password by one each month.
"Anybody with any hacking skill would figure it out immediately," he says.
Google and Twitter Inc. are among the companies that now offer a two-step authentication process to thwart hackers.
After users enter a password, a one-time code is sent to their smartphone via text message. The code must be entered
into the company's website.
The process is more secure than just a password but can get snarled if a phone is lost. It also slows people down.
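To make the second step concrete, the block below is an added illustration of how the server side of such a code check is typically built; it is not code from the article, nor from Google or Twitter. It assumes an in-memory table of pending codes (a real service would use a database or cache), a server-side HMAC key generated at startup (in production this would come from a key store), six-digit codes, a five-minute lifetime and a five-guess limit; all of those are assumptions of this example. Sending the text message itself is out of scope. The example goes slightly beyond the article's description in that it also shows the three safeguards a practitioner expects around a short numeric code: single use, expiry and a cap on wrong guesses, since a six-digit code can otherwise be brute-forced in at most a million tries.

```python
import hashlib
import hmac
import secrets
import time

# Assumed constants for this example (not from the article).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # a code is valid for five minutes
MAX_ATTEMPTS = 5            # after five wrong guesses the code is discarded

# Assumed server-side key; generated at process start here for self-containment.
# A real deployment would load it from a key store so it survives restarts.
_SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory store: username -> pending challenge record.
_pending = {}


def _tag(username, code):
    """Keyed hash of (user, code). Only this is stored, never the code itself,
    so a leaked table cannot be turned back into valid codes without the key."""
    msg = f"{username}:{code}".encode()
    return hmac.new(_SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_code(username, now=None):
    """Generate a fresh one-time code after the password step succeeded.
    Returns the code so the caller can deliver it by SMS; only its keyed hash,
    expiry and attempt counter are kept server-side. Reissuing replaces any
    earlier pending code for the same user."""
    now = time.time() if now is None else now
    # secrets, not random: the code must be unpredictable to an attacker.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[username] = {
        "tag": _tag(username, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(username, submitted, now=None):
    """Check the code typed into the website. Returns True exactly once for a
    valid, unexpired code; any success or exhaustion of attempts removes the
    record so the code cannot be replayed."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False                      # nothing pending: fail closed
    if now > entry["expires"]:
        del _pending[username]            # expired: user must request a new code
        return False
    entry["attempts"] += 1
    # Constant-time comparison so response timing does not leak matching prefixes.
    ok = hmac.compare_digest(entry["tag"], _tag(username, submitted))
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]            # single use, or too many guesses
    return ok


if __name__ == "__main__":
    # Constructed walk-through: the right code works once, then is spent.
    code = issue_code("alice")
    print("sent by SMS:", code)
    print("first check :", verify_code("alice", code))   # True
    print("replayed    :", verify_code("alice", code))   # False
```

The attempt cap is the part most often forgotten: without it, an attacker who already has the password can simply submit every six-digit value. Expiry and single use bound the window in which an intercepted text message is useful, and the keyed hash means the pending-code table is not itself a second password database to protect.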
"All of these create additional friction," says Uri Rivner, a former executive at RSA, a data-security division of
EMC Corp. He recently helped launch BioCatch Inc., of Boston, which lets websites verify identity by measuring how
someone holds a smartphone or drags a mouse across a screen. Major U.S. banks are using the technology, he adds,
declining to identify them.
Even the smartest passwords are only as secure as the companies that store them. Heartbleed let hackers scoop
protected data out of corporate servers. Target Corp. has said hackers used a password stolen from a refrigeration
contractor last year to invade a credit- and debit-card system, where they stole 40 million card numbers.
It isn't clear how many people may have been victims of those two frauds. Since the heist, Target has taken steps
to wall off high-value data from the rest of its network. After Heartbleed was disclosed in April, dozens of websites
urged users to change all their passwords.
PayPal lets customers buy things with the fingerprint sensor of Samsung Electronics Co.'s newest smartphone, the
Galaxy S5. Apple Chief Executive Tim Cook has said company officials had mobile payments in mind when Apple added such a
sensor to its latest iPhone.
Apple's system now works only with the company's own products, like iTunes. PayPal customers could use the same
fingerprint at any site that adopts the Fido standards. Of course, when fingerprint readers on the Galaxy and iPhone
don't work, users must fall back on entering a password.
Stuart Geiger, a doctoral student at the University of California, Berkeley's School of Information who studies how
people interact with technology, says putting the password out of its misery would require collaboration from a gaggle
of Silicon Valley companies that compete against each other in everything from online shopping to chats to television.
Even if that happens, would hundreds of millions of Internet users in the U.S. who are accustomed to relying on
ham-handed passwords be willing to change their ways or switch to gadgets that use more sophisticated security? "One big
factor is inertia," he says diplomatically.
The mess is much more than Mr. Corbató, a professor emeritus at MIT who lives in Newton, Mass., ever imagined
when he and his colleagues came up with the password to control access to files on a huge, shared computer.
"We didn't foresee the Internet, either," he says. Mr. Corbató keeps track of his passwords by typing them on
paper. He is moving them to an online file.
Write to Danny Yadron at email@example.com and Katherine Rosman at firstname.lastname@example.org
(END) Dow Jones Newswires
Copyright (c) 2014 Dow Jones & Company, Inc.