The top White House cybersecurity official has long proclaimed his intention to “kill the password” and replace it with a more dynamic way of securing people’s online activities.
Unfortunately, in the view of private-sector security experts, the password, with all of its attendant flaws and weaknesses, probably isn’t going away anytime soon despite the cheerleading by White House cybersecurity coordinator Michael Daniel.
“We value convenience over security — and we’re less secure today than we were 10 years ago,” according to Richard Jay Johnson, an attorney at Jones Day in Dallas, Texas, and a former federal prosecutor.
It’s not getting any better, Johnson said last week at an industry conference in Dallas.
“If you want to know what privacy will look like in 2026, take a snapshot of now and fast-forward,” he said. “People won’t get more secure in their behavior.”
Johnson led conference participants through a humorous but unsettling exercise meant to demonstrate how easy it is for hackers to uncover passwords through the use of simple algorithms.
“We know your passwords,” he warned ominously.
For instance, men typically use hobbies or sports for their passwords, with a number almost always tacked on at the end. Women use proper names, dates, or the names of pets.
It’s all terribly easy for hackers to run a program and churn out passwords for thousands of people with just the tiniest bit of information in hand.
Johnson acknowledged that digital citizens are trying to be more clever, but they are still landing on easy-to-figure formulas.
Examples: The ship number for the Starship Enterprise (NCC1701) and the numbers 77777 and 8675309 (from the 1980s pop song by Tommy Tutone) show up thousands of times, Johnson said.
The password “crazygolf” is a popular one, Johnson said. When asked to strengthen it, users may capitalize the “C.” Asked to make it a little stronger still, a person might add a “1” – and always at the end.
“We’re not as creative as we think we are,” he noted.
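The patterns Johnson describes are exactly what a password policy can be built to see through. The following is an added example (not from the article or from any product it mentions) of a checker that undoes the usual mangling (a capitalized first letter, a digit or symbol tacked on the end) before comparing the base against a constructed word list; the list here contains only the values named above and stands in for the breached-password or dictionary list a real deployment would load.

```python
import re

# Constructed sample lists: the base words and numeric strings this page names
# as common, plus a few obvious fillers. A real deployment would load a large
# dictionary or breached-password list instead.
COMMON_BASES = {"crazygolf", "golf", "hockey", "football", "fishing", "password"}
COMMON_NUMBERS = {"ncc1701", "77777", "8675309"}

# Up to four trailing digits or punctuation characters: "1", "!", "2016", "1!".
TRAILING_MANGLE = re.compile(r"[\d!@#$%^&*]{1,4}$")


def normalize(password: str) -> str:
    """Undo the mangling described in the talk so 'Crazygolf1' collapses to 'crazygolf'."""
    base = password.lower()
    return TRAILING_MANGLE.sub("", base)


def weaknesses(password: str) -> list[str]:
    """Return the predictable patterns the password exhibits; empty means none detected."""
    found = []
    lowered = password.lower()
    base = normalize(password)
    if lowered in COMMON_NUMBERS:
        found.append("well-known numeric string")
    if base in COMMON_BASES:
        found.append("common base word")
    # Only report the suffix pattern when what remains is a plain word.
    if base != lowered and base.isalpha():
        found.append("digits/symbols only at the end")
    if password[:1].isupper() and password[1:].islower():
        found.append("only first letter capitalized")
    if password.isdigit():
        found.append("all digits")
    return found


def is_acceptable(password: str, min_len: int = 12) -> bool:
    """Policy decision: long enough and free of the patterns above."""
    return len(password) >= min_len and not weaknesses(password)


if __name__ == "__main__":
    # The progression from the talk: each "stronger" version is still rejected.
    for candidate in ("crazygolf", "Crazygolf", "Crazygolf1", "NCC1701", "8675309"):
        print(f"{candidate!r}: acceptable={is_acceptable(candidate)} {weaknesses(candidate)}")
```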
All of this evidence — and there is much, much more — led Daniel at the White House to launch his “kill the password” campaign.
What is the government doing about this?
The National Institute of Standards and Technology, one of the most trusted federal agencies, is leading a “national strategy for trusted identities in cyberspace,” and just this month announced an online registry for companies to join in and expand the security “ecosystem.”
The Cybersecurity Act of 2015, signed into law last December, also took a crack at making the federal government a showplace for post-password security.
The law calls for a study of how to secure federal employees’ mobile devices, which could have some practical benefits, and it also calls on federal agencies to institute “trusted identity” programs and steps like “multi-factor authentication” for people signing onto their networks.
Later this summer, the inspectors general from each federal agency are required to report on efforts to implement a next generation of controls moving beyond the password.
That could offer a clue as to whether one very large organization with acute needs and vulnerabilities in this space — the U.S. government — can make headway where others have failed.
Despite this movement, it remains an uphill climb to move the American consumer — and employee, employer and government agency — beyond the perceived ease of a password-based system.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.