Post Yahoo, Passwords are Passé

14% of Worldwide Internet Users Were Exposed

I’m sure if you are reading this, you are already aware of the historic Yahoo data breach that was announced last week.  500 million accounts affected – the largest number of accounts ever affected by a known breach.  Let’s put that into perspective – according to the US Census Population Clock, the current population of the US is 324 million.  That means this hack could have contained an account for every single person in the United States and still have had 126 million accounts to spare.  It just so happens that Japan has a population of 126 million people, so this hack is the size of the US plus Japan.

Put another way – Live Internet Stats shows that almost 3.5 billion people use the internet.  That means as many as 14.3% of worldwide internet users could be affected by this breach.

Oh yeah, and it happened in 2014; so for those of you caught up in this, you’ve been left flapping in the wind for two years.

NOTE FOR THOSE AFFECTED:  If any of you are still fretting because your Yahoo account was a part of the hack, here are the three first things you should do immediately:

1. Change your Yahoo password (of course)
2. Create unique passwords on accounts using your Yahoo password
3. Start using 2FA on sensitive accounts like your email and your bank

I also recommend starting to use Yahoo’s Account Key technology.  It eliminates the password entirely and lets you log in using your phone as your key.  If you want even more tips on how to better protect your privacy, check out Consumer Reports’ article with 66 practical tips.

Many others will adequately rake Yahoo across the coals far better than I could hope to, so let’s assume the appropriate scorn has already been bestowed and move on to discussing what this means for users and companies storing account information.  The Yahoo breach should be a reminder that the notion of authentication with a username-password is overdue for an overhaul.  Passwords are susceptible to attack at an individual account level and are a major problem in a massive data breach like Yahoo’s.  The password itself has become the weak link in the security chain, and it’s time we changed tack.

Too Many & Not Enough – The Plague of Password Fatigue

By 2007, the term “Password Fatigue” had already entered the techie lexicon, but the rumors of its demise have been greatly exaggerated.  Business Insider’s 2013 article, The End of the Password, seems sadly optimistic 3 years later.  Users are struggling more than ever with password fatigue, but the solutions still aren’t being implemented.  There is a growing tension in passwords between having too many and not having enough.

A 2012 study indicated that users have an average minimum of 17 private passwords and 8 work related ones.  In 2016, most users would think having 22 passwords positively quaint.  The proliferation of social sites and cloud services means a username and password is required in almost every corner of the web.  In fact, Americans use eight passwords every day as they surf the web.  For those of us actively using the web, there is no doubt there are too many passwords.

At the same time, the common recommendation to deal with password vulnerability is to have users create unique passwords for every account they have.  Yet, users can’t really make this happen.  Looking at the numbers, more than half of users in EVERY age group admit to re-using passwords.

[Chart: People who reuse passwords across sites]

So, for the expected level of security to actually exist on the web, we don’t have enough passwords.  This tension of too many and not enough is untenable and should be indicative of an unsustainable system.

Hard to Guess = Easy to Forget

We all know we are supposed to create strong passwords with plenty of characters, no real words, some numbers, some capitals, a few special characters, and just for good measure, perhaps throw in a randomizer to mix things up…  Then, we all woke up and realized this was the real world, and we’ve got better things to do.

If a user is going to use passwords to get into their accounts, they need to remember those passwords.  This means creating strong passwords is not actually a reasonable tactic once we recognize the users’ plight in the system.

When asked to identify the cause of authentication and identification failures, 63% of Americans chose “forgotten password” as the top choice.  If password fatigue is already a problem because of how many passwords we use, imagine how much worse it gets when using a string of characters that is difficult to memorize.  There is no way users should be expected to deal with this.

Users Shouldn’t Be Policy Performers

Another major problem with human generated passwords is we expect the users to follow good security hygiene, but this expectation isn’t really reasonable.  For instance, we would expect users to change their passwords at a regular interval.  Or at least, users will change their passwords after a major security scare… right?

A study by the Pew Research Center looked at Americans’ response to the Snowden revelation of the government’s surveillance of US citizens.  It found that of the people who were aware of the surveillance programs, 25% changed their behavior to protect themselves online and 25% started using complex passwords.  Let’s, for a moment, look at the inverse of those statistics – 75% of Americans who were aware of the surveillance DID NOT change their behavior or start using complex passwords.

Believing that users should carry the responsibility of creating strong passwords, using unique passwords for each account, and changing passwords on a regular basis is actually not a rational expectation.  It just isn’t realistic to think that every user can invest that kind of energy or have that kind of awareness.  Leaving the responsibility for the primary mechanism of security authentication to the user is not fair to them.

Getting Worse – Let’s Make It Better

If Yahoo accidentally exposing 500 million people’s account information doesn’t convince you that the password problem is getting worse, then look at the numbers.  In 2013, 11% of online adults reported having personal information stolen online.  In 2014, that went up to 18%.  This year, a stunning 26% of US adults received a breach notification.

There are better solutions than the password.  Google will be testing a “trust score” to replace passwords this year.  A study by VISA in Europe shows that three quarters of 16-24 year olds would go for biometric authentication.  Affected Yahoo users can replace their password with an encrypted push notification to their phone.  Here at Tozny we recommend this method of password-free authentication, and Tozny Authenticator has secure push-notification login as its key feature.
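To make the “phone as your key” idea concrete, here is a simplified push-approval login written for this post as an illustration; it is not Tozny’s or Yahoo’s implementation.  It assumes the phone was enrolled once with a per-device secret (a constructed value here), and it uses a keyed HMAC over the server’s challenge in place of the encrypted push message.  The server stores no password at all, each challenge is single-use, expires, and is bound to the login context the user is asked to approve.

```python
import hashlib
import hmac
import secrets
import time

# Constructed illustration of password-free push login: the phone holds a
# per-device secret from enrolment; the server keeps only that secret and a
# table of pending challenges. No password is ever created or stored.
CHALLENGE_TTL = 60  # seconds a pushed login request stays approvable


def approve_on_phone(device_secret, nonce, context):
    """What the phone computes when the user taps 'approve' on the push."""
    msg = f"{nonce}|{context}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self):
        self.devices = {}   # user -> device secret (enrolled out of band)
        self.pending = {}   # nonce -> (user, context, expiry)

    def enrol(self, user, device_secret):
        self.devices[user] = device_secret

    def start_login(self, user, context, now=None):
        """Browser asks to log in: issue a one-time challenge and push it."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, context, now + CHALLENGE_TTL)
        return {"nonce": nonce, "context": context}

    def finish_login(self, nonce, approval, now=None):
        """Phone answers the push: verify it against the pending challenge."""
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)   # popping makes it single-use
        if entry is None:
            return False                        # unknown or already consumed
        user, context, expiry = entry
        if now > expiry:
            return False                        # stale push; user must retry
        expected = approve_on_phone(self.devices[user], nonce, context)
        return hmac.compare_digest(expected, approval)


def demo():
    """One successful login followed by a replayed approval that is rejected."""
    secret = b"constructed-device-secret"
    srv = AuthServer()
    srv.enrol("alice", secret)
    push = srv.start_login("alice", "login from Chrome, Portland")
    approval = approve_on_phone(secret, push["nonce"], push["context"])
    return srv.finish_login(push["nonce"], approval), srv.finish_login(push["nonce"], approval)
```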

It’s time to ditch the password.  Tozny offers a few different options for password-free authentication that you can easily embed in your apps or web site using our SDKs.  And right now, we are signing up developers for our free beta.

Let us know if you’d like to join!