Editorial: What’s the Password?

Cybersecurity expert Peter W. Singer, speaking at Dartmouth College last week, had some advice for everyone who uses computers: Practice effective hygiene. He wasn’t talking about hand washing. He was referring to the importance of having smart passwords and changing them often to guard against hackers eager to snatch personal data.

We don’t wish to quarrel with the author of Cybersecurity and Cyberwar: What Everyone Needs to Know. As the director of the Center for 21st Century Security and Intelligence at the Brookings Institution, a think tank in Washington, D.C., Singer obviously knows a thing or two about Internet safety and security. Devising complex passwords for every commonly used website is undoubtedly a good hedge against online thieves. But other than tech geeks and paranoiacs, who’s likely to follow the recommendation?

The problem with hack-proof passwords is that they’re hard to remember. Very few people possess the capacious memory palaces necessary to store lots of unique passwords associated with frequented websites for such activities as banking, shopping, gaming, social networking, scaling media pay walls, accessing medical records and so on. Who hasn’t been Web surfing only to crash against the words, “Please enter your password”?

This is one reason that so many Internet users, even when warned of the dangers, prefer to keep things simple. As Singer pointed out, the two most common passwords are “password” and a familiar series of numbers such as “123456.” Other frequently used passwords include “qwerty,” “monkey,” “trustno1” and “ashley.” Ashley? Google failed to offer a plausible explanation for the popularity of that one.

At any rate, passwords are now part of the furniture of digital living, which involves the ever-present and perhaps increasing risk of theft. Most people will be victims of hackers at some point, according to experts. One of the few precautions is to manage passwords responsibly, Singer told his audience. That’s important, he said, not only to protect one’s personal data but also to protect the security of the Internet itself. The link was clear last month, when a flaw was discovered in one of the Internet’s fundamental security methods, forcing many heavily used websites such as Yahoo, Facebook and Amazon to fix a bug known as “Heartbleed.” It’s unclear how widely the bug was exploited by hackers or what the implications were for consumers, but personal passwords may have been compromised. Some organizations urged users to come up with new ones.

Our sense is that keeping hackers at bay requires such unending vigilance that most people simply throw up their hands and turn over the keys, metaphorically speaking. It’s no good keeping passwords in plain sight on your computer and little use buying password-protection software, which lets you store user names and passwords on cloud-based servers, which are themselves vulnerable. You could, as some advise, jam on your keyboard to come up with uncrackable nonsense words and store them on an encrypted, password-protected USB drive. But who has the time or inclination for such complication? It seems to us that most people are likely to resist good password hygiene until catastrophic contagion strikes, and digital life as we know it collapses. Pardon the pessimism, but that’s human nature.