infoTECH Feature

April 30, 2013

When Passwords Aren't Enough to Maintain Account Security

Passwords can be the bane of our online life. In the earliest days of the Internet, we (those of us who can remember it) had one log-in and one password, usually for our ISP so we could access our AOL or Hotmail.

Fast-forward 20 or more years, and if you’re like most people, you have log-ins and passwords for your e-mail, your screen unlock on your computers, smartphone and tablet, your online accounts such as banking, mortgage, utilities, cable or satellite television, credit cards, car loan, merchant accounts, apps marketplaces, cell phone account, Amazon, PayPal, eBay and an unlimited number of other things.

And what’s the one thing security experts tell you? “Never use the same password twice and never write it down!” Add to this that passwords are becoming increasingly complex – “must contain one capital letter, one number, one symbol and one Greek alphabet mathematical symbol” – and you’ve got a nightmare crisis of memory. For those of us who seldom remember where we put our car keys, it’s like a daily exercise in frustration.

Passwords are becoming longer, as you may have noticed. Once somewhere around six characters, more and more companies are demanding passwords with as many as 16 characters. Many demand symbols and are case sensitive. It seems like every company has its own theory about what makes for a secure password. The question remains…who is right?

Ars Technica recently set out to find out, and spoke to several companies – banks and tech companies – about their views on password security. The general gist is that a longer password does not make for a more secure password. Password guessing to crack an account, while popular in Hollywood movies, isn’t the way most thieves get account information, according to Microsoft.

“Criminals attempt to victimize our customers in various ways and we’ve found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords,” a Microsoft spokesperson told Ars Technica.

Phishing, of course, involves crafting authentic-looking fake e-mails or Web pages and tricking customers into entering their log-in information, which the thieves collect and then use on the genuine sites.

So what’s the alternative? Many companies are turning to two-factor authentication: instead of relying on just a password, companies ask you to answer a security question, or associate an image with a word. But is this enough? Many victims of financial crime find that someone they know is the perpetrator: a relative, a roommate or someone else who is likely to know what your mother’s maiden name is or where you went to high school.

For this reason, many companies are turning to triple-factor authentication, and in the near future, this is likely to involve speech technology. While a thief may be able to phish or guess your password, he or she cannot replicate your voice. And while most of us have yet to encounter voice biometrics for security, the technology is already used at the high end (think Swiss bank accounts) and will soon begin trickling into ordinary usage.

The technology, which first takes a “baseline” of a user’s voice and stores the data to compare it against that user’s voice in future log-ins, is language-independent, highly reliable and able to be set up for self-service, meaning customers can create their voiceprints and change their spoken password phrases on their own with the help of an interactive voice response (IVR) system.

Perhaps it will never replace passwords – what would life be without starting the morning typing 17 variants of “Fluffy12&” – but it will stop phishers, greedy relatives and others in their tracks.




Edited by Alisen Downey