EDITORIAL

Password fatigue

5/22/2015

According to Microsoft research, the average American has 25 online accounts that require passwords and uses about eight of them every day. But for these accounts, most people use just six or seven passwords, increasing their vulnerability to hackers.

Enter the U.S. government, which proposes to improve cybersecurity and end the nation’s “password fatigue” by making the password extinct. The mantra of the Obama Administration’s cybersecurity coordinator, Michael Daniel, is: “Kill the password dead.”

But don’t write its obituary yet. Options on the table carry their own risks. Another roadblock to freedom from passwords is the government itself, which wants technology it alone can hack.

Passwords could be gone tomorrow, replaced with thumbprints, facial recognition, eye scans, and other sophisticated (and expensive) authentications. Yet many people don’t trust biometric scans. The theft of a thumbprint would be worse than that of a password.

Then there’s the government’s role. Mr. Daniel said its initiative — the ponderous National Strategy for Trusted Identities in Cyberspace — is an effort to “jump-start the private sector into providing different kinds of authentication.”

But the Justice Department and FBI have been hostile to truly secure technological advances, such as the hack-proof phones that Google and Apple introduced last year. “We don’t want to have something that puts it utterly beyond the reach of law enforcement in the appropriate circumstances,” Mr. Daniel said.

This leaves hapless consumers with passwords, until America works out its privacy issues. The private sector stands ready to help there too: New products on the market promise to store and apply passwords for the forgetful.

They’re a solution for now. Until, of course, these companies are hacked.