All eBay users are being told to change their passwords after news broke yesterday that a cyberattack exposed a database containing people’s names, addresses, dates of birth and encrypted passwords. Sites getting hacked and leaking their users’ passwords now seems to happen on a monthly basis. Last month, after Heartbleed, people were told they needed to change their passwords on every single site they use. This latest breach will inevitably kick off a flood of stories about how badly the password system, as it currently exists, works. “Passwords are awful and need to be shot,” a government cybersecurity official told the Wall Street Journal.
While eBay hasn’t said exactly how the hack occurred, spokesperson Kari Ramirez did say it happened because “a small number of employee log-in credentials” were compromised. The weak point, in other words, was presumably the employees’ passwords: once an attacker had those, the database behind them was reachable.
Experts inevitably suggest biometric solutions to the ‘password problem,’ unlocking accounts instead with fingerprints, face recognition, iris scanners, voice recognition, or perhaps, if our smartphones could prick us, DNA samples. But those are all pretty far off, so instead we usually end up talking about the realistic option right now: two-factor authentication. This is a short, short-lived code, usually generated by an app on your smartphone or sent to you by text, that you have to enter in addition to your password to get access to a given website. If eBay had required two-factor for all of its users, then a stolen password alone would not have been enough to get into their accounts. A hacker would also need access to their phones.
But two-factor has problems too. My roommate smartly had two-factor on his Google account, which is great for preventing anyone from breaking into his Gmail. But when he got locked out of our house without his phone or wallet, while a kettle boiled on the stove, it suddenly felt like a problem, not a solution. He didn’t have my or my other roommate’s numbers memorized. A neighbor gave him access to a computer, but he couldn’t get into his email to get our numbers because he needed his phone to get his second factor. He had actually printed out emergency backup codes for a situation like this, an option offered by Google, but they were in his wallet. Unable to break into his own account, he wound up breaking into our house, smashing a window to unlock a door. The security measure made our house insecure for a few days while we waited for the window to be replaced.
My roommate didn’t know it at the time, but Google actually has an option to receive the second factor as a voice call, so if he could have accessed his voicemail remotely, he could have gotten into his account. But he’s not the only one to be flustered by suddenly inaccessible two-factor codes. People who receive them by text regularly get locked out of their accounts when traveling abroad, or when they’re up in an airplane with Wi-Fi but no cell service. Two-factor certainly makes for better security, but it comes with its own headaches.
Judging from human behavior — the number of people who use easy passwords or the same password on many different sites, and who don’t elect to use two-factor when it is available — most people are content to use very light security and run the risk of getting hacked. It’s all about the short-term versus long-term outlook: Making it easy to sign into a site on a regular basis is worth the seemingly remote and unlikely chance that someone is going to figure out your password, or steal it, and use it against you. There are a slew of services like LastPass and DashLane that promise to make it easier to have different, secure passwords across many sites, but they cost money. And the only thing people seem to hate more than extra effort is actually shelling out dollars to protect something that hasn’t been violated yet.