Even with the best of password plans / schemes / technologies, you're still at the mercy of the organization storing that password for you. Granted, a short-term password is a good solution if it's viable and usable. Regardless, have a look at what ZipRealty did with my password - http://bit.ly/XnHsq - Doesn't matter how secure it is if some random person on the other end has access to it.
Building a Better Password
Tough to remember but easy to crack, passwords are the weak link in computer security. Billions hang in the balance.
My password is gr8199. I've been using it for more than a decade, ever since a Web site first required me to create a string of six to 12 characters, with a mixture of letters and numbers. At that moment the only sequence I could think of had to do with the Wayne Gretzky vanity license plate my family happened to be considering: the Great One, No. 99, which yielded gr8199. As the requirements for passwords evolved over the years, I added extra nines, cobbled on a question mark, and blended it with my alternate password (which is, insanely, my Social Security number). Until last week, gr8199 and its descendants got you into my laptop, my e-mail, my Scrabble, my bank accounts, my blog, my work PC, my health insurance, Facebook, Skype, Snapfish, Hulu, my tax returns, and at least 39 other sites across the Internet. I can tell you my secret code because I'm changing it; I'm changing it because I'm telling you. My password system is a mess—and I bet yours is, too.
If you're a typical Web user—and these days, what office worker doesn't spend all day plugged in to the browser?—you have 6.5 passwords, each of which is used at four sites, and you're forced to type one eight times per day. Your employer likely makes you create a brand-new code every 90 days. At one point or another, you've probably scrawled a password on a Post-it, e-mailed one to yourself, or made other security-breaching concessions to the fundamental impossibility of memorizing so many strings of gobbledygook. Today we don't have passwords so much as coping systems.
Companies spend billions of dollars protecting their computer systems, and passwords are a linchpin. With so much riding on Americans' faulty passwords, there has to be a better way to make our technology secure—and it's taking shape inside Carnegie Mellon University's cyber-security-research department. There is no password 2.0 in the wings, no genius breakthrough to secure our stuff forever. But for the past five years a few members of CyLab, as it's known, have been studying not just the mathematical theory behind passwords but the way humans actually use them. Their findings suggest there's a lot we can do to make this part of our lives far less of a hassle—and in my case, to move far beyond gr8199.
Though it's housed in an otherwise nondescript building on the north side of Carnegie Mellon's Pittsburgh campus, parts of CyLab resemble James Bond's Q Branch. The biometrics lab in particular is hard at work taking the fiction out of science-fiction movies like Minority Report. The workspace is a hive of activity, with 15 students bent over all manner of gadgetry; it's like a high-school shop class, but with prototype face-tracking cameras instead of band saws. This is where Carnegie Mellon wows its visitors, with toys that can read a person's fingerprint from across the room, reverse-engineer a 3-D model of a face from a simple 2-D snapshot, and recognize a moving iris at 13 meters. Nearly every gadget here would give a civil libertarian a stroke.
With their futuristic sexiness and fat military funding, biometrics and bleeding-edge cryptography have long drawn the best minds in computer security. But for average consumers, biometrics has also been among the biggest letdowns in security. The fingerprint scanners available on some laptops are essentially novelties, for example, and voice authentication has never been reliable or secure enough to function on its own. Cost is also a huge obstacle: unless you work at the CIA, your employer isn't likely to buy you an iris reader any time soon. "Biometrics never caught on, and it never will," says Richard Power, a CyLab fellow who rails about the lack of progress—he calls it a "lost decade"—in computer security.
For regular people accessing Web sites and PCs, passwords are what we're stuck with, primarily because they're simple and cheap. Among computer researchers, passwords are a key aspect of a burgeoning field known as "usable security." At Carnegie Mellon, the scientists who've pioneered the discipline work not in a lab but upstairs in a wing that looks no different from most universities' English or history departments. Look closer, though, and you'll see signs that this is no ordinary place. The doors are all marked with 2-D bar codes; a professor enters his office by snapping a photo with his cell phone. Click! goes the phone; thunk! slides the bolt. It's more secure than a physical key, which can be stolen and copied, and no less handy.
The academics here are rethinking basic questions about what makes something—an office, a Web site—secure, without driving its owner crazy. And their findings call into question many of the recent security advances in the banking, e-mail, and other critical systems you log into every day. Researchers here fault virtually everything your corporate IT department tells you about strong passwords. And they take the radical stance that you, the user, should be listened to when passwords become overbearing, not yelled at when you forget them.