Tuesday, August 12, 2014


Hass & Associates Online Reviews: Despite Privacy Concerns, It's Time to Kill the Password


I know it is easy to be skeptical of government initiatives, but a burgeoning federal initiative to help us better manage our online identities deserves our attention—and trust.

The White House cybersecurity czar Michael Daniel said in June that he’s on a mission to “kill the password dead.” It’s a laudable goal. The problem with passwords is the false sense of security they provide. In fact, they’re easy to crack—and getting easier every day.

A typical eight-character password has 6.1 quadrillion possible combinations. In 2011, it would have taken a year for a fast desktop computer to crack an eight-character password. Today, thanks to new crowd-hacking technologies, it takes an average of 5.5 hours.

Or less. Any hacker with a decent smartphone can take a seat next to you at the coffee shop and use his phone’s camera to record your keystrokes as you type away on your laptop, capturing all your sensitive usernames and passwords.

That’s why we need to get rid of passwords. And that’s why the White House is implementing an ambitious plan called the National Strategy for Trusted Identities in Cyberspace (NSTIC), which promises to stamp out fraud at government sites by giving users a better way to prove they are who they say they are. The initiative is focused on moving all government sites, and potentially all public-sector sites too, away from usernames and passwords and toward stronger identity management.

As a first step, NSTIC will connect different government agencies with third-party credential providers that will verify certain personal information about their online users and issue secure credentials for them to use in transactions at government sites.

For instance, the system could allow the same person to use a single credential to apply for a driver’s license, fill out a student aid form and file taxes online, all without ever entering a password. The idea is that this secure ID—what some are calling a personal driver’s license for the internet—can eventually be used at other sites around the web not related to government. Because if people have a simple, secure way to prove who they are online, without using passwords, it will be easier and safer for everyone to do business on the internet.

I believe consumers will welcome this proposal, which offers more secure access to important personal websites like banking sites. Passwords are just not good enough. People need stronger proof of identity, like the one envisioned by NSTIC, to better trust authentication—and better trust the internet.

Inevitably, some privacy advocates are crying foul over NSTIC. They fear that if the U.S. government has your ID, it will end up mining that information for its own nefarious purposes. In the wake of the NSA surveillance revelations, critics are concerned that a push toward a single-ID system will enable the government to more closely track citizens online.

That possibility can’t be ruled out, I suppose. But people should realize that the far more immediate threat to their personal information is posed by hackers who crack their passwords—and NSTIC promises to stop them. It’s designed to protect internet users by providing authentication far stronger than can be accomplished by passwords alone.

In fact, those who are most concerned about privacy are the ones who should embrace NSTIC identities, which, like a driver’s license, will come with a reliable vetting process. What’s more, they’ll be based on a cryptographic signature generated by a trusted authority, which for the most part will be third-party certificate authorities.

NSTIC’s goal is not evil. It simply aims to create an “identity ecosystem,” built and maintained by the private sector, in which government agencies can accept log-on credentials issued by nongovernment third-party providers, and in which members of the ecosystem can prove their identity to others who are also in it. In this way, NSTIC authentication doesn’t expose your identity; it helps protect it. And you can still choose when and where to use your stronger NSTIC identity—or not.

Furthermore, under the NSTIC guidelines, the service must preserve anonymity around the public data it collects. For instance, personal identifiers like age, gender and address cannot be linked back to their owners. The guidelines also stipulate that activity on government websites cannot be linked to third-party identity providers and vice versa.
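To make the two unlinkability rules above concrete, here is an added illustration (not code from the original post, and not NSTIC’s or any provider’s actual implementation). It models a credential provider that verifies a person once and then issues a separate, pseudonymous subject identifier for each government site, so two sites cannot correlate the same person and the site never learns the provider’s internal account identifier; the site checks the credential locally, so the provider never sees where it was used. The provider, site names and user id are constructed placeholders, and for the sake of a self-contained script the “signature” of the trusted authority is represented by an HMAC over a key shared with each site; a real deployment would use a public-key signature that sites can verify with the authority’s certificate.

```python
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    """A third-party credential provider (constructed example, not a real NSTIC component)."""

    def __init__(self, name):
        self.name = name
        # Secret used to derive per-site pseudonyms; it never leaves the provider,
        # so no site can reverse a pseudonym or compute another site's pseudonym.
        self._pairwise_secret = secrets.token_bytes(32)
        # Per-site keys used to authenticate assertions (stand-in for a signing key + certificate).
        self._rp_keys = {}

    def enroll_relying_party(self, rp_name):
        """One-time trust setup with a site; returns the key the site will verify with."""
        key = secrets.token_bytes(32)
        self._rp_keys[rp_name] = key
        return key

    def pairwise_subject(self, internal_user_id, rp_name):
        """Derive a stable pseudonym that is unique to (user, site), not to the user alone."""
        msg = f"{internal_user_id}|{rp_name}".encode()
        return hmac.new(self._pairwise_secret, msg, hashlib.sha256).hexdigest()

    def issue_assertion(self, internal_user_id, rp_name, attributes):
        """Issue a credential for one site carrying only the attributes that site asked for."""
        payload = {
            "iss": self.name,
            "aud": rp_name,  # bound to one site so it cannot be replayed elsewhere
            "sub": self.pairwise_subject(internal_user_id, rp_name),
            "attrs": attributes,  # e.g. {"over_18": True}, never the raw date of birth
        }
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self._rp_keys[rp_name], body, hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class RelyingParty:
    """A government site that accepts provider-issued credentials (constructed example)."""

    def __init__(self, name, key):
        self.name = name
        self._key = key

    def verify(self, assertion):
        """Return the payload if the credential is authentic and meant for this site, else None.

        Verification is entirely local: the provider is not contacted, so it learns
        nothing about which site the person visited or when.
        """
        expected = hmac.new(self._key, assertion["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["tag"]):
            return None  # forged or tampered credential
        payload = json.loads(assertion["body"])
        if payload.get("aud") != self.name:
            return None  # credential issued for a different site
        return payload


if __name__ == "__main__":
    idp = IdentityProvider("example-credential-provider")  # placeholder name
    dmv = RelyingParty("dmv.example.gov", idp.enroll_relying_party("dmv.example.gov"))
    irs = RelyingParty("tax.example.gov", idp.enroll_relying_party("tax.example.gov"))
    at_dmv = dmv.verify(idp.issue_assertion("user-0001", "dmv.example.gov", {"over_18": True}))
    at_irs = irs.verify(idp.issue_assertion("user-0001", "tax.example.gov", {"over_18": True}))
    print("same person, different pseudonyms:", at_dmv["sub"] != at_irs["sub"])
```

Running the script shows the same person appearing under two unrelated pseudonyms at the two sites, while a credential issued for one site is rejected by the other and any edit to the attributes invalidates the tag.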

Even the Electronic Frontier Foundation, a leading digital rights group, is optimistic about the future of NSTIC. “The NSTIC system is voluntary, run by private companies rather than the government itself and, most importantly, it is decentralized, so that individuals will be able to choose between different providers,” said Lee Tien, a senior staff lawyer at the Electronic Frontier Foundation, in a recent interview.

If we want to achieve a higher level of security for internet users, there is no better place to start than the elimination of passwords. And NSTIC is a significant step in that direction.
