Corporate sneakiness. Government waste. Technology run amok. Outright scams. Our effort to unmask these 21st Century headaches and offer solutions that save you time and money.

    25 Sep 2012, 6:36am EDT

    Why your next 'Passw0rd' might not be a password

    Text passwords are unsafe, and fingerprints and retinas can be faked. So how do you make an unbreakable password? A Canadian inventor is developing a biometric monitor that fits inside a shoe that he says is unhackable. Doors open for you — and nobody else. Richard Lui and Bob Sullivan report on technology that will change digital security forever.

    By Bob Sullivan, Columnist, NBC News

    It's been a rough year for passwords.

    First, 6.5 million LinkedIn password hashes were leaked online; they were unsalted SHA-1, so the bulk of them were cracked within days. Soon after, millions of passwords from eHarmony and Yahoo users were published by hackers. These events exposed untold numbers of accounts to criminals, because many consumers reuse the same password across multiple accounts.

    The leaks also proved something experts had fretted about for a while: passwords are very easy to guess. Analysts quickly compiled results from the list of cracked passwords and found that really dumb choices abounded. The most common substring in the LinkedIn passwords, for example, was "link." Not far behind was "1234."

    Despite years of warnings, the truth is incontrovertible -- mortal users do a very poor job of defending their data with passwords. To add insult to injury, a recent analysis of debit card PINs shows that 1 in 10 users pick "1234." And the "safest" PIN code, 8068, is no longer safe because it was published in the analysis.
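    The leaks above turned into readable passwords so quickly because unsalted, fast hashes let one guess be checked against every account at once. The following is an added example, not code from the article or from any of the sites named in it: a dictionary attack on a constructed set of unsalted SHA-1 hashes, beside the salted, iterated hashing a site should use instead. The hash list, the guess list and the mangling rules are all constructed for the demo; the names `crack_unsalted_sha1`, `hash_password` and `verify_password` are this example's own.

```python
"""Added example (not from the article): why a leaked hash list becomes a
list of passwords within days, and what a site should have done instead.

Assumptions: the hashes are unsalted SHA-1, as the LinkedIn dump was; the
'leaked' hashes and the guess list below are constructed for this demo,
not real leaked data.
"""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a leaked dump: unsalted SHA-1 of a few weak passwords.
_DEMO_PASSWORDS = ["link1234", "linkedin", "password", "1234", "Passw0rd", "sunshine"]
LEAKED_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in _DEMO_PASSWORDS}

# A tiny guess list. A real attack feeds in millions of previously leaked
# passwords and hundreds of mangling rules; the principle is the same.
WORDLIST = ["password", "sunshine", "link", "linkedin", "1234", "letmein"]
RULES = [
    lambda w: w,                                  # the word as-is
    lambda w: w + "1234",                         # append the usual digits
    lambda w: w.capitalize(),                     # initial capital
    lambda w: w.replace("o", "0"),                # leetspeak o -> 0
    lambda w: w.capitalize().replace("o", "0"),   # both
]


def crack_unsalted_sha1(hashes, wordlist, rules):
    """Dictionary attack on unsalted hashes.

    With no salt, one SHA-1 per candidate is checked against every leaked
    hash at once via a set lookup: attacking a million accounts costs the
    same as attacking one. Returns {hash: recovered password}.
    """
    found = {}
    for word in wordlist:
        for rule in rules:
            candidate = rule(word)
            digest = hashlib.sha1(candidate.encode()).hexdigest()
            if digest in hashes and digest not in found:
                found[digest] = candidate
    return found


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library).

    The per-user random salt defeats the shared lookup above, and the
    iteration count makes each guess cost ~200,000 hash operations.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def verify_password(password, salt, iterations, dk):
    """Constant-time comparison so the check itself does not leak timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)


def guesses_per_second(hash_fn, seconds=0.2):
    """Rough single-core throughput of a hash function, for comparison."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hash_fn("Passw0rd")
        n += 1
    return n / seconds


if __name__ == "__main__":
    cracked = crack_unsalted_sha1(LEAKED_HASHES, WORDLIST, RULES)
    print(f"cracked {len(cracked)} of {len(LEAKED_HASHES)} hashes:", sorted(cracked.values()))
    salt, it, dk = hash_password("Passw0rd")
    print("verify ok:", verify_password("Passw0rd", salt, it, dk))
    fast = guesses_per_second(lambda p: hashlib.sha1(p.encode()).digest())
    slow = guesses_per_second(lambda p: hashlib.pbkdf2_hmac("sha256", p.encode(), salt, it))
    print(f"SHA-1: ~{fast:,.0f} guesses/s; PBKDF2: ~{slow:,.0f} guesses/s")
```

    Every one of the six demo hashes falls to a six-word list and five rules; the same loop against PBKDF2 output would need a separate run per user and several orders of magnitude more work per guess.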

    It's quite possible that 2012 will be a turning point in the history of passwords; or rather, it may be the point that passwords become history.


    For years, you've been hearing about space-age authentication systems like retina scans and computers that recognize your voice. And yet, for the overwhelming majority of computer users, at home and at work, a simple username and password is all that stands between their data and the bad guys.

    This old-fashioned system has obvious limitations, the most evident being human memory. Our brains are ill-suited to recalling the recommended eight-or-more-character mixes of letters, numbers and special characters, so sticky notes with password lists taped to computer screens remain common.

    Meanwhile, "Forgot your password?" is among the more popular links on websites, and among the more dangerous, as it often puts only your pet's name and your high school mascot -- easily determined from Facebook -- between your data and hackers.

    There has to be a better way. And there is, if Carnegie Mellon University and a small Canadian start-up firm are right. At the school's new "Biometrics Research and Identity Automation Lab," researchers are investigating whether the way people walk can be used as a simple yet secure way to affirm their identities.

    “The continuing threats to military personnel and critical infrastructure and the growing national cybersecurity vulnerabilities demand a new breed of credentialing technology, and what our group has achieved certainly puts a whole new spin on things," said Todd Gray, president of Ottawa-based Autonomous ID, which is working with the university on the project. The system uses a "BioSole" inserted into shoes to assess a wearer’s gait, matching that distinctive pattern against an existing record to verify the person’s identity.

    BioSoles are among dozens of new authentication systems vying for acceptance in a thriving industry that has gained momentum because of the recent troubles with passwords. Before we describe more of them, it's important to discuss the basics of authentication technologies and why new systems might succeed where others have failed. 

    Security professionals often talk about "two-factor" authentication as a way of double-checking whether a person logging into a system should be authorized. Traditionally, the two factors are "something you have" and "something you know." For example, a debit card is "something you have," and a PIN code is "something you know." To hack your bank account, a criminal must obtain both, which is much harder than simply stealing a password, provided the two factors really are independent and the second cannot be captured the same way as the first.

    Biometric authentication expands the possibilities into the "something you are" category. A retina scan or fingerprint, for example, authenticates users based on something they are and, in most cases, cannot change. Biometrics have a decided advantage over passwords because they don't rely on users' ability to remember them: you are who your retina says you are. There is a dramatic downside, however. A biometric is not a secret and cannot be reissued, so once a fingerprint or a good image of your iris has been copied it cannot be revoked the way a password can. Horror films have long exploited the lurid version of this plot line, where a bad guy cuts out a target's eyeball and uses it to log into a computer or enter a secure facility.

    [Photo: Facial pattern recognition maps are on display at Carnegie Mellon's CyLab. Matt Rivera / NBC News]

    The newest technologies retain the advantage of biometrics but don't create the same level of physical risk. They involve "something you do," such as the way you walk, as being researched at Carnegie Mellon. A similar tool quantifies the unique rhythm with which users type, a technique dubbed "keystroke analysis." These so-called "behavioral" authentication mechanisms give systems architects four distinct methods to choose from.

    Another promising new behavioral technique takes advantage of a skill most video game players know well: users learn behaviors that become automatic through play. Later, they can recall these learned behaviors, recognizing patterns, for example, without having to think about them. Researchers at Stanford and Northwestern are working on a system that would "teach" users to recognize a pattern of dots in a puzzle-like picture, then have that puzzle serve as a password. As writer Devin Coldewey notes, the most secure password might be the one a user doesn't have to remember.

    Marty Jost, who works in Symantec Corp.'s authentication group, says he thinks behavioral techniques offer the most promise for next-generation "passwords."

    "Biometrics have been around a long time, but have historically tended to be unreliable. Just when you need it most, your fingerprints are dirty and they don't read right, for example. That's what's held it back," he said. "The key to success is providing a second factor without making it difficult to use. When you try to use an exotic method, it becomes a different problem, such as a customer service problem or a user satisfaction problem."


    Symantec is concentrating on behavioral techniques that don't require dramatic changes by users. For a while, token-based authentication was all the rage; banks and corporations gave users small gadgets that generated temporary passwords to prove the person logging in satisfied the "something you have" requirement, but users often misplaced them. So now, companies like Symantec are increasingly using cell phones as tokens: a one-time code delivered by text message or phone call to an employee's phone serves as the second factor. A phone is a weaker token than a dedicated device, though. A text message can be read by malware on the handset or redirected by an attacker who talks the carrier into moving the number to another SIM.

    "Users are much less likely to lose their phones," Jost said.
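    The "temporary passwords" that a token or a phone app produces, and the second-factor check described in the two-factor discussion above, come down to a short keyed-hash computation. The following is an added example, not code from the article or from Symantec: a token-side generator and a server-side verifier. It assumes the token follows the open HOTP/TOTP algorithms (RFC 4226 and RFC 6238), which the article does not name; the key used in the usage note is the RFC test key, and `TotpVerifier` and `provision_secret` are this example's own names.

```python
"""Added example (not from the article or from Symantec): how a hardware or
phone token generates the temporary passwords described above, and how the
server checks them without accepting a replayed code.

Assumption: the token uses the open HOTP/TOTP algorithms (RFC 4226/6238),
which the article does not name.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    if at is None:
        at = time.time()
    return hotp(key, int(at // step), digits)


class TotpVerifier:
    """Server side: accept the current step plus/minus `window` steps to
    tolerate clock drift, compare in constant time, and never accept the
    same step twice so an intercepted code cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.key, self.step, self.window, self.digits = key, step, window, digits
        self.last_counter = -1          # highest counter already consumed

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        now = int(at // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue                # already used: treat as replay
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def provision_secret(nbytes: int = 20) -> tuple:
    """Enrollment: a fresh random key, plus its base32 form for an
    authenticator app (in practice shared with the phone via QR code)."""
    key = secrets.token_bytes(nbytes)
    return key, base64.b32encode(key).decode()


if __name__ == "__main__":
    key, b32 = provision_secret()
    print("enroll this in the app:", b32)
    code = totp(key)
    verifier = TotpVerifier(key)
    print("first use:", verifier.verify(code), "replay:", verifier.verify(code))
```

    With the RFC 6238 test key `b"12345678901234567890"`, `totp(key, at=59)` returns `287082`, the value the RFC lists for that time. The replay guard is the part most home-grown verifiers forget: without `last_counter`, a code phished or intercepted in transit stays valid for the whole window.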

    Symantec also concentrates on back-end behavioral techniques, such as observing the kind of activity the user is attempting. A user who normally logs in from New York but suddenly appears to be logging in from Hong Kong is flagged for extra security challenges. Similarly, a user who usually transfers small dollar amounts from one account to another is flagged if he or she suddenly requests a $10,000 transfer.

    "Behavioral data over time develop a profile," he said. “We can analyze these patterns without having to involve the user.”
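    The back-end profiling Jost describes above is a risk score computed from a user's own history. The following is an added example, not code from the article or from Symantec: a small risk engine that learns where, when and how much each user usually transacts, then decides whether a new login or transfer is allowed or sent for a step-up challenge. The events, weights and threshold are constructed for the demo; `RiskEngine`, `Profile` and `build_demo_engine` are this example's own names.

```python
"""Added example (not from the article or from Symantec): a back-end risk
engine that builds a per-user profile from past activity and flags a login
or transfer that departs from it.

Assumptions: the events, weights and threshold are constructed for the demo;
a production system would tune them against real fraud data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from statistics import median
from typing import Optional


@dataclass
class Event:
    user: str
    hour: int                        # local hour of day, 0-23
    country: str                     # from IP geolocation
    amount: Optional[float] = None   # None for a plain login


@dataclass
class Profile:
    countries: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    amounts: list = field(default_factory=list)

    @property
    def logins(self) -> int:
        return sum(self.countries.values())


class RiskEngine:
    MIN_HISTORY = 5          # don't judge a user we barely know
    MIN_AMOUNTS = 3
    WEIGHTS = {"new_country": 50, "unusual_hour": 15, "unusual_amount": 50}

    def __init__(self, challenge_at: int = 50):
        self.challenge_at = challenge_at
        self.profiles: dict[str, Profile] = {}

    def score(self, ev: Event) -> tuple[int, list[str]]:
        """Sum the weights of every way this event departs from the profile."""
        p = self.profiles.get(ev.user, Profile())
        if p.logins < self.MIN_HISTORY:
            return 0, ["insufficient_history"]
        reasons = []
        if ev.country not in p.countries:
            reasons.append("new_country")
        if ev.hour not in p.hours:
            reasons.append("unusual_hour")
        if ev.amount is not None and len(p.amounts) >= self.MIN_AMOUNTS:
            if ev.amount > 5 * median(p.amounts):
                reasons.append("unusual_amount")
        return sum(self.WEIGHTS[r] for r in reasons), reasons

    def decide(self, ev: Event) -> dict:
        total, reasons = self.score(ev)
        action = "challenge" if total >= self.challenge_at else "allow"
        return {"user": ev.user, "score": total, "action": action, "reasons": reasons}

    def learn(self, ev: Event) -> None:
        """Update the profile. Call only after the event is confirmed
        legitimate, so an attacker cannot train their activity into it."""
        p = self.profiles.setdefault(ev.user, Profile())
        p.countries[ev.country] += 1
        p.hours[ev.hour] += 1
        if ev.amount is not None:
            p.amounts.append(ev.amount)


def build_demo_engine() -> RiskEngine:
    """Constructed history: alice logs in from the US during office hours
    and moves small amounts."""
    engine = RiskEngine()
    history = [Event("alice", h, "US", a) for h, a in
               [(9, None), (10, 50.0), (12, 120.0), (14, None), (16, 80.0),
                (11, None), (13, 200.0), (15, 60.0), (17, None), (9, None)]]
    for ev in history:
        engine.learn(ev)
    return engine


if __name__ == "__main__":
    engine = build_demo_engine()
    for ev in [Event("alice", 12, "US", 70.0),       # routine transfer
               Event("alice", 12, "HK"),             # same hours, new country
               Event("alice", 12, "US", 10_000.0),   # far above her usual amounts
               Event("alice", 3, "US"),              # odd hour only
               Event("bob", 12, "HK")]:              # unknown user: no baseline yet
        print(engine.decide(ev))
```

    The Hong Kong login and the $10,000 transfer each score 50 and go to a challenge; an odd-hour login from the usual country scores 15 and is merely noted. The `insufficient_history` branch matters: a brand-new user has no baseline, so without it every first action would be an anomaly, and the `learn` docstring carries the other caveat, that profiles must be built only from activity already known to be the user's.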

    Jost is pessimistic about what he calls "exotic" login tools for mass audiences, because even a small failure rate can create a big problem for consumer brands.

    "If you are a bank and you’ve done something exotic, if it’s not working for 1 percent of people, that's a lot of people,” he said. “We try to strike that balance between strength and usability. … We do things that make the activity safer for people without them necessary even knowing about it."

    A user's tolerance for extra security precautions depends on motivation, and some "exotic" methods are already in use where circumstances encourage them. In high-crime areas of Brazil, for example, "vein printing" machines that read the blood-vessel pattern in the palm of a user's hand have been deployed. In the U.S., where banks do not publish ATM theft rates, the American Bankers Association recently said that a successful ATM crime nets more than 10 times the cash of a traditional bank hold-up, and it hopes U.S. banks adopt one or more advanced ATM protection technologies.

    Meanwhile, features like Android's "Face Unlock," introduced on Samsung's Galaxy Nexus, and Apple's voice-driven Siri mean consumers are getting used to a phone recognizing their face or voice in everyday life, and they may be more tolerant of similarly imperfect technologies at work and at home. Imperfect is the right word: within weeks of its launch, Face Unlock was shown to accept a photograph of the owner's face.

    Avivah Litan, a security expert at the consulting firm Gartner, thinks that the move to mobile computing holds the key to the future of passwords.  As users perform more and more critical functions with their mobile device – such as mobile banking – authentication methods will have to change with the times. So-called “out-of-band” authentication techniques, like text messages sent to web users warning that their accounts have been accessed, are clumsy to use in concert with mobile banking. So Litan thinks that, finally, mobile users will tolerate a biometric technique that they are already very comfortable with – talking.

    “I do think voice has a real shot now,” she said. “Who wants to carry around a token that might weigh more than your iPhone?”

    The big hurdle with voice printing is "enrollment," or getting an initial clean recording of a user's voice to compare against later. Techniques for mass enrollment are still under development, but cell phone carriers are in a unique position to do this easily when they sell new phones, Litan noted.

    “It would be easy for them,” she said. “But there are plenty of other ways this could be accomplished.”

    But despite the technological advances, the crime and all those leaked passwords, are passwords really on the way out?  Jost isn't so sure.

    "I certainly think the awareness of the problem is rapidly growing," he said. "It's quite easy to guess (passwords) … and by using other types of systems you can overcome that problem. Is this a turning point or not? I'm not really sure. But I hope so. It is a problem that gets bigger and bigger."

    6 Mar 2012, 6:13am EST

    Govt. agencies, colleges demand applicants' Facebook passwords

    By Bob Sullivan, Columnist, NBC News

    If you think privacy settings on your Facebook and Twitter accounts guarantee future employers or schools can't see your private posts, guess again.

    Employers and colleges find the treasure-trove of personal information hiding behind password-protected accounts and privacy walls just too tempting, and some are demanding full access from job applicants and student athletes.

    In Maryland, job seekers applying to the state's Department of Corrections have been asked during interviews to log into their accounts and let an interviewer watch while the potential employee clicks through wall posts, friends, photos and anything else that might be found behind the privacy wall.


    Previously, applicants were asked to surrender their user name and password, but a complaint from the ACLU stopped that practice last year. While submitting to a Facebook review is voluntary, virtually all applicants agree to it out of a desire to score well in the interview, according to Maryland ACLU legislative director Melissa Coretz Goemann.

    Student-athletes at colleges around the country are also finding they can no longer keep their Facebook communications private, because schools are requiring them to "friend" a coach or compliance officer, giving that person access to their "friends-only" posts. Schools are also turning to social media monitoring companies with names like UDilligence and Varsity Monitor for software packages that automate the task. The programs offer a "reputation scoreboard" to coaches and send "threat level" warnings about individual athletes to compliance officers.


    A recent revision in the handbook at the University of North Carolina is typical:

    "Each team must identify at least one coach or administrator who is responsible for having access to and regularly monitoring the content of team members’ social networking sites and postings,” it reads. "The athletics department also reserves the right to have other staff members monitor athletes’ posts."

    All this scrutiny is too much for Bradley Shear, a Washington, D.C., lawyer who says both schools and employers are violating the First Amendment with demands for access to otherwise private social media content.

    "I can't believe some people think it's OK to do this,” he said. “Maybe it's OK if you live in a totalitarian regime, but we still have a Constitution to protect us. It's not a far leap from reading people's Facebook posts to reading their email. ... As a society, where are we going to draw the line?"

    Aside from the free speech concerns, Shear also thinks colleges take on unnecessary liability when they aggressively monitor student posts.

    "What if the University of Virginia had been monitoring accounts in the Yeardley Love case and missed signals that something was going to happen?” he said, referring to a notorious campus murder. “What about the liability the school might have?"

    Shear has gotten the attention of Maryland state legislators, who have proposed two separate bills aimed at banning social media access by schools and potential employers. The ACLU is aggressively supporting the bills.

    "This is an invasion of privacy. People have so much personal information on their pages now. A person can treat it almost like a diary," said Goemann, the Maryland ACLU legislative director. "And (interviewers and schools) are also invading other people's privacy. They get access to that individual’s posts and all their friends. There is a lot of private information there."

    Maryland's Department of Corrections policy first came to light last year, when corrections officer Robert Collins complained to the ACLU that he was forced to surrender his Facebook user name and password during an interview. The state agency suspended the policy for 45 days, and eventually settled on the “shoulder-surfing” substitute.

    "My fellow officers and I should not have to allow the government to view our personal Facebook posts  and those of our friends just to keep our jobs," Collins said to the ACLU at the time.

    Agency spokesman Rick Binetti confirmed the new policy, but wouldn't comment on it or the proposed law which may ban it.

    It's easy to see why an agency that hires prison guards would want to sneak a peek at potential employees’ private online lives. Goemann said that prisons are trying to avoid hiring guards with potential gang ties -- the agency told the ACLU it had reviewed 2,689 applicants via social media, and denied employment to seven because of items found on their pages.

    "All seven of these individuals' social media applications contained pictures of them showing verified gang signs (signs commonly known to law enforcement which are utilized by gangs)," the Department of Corrections told the ACLU  in response to questions it asked about the program. It stressed the voluntary nature of social media inspection, noting that five of the 80 employees hired in the last three hiring cycles didn't provide access.

    For student athletes, though, the access isn't voluntary. No access, no sports.

    "They're saying to students if you want to play, you have to friend a coach. That's very troubling," said Shear, the D.C. lawyer.  "A good analogy for this, in the offline world, would it be acceptable for schools to require athletes to bug their off-campus apartments? Does a school have a right to know who all your friends are?"

    There have been many high-profile embarrassing moments born of the toxic combination of student-athletes and Twitter. North Carolina defensive lineman Marvin Austin tweeted about expensive purchases on his account two years ago, then became subject of an NCAA investigation about improper conduct with a player agent. The incident led, in part, to the school's aforementioned aggressive social media policy.

    So it’s not surprising that many schools want to keep a careful eye on what students are posting online.

    But avoiding an uncomfortable moment is not a good enough reason to squash free speech, Shear says. Plenty of settled case law in the U.S. sides with students' right to express themselves publicly, he said, including numerous cases involving student newspapers. Public displays of protest are also protected: a landmark 1969 Supreme Court decision, Tinker v. Des Moines Independent Community School District, held that school officials could not stop students from wearing armbands protesting the Vietnam War unless the protest substantially disrupted school activities.

    Colleges have legitimate concerns about the things students post on social media accounts, but they should "deal with that issue the way they deal with everything else. They should educate," Shear said.

    "Schools are in the business of educating, not spying," he added. "We don't hire private investigators to follow students wherever they go. If students say stupid things online, they should educate them ... not engage in prior restraint."

    Goemann also noted that the rush to social media monitoring raises an often overlooked legal concern: It's against Facebook's Terms of Service.

    "You will not share your password ... let anyone else access your account or do anything else that might jeopardize the security of your account," the site says in its policies. 

    Frederic Wolens, a Facebook spokesman, wouldn't comment on the Maryland legislative proposals, but he said many of these school and employer policies appear to violate the site's terms.

    "Under our terms, only the holder of the email address and password is considered the Facebook account owner. We also prohibit anyone from soliciting the login information or accessing an account belonging to someone else," he said in a statement to msnbc.com. Wolens said Facebook has yet to take a position on collegiate social media monitoring.

    Social media monitoring at colleges, while spreading quickly among athletic departments, seems limited to athletes at the moment. Nothing stops schools from applying the same policies to other students, however. And Shear says he has heard from college applicants that interviewers requested Facebook or Twitter login information during in-person screenings.

    The practice seems less common among employers, but scattered incidents are gaining attention from state lawmakers. The blog Tecca.com last year showed what it said was an image of an application for a clerical job with a North Carolina police department that included the following question:

    "Do you have any web page accounts such as Facebook, Myspace, etc.?  If so, list your username and password." 

    And the state of Illinois has followed Maryland's lead and is considering similar legislation to ban social media password demands by employers. 

    But Shear says a patchwork of state laws isn't good enough when the stakes are this high.

    "We need a federal law dealing with this," he said. "After 9/11, we have a culture where some people think it's OK for the government to be this involved in our lives, that it's OK to turn everything over to the government. But it's not. We still have privacy rights in this country, and we still have a Constitution."



Bob Sullivan, Columnist, NBC News

I'm a reporter for msnbc.com and I try to write stories that make the world a little bit more fair. My blog, The Red Tape Chronicles, is among the most popular consumer affairs columns on the Web. My recent book, Gotcha Capitalism, was a New York Times best seller. Since 1995, I've written about the troubles technology creates for consumers, covering topics like privacy, identity theft, computer viruses and hackers.
