Taking A Pass On Passwords

Turns out we’ve been doing passwords wrong and that in almost any fashion, short or long, rife with symbols or your dog’s birthday, the protection is just not there.  Passwords are good at short circuiting your brain, but not hackers’ brains.  And, viva la ATM, while Ralph Lauren and rental cars get thrown off their respective trails for a bit.

Fizzle of The Week: Passwords

Passwords are one of the necessary evils of the modern digital commerce age. A prolific necessary evil, perhaps. By some estimates, if the current pace is continued, the average consumer will have something like 200 passwords to remember.

But, even if it seems staggeringly difficult — bordering on entirely impossible — to keep 200 separate strings of random letters and numbers straight in one’s head, the payoff is worth it. The greater degree to which one is able to hew to this norm, the safer one's data will be. Right?

Well, about that….

This week, passwords managed to find a whole new way to "fizzle," past being simply friction-filled, hard to remember and often repeated across logins by consumers not interested in trying to remember more than one.

As it turns out, even if one did everything just right — following the instructions and creating a host of passwords full of letters, numbers, symbols and random capitalization — the result would likely be exactly the wrong kind of password. The conventional wisdom about password creation was wrong, and the reveal of that information came from no less an authority than the original author of said conventional wisdom.

That’s not hyperbole. In 2003, Bill Burr was a midlevel manager at the National Institute of Standards and Technology where he authored, “NIST Special Publication 800-63. Appendix A.”

Gripping titled, we know, but that eight-page primer is the original source of the guidance claiming the best passwords are created by inventing awkward new words rife with obscure characters, capital letters and numbers. The document is also the source of the guidance encouraging consumers to change passwords regularly.

In short, Burr is the reason that you had to put an exclamation point in every password you had created for the last fifteen years. But, he has reconsidered his position on this subject, and now believes he may have gotten that advice wrong. As it turns out, short goofy looking passwords are hard to remember and easier to hack than longer passwords that use natural phrasing.

“Much of what I did, I now regret,” Burr noted earlier this week.

Leetspeak, the practice of replacing letters with numbers or symbols that resemble them, doesn’t actually deter hackers.

Using software, a competent cybercriminal can crack a short password that uses leetspeak within 72 hours, which also renders the advice that users change their passwords every 90 days somewhat less-than-useful.

Plus, as consumer passwords are proliferating, consumers aren’t actually able to come up with that many leetspeaky passwords that are distinct. As a result, they start repeating patterns and varying the numbers or punctuation marks. Repetition makes passwords less secure — a cybercriminal who cracked one is maybe one to two digits away from having all of them.

And, it doesn’t make passwords any more usable. Consumers still find it difficult to remember which iteration of a password goes with which account, then end up changing them and thus generate more confusion.

The net result: Consumers are effectively locking themselves out of their own accounts, but not doing all that much to lock out cybercriminals.

“It just drives people bananas, and they don’t pick good passwords no matter what you do,” Burr said.

Easier and more memorable is a long phrase in common English all in lowercase letters. The password “correct horse battery staple” — all one word, no capital letters, no numbers, no symbols: i.e. "correcthorsebatterystaple" — would take 550 years for a cybercriminal to crack with hacking software.

So, why did the world get it so wrong?

The original standards were written in 2003, Burr noted, and there wasn’t nearly as much data about building an effective password back then. The course correction on passwords however, may be coming just as the world is getting ready to leave them behind entirely because, if we are really honest, having to remember a five-random-word password is only marginally easier than keeping track of a collection of letters and symbols.

Samsung has built the latest iteration of its smartphone with fingerprint and facial recognition scanning, and there are rumors that Apple will abandon fingerprint biometrics entirely in favor of facial scans as soon as this fall.

But, it remains to be seen exactly when security will be entirely replaced by something a consumer is — a biometric scan of some kind — as opposed to something a consumer knows, like a password. Until then, it is certainly fizzletastic to know that for the last 14 years we’ve all been following exactly the wrong guidance when password-protecting our data.


Subscription Boxes: Walmart may be gunning for beauty products subscription firm Birchbox, which noted it has been in discussions with several retailers regarding a deal. The subscription business model is one that is obviously turning corporate heads, giving the bigger firms ways to make digital inroads and offer consumers some degree of product personalization. Digital data firm Hitwise estimates subscription business sites saw 37 million visitors in April 2017 alone, and since 2014 the visitor count has soared by 8,000 percent — a strong indicator that this new way of selling online certainly has some legs.

ATMs: It seems the ATM is back after years of stagnation — in the United States, at least. The ATM Industry Association says the total number of machines in the field stands between 475,000 and 500,000, which has been billed as a new milestone. The growth in machine count was tied to new functionality, helping facilitate P2P and other payments types, including contactless payments. In addition, the industry is being buoyed by independent deployments as banks rethink their brick-and-mortar branch strategies. Oh, and let's not forget cash, as it seems paper-based transactions of the legal variety are rather sticky ones. Cash usage is still higher in the United States than elsewhere, according to the PYMNTs Global Cash Index, at a mid-teens percentage of GDP.

Dealmaking: Yes, it’s heating up. See Vantiv and Worldpay, or FleetCor and Global Payments. But look beyond the headlines, and the premiums to stock prices being paid, and see the strategy that lies behind the fanfare: The processing sector is getting attention for taking payments ever further into a business worth a tidy few trillions of dollars. Mobile payments and eCommerce help a little here, too, as noncash transactions are growing in the double digit percentage rates annually. The Vantiv deal illustrates the value of scale — it will be the largest processor in the industry, post-merger — in a world where commerce goes across borders and time zones and truly is 24/7/365.


Ralph Lauren: The guy on the horse with a stick — OK, you know the logo — used to gallop, but now it’s maybe a trot. As part of its “Way Forward” restructuring, the luxury retailer is looking to shutter between 20 and 25 percent of its underperforming U.S. department stores. In looking at the latest quarter, the results of which were announced earlier this month, the company’s sales were off by 13 percent, down to $1.4 billion, and North American revenue was down even more by 17 percent. Not to be a nag, but the stall needs a bit more mucking.

Hertz and Avis: The core business is slogging for rental kings Hertz and Avis. If you believe the latter, rental pricing may firm up, though Uber and Lyft and generally bloated rental fleets hit pricing over the past several quarters. But that’s a big "may." Lots of used vehicles are coming back into the system later in the year, and consumers are already stretched, credit-wise, so they may not take up the slack and buy used cars from the rental firms like usual. Hertz and Avis have been partnering up with the tech-focused upstarts, but the “if you can’t beat 'em, join 'em” model will take some time to gain revenue inducing traction.

Confectionery firms: No sugar rush here for Mars, Hershey’s or any of the iconic candies consumers used to love to snatch up at the supermarket when buying broccoli, toothpaste and other stuff that actually helps them stay healthy. The automated checkout experience has been keeping people from eyeing the sweet treats near the register. The twin threats of self-service in-store and online shopping, in general, have been putting a dent in sugary sales. Now, Amazon’s Whole Foods buy promises to help speed that transition with the possibility of totally cashier-less experiences. So much for the sweet impulse buy as a reward for a long day of cart filling.



The How We Shop Report, a PYMNTS collaboration with PayPal, aims to understand how consumers of all ages and incomes are shifting to shopping and paying online in the midst of the COVID-19 pandemic. Our research builds on a series of studies conducted since March, surveying more than 16,000 consumers on how their shopping habits and payments preferences are changing as the crisis continues. This report focuses on our latest survey of 2,163 respondents and examines how their increased appetite for online commerce and digital touchless methods, such as QR codes, contactless cards and digital wallets, is poised to shape the post-pandemic economy.

Click to comment