Editorial Board

Your New Password: Sur**nder

Changing your passwords after Heartbleed won't do much good. That's because passwords are inherently flawed security measures.
Did you change your passwords? It won't make your information any safer. Photographer Britta Pedersen/AFP/GettyImages

Have you changed your passwords since the security flaw known as Heartbleed emerged? Have you made sure they're all long, alphanumeric and randomized? Did you use a unique one for every site -- every bank account, every e-mail address, every music-streaming service, every social media profile and so on?

Congratulations! Your information still isn't safe. That's because passwords, by themselves, can't make it safe.

Every company is vulnerable to digital intrusions. By one estimate, 97 percent of Fortune 500 companies have been hacked. And stolen passwords, according to a report last year from Verizon Communications Inc., are usually the way in.

True, people tend to use dopey passwords (the most popular password of 2013 was "123456"). But hackers can now overcome even "strong" passwords: They can use powerful algorithms to break down probable combinations, install malware on your computer to log keystrokes, lure the unsophisticated to fake login sites, exploit account-reset mechanisms, and on and on. Even the strongest password in the world would have been vulnerable to Heartbleed, which enabled hackers to siphon data -- including user names and passwords -- from sites that used a common security protocol.

Is there a better approach? The short and sad answer is no. The slightly less short and sad answer is not yet.

Although security technology is growing more sophisticated, it's still flawed. Two-step verification -- in which a site sends, say, a text message with a code to enter before allowing users to access their account -- is an improvement. But it's also vulnerable to hacking. Password managers, which allow users to store tons of complicated passwords in an encrypted file, also could help. But they, too, have their vulnerabilities.

Then there's a growing assortment of biometric devices: iris scanners, fingerprint detectors, palm-print readers, heartwave sensors and more. Motorola has even toyed with the idea of an ingestible pill that would send out electrical signals to identify you.

These would seem like more plausible hindrances to hackers than pairing your e-mail address and your cat's name for authentication. But all these approaches will require some familiar trade-offs: the more secure, the less convenient; the better the protection, the more privacy you relinquish.

Biometrics also present new risks all their own, starting with a false sense of security. Android's facial-recognition authentication, for instance, has been defeated by photographs. Iris scanners can be fooled by synthetic images affixed to a contact lens. Apple Inc.'s Touch ID fingerprint reader, introduced in September to much acclaim, was hacked shortly thereafter.

And any biometric data that are stored in the cloud, or on a company's servers, are as vulnerable to hacking as passwords are. Worse, most people have only two eyes and 10 fingerprints: Once the mathematical representation of someone's biology is exposed, it can't be unexposed or easily changed. The problem of "reuse" -- the tendency to employ the same password on site after site, as every normal person does -- would only be exacerbated if everyone relied on their index fingers.

So there is no one solution to online security, in other words, and there may never be. Where does that leave us?

A combination of many solutions -- while cumbersome, irritating and intrusive -- is probably the best the world can hope for anytime soon. Internet companies can help by making wider use of algorithms that parse behavioral characteristics -- where users are, what kind of device they're using, what time of day they're attempting to log on -- to make a (very) educated guess whether someone's been hacked, not unlike how credit card companies try to detect fraud. Used in combination with other security measures, such as biometrics and passwords, such techniques could make it a lot harder to impersonate someone online. Companies and users alike also need to focus more on recovery plans and damage control, for when even the best security fails. As it inevitably will.