The Yahoo breach could kill off the password


Passwords, you had one job to do.

You were supposed to help ensure that the person logging into a website was the person authorized to log into a site.

But passwords (specifically stolen passwords) made recent huge data breaches far worse than they might otherwise have been. See Yahoo. And Yahoo. And FriendFinder, mySpace and eBay.

Indeed, the thing passwords were supposed to guard against may be the very thing that ends up killing them. RIP passwords. (Alternative take: Yahoo, I say.)


Look for ‘aftershocks’ from Yahoo breach

“The recent Yahoo data breach, which compromised over one billion user accounts, and other mega data breaches, are hastening the death of the passwords,” Michael Bruemmer, vice president of Experian Data Breach Resolution, wrote in an emailed response to questions. “As more personal credentials are compromised, the risk extends beyond the initial breach as attackers continue to sell old username and password information on the dark web.”

In its fourth annual data breach forecast, Experian, one of the three big credit bureaus, predicted that the “aftershocks” caused by large data breaches could lead security-sensitive websites to abandon passwords in favor of stronger verification methods. (This report, I should note, was prepared before the second, and considerably larger, Yahoo breach came to light.)

Aftershock breaches, according to Experian, are felt by companies that weren’t victimized by a data breach first-hand, but nonetheless find that many user accounts have been fraudulently accessed.

From the report:

“As we saw in 2016, a breach of 500 million Yahoo accounts in 2014 continued to echo consequences. It has been reported those stolen credentials were subsequently resold and used by other criminals to compromise accounts across a wide variety of services where consumers use the same username and password. This exposure of the largest ever breach of usernames and passwords is likely to reverberate for years to come as the exposed credentials make their way through the underground economy.”

Again, this was the smaller of the two Yahoo breaches.


What might replace passwords

I’m not going to blame the victim here. Yes, breaches would be far less damaging if people used better passwords and didn’t repeat them across sites. But the fact that people repeatedly use the same bad passwords shows a flaw in the system.

The system is broken, not the people who use it.

Here’s what Bruemmer thinks could replace (or enhance) the password:

  • Text messages carrying a temporary code that works only once, used in addition to a static password. This is two-factor authentication, and banks already use it widely when you log into your account from a new device.
  • Geolocation and device-recognition technology to ensure that login attempts are coming from a known device and the proper areas of the world. I’m occasionally asked on one device to enter a six-digit code on another device to ensure it’s being used properly when I’m not at home.
  • Biometric data, such as fingerprints, eye scans and facial recognition to authenticate users. Again, many smartphones already offer these features.
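The first item on that list hinges on the word “once”: a code that can be replayed is just a second password. The following is an added example, written for this article and not Yahoo’s or Experian’s code, of a hypothetical in-memory store that issues six-digit codes and enforces the three properties a practitioner would expect: a code is consumed on its first successful use, it expires after a short window (five minutes is an assumed policy), and a handful of wrong guesses voids it so the million-code space cannot be brute-forced during that window. The `demo()` function walks through each case with a controllable clock.

```python
import hmac
import secrets
import time


class OneTimeCodeStore:
    """Issues six-digit codes that are valid for one use, for a limited time,
    and for a limited number of guesses.

    Hypothetical in-memory store written for this article; a production
    service would persist pending codes and deliver them out of band (SMS,
    push notification), never return them to the caller.
    """

    def __init__(self, ttl=300, max_attempts=5, clock=time.time):
        self._ttl = ttl                  # seconds a code stays valid (assumed policy)
        self._max_attempts = max_attempts
        self._clock = clock              # injectable so expiry can be tested
        self._pending = {}               # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        # CSPRNG-backed code; zero-padded so "000123" is as likely as any other
        code = f"{secrets.randbelow(10 ** 6):06d}"
        # issuing a new code replaces any outstanding one for this user
        self._pending[username] = [code, self._clock() + self._ttl, self._max_attempts]
        return code  # in a real system this goes to the user's phone

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False  # never issued, already used, expired, or locked out
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[username]
            return False  # stale codes are dropped, not kept around for retry
        # constant-time compare so timing does not leak how many digits matched
        if not hmac.compare_digest(code.encode(), str(submitted).encode()):
            entry[2] -= 1  # each wrong guess burns an attempt
            if entry[2] <= 0:
                del self._pending[username]  # too many guesses: code is void
            return False
        del self._pending[username]  # consume on success: replaying the code fails
        return True


def _wrong_guess(code):
    """A six-digit string guaranteed to differ from `code`."""
    return f"{(int(code) + 1) % 10 ** 6:06d}"


def demo():
    """Exercise single use, expiry, a wrong guess, and guess lockout."""
    now = [1_000_000.0]
    store = OneTimeCodeStore(ttl=300, max_attempts=5, clock=lambda: now[0])
    results = {}

    code = store.issue("alice")
    results["first"] = store.verify("alice", code)    # fresh code is accepted
    results["replay"] = store.verify("alice", code)   # same code again is refused

    code = store.issue("alice")
    now[0] += 301                                      # advance past the TTL
    results["expired"] = store.verify("alice", code)

    code = store.issue("alice")
    results["wrong_then_right"] = (
        store.verify("alice", _wrong_guess(code)) is False
        and store.verify("alice", code)                # one miss does not void it
    )

    code = store.issue("alice")
    for _ in range(5):
        store.verify("alice", _wrong_guess(code))      # exhaust the attempt budget
    results["locked_out"] = store.verify("alice", code)  # right code, but too late
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the comparison uses `hmac.compare_digest` rather than `==`, and a wrong guess decrements a counter that is stored with the code rather than in a separate rate limiter, so there is no window between “check” and “count” that a concurrent flood of guesses could slip through. Device recognition and biometrics, the other two items above, solve a different problem (is this the user’s device or body?) and do not replace the single-use guarantee.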


In the end, the website whose reputation suffered the most from stolen passwords might be the one that leads the charge to kill the password.

Not only did Yahoo recommend setting up two-factor authentication in a note to account holders last week, it also recommended users set up Yahoo Account Key, a push-notification service that sends a message to your smartphone every time you attempt to log on to your email on a mobile or desktop device.

All you’ll need to remember is your username.

Account key, according to the note, is “a simple authentication tool that eliminates the need to use a password on Yahoo altogether.”