Until the beginning of this month, I used one tinpot password for pretty much all my activity online. Eight characters long — without numbers or symbols — its prime value was sentimental, the product of a relationship that started in the era of the floppy disk. Then paranoia struck. On 1 February, 250,000 Twitter passwords were stolen by hackers. Had the hackers cracked mine — and found their way to the Gmail and bank account daisy-chained to it — well, they wouldn't quite have been able to retire, but the fear (and raunchy spam I'd been a vessel for) was enough to spook me into a radical overhaul of my online security.
I won't pretend this is a dramatic tale. It is, however, a drama relevant to many garden-variety internet users. As work and social life shift on to the internet, and people freight their profiles with more valuable data, there's growing consensus that passwords — 'icecream', 'tomcat', 'loveyou' — are no longer up to the job of keeping out intruders (be they 14-year-old 'script kiddies' or state-sponsored agents). Passwords can be forgotten, guessed, tricked or stolen from databases. Bill Gates was among the first — almost 10 years ago — to pronounce them "dead"; now the reedy voice of Microsoft's founder has been joined by a chorus of hundreds — from hacked individuals to governments to Google itself.
These password-o-phobes foresee higher hurdles. More complexity. Biometrics. Soon, many hope, you will sign in to your bank or email via fingerprints, voice recognition or the veins in your palm.
Alarm bells have been ringing for security professionals more or less continuously over the past three years. In 2011, the number of Americans affected by data breaches increased 67 per cent. Every quarter, another multinational firm seems to trip up. PlayStation was a larger casualty, forced to pay $171 million (£112.8 million) to protect gamers after its network was broken into. Before Twitter went down, 6.5 million encrypted passwords were harvested from LinkedIn, 250,000 of which later appeared 'cracked open' on a Russian forum. ('1234' was the second most popular choice; 'IwishIwasdead' and 'hatemyjob' appeared on one occasion each.) Now all these once-precious words have been added to gigantic lists that hackers can spin against other accounts in future attacks.
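The last sentence above describes the defender's problem in a nutshell: once a password appears in a published dump, it is no longer a secret anywhere, so a site that accepts it is accepting a credential attackers already hold. The common mitigation is to check new passwords against the known-breach lists without ever sending the password itself to the checking service. The added example below (my own illustration, not code from the article or from any named service) shows that check in Python: a breach index keyed by the first five hex characters of the SHA-1 hash, a simulated service that returns only the suffixes for a prefix, and a sign-up policy that rejects anything found there. The leaked list, the service and the `password_accepted` policy are all constructed for this demonstration.

```python
import hashlib

# Constructed sample of a leaked password dump (stand-in for a real breach list).
# The values echo the ones quoted in the article; they are not a real dataset.
LEAKED_PASSWORDS = [
    "icecream", "tomcat", "loveyou", "1234", "IwishIwasdead", "hatemyjob",
]

PREFIX_LEN = 5  # hex chars of the hash shared with the checking service


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password; the hash breach lists are keyed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Index a leaked list by hash prefix, the way a breach-check service does.

    Only hashes are stored; the service never needs the plaintext passwords.
    """
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
    return index


def lookup_by_prefix(index, prefix):
    """Simulated service endpoint: returns every suffix sharing the prefix.

    The caller reveals only PREFIX_LEN hex characters, so the service learns
    neither the password nor its full hash (range query / k-anonymity).
    """
    return list(index.get(prefix, []))


def is_compromised(password: str, index) -> bool:
    """Client side of the check: hash locally, query by prefix, match suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in lookup_by_prefix(index, prefix)


def password_accepted(password: str, index, min_len: int = 12):
    """Constructed sign-up policy: returns (ok, reason).

    Rejects short passwords and anything already present in a breach list,
    since a leaked value offers no protection regardless of its complexity.
    """
    if len(password) < min_len:
        return False, "too short"
    if is_compromised(password, index):
        return False, "found in a known breach"
    return True, "ok"


if __name__ == "__main__":
    idx = build_breach_index(LEAKED_PASSWORDS)
    for candidate in ["icecream", "IwishIwasdead", "correct horse battery staple"]:
        ok, reason = password_accepted(candidate, idx)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({reason})")
```

Two design points are worth noting. The client hashes locally and sends only a short prefix, so even a compromised or logging checking service cannot recover what was typed. And the length rule is deliberately separate from the breach rule: "IwishIwasdead" passes a naive length check yet is rejected because it is already on a list, which is exactly the failure the article describes.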
It seems security fears spread best, however, from person to person. Late last year, Wired published a cri de coeur from writer Mat Honan, detailing how hackers destroyed his digital life in an attempt to steal his prestigious three-letter Twitter handle, @mat. Much of Honan's work — and pictures of his newborn child — were wiped. Dire warnings ("you have a secret that could ruin your life… your passwords can no longer protect you") punctuate the report — and in the two days after it was published, a quarter of a million people (myself included) followed Honan's advice and signed up for Google's two-step verification process. If his story doesn't do it for you, try the woman held to ransom for her email account, or ex-President George W Bush, who found images of his paintings hacked and published across the web.
But a long queue of critics doesn't mean that everyone is sliding away from passwords. "Despite their imperfections," says Dr Ivan Flechais, a research lecturer at Oxford University's Department of Computer Science, "they're convenient and a cheap option for developers… I don't see passwords changing across the board anytime soon." This line has been unwaveringly accurate since the first articles dismissing passwords appeared in 1995. And internet users who don't own valuable Twitter handles — or weren't aware there was a market for such things — might be thankful to find a body of opinion sticking up for the right to use whatever brittle codes they choose. Reluctance is understandable. At the moment, safer also means more time-consuming. That half a second needed to chug through the memory for a complex password ("*874 or 8*47?") or go through Google's two-step process (which pings a code to the user's telephone) can feel gratingly out of sync with the warp-speed of modern computer habits. Chip-and-pin devices for online banking are still seen by most as a necessary evil.
The web is a darker place than most of us realise, and while we wait for better technology to filter through, it's probably best to get used to slowing down and locking up. Bad passwords are as out of date as 'wham'.