Passwords are not enough

Warning: this content is older than 365 days. It may be out of date and no longer relevant.

How secure are your digital assets? With the massive database compromises of sites like Gawker and its associated properties, both individuals and groups are finding that passwords aren’t enough. But what’s a realistic alternative or supplement?

Here’s one. Do you see this little gadget attached to my keychain?

Passwords are not enough 1

It’s a World of Warcraft authenticator. It’s a little device that generates a random number bound to my Warcraft account every 30 seconds or so. To log in to play, I sign in with a password and type in the current number. It takes literally seconds to do and ensures that my Warcraft account is harder to hack as you’d need both the physical device and my password to get in.

Now explain this to me: why is my video game, my leisure activity, more secure than everything else I use in my digital life? I swipe my credit card at stores and the bored minimum wage clerk doesn’t even bother looking at the signature. I log into my bank account online with just a password. I used to work in a credit union data center a little while back where passwords for the system were mandatory – but they were four digits only and if you compromised them, you’d have access to literally billions of dollars.

The technology to add strong security – or stronger security at any rate – isn’t especially difficult for users to add to their routine. That’s a baseless fear- millions of Warcraft players like me use a strong security system daily. Database disasters like the Gawker incident highlight just how fragile and easily broken the simple text password  is, and should be a wake up call to us, the consumers, to demand more security out of the institutions we deal with daily

Want to get a jump on institutions? Change your passwords now, and change them in such a way that no one password works for everything. At a bare minimum, add a word for password groups so that password sets can be remembered but are different from major network to network.

For example, if the password you want to use is CheeseBurgers!, then create CheeseBurgers!Banking as a password for financial services, CheeseBurgers!Social for networks like Facebook and Twitter, CheeseBurgers!Email for mail services, etc. You’ll still mentally have “one” password but it won’t work for everything. (the added length is also a minor increase to security since longer passwords are harder to guess) If another Gawker media incident happens where millions of passwords and email addresses are stolen, perhaps only your CheeseBurgers!Blogging password will need to be changed.

Security is and will be only as strong as we demand of the companies we work with. Demand better of everyone and everything you work with!

You might also enjoy:

Want to read more like this from Christopher Penn? Get updates here:

subscribe to my newsletter here

AI for Marketers Book
Take my Generative AI for Marketers course!

Analytics for Marketers Discussion Group
Join my Analytics for Marketers Slack Group!


7 responses to “Passwords are not enough”

  1. Great advice. I had my blog hacked a while back that really made me question the password strength that I was using everywhere. I have since made my passwords more creative ans stronger.

  2. While living in Norway I was surprised and then thankful that they had a password generator just to access the online banking. That was five years ago. Maybe password generators are somewhere in the new financial regulations?

  3. Hi Christopher – this is good advice … as always.

    I have a couple of bank accounts – and they do take real efforts on security. Coutts & Co have a device that I carry around similar to your Warcraft thingy (but a little more tasteful!). UBS are even more secure and I have to have a card, that goes in a little machine, where I type a number, and then transfer this number to the banking system.

    I’m toying with the idea of using one of the “all in one place” password systems – like 1Password. Do you have any opinions on those type of services?

    Enjoy the blog posts – keep up the great work … and regards of the season. Phil

  4. This has been on my mind a LOT lately. I keep hearing stories of how easy it is for hackers to wipe out your data or break into your account. One of the reasons I am comfortable using paypal is because they have a gizmo similar to what you mention above where you press a button and it generates an algorithmically generated # that is different every time. At this point, if drop box, for example, offered this option, i would migrate my online files there in a second instead of google docs.

  5. Kudos, Christopher. May I point you and your readers to an evergreen blog post I wrote two years ago on the how and why to create a mnemonic password? I use a different password for every website that requires one, my system uses strings that are not dictionary words and combine multiple types of characters. Have a look at

  6. […] expert Christopher Penn recently wrote a blog post entitled "Passwords are not enough."… Do you agree that passwords are not enough? If so, should apps like Gmail, Dropbox, Evernote and […]

  7. Great article, thanks for the simple easy tip to have different passwords yet keep them the same. That in itself was a great reason to read this!

Leave a Reply

Your email address will not be published. Required fields are marked *

Pin It on Pinterest

Share This