In fact, according to a paper delivered this week at the ninth annual Workshop on the Economics of Information Security at Harvard University, many Web sites use passwords "primarily for psychological reasons, both as a justification for collecting marketing data, and as a way to build trusted relationships with customers," rather than for security.
The unfortunate side effect of that approach is that less secure sites actually compromise the security of better secured sites.
The study, conducted by researchers Joseph Bonneau and Sören Preibusch, based at Cambridge University in England, analyzed the security practices of 150 Web sites, including e-commerce, news, and social networking sites, all of which offered free accounts secured via user-chosen passwords.
Many sites' password practices are inherently insecure -- they don't demand long or complex enough passwords, and don't filter out simple numerical sequences or family pets. Yet passwords are here to stay, because people expect them. "Efforts to replace passwords with more-secure protocols or federated identity systems may fail because they don't recreate the entrenched ritual of password authentication," said the researchers.
Unfortunately, people often reuse the same password for multiple sites. As a result, attackers can -- and do -- hit a less secure site to harvest passwords that work on higher-value sites.
In January, for example, a hacker stole a database from RockYou, an online gaming website, containing the passwords for 32 million users, as well as their passwords for partner sites. Helpfully, for researchers, the attacker also published a subset of the stolen database, revealing that RockYou had stored the passwords in clear text, and claimed that 10% of them could be used to access people's PayPal accounts.
What can be done? Bonneau and Preibusch suggest taking an economic approach to the problem, perhaps in the form of regulations, such as "a password tax or increased liability which provide strong disincentives for sites to use password-protected accounts when they have no business reason for doing so."
They also suggest branding password security, and issuing publicly-reviewed code to help eliminate the password "best practice" confusion now facing developers.
"Most [password] knowledge remains spread across years of often-conflicting academic research papers, where it is not easily accessible for developers," they said.