Is It Time for the Log-in to Die?


What do you think when you hear Target, Neiman Marcus, UPS, JP Morgan Chase, and Sony? Major brands? True. International corporations? Sure. Want to know what I think first? Massive security breaches. Every one of these companies has lost customer information to hackers.

After working with a mobile security company for more than 10 years, I notice how quickly we’re migrating our lives to devices and the cloud—making more personal data more vulnerable than ever. Which could make for a bleak future, unless we change how we secure that information. What would a better tomorrow look like? Who has to change? What’s standing in our way?

We’re Lazy

Okay, we’re not lazy—we’re human. We forget things. No wonder so many of us choose one password to use everywhere.

The thing is, this won’t keep us safe. The question is no longer “Will a website I log on to get hacked?” but “When?” Using one password across many sites is practically no better than no passwords at all. It’s like using the same combination on the padlock for your bike, your garage, and your locker. Once someone cracks the code for 1, they can open all 3.

Perhaps how we use passwords is more to blame than flaws with passwords themselves. My favorite solution is password managers, like LastPass, that let me create a unique, long, unguessable character string (that I don’t need to remember) for each site. Sure, LastPass was hacked, but hackers only got access to encrypted versions of passwords. Plus, LastPass lets me change every site’s password very easily, and it automatically re-encrypts all my saved ones.

Some people are excited about biometrics, but frankly those scare me. It’s one thing to change log-in credentials when those get stolen, but you can’t change your fingerprint, or the pattern of your iris. Two-factor authentication is another option, but it’s a hassle and therefore impractical for anything but the most precious data, like bank accounts.

Passwords aren’t all we need to be mindful of, though. We have to ask, every time we create a new online account, how much information that company needs. Does Cats.com really require my social security number for a Manx-of-the-Month newsletter? When a site I’ve used gets hacked, what information will the hacker get?

Log-ins Are Overkill

Let’s consider that most of us take for granted that keeping information secure requires a login (usually a user name and password). Logins were designed to do 2 things:

  • Identify: Who are you, so I can remember your preferences for convenience?
  • Authenticate: Can you prove who you are for security?

Too many companies require full authentication when simple identification is enough. And plenty who only identify pass up better ways to remember you, like cookies or unique non-identifying keys. Facebook’s shared login is a decent compromise because it provides identification and authentication without requiring that you give a third-party site your actual password. The downside to this model is you do have to give that third party access to your Facebook profile in return, and if your Facebook credentials are compromised, the bad guys have access to all the places where you can “Log in with Facebook.”

Ultimately, many companies don’t need to authenticate at all. Think about the last time you created a login. You probably had to key in your full name (middle initial, too!), home address, mobile phone, maybe even gender or age, probably a hint to help with password retrieval … all so you could order pizza? Really? Seems the default is to extract as much information as possible from users, in the guise of providing security.
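As an added example (not code from the original post), here is the Identify/Authenticate split in Python: the identify path hands the browser an opaque random key, suitable for a cookie, that looks up preferences and holds no personal data, while only the authenticate path verifies a salted password hash. The in-memory dictionaries and PBKDF2 parameters are assumptions standing in for a real site's database.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores (assumption: stand-ins for a site's database).
PREFS_BY_TOKEN = {}   # opaque token -> preferences only, nothing identifying
ACCOUNTS = {}         # username -> (salt, password hash); no plaintext kept
PBKDF2_ROUNDS = 200_000


def issue_identifier() -> str:
    """Identify only: a random, non-identifying key the site can set as a cookie.
    If the token leaks, the only thing exposed is a preference list."""
    token = secrets.token_urlsafe(32)
    PREFS_BY_TOKEN[token] = {}
    return token


def remember_preference(token: str, key: str, value: str) -> bool:
    """Store a preference against the token; unknown tokens are rejected."""
    prefs = PREFS_BY_TOKEN.get(token)
    if prefs is None:
        return False
    prefs[key] = value
    return True


def get_preferences(token: str) -> dict:
    return dict(PREFS_BY_TOKEN.get(token, {}))


def register(username: str, password: str) -> None:
    """Authenticate path: keep only a per-user salt and a slow PBKDF2 hash,
    so a breach of this store yields no reusable passwords."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    ACCOUNTS[username] = (salt, digest)


def authenticate(username: str, password: str) -> bool:
    """Prove identity: recompute the hash and compare in constant time."""
    record = ACCOUNTS.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```

The pizza-ordering case from the text only needs the first three functions; the last two exist for data that genuinely warrants proof of identity.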

Who Will Make the Grade?

Since companies are unlikely, without pressure, to stop unnecessarily extracting personal data from consumers, where will that pressure come from? I propose an industry-wide “security report card.”

Imagine a grade reflecting adherence to a data security standard, like PCI DSS for credit cards. Consumers can choose who is trustworthy enough to share information with and who’s not. Lax companies can improve practices to earn a higher grade.

On the flip side, we consumers need to think of identity, finances, personal data, as gold bricks. If we keep them on the coffee table, having a front-door lock is vital. But if someone breaks the deadbolt (i.e. steals the one password we use on every site), they can take it all. But even a stronger deadbolt isn’t enough. We need to secure each “brick” behind layers—inside a lockbox, which is disguised to look like a copy of War and Peace, hidden spine-in on an upstairs shelf—then make sure each layer is strong enough. Having a solid password practice won’t help much if the company we’re entrusting our information to isn’t trustworthy.

While a report card won’t eliminate log-ins, it will give us all more insight into how much of our data companies need and how they protect what they get. Plus, even if we’re password gurus, there’s a wide set of issues in how companies handle data that’s completely out of our hands. Companies should be rated on a number of criteria, including:

  • Is your data encrypted on the company’s machines? Spoiler: the answer is often “No.”
  • How many employees have access to your data? This should be a very small number, on a need-to-know basis, and those people should have to undergo background checks and clearance.
  • What kind of auditing, monitoring, and reporting is done? Do they do regular penetration testing and threat modeling with third-party experts?
  • How long do they retain your data? And how do they use it?
  • What do they do with your data after you unsubscribe / cancel / quit?

Companies who digitally collect customer information should regard themselves, first and foremost, as custodians of that data. This alone would make a dent in cyber-crime. But it won’t happen without raised standards, and those won’t happen without pressure from the people with the most to lose—every one of us.