A recent study by the UK's National Cyber Security Centre reconfirms what cybersecurity experts have been telling us for years: people aren’t getting the message about password security.
It could be that people don’t know how to generate a strong password, but let’s be honest: names of places, sports teams, children’s birthdays, and favorite songs are easier to remember than a complex string of characters. They make managing multiple logins easier, no matter how risky they might be.
It’s become an annual ritual to wag the finger at end users hoping to shame them into best practice. But when people resist something so simple for so long, maybe it’s time for something new.
With us since antiquity
The concept of password-based authentication began in ancient Rome, where soldiers used "watchwords" to establish identity and authority. You had to be privy to the day’s watchword in order to enter restricted areas and secret locations. Watchwords were updated frequently, and as far as systems designed to limit access to approved users went, they were highly effective.
To make them more secure, watchwords developed into sets of passwords and counter-passwords. A guard might pose a cryptic question to someone seeking permission to enter and expect a predetermined response. Think about the coded exchanges between spies in espionage films and you’ve got the idea.
With so much of what we take for granted in computing having roots in military applications, it’s no surprise that the watchword has been adapted for modern use. Though there have been crucial updates, such as connecting a watchword to a username, the basic concept has literally been in use for thousands of years.
A fatal vulnerability
The problem with passwords is simple: they are all or nothing. It’s a fundamental flaw that can’t be fixed.
No matter how much technical sophistication goes into hashing a password or creating a strong one, the effort is squandered the moment someone else learns what the password is. If they get it – and there are many, many ways to get it – the battle is lost. Adding a security question is one way we’ve adjusted, but security questions are just passwords by another name.
The weaknesses don’t stop there:
- A significant number of us just don’t want the bother of creating and remembering one or more complex passwords.
- If people use simple passwords, they probably use them across numerous accounts.
- From gaming consoles to SharePoint logins and Netflix accounts, passwords are often shared between friends, family, and colleagues.
- Encrypting or hashing passwords adds another level of protection, but if a cybercriminal manages to install a keylogger, you’re back to square one.
If not passwords, what?
Two-factor authentication is one alternative that’s becoming more and more common. 2FA requires two different kinds of proof, for example combining a password with a unique code sent to your phone by SMS or via a dedicated authenticator app.
Adding a physical security token like a flash drive is another option. Banks have already adopted secure keys, in the form of tiny calculator-like devices used to generate unique access codes for secure online banking – but many customers despise them.
Apple and Samsung are trying to make biometrics like facial recognition a standard way to authenticate identity. It’s not clear yet if the simplicity of biometrics will beat out concerns about privacy and misuse, but they could be our post-password future.
Passwords consist only of information, so they can be breached with information. Moving from intangible to physical authentication seems like a natural evolution.
Protect yourself, from yourself
Passwords are weak and unreliable, but it’s still too early to ditch them. Although more secure alternatives have been developed, they still need more time to prove themselves before they can be widely adopted.
HaveIBeenPwned founder Troy Hunt thinks passwords are here to stay, despite how insecure they are. Speaking to an audience at InfoSecurity Europe in June, he said: "[The alternatives] may be good technically, but every single person in this room knows how to use a password, as bad as it is security-wise." Basic usability will always trump security concerns.
For now, the best way to safeguard your passwords and sensitive data is to use a password manager. We’d suggest an offline one that keeps your passwords on your phone instead of storing them in the cloud, and that lets you unlock them with your biometrics rather than a guessable master password.
Until everyone gets the message about strong passwords, or until biometrics achieve mass adoption, securing and encrypting your passwords offline is an effective personal failsafe.