April 24, 2019

With another report re-confirming that people dislike complex passwords, is it time to wave farewell to passwords entirely?

Analysis by the UK’s National Cyber Security Centre (part of GCHQ) of the 100,000 most popular passwords exposed by hacking campaigns and breaches reconfirms what cyber security experts have been telling us for years: people still don’t much care about having a strong password.

Hundreds of millions of internet users stubbornly refuse to move beyond basic and easily-guessed passwords – 123456 and QWERTY holding firm in the top 10 – leaving them wide open to hackers.

Maybe people don’t know what constitutes a strong password, but let’s be honest: names of relatives, place names, sports teams, favourite bands or other easily-remembered words are simply more convenient for managing multiple logins – no matter how risky or vulnerable they leave us to data theft.

GCHQ gathered the passwords from known data breaches, where they had been leaked, shared or sold by hackers on the dark web. The government wants to encourage users to embrace strong passwords in an effort to minimise cybercrime.

That’s an admirable goal, but we’ve heard all this before. It’s become a sort of annual ritual to remind people their password hygiene is atrocious and shame them into best practice.

People aren’t getting the message:

  • The worst passwords of 2018
  • Top worst passwords of 2017
  • Top worst passwords of 2016
  • Top worst passwords of 2013
  • Top worst passwords of 2010
  • Top worst passwords of 2007
  • And so on …
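The practical use of a breached-password list is to screen new passwords against it at sign-up or password change. The following is an added example (not code from the original article or the NCSC) of such a check; it assumes a small constructed sample in place of the full list and normalises the obvious evasions (case, trailing digits and punctuation, leet-style substitutions) before the lookup.

```python
import re

# Constructed sample standing in for the full top-100k list, which in
# practice would be loaded from a file into a set like this one.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111", "12345678",
    "abc123", "1234567", "password1", "12345", "liverpool", "ashley",
}

# Substitutions users apply to dodge a naive exact-match check.
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "!": "i", "4": "a", "5": "s", "7": "t",
})

MIN_LENGTH = 12


def normalise(candidate):
    """Return the variants of a candidate that the denylist lookup should cover."""
    lowered = candidate.lower()
    variants = {lowered, lowered.translate(LEET_MAP)}
    # Drop a trailing run of digits/punctuation ("Liverpool2019" -> "liverpool"),
    # but only when a non-empty core remains.
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if core:
        variants.add(core)
        variants.add(core.translate(LEET_MAP))
    return variants


def is_denylisted(candidate, denylist=COMMON_PASSWORDS):
    """True if any normalised form of the candidate is a known common password."""
    return any(variant in denylist for variant in normalise(candidate))


def check_password(candidate, denylist=COMMON_PASSWORDS, min_length=MIN_LENGTH):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if is_denylisted(candidate, denylist):
        reasons.append("appears in the common-password denylist")
    return reasons


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd1!", "Liverpool2019", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw) or "accepted")
```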

That’s not to minimise the potential damage weak passwords can cause. Using the name of your favourite sports club to protect banking details is risky in the extreme. But when people demonstrate resistance to an idea, persistently, for so long, maybe it’s time for a new idea.

What’s wrong with passwords

Passwords have become a way of life. It’s hard to imagine going online without one. Yet with every new security breach it becomes more evident that they’ve had their day. But if not passwords, what?

As far back as 2007, Bill Gates was warning us that the password/username combo was unfit for purpose in an increasingly connected world.

“Passwords are not only weak, passwords have the huge problem that, if you get more and more of them, the worse the problem becomes.”

Even then alternative security and authentication technologies like smart cards and smart wallets were starting to be adopted. But reliance on passwords remained the norm. It’s worth exploring why.

Blame the Romans

The inspiration for modern passwords comes from ancient Rome, where ‘watchwords’ were used to establish a person’s identity and authority, to access secret locations, or enter restricted areas. Watchwords were updated frequently, sometimes daily, and as an authentication system they were very effective.

To improve security watchwords evolved into sets of passwords and counter-passwords. A sentry might offer a cryptic question or phrase and expect a pre-set response. Think about ‘the crow flies at midnight’ exchanges between spies in WWII films and you’ve got the general idea.

In fact much of what we take for granted in computing technology has its roots in military applications, so perhaps it’s no surprise that we’ve adapted the watchword mechanism for accessing systems and devices. There have been advancements (connecting the watchword to a username for personalisation is new), but the basic concept has been with us for thousands of years.

One fatal flaw

As an element of security and authentication, passwords work pretty well. But as we’ve seen again and again, total reliance on them makes us vulnerable. Passwords have a simple, glaring flaw that can’t be fixed: they are all or nothing.

Put as much effort and technical sophistication as you want into picking a strong password or encrypting data; all of that effort is wasted the moment someone else knows the password. Once they have it – and there are many, many ways to get it – it’s game over.

We’ve tried to address that weakness by adding a security question. But security questions are just passwords by another name.

The weaknesses don’t stop there:

  • Human resistance is powerful. As GCHQ has just reminded us, a significant percentage of users just don’t want the bother of creating and remembering a complex password.
  • If people use simple passwords, the study says it’s likely that they also use the same password for many accounts.
  • From Netflix to databases to gaming platforms, passwords are often shared between colleagues, friends, and family.
  • Encrypting data or hard drives adds another layer of protection, but if a hacker installs a keylogger it’s the same issue all over again – all or nothing.

If not passwords, what?

Two-factor authentication is one alternative that’s becoming more and more common. Unlike the password/userid combo, two-factor authentication requires two different kinds of identity proof, for example combining a password with a code texted to your mobile phone.
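What makes the texted code a genuine second factor is how the server handles it: it must be single-use, short-lived, limited in guesses and never stored in the clear. The following is an added example (not code from the original article) of that server-side half; the 6-digit code, the 5-minute lifetime, the attempt limit and the injected clock are all assumptions made for the example, and delivery of the code by SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a texted code
MAX_ATTEMPTS = 5         # assumed guess budget before the code is voided


class SecondFactorCodes:
    """Issues and verifies one-time codes for a second factor such as SMS."""

    def __init__(self, server_key, now=time.time):
        self._key = server_key        # constructed secret; keep it server-side
        self._now = now               # injectable clock so expiry is testable
        self._pending = {}            # user -> (code_hmac, expires_at, attempts_left)

    def _digest(self, user, code):
        # Store only a keyed hash of the code, bound to the user it was issued to.
        return hmac.new(self._key, ("%s:%s" % (user, code)).encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh 6-digit code for the user; return it for out-of-band delivery."""
        code = "%06d" % secrets.randbelow(10 ** 6)   # uniform, not modulo-biased
        self._pending[user] = (self._digest(user, code), self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code   # hand to the SMS sender; never log or echo it

    def verify(self, user, submitted):
        """True only for the current, unexpired, unused code within the attempt budget."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[user]   # stale or exhausted: force a re-issue
            return False
        ok = hmac.compare_digest(digest, self._digest(user, submitted))
        if ok:
            del self._pending[user]   # single use: a replayed code fails
        else:
            self._pending[user] = (digest, expires_at, attempts_left - 1)
        return ok
```

The password check happens first and independently; this class only decides the second factor, and a failed verification should be logged per user so repeated guessing is visible.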

Using memory sticks as a physical key is another option. These aren’t in wide use outside of corporate environments but the technology is readily available. What if Amazon, or perhaps a consortium of retailers, made it so their websites and apps could only be used while the USB key was plugged in?

Apple and Samsung are working hard to make biometrics a standard security feature in handsets, basically using unique human characteristics like fingerprints and facial recognition to authenticate identity and permission.

This is the direction personal security needs to move in. Because passwords are just information, anyone who obtains that information can use it. Moving from intangible to physical proof of identity makes for much stronger protection.

Take away

Passwords are structurally weak and an unreliable security measure on their own, but it’s too early to bin them. The better alternatives are slowly moving toward mass adoption but they still need time. Businesses can lead the way by making two-factor authentication or biometrics standard for accessing company networks, and a condition of BYOD programmes.

Until then, everyone needs to adopt effective security habits and, yes, get the message about strong passwords. Standard web browsers like Safari are starting to generate them automatically whenever you sign up for a new website or app, then remember them for you.

Want your employees to be better equipped to create and maintain strong passwords? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.
