Is the password dead? For a while now, the IT industry has struggled with the password problem. The conundrum is around the requirement to authenticate a user – making sure they are who they say they are – combined with the fact that the person on the other end is likely to choose an inappropriate password. Indeed, Skyhigh Networks recently analysed 11 million compromised passwords for sale on the Darknet and identified that the 20 most common passwords are used by over 10% of people.
It’s no surprise to find that ‘123456’, ‘qwerty’ and ‘password’ regularly top the lists of passwords that have been compromised. Verizon’s annual Data Breach Investigations Report states that two-thirds of data breaches are caused by stolen or misused credentials. So, if you’re reading this and you’re wondering whether your password is still secret or not, go to security researcher Troy Hunt’s website www.haveibeenpwned.com and click on the ‘password’ link.
You might think the answer would lie in simply creating longer, more complex passwords using lower and upper-case letters and with a mixture of numbers and special characters. This might seem a great idea – and, indeed, a password of 30 characters will take longer to ‘crack’ than one of eight – but the reality is that lengthier passwords are more difficult to remember, and so people simply re-use them across different accounts. In fact, according to a study from the University of Cambridge, 31% of online users reuse the same password for several of their accounts.
Although long, complex passwords might take longer for a hacker to crack, the fact remains that advances in software and desktop computing power mean that even lengthy passwords are at risk, whilst tools for cracking passwords, such as Hashcat and John the Ripper, are freely available on the internet. We need something more than just passwords.
There are better forms of authentication out there. Many of us now unlock our smartphones not with a PIN, but with a fingerprint. Biometric sensors are becoming increasingly mainstream, and facial and voice recognition technology is advancing to the point where major banks are rolling out the technology to customers. But can these developments fully replace the password? Whilst that may be the case in future, the technology is still in development – not to mention consumer concerns over biometric tracking.
As things stand right now the answer lies in multi-factor authentication, known as MFA (or sometimes 2FA). As the name implies, MFA requires more than one piece of information to gain access to sensitive data. This can be a combination of password and biometric authentication, or SMS-based authentication – where a user types in a four-digit code sent by a site to their mobile device – or through physical devices such as the YubiKey, or the small number-generation token used by some banks. There are some issues with MFA, notably cost, although many businesses are offering it as a service.
Sadly, though, the uptake has been slow. Gmail has offered 2FA for a while now, where a code is sent to your mobile device every time you log on, but less than 10% of Gmail users have activated it. Some of this may be down to a lack of knowledge and understanding, but it may also relate to the perceived inconvenience users have with MFA. Indeed, a small vox pop I did of family and friends indicated that the extra step of using 2FA was seen as unnecessary and a waste of time. No-one seemed very keen on the idea.
What seems to tick both boxes here is the emergence of new, password-free, mobile ‘push-based’ authentication systems, which increase security but do not impact on customer experience. Authentication is carried out automatically, with no excessive demands on users, and the device itself becomes the prime method of authentication. The first time a user signs in, they will be asked to create a link between their mobile device and the service they are logging in to, which could be by SMS or through scanning an on-screen QR code. This creates an ID tether between the user and their device so the next time the user logs in, a push notification is sent to the device and all they have to do is tap ‘approve’ in order to proceed. As these messages can be sent over the mobile network instead of through the internet, the risk of interception by a third party is greatly reduced.
There are still drawbacks, of course. Mobile devices are much easier to steal than a desktop computer, and so loading more and more authentication services onto them will make them an even more attractive target for the thief. On top of that, we will see cyber criminals creating and distributing more malware intended to compromise smartphones, so they can keep trying to exploit our credentials.
With all their drawbacks, passwords have remained popular mostly because they are cheap to implement, and they have become a part of our daily routines. User experience seems to play a key factor here – to replace passwords entirely we not only need a secure method of authenticating ourselves, but also a seamless method that gives a positive user experience as well.
We’re likely to see an increase in services offering MFA in the coming years, with push-based device authentication and biometrics eventually becoming the main authentication method within the next ten years or so. Until that time, though, it’s clear that we all need to take a little bit of responsibility for our passwords and create unique, complex passwords for all the sites we use. To make this laborious task easier, I highly recommend using a password manager to generate and store complex passwords, as well as taking advantage of any MFA services on offer. You will then be spared the unpleasant experience of visiting ‘Have I Been Pwned?’ and finding out that your usernames and passwords are available to anyone willing to look for them.
So the password isn’t dead just yet – but it’s well on the way to retirement.