Can passwords ever be a thing of the past?
If you are like me, you may have over 100 online accounts. You might be surprised when you start counting them up. Work email, personal email, banks, credit cards, social media, shopping sites (lots of these!), TV licence, mortgage account, council tax account, utilities accounts, mobile phone account, congestion charging, toll road accounts, school or university accounts, online gaming, and on and on and on…
The vast majority of these accounts are still secured using a piece of technology held over from the ’80s: the password. It is old, it is tired, and unless you are very disciplined it is next to useless!
The human mind is terrible at remembering passwords, and computers are very good at cracking them. So when we are constantly being told to make our passwords long and complicated, but not to write them down, it quickly becomes impossible to manage. We use the same password for multiple accounts, we use easy patterns like names, places, dates, and regular strings of numbers.
This is why in 1998 poor password habits were the number one risk to information stored on computers; and in 2019 poor password habits are still the number one risk to information stored on computers.
Passwords are still widely used to keep our online lives secure, but with the rising prevalence of two-factor authentication, biometric logins and totally password-free logins, a major shift away from passwords is coming. The question is: can we ever really eliminate them entirely, and at what cost?
Are Passwords Secure?
Because we use passwords for so many things, and we use them so often, once you factor in human behaviour, they are often no longer secure.
There are several reasons for this:
- Password reuse: Reusing a password across several accounts means that if that password is compromised, so is every account you’ve used it on. Hackers will very often take username/password combinations gained from one data breach (e.g. the 6.5 million passwords breached by LinkedIn in 2012) and try them in more lucrative places like PayPal and Amazon. If your LinkedIn password is the same as your Amazon password you may find yourself out of pocket.
- Poor password choice: If you do try to be good and use different passwords everywhere, your brain will fill up very quickly. This is just the way our brains work. This is why people end up using short, easy-to-remember passwords, and the chances are that if it’s easy to remember, it is easy to guess or easy for a computer to crack.
- Password sharing: Giving your colleague your password so they can access a resource without having the hassle of going to IT to request it. This might seem to be a time saver, but giving your password to someone else increases the risk of it getting into the wrong hands.
- Social Engineering: It is often easier to trick you into giving your password away than it is to hack it. Spam emails and phone calls are commonplace and they’re getting more sophisticated.
What can I do about it?
Well, there are numerous password managers out there that help us choose good passwords, store them securely, and recall them automatically when we need them. Apple Keychain will store and automatically fill in passwords for you; so will LastPass, KeePass, Dashlane and countless others. If you use passwords, it is a good idea to use a password management tool. However, this tool must be secured using something better than a password, otherwise you are putting all your passwords in a box and just locking it with another password!
What are the alternatives?
Biometrics, Persona, FIDO and Two-Factor authentication are all possible options.
Fingerprint, facial and retina scans are already implemented on a number of phones, doors and ID checks. With one of these there is no need to remember a long, complicated password: all you need is yourself, and as we have yet to perfect human cloning, your biometrics would be hard to replicate.
Persona-based authentication is based on your behaviour and location. Have you ever signed into an account from a different location or on a different device and got a notification about it? This is persona-based authentication. It knows where you normally log in, and on what device; once it detects that you’re logging in somewhere unusual it will send you a notification to verify that it’s you.
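The check described above can be sketched in code. This Python block is an added example, not the post's own: it builds a per-user baseline of devices, countries and login hours from past logins, then scores a new attempt and decides whether to send the verification notification. The user names, device ids and history are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Login:
    user: str
    device_id: str   # e.g. a cookie-bound device fingerprint (constructed ids below)
    country: str     # resolved from the client IP by the service (constructed here)
    when: datetime


def build_profile(history):
    """Baseline per user from past successful logins: devices, countries and hours seen."""
    profile = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for ev in history:
        p = profile[ev.user]
        p["devices"].add(ev.device_id)
        p["countries"].add(ev.country)
        p["hours"].add(ev.when.hour)
    return profile


def assess(profile, attempt, step_up_threshold=2):
    """Score how far an attempt is from the user's persona.
    Returns (risk, reasons, needs_verification); at or above the threshold the
    service should send the 'was this you?' notification before granting access."""
    p = profile.get(attempt.user)          # .get() does not create a default entry
    if p is None:
        return 3, ["no history for user"], True   # nothing to compare against: verify
    risk, reasons = 0, []
    if attempt.device_id not in p["devices"]:
        risk += 2; reasons.append("unknown device")
    if attempt.country not in p["countries"]:
        risk += 2; reasons.append("unusual country")
    if attempt.when.hour not in p["hours"]:
        risk += 1; reasons.append("unusual time of day")  # weak signal on its own
    return risk, reasons, risk >= step_up_threshold


# Constructed sample history: alice normally logs in from the UK on two known devices.
SAMPLE_HISTORY = [
    Login("alice", "laptop-1", "GB", datetime(2019, 9, 2, 9, 5)),
    Login("alice", "laptop-1", "GB", datetime(2019, 9, 2, 13, 40)),
    Login("alice", "laptop-1", "GB", datetime(2019, 9, 2, 18, 10)),
    Login("alice", "phone-1", "GB", datetime(2019, 9, 2, 21, 30)),
]
PROFILE = build_profile(SAMPLE_HISTORY)

if __name__ == "__main__":
    print(assess(PROFILE, Login("alice", "laptop-1", "RO", datetime(2019, 9, 3, 9, 0))))
```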
Chances are, in one form or another, you’ve already encountered two-factor authentication. This is a second, one-time code entered alongside your password. If you would like more information on 2FA, take a look at our previous blog post: What is Multi-factor Authentication and How will it help your business?
FIDO (Fast IDentity Online) is something to be excited about, as it has the potential to eliminate passwords and still keep you secure. Chances are you have already used it without even knowing. Have you ever signed into a website or app using the fingerprint scanner on your phone? That’s FIDO in action.
What are the down sides?
We live in an age of data breaches and leaks. You can’t go a week without hearing about another company suffering some sort of breach.
If your password is breached you can change it, but what about your fingerprints?
In August 2019, it was revealed that parts of a database were left publicly accessible, leaving the biometric data, unencrypted passwords and personal data of over one million people exposed. A biometric data leak is a big deal. This is your face, your fingerprints, essentially YOU, and it has now been left vulnerable to malicious, illegal and dangerous intent.
So whilst these new ways to authenticate are a massive step in the right direction, it is important that they are implemented correctly.
So, can passwords ever be a thing of the past?
Possibly, but we are not there yet. FIDO is a massive step towards it, but it’s going to take time to perfect and implement. Watch this space.
There are plenty of ways you can make your online life more secure right now. Each layer of security is vulnerable on its own; just by adding one extra layer you create a much more secure system. The more layers of security you have, the less chance that someone will have the key to every door.
If you would like more information on how to keep your accounts secure, why not give our experienced team a call on 0345 450 7876.