The Password is Dead! What Next For Security?

Passwords dominate our lives these days; they are part and parcel of spending time online. There are now so many applications, services, devices and websites that require us to log into a secure account using a password that the sheer number of passphrases we have to remember has spiralled completely out of control.

For the best level of security it’s advisable to use a completely different password for each website and service. Just off the top of my head I can think of 20 websites that I need to log into (there are probably at least double that if I were to sit down and list everything properly); how the heck am I supposed to remember 20 completely unique passwords, each of which comprises a combination of upper and lower case letters, numbers and symbols? Oh, and don’t forget… you’re meant to change these passwords every few weeks!

How many passwords do you have to enter each day? It’s easy to lose count!

Ultimately, for us mere mortals who have trouble remembering more than two passwords that aren’t blisteringly obvious, there are a couple of options available. The first is to simply use the same password for every single website; there’s no chance of forgetting just one password!

Obviously this is a massive security issue; if someone manages to work out that your Gmail password is ih4ve4b4dmemory and uses it to access your email, they’re probably going to try the same password for Facebook, Twitter and any other online service you care to imagine. One compromised site, or one leaked password database, then unlocks every account that shares the password.

Using the same password for a number of different services negates the security of the password.

A single, solitary password is far from ideal, but loads of us do it. We are human, we are fallible.

You’ve no doubt noticed that when you log into a website that requires you to enter a username and password, your web browser helpfully offers to remember it for you. This leads us onto the second option for us forgetful types. Sure… use a ridiculously long and complicated password; Chrome will remember it for you so you never have to enter it again. Great!

If you have trouble remembering passwords, your browser can do it for you.

But is this really helpful? If your browser remembers every password for you, there are two issues to consider. The first is that when you are out and about using an unfamiliar computer, you may well find yourself trying to access websites using a browser that does not have your details stored. What to do?! There’s a possibility that you may be able to remember your password, but as you opted to use the browser’s helpful password saving feature, it’s entirely possible that you won’t. When was the last time you actually had to type your password?

The second issue is more concerning. If your web browser is able to remember your passwords for you, they must be stored somewhere, and anything that is stored can be read back. The store may be encrypted, but the browser has to be able to decrypt it every time you visit a site, so anyone who gets the same access as you, whether by sitting down at your unlocked machine or by running malware under your user account, can generally decrypt it too. Encryption alone is not enough to foil someone who is seriously keen on getting their hands on your data.

Having your passwords saved for you opens up the risk that this information could be stolen.

It’s clear that another solution is needed, and this is something that is being increasingly recognised by popular online services. All of the main social networks now offer two-factor authentication, or two-step verification as it is sometimes known.

What does this mean? Facebook, Twitter, LinkedIn and many more sites now use it, and it means that your username and password are not enough on their own. This type of authentication can take various forms, but the basic idea is that you are required to use something you know (i.e. your password) and something you have (such as your phone) to log into your account.

Two-factor authentication adds an extra layer of security but you’ll need to have your phone with you.

This usually means that you will need to link a mobile phone to your account, and when you go to log in a verification code will be sent to you via SMS. Your account will be inaccessible until you have entered this code. Banks often employ a slightly different take on this idea, requiring customers to insert their bank card into a card reader and enter their PIN to generate a one-time code, but the basic principle is the same.
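To make the second step concrete, here is the server side of the SMS code exchange described above, written as an added example for this article rather than code from any of the services it mentions. It assumes the password (the thing you know) has already been checked, a hypothetical in-memory store stands in for the real database, and the returned code is handed to an SMS gateway that is not shown. The points a practitioner cares about are all here: the code is random, stored only as a salted hash, expires, is compared in constant time, and is discarded after one use or a small number of wrong guesses.

```python
"""Second login step: issue and verify a one-time code sent to the user's phone.

Added example, not code from the original article. The store and the
gateway hand-off are assumptions: a real service would keep the same
fields in a database or cache and pass the code to its SMS provider.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 3         # after three wrong guesses the code is thrown away
CODE_DIGITS = 6

# Hypothetical in-memory store: user_id -> pending challenge.
_pending: Dict[str, dict] = {}


def _hash_code(user_id: str, code: str, salt: bytes) -> bytes:
    """Salted hash of the code, so a leaked store does not reveal live codes."""
    return hashlib.sha256(salt + user_id.encode() + code.encode()).digest()


def issue_code(user_id: str, now: Optional[float] = None) -> str:
    """Generate a fresh code, record only its hash and expiry, and return the
    code for delivery by SMS. Issuing a new code replaces any pending one."""
    now = time.time() if now is None else now
    # secrets, not random: the code must be unpredictable to an attacker
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    _pending[user_id] = {
        "salt": salt,
        "digest": _hash_code(user_id, code, salt),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """True only for the right code, within its lifetime and attempt budget.

    Every terminal outcome (success, expiry, too many attempts) deletes the
    challenge, so a code can be used at most once and cannot be brute-forced
    by cycling through the million possible values.
    """
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[user_id]
        return False
    entry["attempts"] += 1
    actual = _hash_code(user_id, submitted, entry["salt"])
    ok = hmac.compare_digest(entry["digest"], actual)  # constant-time compare
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[user_id]
    return ok


def wrong_code_for(code: str) -> str:
    """A guaranteed-wrong code, used by the demo below and by tests."""
    return "000000" if code != "000000" else "000001"


def demo() -> dict:
    """Walk through the normal, replayed, expired and brute-forced cases."""
    t0 = 1_000_000.0
    code = issue_code("alice", now=t0)          # would be sent by SMS here
    results = {
        "wrong_guess": verify_code("alice", wrong_code_for(code), now=t0 + 10),
        "right_code": verify_code("alice", code, now=t0 + 20),
        "replayed": verify_code("alice", code, now=t0 + 30),
    }
    code = issue_code("bob", now=t0)
    results["expired"] = verify_code("bob", code, now=t0 + CODE_TTL_SECONDS + 1)
    code = issue_code("carol", now=t0)
    for _ in range(MAX_ATTEMPTS):
        verify_code("carol", wrong_code_for(code), now=t0 + 5)
    results["after_lockout"] = verify_code("carol", code, now=t0 + 6)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the attempt limit is what makes a six-digit code safe at all: without it, a million guesses is trivial work for a script. The check above only protects the server side of the exchange; it still relies on the code reaching the phone that belongs to the account holder.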

This obviously helps to increase security, but it does little to eliminate the irritation factor. What happens when you don’t have your phone with you for some reason? What about those occasions when your battery is running low and you need to make an important call? Some sites offer an alternative way to complete the second step, such as a set of printable backup codes, to cater for these circumstances, but this is certainly not the norm.

Verification codes sent out via SMS are great -- so long as you have your phone with you.

So it’s clear that something better is needed. Practically everyone has a mobile phone, but this is not an ideal means of authentication. There are too many ways in which things can go wrong. What do you do if your phone is lost or stolen?

We need to think of something different. A mobile phone seems like a good means of identification because it’s something that most people have with them most of the time. Apple, with the launch of the iPhone 5s, decided to use something else that you always have with you: your fingerprint. It’s nothing particularly new, but the new iPhone’s fingerprint reader is an interesting security method, and it’s the sort of thing that we need to put more thought into.

The iPhone 5s features a fingerprint reader which could be adopted elsewhere.

This is far from being the only alternative means of logging in to accounts that exists. Hardware manufacturers are starting to take advantage of Near Field Communication (NFC) as a means of authenticating users. With NFC devices your phone can be configured so that entering the PIN you have set up is not enough: you also need to be wearing or carrying a verified NFC device such as an electronic ring or bracelet.

The Nymi bracelet actually ups the game by adding an extra level of authentication. It is not enough to be wearing the bracelet: it is also paired to your heartbeat (the electrical pattern of which is unique to each person), so it cannot be used by anyone else.

NFC devices such as the Nymi bracelet could offer an alternative to passwords.

The fingerprint reader and NFC devices are currently being used to control access to mobile phones, but there is no reason why this should not be extended into other areas such as website security. It will take a change in the way we think about security, but ideas such as this would seem to be a viable alternative to the passwords we are tied to at the moment.

Increasing numbers of people are starting to realise the limitations and security problems associated with traditional passwords. The appropriately named Petition Against Passwords is keen to highlight a number of high-profile security breaches that have led to millions of passwords being accessed by unauthorised people.

The mission statement is fairly simple:

We advocate user authentication that doesn’t require us to remember anything. We’re finding more ways to use the Internet, and we want better ways to identify ourselves. It should be easy to log in to every site we use now and to register at every new site we want to add. We refuse to rely on our memories for security, and instead insist on standards that make it easy to stay safe and keep our data private.

And who wouldn’t like a security solution that did not mean having to rely on memory?

Petition Against Passwords believes we need to find a replacement for the traditional password.

The idea behind the campaign is to try to influence digital service providers to move towards alternative means of authenticating user accounts. There are a number of companies who are already interested in exploring different options, including the likes of Clef, OneID and PixelPin. If more individuals and companies show an interest, momentum could grow and we could find a practical, affordable and secure alternative to having to type in lengthy passwords to access websites.

How do you feel about passwords? Are they something you have become used to, or do you find them a necessary evil that you’d like to replace? Do you think that two- or three-factor authentication is the way ahead, or is there a better solution out there?
