So Long Passwords, and Thanks for All the Phishing
Conventional passwords will become obsolete very soon. Bill Gates already predicted it in 2004; it is not breaking news. The average consumer using electronic devices that connect to the internet has roughly 25 or more sites, apps and accounts that rely on conventional passwords to gain access and enable data protection. I think it is safe to say that the majority of individuals who have had the pleasure of creating a new password, or have used password generators, will welcome more modern forms of access control with open arms.
What is wrong with conventional passwords as a means of data protection?
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” (Explain XKCD, comic 936)
1. Safety. The first, and most common, flaw with strong passwords is remembering them, especially if you use a password generator. There are general guidelines for creating a strong password that will not be easily guessed. According to Microsoft, the tips for creating a strong password without a password generator are the following:
- At least 8 characters long
- Does not contain your user name, real name or company name
- Does not contain a complete word
- Is not similar to your other passwords
- Contains uppercase and lowercase characters, numbers and symbols
This is quite a list to take into consideration, and it leads people to do an unspeakable thing: writing down passwords (for example on a sticky note taped to the monitor). This makes them extremely vulnerable to security breaches and is not ideal when it comes to data protection.
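To make the five Microsoft guidelines concrete, here is an added example (not code from the original post or from Microsoft) of a checker that reports which guidelines a candidate password violates. The wordlist and the similarity threshold are assumptions: a real deployment would load a full dictionary or a breached-password list, and Microsoft's tips give no number for "similar".

```python
import difflib
import string

# Constructed wordlist standing in for a real dictionary (assumption: a deployment
# would load a full dictionary or a breached-password list instead).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Similarity threshold is an assumption; the guidelines give no number.
SIMILARITY_THRESHOLD = 0.8


def check_password(password, username="", real_name="", company="",
                   previous_passwords=()):
    """Return the list of guideline names the password violates (empty = passes)."""
    failures = []
    lowered = password.lower()

    # 1. At least 8 characters long
    if len(password) < 8:
        failures.append("length")

    # 2. Does not contain the user name, real name or company name
    personal = [s.lower() for s in (username, real_name, company) if s]
    if any(p in lowered for p in personal):
        failures.append("personal_info")

    # 3. Does not contain a complete word
    if any(word in lowered for word in COMMON_WORDS):
        failures.append("dictionary_word")

    # 4. Is not similar to your other passwords. This needs the old plaintext, so
    #    it can only run on the client or at change time when the user supplies the
    #    old password; a server that stores only hashes cannot do it afterwards.
    for old in previous_passwords:
        if difflib.SequenceMatcher(None, password, old).ratio() >= SIMILARITY_THRESHOLD:
            failures.append("similar_to_previous")
            break

    # 5. Contains uppercase and lowercase characters, numbers and symbols
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if not all(classes):
        failures.append("character_classes")

    return failures


if __name__ == "__main__":
    # Constructed sample candidates for user "bob"
    for candidate in ("summer", "Bob2024!!", "Xq7#vL2!pR"):
        print(candidate, "->", check_password(candidate, username="bob") or "ok")
```

The similarity rule is the one that trips real systems up: it only works while the old password is still in hand, which is why so many sites enforce it at password-change time and nowhere else.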
2. Inconvenience. All the guidelines mentioned above make using a password, not to mention creating a new one, a bit of an annoying task. Conventional passwords, even though they are implemented to be our friend and protect us, become the enemy, and potentially the very cause of a security demise.
3. Increasing number of different passwords. With the increasing number of accounts, apps, websites and devices that we use, the number of passwords required increases as well. And by now we know the big “no-no” in password land: don’t use the same password for more than one account, or else you jeopardise your data protection. You could use a password manager or a password generator to avoid “password fatigue”; however, you will still need to remember the password that logs you into the password manager in order to gain access to your other passwords.
But what is the alternative to relying on conventional passwords?
1. Two-step verification. Two-step verification isn’t really an alternative; it’s more of a “double check” method. This access control method has a two-step verification process consisting of “something you know” (the password), followed by either “something you have” (a security token or an OTP – one time pin) or “something you are” (discussed in the next point about biometrics). Most often the second step takes the form of a text message with a security token sent to your mobile phone.
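The one time pin mentioned above is usually a time-based OTP of the kind an authenticator app produces: the device and the server share a secret, and both derive the same six-digit code from it and the current 30-second time slot, so no pin has to be sent over a text message at all. As an added example (not code from the original post, and not any particular vendor's implementation), the HOTP/TOTP construction from RFC 4226 and RFC 6238 in Python, with a verifier that tolerates one step of clock skew. The secret used in the test is the RFC test-vector key; a real deployment generates a random secret per user.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to the requested digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret, submitted, timestamp=None, step=30, digits=6, window=1):
    """Accept the submitted code if it matches the current step or up to `window`
    steps either side (clock skew). The comparison is constant-time so response
    timing does not reveal how many leading digits were right."""
    if timestamp is None:
        timestamp = time.time()
    current = int(timestamp) // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo: the shared secret both sides hold (RFC test-vector key)
    shared_secret = b"12345678901234567890"
    now = time.time()
    code = totp(shared_secret, now)          # what the phone displays
    print("code:", code, "accepted:", verify_totp(shared_secret, code, now))
```

Two things the snippet leaves to the surrounding system: the server must remember the last counter it accepted for a user and refuse a second login with the same code, and the shared secret must be stored with the same care as a password hash, since anyone who reads it can generate every future code.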
2. Biometrics. Remember when the film Minority Report premiered in 2002, and we all watched in amazement as the main character, Captain John Anderton, underwent a risky eye transplant so he could evade the city-wide optical recognition system? We couldn’t fathom such technology actually being used commercially in real life. Well, it’s real. So real that Windows 10 has a feature called Windows Hello, which uses fingerprint, facial and iris (or optical) recognition to grant access to your account. Biometrics replace conventional passwords literally with “something that you are”. In theory, it’s a great idea for your data protection, but in practice biometrics remain flawed and impractical.
3. Device authentication. Encrypting a device helps protect the data it holds from being read by an attacker. User authenticators are a technology that confirms, by various means of artificial intelligence, that the person attempting to operate the device is the person who owns it. A combination of two-step verification and biometrics is used: a pin, a security token, a physical characteristic like a fingerprint, and an “individual human characteristic”, like the way a user types, walks or holds the device.
When it comes to data protection, this is definitely the beginning of the end for conventional passwords. And the beginning of extraordinary alternative authentication processes.