Passwords are still a major security weakness. Easy-to-crack passwords can render even the most sophisticated (and expensive) security measures powerless. Yet despite this vulnerability being well known, too many of us persist with passwords that are weak, easy to guess or repeated across multiple log-ins.
It’s understandable: most users struggle to remember different passwords for the half-dozen or more systems they need to do their work. Each new cloud application complicates matters further, adding a new password to remember; it’s little wonder that the sticky notes and the backs of business cards remain popular ways of storing passwords.
Analysis after embarrassing analysis confirms the risk these practices pose. A 2012 Cambridge study, for example, analysed 70 million Yahoo passwords and found surprisingly little security: an astonishing 75 percent of users had never changed their password, and by testing accounts against dictionaries of common English passwords, researchers were able to guess 8 out of every 100 passwords. Other studies have reported hit rates well into double digits.
What's the magic (pass)word?
The good news is that more and more users are adopting password managers such as 1Password, LastPass, and Dashlane, all of which store passwords in secure ‘digital lockers’ that automatically sync between your devices. They can be set to automatically fill login details for the sites you’ve added, meaning all you need to do is log in to your password manager and let it take care of the rest. Other features include security audits and prompts to change repeated and easy-to-guess passwords.
These apps are a big step in the right direction, but too many of us still rely on our memory to access the systems we need. This leaves us – and our employers – needlessly exposed.
It’s not a new problem: a 2000 Cambridge study found many of the same issues. Even making our passwords more complex doesn’t always fix the problem. A recent Carnegie Mellon University research project found that even long, complex passwords combining numbers, letters, and symbols can be guessed using a mathematical understanding of how human behaviour affects our password choices.
When it comes to business systems, IT and HR teams need to tighten up too. Protocols need to be created to cover shutting down access to systems and services when an employee departs – a recent Lieberman Software survey found 13 percent of respondents still had access to systems at their previous workplaces.
Technological weaknesses can also affect password effectiveness. The recent ‘Heartbleed’ vulnerability, for example, opened a security hole through which outsiders could snoop on passwords traveling to and from websites. Worse still, the bug affected an encryption routine used to secure a significant portion of the world’s websites.
Secure your data with your body, not your brain
Fortunately, non-password-driven security systems have been with us for some time, and the technology to make them ubiquitous is at hand.
Thanks largely to the wide-scale adoption of sensor-filled smartphones and other mobile devices, security is now focusing on helping users prove their identity through an aggregation of factors that complement passwords. You’ve probably encountered two-factor authentication (2FA) systems that text you a unique, time-limited code that you must enter into the system along with your other credentials. The two factors are something you know (your password) and something you own (your mobile device).
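To make the "unique, time-limited code" concrete, here is a sketch of the server side of such a check. It is an example added here, not code from any product named in this article; the class name, the five-minute lifetime, and the three-guess limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for a texted code
MAX_ATTEMPTS = 3         # assumed cap on wrong guesses per issued code


class OneTimeCodes:
    """In-memory store of pending codes, keyed by user id (hypothetical design)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side key for the keyed hash
        self._pending = {}  # user -> [digest, expires_at, attempts_left]

    def _digest(self, user, code):
        # Keyed hash: a copy of the store alone does not reveal live codes.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        # secrets draws from the OS CSPRNG, so codes are not predictable.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [self._digest(user, code),
                               self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # handed to the SMS gateway, never written to logs

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]      # expired or locked out: must re-issue
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(digest, self._digest(user, submitted)):
            del self._pending[user]      # single use: a replayed code fails
            return True
        entry[2] -= 1                    # count the wrong guess
        return False
```

The three properties that matter are all visible in `verify`: the code expires, it works only once, and the number of guesses is capped so a six-digit code cannot simply be tried exhaustively.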
Biometrics is another technology that’s coming into its own as a password replacement. Modern phones, tablets and laptops often include fingerprint scanners, which can be used not only to unlock the device, but also to prove your identity to third-party apps and services (like online banking).
Other biometric identifiers being explored (and in some cases, deployed) include facial recognition, iris scanning, voice matching, hand shape and ear shape.
Going further, other identifiers based on behavioural traits are also coming. These include gait analysis (measured by a phone’s or smartwatch’s gyroscopes), typing style (via keystroke analysis), heartbeat (from a smartwatch or fitness tracker), or even online behaviour (based on baseline activity patterns, which can then detect anomalous behaviour associated with your password).
There are even implantable microchips that hold out the promise of making logging into systems, making financial transactions, accessing public transport systems and entering secure facilities as easy as the wave of a hand.
The trick, as always, lies in getting the balance between privacy and security right. Unless users are comfortable with how their actions will be tracked and their movements monitored, it’s likely that the humble password – with all its faults and flaws – will remain the most common security measure. It’s really the password problem writ large.
A good system, by itself, does nothing: only widespread user adoption will make it successful. The ball is firmly in the security system makers’ court.