609 years and 11 months. That’s how long the password generator website Random-ize tells me it would take hackers to brute force their way through my most important password. This timescale is reassuring, but those of us who work in technology are likely to have been on top of password complexity for many years. Bear in mind what such an estimate actually measures: it assumes a particular guess rate and an attacker who must search the whole character space. A password that already appears in a breach list or a cracking dictionary falls at the first guess, whatever its length. Incredibly, many jaw-droppingly woeful passwords are still popular, for example: ‘qwerty’, ‘123456’ and indeed ‘password’. According to SplashData’s most recent annual top 100 chart of the World’s Worst Passwords, the majority of the top ten can be cracked in less than one second.
Like them or loathe them, passwords are an essential part of so many of the tasks that shape our daily lives: from checking our bank balances to signing in to a Netflix account or unlocking our mobile phones. According to a 2017 study by Digital Guardian, 70% of people have more than ten password-protected accounts online, and 30% have “too many to count.” Yet we are repeatedly advised to use a different password for every login, so that one breached site does not hand an attacker the rest. Hands up if you clicked the ‘forgotten password’ option at least once in the last month. With my current tally of 276 passwords (and rising), it is safe to say that recently adopting a password manager has been a life-changing experience for me.
Because we use so many passwords, they present a dilemma. If a password is easy to remember, perhaps the name of a pet, the street we grew up on or the name of our favorite film star, then it’s probably not very secure. If it’s very complex, it will be a nightmare to remember. According to haveibeenpwned.com, over 5 billion account records have turned up in data breaches, mine included. Hence the password manager.
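To make the two preceding points concrete, here is an added example (my own code, not from the article or from haveibeenpwned.com) that computes the search-space figure a strength meter reports and then checks the same password the way the Pwned Passwords k-anonymity range lookup does: only the first five hex characters of the SHA-1 hash would leave the machine, and the match is made locally. The guess rate, the leaked passwords and their counts are constructed assumptions; the range lookup is stubbed so the script runs offline.

```python
import hashlib

# Assumption: an offline attacker with a GPU rig guessing 10 billion candidates per second
# against a fast, unsalted hash. Online login forms are rate-limited and far slower.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest character-class mix that could have produced this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to exhaust the full search space: the figure strength meters report."""
    space = charset_size(password) ** len(password)
    return space / rate / SECONDS_PER_YEAR


# Constructed stand-in for the Pwned Passwords range API: given a 5-hex-char SHA-1 prefix
# it returns "SUFFIX:COUNT" lines. The passwords and counts here are illustrative, not real data.
_CONSTRUCTED_LEAKS = {"password": 3_600_000, "123456": 23_000_000, "qwerty": 3_900_000}


def _fake_range_response(prefix: str) -> str:
    lines = []
    for pw, count in _CONSTRUCTED_LEAKS.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=_fake_range_response) -> int:
    """k-anonymity lookup: only the 5-char hash prefix is sent; the suffix is compared locally.
    In production fetch_range would GET https://api.pwnedpasswords.com/range/<prefix>."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def assess(password: str) -> dict:
    """A search-space estimate only means something if the password is not already leaked."""
    count = breach_count(password)
    return {
        "search_space_years": brute_force_years(password),
        "breached": count > 0,
        "breach_count": count,
    }


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, assess(pw))
```

Run it and ‘password’ shows a search space that takes seconds to exhaust and, more to the point, a breach hit, which is the signal a password manager or a sign-up form should act on before any “years to crack” figure is displayed.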
So, if passwords are predictable and ineffective for the vast majority of people, are they fit for purpose? Bill Gates, who foresaw mobile devices, the IoT and social media platforms almost 20 years ago, said in 2004 that “there is no doubt that over time, people are going to rely less and less on passwords.” Was he right? If the password has had its day, what are the alternatives?
Biometric authentication, i.e., using metrics related to human characteristics, has had mixed results. On the one hand, the iPhone 5S’s Touch ID solution with a fingerprint scanner was met with near-universal acclaim when launched in September 2013. On the other hand, when Alibaba added a “blink test” to its facial recognition system, it could easily be fooled by a video. The blink is a liveness check, meant to tell a present person from a photograph, but a recording of the enrolled person blinking satisfies it just as well.
Many financial institutions, including Citibank and Bank of America, now let customers sign in to their mobile apps with biometrics such as fingerprint and voice recognition in place of a password, in the hope of reducing the risk of account compromise. Moreover, if a picture is worth a thousand words, London start-up PixelPin has developed a new approach to online authentication using personal photos to replace passwords. The user chooses an image that means something to them, a family photo or a holiday snap, then taps four specific points on that image in sequence. Research on click-based graphical passwords shows users gravitate to predictable “hotspots” in an image, so the choice of photo matters as much as the choice of points.
Apple now allows users to unlock their devices or make payments using Face ID. It even works in challenging conditions such as in the dark or when the owner is wearing sunglasses, and uses machine learning on the device to adapt to gradual changes in a face over time.
However, despite repeated attempts to replace them entirely, passwords still have a place in how we manage our information and identify ourselves online. While biometric authentication greatly benefits protection of the handset itself, what about the multiple online accounts we all live with? Writing in IEEE Security & Privacy on the persistence of passwords, Cormac Herley and Paul van Oorschot argue against the “spectacularly incorrect assumption” that passwords are dead, and conclude that “no other single technology matches their combination of cost, immediacy and convenience”. Staring at my 276 passwords (and rising) I would tend to agree: distributing the risk across this number of points of failure seems like a practical way to contain the impact of any inevitable hacks. But passwords by themselves are not enough.
One reliable way of securing your accounts is two-factor authentication, or 2FA for short. A second factor is required alongside the password: a one-time code delivered by SMS, or generated on the user’s own device by an authenticator app such as Google Authenticator or Authy from a secret shared at enrolment. Even if the password were compromised, the account could not be accessed without that short-lived code. The methods are not equal, though: SMS codes can be intercepted or redirected through SIM-swap fraud, so an authenticator app or a hardware security key is the stronger choice where the service offers one. Many major tech providers actively encourage their customers to use 2FA, while some companies such as MailChimp reward customers with a discount for applying this additional layer of security. The first piece of advice offered to those afflicted by a hack by haveibeenpwned.com is to enable 2FA.
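The app-generated codes mentioned above are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example written for this article, not code from Google Authenticator, Authy or any service named here: it generates codes from a shared secret and shows the server-side check a practitioner actually needs, with a one-step window for clock skew, a constant-time comparison, and a replay guard so the same code cannot be submitted twice. The demo secret is the RFC test-vector key and is an assumption for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, timestamp // step, digits, algo)


def verify_totp(secret: bytes, code: str, timestamp: int, last_counter: int,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns (accepted, new_last_counter).

    Accepts the current time step and its +/-window neighbours to tolerate clock skew,
    compares in constant time, and refuses any counter at or below the last accepted
    one so that a captured code cannot be replayed within the window.
    """
    current = timestamp // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, last_counter


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the seed as base32 in an otpauth:// URI; normalise and decode."""
    s = encoded.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


if __name__ == "__main__":
    # Assumed demo secret (the RFC 4226/6238 test key), not a real enrolment.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    print("server accepts:", verify_totp(secret, code, now, last_counter=0))
```

Note what the replay guard costs: the server must persist the last accepted counter per user, which is exactly why a plain “does the code match?” implementation is the common weak spot in home-grown 2FA.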
Twitter’s Brenda O’Connell stated at Mobile Sunday 2016: “Email is dead. The core identifier is your mobile number, and 2FA is the new password.” While I suspect she is right in the long term, the reality will rest somewhere in between all of these methods for the foreseeable future.
As our technology advances, biometric and facial recognition software is not only making us more secure but also increasing the pace at which we can live our day-to-day lives. Need to unlock your phone? Just hold it up. Need to pay for a coffee? Your thumb is already on the fingerprint reader. One caveat is worth remembering: a face or a fingerprint cannot be changed if it leaks, which is why these systems work best as a convenient local unlock for a credential held on the device, with a passcode still behind them as the fallback. As the challenges of authentication get easier over time, consumers will become more conscious of the fact that their accounts are more secure than they used to be. With various technologies helping us evolve past brute complexity, the primary consideration for the consumer will remain: what is the most convenient way to access my digital life?
Originally published in Forbes.