Are passwords becoming obsolete?

Ever since the dawn of computers, organizations, companies, government agencies and individuals have relied on usernames and passwords as the principal way to identify users and grant (or deny) access to sensitive information, communications and software. In tandem, hackers have been searching for methods to crack and obtain passwords in order to steal restricted data, cause damage, or simply to spite the owner. And they’ve devised more than one way to do so.

Though the tech community has constantly been offering new technologies and guidelines to improve the security of passphrases and help users avoid becoming victims of identity theft, the hacking community has not remained idle and has found workarounds to stay one step ahead.

The increasing number of password thefts has brought many security experts and analysts to question the wisdom and integrity of this authentication method, and rightly so. Here are some of the reasons that may indicate it’s time to move beyond the use of passwords.

Human memory vs. computational power

No matter what technology is being used, passwords will ultimately remain a string of characters that have to be remembered by their owner. And the complexity of the human brain has its own limits when it comes to remembering things.

On the other hand, malicious actors rely on computational power to develop their hacking tools and find ways to break into your password-protected accounts. And as computers become more powerful, brute-force attacks, dictionary attacks and wholesale theft of usernames and passwords from databases are becoming easier for hackers to stage.

Passwords are growing in length and complexity

In order to counter the increasing power of computers, we are forced to think up longer and more complex passwords. Gone are the days when a simple 4- or 5-letter password made up of alphanumeric characters could protect you against password theft. At the moment, the minimum acceptable standard for passwords is 8 characters long and a combination of lower-case and upper-case letters, numbers and symbols.

And even then, you have to add other factors to make your passwords more complex and immune to dictionary attacks. For instance, if you think that cyphering the word “finalize” into “F!n@1!z3” will be enough, think again. Hackers’ password dictionaries are smart enough to try different substitutions for each letter.
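The substitution trick is just as easy for a defender to undo as it is for a cracking dictionary to try, which is why a password policy should check the normalized form rather than counting character classes alone. The following is an added example, not code from the original post: it enforces the 8-character/four-class rule from above, maps symbols and digits back to the letters they stand in for, and rejects “F!n@1!z3” (and the per-service variant “F!n@1!z3tweet” discussed later) against a small, constructed stand-in for a breached-password list. The word list and `MAX_AMBIGUOUS` bound are assumptions for illustration.

```python
import itertools
import re

# Constructed sample blocklist standing in for a real breached-password dictionary.
COMMON_WORDS = {"finalize", "password", "welcome", "letmein", "qwerty"}

# Letters a substitution-aware dictionary would try for each symbol or digit.
# A string of several letters means the character is ambiguous (1 -> i or l).
DELEET = {
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "9": "g", "!": "il",
    "1": "il", "|": "l", "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "2": "z",
}
MAX_AMBIGUOUS = 10  # assumption: bound the expansion to at most 2**10 readings


def candidates(password):
    """Yield every plain-text reading of the password with leet substitutions undone."""
    options = [DELEET.get(ch, ch) for ch in password.lower()]
    if sum(1 for o in options if len(o) > 1) > MAX_AMBIGUOUS:
        options = [o[0] for o in options]  # too many to expand; keep one reading
    for combo in itertools.product(*options):
        yield "".join(combo)


def disguised_word(password, words=COMMON_WORDS):
    """Return the dictionary word the password is built on, or None."""
    for plain in candidates(password):
        for w in words:
            extra = len(plain) - len(w)
            # Bare word, or word plus a short per-service tag such as "tweet".
            if plain == w or (0 < extra <= 6 and (plain.startswith(w) or plain.endswith(w))):
                return w
    return None


def check_password(password):
    """Return the list of policy failures; an empty list means the password passes."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, password) for p in classes):
        reasons.append("needs lower-case, upper-case, digit and symbol")
    word = disguised_word(password)
    if word:
        reasons.append(f"disguised form of dictionary word '{word}'")
    return reasons
```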

But that’s not where problems end.

Passwords are increasing in numbers as our lives become more connected

In days of yore (some 20 years ago), average users only had to manage one or two email accounts and a desktop user account. Today, every person has several emails, social media accounts, and bank and credit card accounts. Many apps on our smartphones require their own username and password combinations. And with the advent of the Internet of Things (IoT), the number of connected things in our homes that require administration credentials is multiplying at a chaotic pace.

And if you want to play by basic security rules, every one of these devices and accounts requires its own unique password. Naturally, remembering so many complex strings can become tedious for users, which forces them to make serious mistakes.

Using shared passwords

In order to work around the problem of remembering so many complex passwords, many users think up one strong password and apply it to all their accounts and devices, thinking that they’re safe. Others make it a little more clever by adding a few characters to each account that relate to the nature of the service provider (e.g. for Twitter, they use “F!n@1!z3tweet”).

But as has been proven time and again, such passwords effectively count as a single password. It will only take attackers one instance of your password, whether it’s obtained through a password database breach at the service provider, a man-in-the-middle (MitM) attack that grabs your password as it is being transmitted, or a phishing attack that lures you into entering your credentials on a fake site. As soon as they have that one instance, they will figure out your password definition scheme and start entering your email/password combination into your other accounts. And if they’ve breached your main email account, it’ll only take a search of your mailbox to see which bank or credit card provider you’re using. By the time you find out that your account has been breached – if you find out at all – the damage is done: your accounts will be completely hijacked and taken out of your control, your money stolen, and your data stored away to be used for malicious purposes such as blackmail, extortion and doxing.

Using default passwords

Another mistake users make is leaving passwords at their default values, especially when it comes to IoT devices at home. This is again symptomatic of the frustration caused by having to remember so many different passwords. And after all, what damage can a hacked light bulb do in comparison to a breached email or social media account anyway?

But as researchers have proven in the past year, every single connected device can become an attack vector and once hacked, can give hackers a foothold into your network, which they can later use to move laterally and lay hands on the more coveted items, such as files and databases.

Failed password recovery mechanisms

With so many complex passwords that need to be handled by users, forgetting passwords has become a given, hence the need for password recovery methods. Password recovery methods mainly rely on asking the user to answer questions pertaining to personal life information. But unfortunately, with the explosion of big data, privacy is becoming a thing of the past, and the answers to many of the recovery questions users set on their accounts can be found with a little research in search engines and social media platforms. The alternative is for users to put fake answers to the questions, which becomes self-defeating, because it puts more strain on users’ memories to remember their own lies, and if they forget the fake answer, they’ll effectively lock themselves out of their accounts if they lose their password (I’ve personally experienced this one – don’t try it).

Recovery by email has its own failings as well. If hackers gain access to the recovery email account, they’ll be able to easily reset the password for all other accounts that are linked to that account. If you don’t get what I mean, just ask CIA director John Brennan.

Passwords are stored in databases

No matter how strong passwords are, they have to be stored in databases. And hackers just love databases. And eventually, when they gain access to those databases, no password, however strong, can protect your account. Providers might brag about their safeguards, but as we’ve seen in the past year, unencrypted or weakly-encrypted passwords, plain-text recovery questions and encryption keys stored next to databases have become the norm in data breach postmortems.
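What “weakly-encrypted” usually means in a breach postmortem is a single unsalted hash applied to every user, so one dumped table can be attacked wholesale and any two users sharing a password are visible at a glance. The following is an added example, not code from the original post, showing that weak pattern next to the hardened form a provider should use (per-user random salt plus a deliberately slow key derivation, compared in constant time). The iteration count is an assumption to be tuned on the real server.

```python
import hashlib
import hmac
import os

# The pattern criticised above: one unsalted, fast hash for every user. Two users
# with the same password get the same record, and a precomputed table cracks all at once.
def weak_store(password):
    return hashlib.md5(password.encode()).hexdigest()


# Hardened form: a fresh random salt per user and a slow key-derivation function.
ITERATIONS = 600_000  # assumption: tune so one derivation costs ~100 ms on your server


def hardened_store(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(stored, password):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def leaks_shared_password(store):
    """True if two users with the same password produce identical stored records."""
    return store("F!n@1!z3") == store("F!n@1!z3")
```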

The point is, with passwords, your fate is in the hands of your service provider, and you have no way to make up for the weaknesses in your provider’s security measures. Furthermore, with cloud computing becoming more and more widespread, even your provider can’t give you a full guarantee, and they have to rely on the security standards of their own IaaS (infrastructure as a service) providers.

What to do?

A lot more can be said, but I think I’ve said enough for today. What is evident is that old, simple passwords have to go, and we need to come up with new methods of authentication that will ensure the safety and security of our identities without adding complexity. Many initiatives have been made by tech giants and startups, some of which are very promising. I will definitely talk more about this in future posts, but for the time being, brace yourself, strengthen your passwords and pray (and if you have any comments, leave them below).

46 comments on “Are passwords becoming obsolete?”

  1. […] The early January theft of more than 320,000 user emails and passwords from cable giant Time Warner gave validation to the argument that simple password authentication is becoming less and less reliable. […]

    Like

  16. […] stole the email addresses and passwords of more than 320,000 users; this incident once again shows that simple password authentication is becoming less and less reliable […]

    Like

  19. […] the situation with passwords. I’ve already discussed the inherent problems with passwords in a previous blog post, and I listed the possible alternatives to passwords in my latest piece in TechCrunch. In this […]

    Like

  20. […] many years, the issues with password-based authentication have been riddling the cybersecurity industry. Passwords are being stolen, bruteforced and […]

    Like

  21. […] I can go on for days, but I think you get the point: passwords per se aren’t enough to protect you. […]

    Like

  22. […] fact that plain passwords are no longer safe to protect our digital identities is no secret. For years, the use of two-factor authentication […]

    Like

  46. […] The facts are very clear. As a means of verifying our identity online, passwords are no longer secure. For years, two-factor authentication (2FA) and multi-factor authentication (MFA) have been used for identity verification and to prevent various kinds of fraud, but debate about their effectiveness continues. […]

    Like
