Ever since the dawn of computers, organizations, companies, government agencies and individuals have relied on usernames and passwords as the principal way to identify users and grant (or deny) access to sensitive information, communications and software. In tandem, hackers have been searching for methods to crack and obtain passwords in order to steal restricted data, cause damage, or simply spite the owner. And they’ve devised more than one way to do so.
Though the tech community has constantly been offering new technologies and guidelines to improve the security of passphrases and help users avoid being the victim of identity theft, the hack community has not remained idle and has found workarounds to stay one step ahead.
The increasing number of password-theft cases has led many security experts and analysts to question the wisdom and integrity of this authentication method, and rightly so. Here are some of the reasons that suggest it’s time to move beyond passwords.
Human memory vs. computational power
No matter what technology is being used, passwords ultimately remain a string of characters that their owner has to remember. And the human brain, for all its complexity, has its own limits when it comes to remembering things.
On the other hand, malicious actors rely on computational power to develop their hacking tools and find ways to break into your password-protected accounts. And as computers become more powerful, brute-force attacks, dictionary attacks and wholesale theft of usernames and passwords from databases become easier for hackers to stage.
Passwords are growing in length and complexity
In order to counter the increasing power of computers, we are forced to think up longer and more complex passwords. Gone are the days when a simple 4 or 5 character alphanumeric password could protect you against password theft. At the moment, the minimum acceptable standard for a password is 8 characters combining lower-case and upper-case letters, numbers and symbols.
And even then, you have to add other factors to make your passwords more complex and immune to dictionary attacks. For instance, if you think that disguising the word “finalize” as “F!n@1!z3” will be enough, think again. Hackers’ password dictionaries already try the common substitutions for each letter.
But that’s not where problems end.
Passwords are increasing in numbers as our lives become more connected
In days of yore (some 20 years ago), average users only had to manage one or two email accounts and a desktop user account. Today, every person has several email, social media, bank and credit card accounts. Many apps on our smartphones require their own username and password combinations. And with the advent of the Internet of Things (IoT), the number of connected things in our homes that require administration credentials is multiplying at a chaotic pace.
And if you want to play by basic security rules, every one of these devices and accounts requires its own unique password. Naturally, remembering so many complex strings becomes tedious for users, which pushes them into serious mistakes.
Using shared passwords
In order to work around the problem of remembering so many complex passwords, many users think up one strong password and apply it to all their accounts and devices, believing that they’re safe. Others add a little cleverness by appending a few characters to each account that relate to the service provider (e.g. for Twitter, they use “F!n@1!z3tweet”).
But as has been proven time and again, such passwords only count as one password. Attackers need just one instance of it, whether obtained through a password database breach at the service provider, a man-in-the-middle (MitM) attack that grabs your password as it is being transmitted, or a phishing attack that lures you into entering your credentials on a fake site. As soon as they have that one instance, they will figure out your password scheme and start entering your email/password combination into your other accounts. And if they’ve breached your main email account, it’ll only take a search of your mailbox to see which bank or credit card provider you’re using. By the time you find out that your account has been breached – if you find out at all – the damage is done: your accounts are hijacked and out of your control, your money stolen, and your data stored away for malicious purposes such as blackmail, extortion and doxing.
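The two weaknesses above (leetspeak disguises of a dictionary word, and a shared base password with a service name tacked on) are exactly what a sign-up password check should catch. The following is an added example, not code from the original post: the word list, the service-name list and the substitution map are constructed samples, and a real deployment would load a full dictionary and a breached-password list instead.

```python
import itertools

# Constructed sample word list (a deployment would load a full dictionary).
DICTIONARY = {"finalize", "password", "welcome", "letmein", "sunshine"}

# Constructed sample of service names users append to a shared base password.
SERVICE_TOKENS = {"tweet", "twitter", "facebook", "gmail", "bank"}

# Substitutions that attacker word lists already enumerate, mapped back to
# letters. "1" is ambiguous (i or l), so it expands to both.
SUBSTITUTIONS = {
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "!": "i", "|": "i",
    "1": "il", "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "2": "z",
}


def canonical_variants(password, limit=256):
    """Expand a password into every plain-letter string it could stand for."""
    options = [[ch] + list(SUBSTITUTIONS.get(ch, "")) for ch in password.lower()]
    variants = []
    for combo in itertools.product(*options):
        variants.append("".join(combo))
        if len(variants) >= limit:  # bound the expansion for long passwords
            break
    return variants


def stripped_forms(word, service_tokens=SERVICE_TOKENS):
    """Yield the word as-is, then with digit runs and service names cut from either end."""
    yield word
    core = word.strip("0123456789")
    yield core
    for token in service_tokens:
        if core.startswith(token):
            yield core[len(token):]
        if core.endswith(token):
            yield core[: -len(token)]


def dictionary_base(password, dictionary=DICTIONARY):
    """Return the dictionary word the password reduces to, or None if it survives."""
    for variant in canonical_variants(password):
        for form in stripped_forms(variant):
            if form in dictionary:
                return form
    return None


if __name__ == "__main__":
    for candidate in ("F!n@1!z3", "F!n@1!z3tweet", "P@ssw0rd2017", "xK9#qL2v"):
        print(candidate, "->", dictionary_base(candidate))
```

A password that reduces to a dictionary word should be rejected at sign-up with a message naming the base word, since an attacker's dictionary will reach it in the same handful of substitutions.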
Using default passwords
Another mistake users make is leaving passwords at their defaults, especially on IoT devices at home. This is again symptomatic of the frustration caused by having to remember so many different passwords. And after all, what damage can a hacked light bulb do compared with a breached email or social media account?
But as researchers have proven in the past year, every single connected device can become an attack vector and once hacked, can give hackers a foothold into your network, which they can later use to move laterally and lay hands on the more coveted items, such as files and databases.
Failed password recovery mechanisms
With so many complex passwords for users to handle, forgetting passwords has become a given, hence the need for password recovery methods. Password recovery methods mainly rely on asking the user to answer questions about their personal life. But unfortunately, with the explosion of big data, privacy is becoming a thing of the past, and the answers to many of the recovery questions users set on their accounts can be found with a little research in search engines and social media platforms. The alternative is for users to give fake answers to the questions, which is self-defeating: it puts more strain on users’ memories to remember their own lies, and if they forget the fake answer, they’ll effectively lock themselves out of their accounts once they lose their password (I’ve personally experienced this one – don’t try it).
Recovery by email has its own failings as well. If hackers gain access to the recovery email account, they’ll be able to easily reset the password for all other accounts that are linked to that account. If you don’t get what I mean, just ask CIA director John Brennan.
Passwords are stored in databases
No matter how strong passwords are, they have to be stored in databases. And hackers just love databases. Eventually, when they gain access to those databases, no password, however strong, can protect your account. Providers might brag about their safeguards, but as we’ve seen in the past year, unencrypted or weakly-encrypted passwords, plain-text recovery questions and encryption keys stored next to the databases they protect have become the norm in data breach postmortems.
The point is, with passwords, your fate is in the hands of your service provider, and you have no way to make up for the weaknesses in your provider’s security measures. Furthermore, with cloud computing becoming more and more widespread, even your provider can’t give you a full guarantee, and they have to rely on the security standards of their own IaaS (infrastructure as a service) providers.
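What breach postmortems call weakly encrypted passwords is usually an unsalted, single-pass hash, which lets one precomputed table crack every user at once. The following is an added example, not code from the original post, contrasting that storage with a salted, iterated PBKDF2 record verified in constant time; the record format and the iteration count are my own choices.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 work factor; tune so one verification costs ~100 ms on the server.
ITERATIONS = 600_000


def weak_record(password):
    """Unsalted single-pass hash, as seen in breach postmortems: two users with the
    same password get the same record, and a precomputed table cracks them all."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, iterations=ITERATIONS):
    """Salted, iterated record stored as 'pbkdf2_sha256$iterations$salt$digest' (hex)."""
    salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password, record):
    """Recompute from the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    weak = {u: weak_record("F!n@1!z3") for u in ("alice", "bob")}
    print("weak records identical:", weak["alice"] == weak["bob"])
    strong = {u: make_record("F!n@1!z3") for u in ("alice", "bob")}
    print("salted records identical:", strong["alice"] == strong["bob"])
    print("login ok:", verify_record("F!n@1!z3", strong["alice"]))
    print("wrong password ok:", verify_record("F!n@1!z3tweet", strong["alice"]))
```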
What to do?
A lot more can be said, but I think I’ve said enough for today. What is evident is that old, simple passwords have to go, and we need to come up with new methods of authentication that ensure the safety and security of our identities without adding complexity. Many initiatives have been launched by tech giants and startups, some of which are very promising. I will definitely talk more about this in future posts, but for the time being, brace yourself, strengthen your passwords and pray (and if you have any comments, leave them below).