The slow death of passwords

People and companies have struggled to escape passwords, but credible alternatives might finally be emerging

Passwords, at their best, are inelegant. The long, indecipherable strings of characters that make up an effective password are impractical for the average person, so companies are searching for a neater way to protect accounts. While no credible alternative has yet displaced them, one may not be far away.

Yahoo! recently announced that users now have the option to ditch their password for an alternative sign-in system. Called Yahoo Account Key, it lets users sign in by confirming that a login attempt is genuine from a notification pushed to their phone, so the phone itself becomes the thing an attacker would need. “It’s secure, and there’s no need to remember a difficult password”, said Yahoo! Product Manager Lovelesh Chhabra in a blog. Google is also trialling a similar system. While neither is likely to deliver a killer blow to passwords, each is another step towards ending an awkward and relatively weak security measure.

The origin of the password dates back to the 1960s and the earliest shared computers. Naturally, so does password abuse. Wired reported that a researcher at the Massachusetts Institute of Technology printed out all the passwords of the school’s Compatible Time-Sharing System in 1962 so he could use the system for more than his weekly allotted time. While the systems for storing and checking passwords have improved since then, people have not.

When major security breaches hit big companies, the public gets a peek at the most commonly used passwords. The lists are generally dismal. Following the Ashley Madison attack, research found the five most common passwords were, from most to least common, ‘123456’, ‘12345’, ‘password’, ‘DEFAULT’ and ‘123456789’.

Since people tend to reuse the same password on multiple websites, one leak like this can be enough for attackers to log in to several other services simply by replaying the leaked username and password there. Even a less common password, like the name of a first pet, offers little protection: the tools attackers use to guess passwords in quick succession try breach lists, dictionary words and names (with the usual digit suffixes) before anything else, so a shorter but genuinely random sequence is tougher to crack than a longer word.

There are plenty of free tools online that will generate an example of a strong password. Passwordgenerator.net is one, and it also provides a mnemonic device to help remember the result. In practice the mnemonic is useless. For example, it suggests the strong password ‘Y3N’:QPn\tC_t:[n’ could be remembered as ‘YELP 3 NUT ‘ : QUEEN PARK nut \ tokyo COFFEE _ tokyo : [ nut’. While one highly complex password could probably be committed to memory by the average person, the dozens needed for multiple accounts can’t be.
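As an added example (not code from the page, from Passwordgenerator.net, or from any password manager mentioned later), the Python script below shows the two points the surrounding paragraphs make: a generator that draws every character from the operating system’s cryptographic random source, which is what a password manager does on the user’s behalf, and a rough estimate of how much work a cracking tool needs when it tries breach lists and dictionary words before falling back to brute force. The common-password set is the five Ashley Madison entries quoted above; the small dictionary, the guess rate and the scoring heuristic are constructed assumptions for illustration.

```python
import math
import secrets
import string

# The five most common Ashley Madison passwords quoted in the article. A real checker
# loads a full breach wordlist (hundreds of millions of entries) instead of this stand-in.
COMMON_PASSWORDS = {"123456", "12345", "password", "DEFAULT", "123456789"}

# Constructed stand-in for the names-and-words list a cracking tool tries first.
SMALL_DICTIONARY = {"max", "bella", "charlie", "lucy", "rex", "fluffy", "password"}

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)
FULL_ALPHABET = "".join(CHARACTER_CLASSES)


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Draw each character with the OS CSPRNG (secrets), never with random.choice."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space_bits(password: str) -> float:
    """Estimate the attacker's work in bits (log2 of guesses), in the order a cracker guesses."""
    if not password or password in COMMON_PASSWORDS:
        return 0.0  # among the first guesses from any breach list
    core = password.lower().rstrip(string.digits)  # 'Bella1' -> 'bella'
    if core in SMALL_DICTIONARY:
        # dictionary word plus a short digit suffix: thousands of guesses, not trillions
        return math.log2(len(SMALL_DICTIONARY) * 10 ** (len(password) - len(core)))
    # Otherwise assume brute force over every character class the password touches.
    extra = {ch for ch in password if ch not in FULL_ALPHABET}  # e.g. accented or CJK characters
    alphabet_size = sum(len(cls) for cls in CHARACTER_CLASSES
                        if any(ch in cls for ch in password)) + len(extra)
    return len(password) * math.log2(alphabet_size)


def seconds_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time for an offline attack; the default rate is an assumed order of
    magnitude for a GPU rig against a fast, unsalted hash."""
    return 2 ** bits / 2 / guesses_per_second


if __name__ == "__main__":
    for candidate in ("123456", "Bella1", "Y3N':QPn\\tC_t:[n", generate_password(16)):
        bits = search_space_bits(candidate)
        print(f"{candidate!r:24} {bits:6.1f} bits  ~{seconds_to_crack(bits):.3g} s")
```

Run as a script it prints the estimate for the article’s examples beside a freshly generated password; the dictionary-plus-digits case (‘Bella1’) scores in single-digit bits, which is why the ordering a cracker uses matters more than raw length.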

People can also easily be tricked into compromising their own security. Social engineering is the act of manipulating people into handing over their password, or the information needed to guess or reset it. An example might be someone impersonating a bank employee and asking for login details over the phone.

John McAfee, cybersecurity icon and founder of the antivirus company that bears his name, claimed he could socially engineer his way into the iPhone at the centre of the FBI’s recent court battle with Apple. He backed down quickly after commentators pointed out that the phone’s owner was deceased, but against a living target tactics like this are highly effective.

There are a few credible alternatives to passwords in development. One is biometric security, in particular fingerprint scanners. Apple now builds fingerprint scanners into many of its devices, and as the technology improves its use will only become more widespread. Other measures look at a person’s iris, voice or even heartbeat.

Amazon recently filed a patent for a ‘pay by selfie’ system, where your camera takes a photo of you winking, smiling or turning your head to confirm a transaction. The gesture is required as a liveness check, to prove that someone isn’t holding up a photo.

While a person might worry about criminals cutting off their thumb to get at their bank account, the reality is more mundane. iPhone fingerprint scanners have been tricked, and will continue to be tricked, in relatively straightforward ways, including with a copy of a print lifted from a surface. The bigger problem with biometrics, though, is that a compromised one cannot be replaced: a person can’t generate new fingerprints. Once the code of a ‘heartbeat signature’ is in the hands of hackers, short of a heart transplant that person could never use their pulse for security again. This is why well-designed systems keep the biometric template on the device and use it only to unlock a replaceable cryptographic key, rather than sending the biometric itself to a server that could be breached.

While none of these provide complete security on their own, a combination of two or more makes sense. Two-factor authentication is already very common, with many services asking for a single-use code sent by email or SMS to verify a login attempt. SMS is the weakest of these channels, since a code can be intercepted or redirected by taking over the victim’s phone number, so codes generated on the phone itself or by a hardware token are preferable. It’s not difficult to imagine a combination becoming the standard in the future, with passwords eventually replaced by a code and a fingerprint, perhaps.

Until then, the best way to make use of passwords remains a password manager. Password managers generate, store and change long random passwords in one place, so the user never has to memorise them or relearn them after a change, and never reuses one across sites. It turns out the best password is the one you don’t even know.

While Bill Gates got his timing wrong when he predicted the end of the password in 2004, he will be right in the long run. The password will be made redundant in the coming years as better and safer solutions are refined and combined.