For all the money and effort we spend on securing our computer systems, users continue to compromise security with passwords that are easy to remember—and easy for outsiders to guess.
It’s understandable: most users struggle to remember different passwords for the half-dozen or more systems they need to do their work. Each new cloud application complicates matters further; it’s little wonder that the sticky note remains a popular way of remembering passwords.
Analysis after embarrassing analysis confirms the risk these practices pose. A 2012 University of Cambridge study, for example, analysed 70 million Yahoo passwords and found surprisingly little security: 75 percent of users had never changed their password, and by testing accounts against dictionaries full of common English passwords, researchers were able to guess 80 out of every 1,000 passwords. Other studies have reported hit rates well into double-digit percentages.
How good is your memory, really?
Some people have turned to password managers such as 1Password, LastPass, and Dashlane—all of which store passwords in secure digital lockers that automatically sync between your devices. Visit a secure website, and these tools will automatically enter your credentials and log you in. They’ll even generate long, complex passwords and store them for you.
As greater Internet usage forces us to use more passwords on a daily basis, password managers are a step in the right direction. But with most of us still relying on our memories to access the systems we need, we—and our employers—remain exposed.
It’s hardly a new problem: a 2000 University of Cambridge study found many of the same issues. Even making passwords more complex—which stretches the memories of most of us to their breaking point—doesn’t always fix the problem. A recent Carnegie Mellon University research project found that even long, complex passwords combining numbers, letters, and symbols can be guessed using a mathematical understanding of how human behaviour affects our password choices.
Lax policies can compromise the effectiveness of passwords—13 percent of respondents to a recent Lieberman Software survey said they can still access systems at their previous workplaces. Technological weaknesses can also undermine passwords. The ‘Heartbleed’ vulnerability, for example, opened a security hole through which outsiders could snoop on passwords travelling to and from websites. Worse still, the bug sat in an encryption library used to secure a significant portion of the world’s websites.
Designing the new identity
Largely driven by the ubiquity of sensor-filled smartphones and tablet devices, security is now focusing on helping users prove their identity through an aggregation of factors that complement passwords. For example, websites using two-factor authentication (2FA) will SMS you a unique, time-limited code that you must enter into the system along with your normal credentials.
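As an added example that is not part of the article, the following Python models the server side of the SMS code flow just described: a code is generated, handed off for out-of-band delivery, and then accepted only once, only within a short window, and only for a limited number of guesses, with the password and the code both required to log in. The class and function names, the six-digit code length, the five-minute window and the three-attempt limit are all assumptions chosen for illustration.

```python
"""Added example (not from the article): a server-side model of the
time-limited one-time code used in SMS-based two-factor authentication.
The code is generated, delivered out of band (here simply returned to
the caller in place of sending an SMS), and must be presented within a
short window alongside the normal credentials. Names, lengths and
limits below are assumptions for illustration."""
import hmac
import secrets
import time

CODE_LENGTH = 6           # assumed: digits in the delivered code
CODE_TTL_SECONDS = 300    # assumed: five-minute validity window
MAX_ATTEMPTS = 3          # assumed: wrong guesses before the code is discarded


class SecondFactor:
    """Tracks one outstanding code per user and enforces expiry,
    single use and an attempt limit."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so tests can move time forward
        self._pending = {}        # user -> (code, expires_at, attempts_left)

    def issue(self, user):
        # secrets.randbelow is CSPRNG-backed; zero-pad so the code always
        # has CODE_LENGTH digits, including leading zeros.
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._pending[user] = (code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code  # a real deployment sends this by SMS rather than returning it

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing outstanding for this user
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]           # expired: discard, user must re-issue
            return False
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(code, str(submitted)):
            del self._pending[user]           # single use: consumed on success
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]           # too many guesses: discard the code
        else:
            self._pending[user] = (code, expires_at, attempts_left)
        return False


def login(password_ok, factor, user, submitted_code):
    """Both factors must succeed: the password check and the one-time code."""
    return bool(password_ok) and factor.verify(user, submitted_code)


if __name__ == "__main__":
    now = [1_000_000.0]
    sf = SecondFactor(clock=lambda: now[0])
    code = sf.issue("alice")
    print("fresh code accepted:", login(True, sf, "alice", code))
    print("replay rejected:", login(True, sf, "alice", code))
    code = sf.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1
    print("expired code rejected:", login(True, sf, "alice", code))
```

The three properties worth noticing are the ones the article's one-sentence description implies but does not spell out: the code is bound to a time window, it is consumed on first successful use so a captured code cannot be replayed, and a wrong guess counts against a small budget so the six digits cannot simply be enumerated.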
Biometrics are another popular advance being used to complement or replace conventional passwords. For example, fingerprint scanners are now built into many mobile devices to provide additional protection. Researchers are looking into other biometric identifiers that can be easily measured using phones and their cameras—including the shape of your hand, the features of your face, the shape of your ear, and voice matching.
The focus on mobile device sensors is driving research into new biometrics that involve careful analysis of behavioural traits such as your gait (which can be measured using a phone’s built-in gyros), your typing style (based on your interactions with the device), or even your heartbeat rhythms (based on readings from wearable fitness trackers).
New network security systems even watch how you work online, establishing baseline activity patterns that can be used to detect anomalies the next time someone logs on with your password. Some people are even looking into implantable microchips that let you prove your identity by waving your hand over a sensor.
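To make the "baseline activity patterns" idea concrete, here is an added Python example (not code from the article or any product it mentions) that builds a per-user baseline from past login events and scores a new login against it. The log format, the field names, the three-hour distance rule and the two-deviation alert threshold are assumptions, and the log lines are constructed sample data.

```python
"""Added example (not from the article): learn a per-user baseline of
login behaviour from past events, then flag a new login whose
attributes fall outside that baseline. Log format, field names and
thresholds are assumptions; the log lines are constructed sample data."""
from collections import Counter, defaultdict

# Constructed sample history: timestamp, user, source /24 network, device id
HISTORY = """\
2024-03-04T08:55:00 alice 203.0.113.0/24 laptop-a1
2024-03-04T09:10:00 alice 203.0.113.0/24 laptop-a1
2024-03-05T08:40:00 alice 203.0.113.0/24 laptop-a1
2024-03-05T13:05:00 alice 198.51.100.0/24 phone-a2
2024-03-06T09:02:00 alice 203.0.113.0/24 laptop-a1
2024-03-06T17:48:00 alice 198.51.100.0/24 phone-a2
2024-03-04T22:30:00 bob 192.0.2.0/24 laptop-b1
2024-03-05T23:10:00 bob 192.0.2.0/24 laptop-b1
2024-03-06T22:05:00 bob 192.0.2.0/24 laptop-b1
"""

UNUSUAL_HOUR_DISTANCE = 3   # assumed: hours away from any hour the user has logged in at
FLAG_THRESHOLD = 2          # assumed: number of deviating attributes that raises an alert


def parse(line):
    """Split one constructed log line into its fields; hour is taken from the timestamp."""
    ts, user, network, device = line.split()
    return {"hour": int(ts[11:13]), "user": user, "network": network, "device": device}


def build_baselines(log_text):
    """Per-user baseline: which hours, source networks and devices have been seen."""
    baselines = defaultdict(lambda: {"hours": Counter(), "networks": set(), "devices": set()})
    for line in log_text.splitlines():
        ev = parse(line)
        b = baselines[ev["user"]]
        b["hours"][ev["hour"]] += 1
        b["networks"].add(ev["network"])
        b["devices"].add(ev["device"])
    return baselines


def hour_distance(hour, seen_hours):
    """Circular distance (0-12) from hour to the nearest hour this user has logged in at."""
    return min(min(abs(hour - h), 24 - abs(hour - h)) for h in seen_hours)


def score_login(baselines, line):
    """Return (deviations, flagged). A user with no history is always flagged."""
    ev = parse(line)
    b = baselines.get(ev["user"])  # .get so scoring never creates a baseline
    if b is None:
        return ["no baseline for user"], True
    deviations = []
    if hour_distance(ev["hour"], b["hours"]) >= UNUSUAL_HOUR_DISTANCE:
        deviations.append("unusual hour")
    if ev["network"] not in b["networks"]:
        deviations.append("new source network")
    if ev["device"] not in b["devices"]:
        deviations.append("new device")
    return deviations, len(deviations) >= FLAG_THRESHOLD


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for attempt in [
        "2024-03-07T09:00:00 alice 203.0.113.0/24 laptop-a1",   # looks like alice
        "2024-03-07T03:12:00 alice 203.0.113.0/24 laptop-a1",   # odd hour only
        "2024-03-07T03:12:00 alice 192.0.2.0/24 unknown-x9",    # odd hour, network, device
    ]:
        print(attempt.split()[0], score_login(baselines, attempt))
```

A correct password presented at an unfamiliar hour from an unfamiliar network on an unfamiliar device scores three deviations and is flagged, while a lone odd-hour login from the usual machine is recorded but not alerted on; that is the distinction the article is pointing at when it says the baseline catches someone who merely has your password.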
It may be a long time before we do away with passwords entirely, but new identity verification processes can reduce or eliminate the chances that someone else can access our systems by pretending to be us. Given the world’s growing interconnectedness, this assurance will be crucial moving forward.