Why the password is dead

If someone told you passwords were a thing of the past, you might well laugh in disbelief. 

Undoubtedly, passwords have been the cornerstone of digital security for a long time. As technology has improved, however, passwords have become increasingly easy to hack, forcing the IT community to search for new solutions. Most people regularly use weak passwords (in fact, we are getting worse at this), yet with the constantly expanding list of websites and services, the number of unique usernames and passwords we are expected to remember grows all the time.

No matter which way you look at it, the problem is enormous. Consider, for instance, the fact that 42 per cent of the world’s 7.2 billion population are now connected to the Internet, and that 52 per cent of these people use the Internet on a mobile device. In the US, these statistics are even higher, with 64 per cent of adults using the Internet via a connected smartphone, a number that shoots up even further in the 18 to 24 year age range.

Most of these people subscribe to email accounts such as Gmail, and have social media accounts such as Twitter and Facebook. Others use workflow management applications like Trello, and messengers like Skype or Slack. Then there are forums, online magazine subscriptions, banking and PayPal accounts, and online shopping accounts, and so much more.

In other words, with a seemingly endless list of reasons for passwords, and an ever-increasing number of connected people, we can’t help but see the enormity of the problem. This is exacerbated by the fact that most people do not do enough to ensure their digital security.

A recent string of celebrity hacks has reinforced the danger of weak password management. No-one, it would appear, is safe from cybercriminals and their malevolent technical prowess. Peer a little closer at the startling phenomenon, however, and you’ll discover the reason Facebook’s Mark Zuckerberg and Twitter’s Jack Dorsey were hacked is that they had weak passwords, which they had unwisely reused across various online accounts. The problem with passwords is that unless they are incredibly complicated (and by that, I mean impossible to remember), they are easy to hack. Astonishingly, despite that knowledge, Zuckerberg reportedly used ‘dadada’ as his password.

The next problem is that you can’t use the same password for different accounts, because if one gets hacked, then they all will. This, again, is precisely the mistake that Zuckerberg made, and is why his Facebook was hacked after his password was stolen from a different service’s (LinkedIn’s) servers.

If passwords are so insecure, then, and easier to crack with every passing moment, what are we supposed to replace them with?

For some time now, firms with an online presence have been employing a number of techniques to shore up their websites’ security. A famous example of this is the somewhat annoying ‘Captcha’ feature. The hard-to-read characters are designed to distinguish you from a bot that is attempting to ‘brute force’ the password stage of your login. Though Captchas do work well for this purpose, they aren’t a convenient security implementation, as they negatively affect the user experience.

The security feature that has so far emerged as the winner in the rush to abolish the password is two-factor authentication (2FA), which mainly uses SMS messages to verify users’ identities. With almost 100 per cent of young adults in the US owning at least one phone, just about all of them could receive a two-factor authentication code. Logging in with a code that arrives via SMS is a very robust form of security, because it requires you to actually possess a phone verified as belonging to you.

While, of course, it is possible for you to be mugged or lose that phone, it should (hopefully) also have built-in password security. So the steps involved in getting into your account are much stronger than with a password alone. Sadly, hackers have ways of accessing your phone’s SMS messages.

A Remote Access Tool (RAT), such as the one discovered in the unofficial Pokemon Go .apk file, gives a hacker control of all of a phone’s features, meaning that they have access to any 2FA codes sent via SMS.

Another solution to the password problem is to use password management tools such as KeePass. These protect your passwords behind strong encryption. You need only remember one password, and can then give all your accounts long, random, and (most importantly) different passwords. This certainly does decrease your chance of getting hacked, but with the rise of quantum computing (for example, the kind of systems being developed by D-Wave), we are fast approaching a time when government intelligence agencies such as the NSA or GCHQ will be able to crack even the military-grade encryption protocols used by password managers.
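To make the two points above concrete (one breached password sinks every account that reuses it; a manager lets you remember one master password and hold a distinct random password per account behind encryption), here is an added Python model. It is not KeePass’s code or file format (KeePass uses AES or ChaCha20 with Argon2 or AES-KDF); the HMAC-based stream cipher, the hypothetical vault layout and the sample passwords are constructed for this illustration.

```python
# Added example, not from the article or from KeePass: a minimal password-manager model
# using only the Python standard library. The keystream cipher below is a demonstration
# construction (HMAC-SHA256 counter mode, encrypt-then-MAC), not KeePass's real format.
import hashlib, hmac, json, os, secrets, string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def derive_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the one memorised master password into a 64-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)

def generate_password(length: int = 24) -> str:
    """Long, random and different for every account: the whole point of a manager."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:n]

def encrypt_vault(master_password: str, vault: dict) -> dict:
    """Vault = {site: password}. Fresh salt and nonce per save; tag covers nonce + ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(vault).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}

def decrypt_vault(master_password: str, blob: dict) -> dict:
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    # Wrong master password or a tampered file fails the tag check before any decryption.
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ciphertext, "sha256").digest(), tag):
        raise ValueError("wrong master password or corrupted vault")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)

def accounts_exposed_by_breach(vault: dict, breached_site: str) -> list:
    """The reuse problem: every account sharing the leaked password falls with it."""
    leaked = vault[breached_site]
    return sorted(site for site, pw in vault.items() if pw == leaked)
```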

So the password truly is dead. So, now what?

Wells Fargo & Co. (WFC) says that the password will be gone in 5 years, and the firm is predicting that biometrics are the solution. Most people agree.

Retina scanning for bank account access is another area currently being examined by WFC. Retina scanners work by taking pictures of veins and other unique physical attributes in people’s eyes. These unique features are then turned into a digital code, which is matched against a stored template.

Smartphones have also introduced fingerprint scanners as a replacement for passwords when unlocking mobiles and tablets, so there is certainly hope in tech security circles that our physical features are the solution to the problem.

Once again, however, there are problems, and they involve the fast-paced evolution of technology. D-Wave company founder Geordie Rose has already described the second generation of his company’s technology as ‘like standing in front of an alien altar’. NASA and Google have claimed that the one in their possession is 100 million times faster than a regular single-chip traditional computer.

With so much power to hand, and so much more on the way, we have to wonder whether WFC’s servers, which contain the digital templates of people’s eyes, are going to be the weak link. After all, crack them, and you have access to all the unique eye signatures stored there.

So what is the answer to the password problem?

Nobody knows, but I can tell you one thing: the password is dead.

Ray Walsh at BestVPN