Do we still need passwords?
Passwords have been with us for such a long time that we have subconsciously come to put faith in some bunch of characters – digits, letters, and special characters – as a form of protection for our personal and sensitive data. And with our increased use of websites and apps that require us to enter passwords as a means of authentication, our dependence on passwords has heightened. The cliché is “get a stronger password to protect your data”. Wrong! Why would you think you would ever be safe behind a string of keyboard characters?
Traditional passwords are a high security risk. When databases are compromised, like the ones at JP Morgan Chase (76 million users), Adobe (36 million users) and eBay (145 million users), the hackers primarily target passwords. Even when passwords are stored cryptographically in “hashed” form, these guys are still able to obtain the database containing the hashed passwords and work on it offline. Once a hacker gets hold of your password, he is likely to try it out on several popular websites and apps. That makes you very vulnerable.
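What a leaked table of hashes is worth to whoever stole it depends almost entirely on how the hashes were made. The following is an added illustration, not code from the article or from any of the breached companies: it stores passwords with a per-user random salt and PBKDF2-HMAC-SHA256 (the iteration count and salt length are this example's own choices), verifies them in constant time, and measures how much more each guess costs against such a record than against a bare SHA-256 of the password.

```python
import hashlib
import hmac
import os
import time

# Parameters are this example's own choices, not values from the article.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two identical passwords produce different
    records, so one precomputed table cannot be reused across the whole database.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored salt and iteration count and
    compare in constant time, so a malformed or tampered record simply fails."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256" or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def cost_per_guess(iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Time one guess against a bare SHA-256 record versus a PBKDF2 record.

    The ratio is the difference between 'the database leaked' and 'every
    password in it can be recovered by lunchtime'.
    """
    sample = b"constructed-sample-password"   # constructed input, not a real credential
    salt = os.urandom(SALT_BYTES)

    fast_samples = 10_000
    t0 = time.perf_counter()
    for _ in range(fast_samples):
        hashlib.sha256(sample).digest()
    fast = (time.perf_counter() - t0) / fast_samples

    slow_samples = 3
    t0 = time.perf_counter()
    for _ in range(slow_samples):
        hashlib.pbkdf2_hmac("sha256", sample, salt, iterations)
    slow = (time.perf_counter() - t0) / slow_samples

    return {
        "sha256_seconds": fast,
        "pbkdf2_seconds": slow,
        "slowdown_factor": slow / fast if fast > 0 else float("inf"),
    }


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))
    print("same password, second record differs:", hash_password("correct horse battery staple") != record)
    print("cost per guess:", cost_per_guess())
```

The slow, salted derivation does not stop a stolen database from being attacked, which is the article's point; it changes the economics from millions of guesses per second to a few per second per core, and the per-user salt means that work cannot be shared across accounts. A memory-hard function such as scrypt or Argon2 raises the cost further; PBKDF2 is used here only because it ships with the standard library.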
How they get in
As long as you have entered your personal information online or on an app, you are exposed and vulnerable. Cracking your digital life is just too easy for hackers. If I want to take control of your email account, all I need to do is go to the email provider, enter your name and perhaps the place where you were born (information that is readily available on Google), and I will be offered a password reset. Once I have reset your password, I can log in as you!
From your email account, I could proceed to take over your online banking account. All I need to do is search for “bank” in your email account. From there I could see all your online transactions. Again, I could go to your online bank account, reset your password and take full control of it. Simple as a breeze. In less than 30 minutes, hackers could easily take full control of your entire digital life – your credit cards, SS number, Amazon, eBay, Netflix, Verizon and PayPal accounts. In all of these hacks, the entry point has always been the password.
But how are these guys able to gain access to our accounts? By trickery, simple as that. A popular trick is what is known as phishing, in which they mimic a popular site and ask people to enter their login details. Here they won’t have to bother cracking your password, as you willingly volunteer it to them. No matter how strong you feel your password is, that won’t save you when it comes to phishing.
Far worse than phishing is the use of malware. These are programs that hide within your computer without your knowledge and work by installing keyloggers that monitor your keystrokes and what you view, and export your data to third parties. They mainly target large organizations with the aim of accessing their entire network.
Last summer, my friend’s company lost close to half a million dollars to these hackers. What the hacker did was quite simple. He hacked into their email server, got into the company’s email account and read through all their transactions with their technical partners abroad. He intercepted emails from each end, reconstructed them and sent them to the unsuspecting recipient. He told their partners to make the next batch of payments to a new bank account. Even when the bank sent verification for the transaction, he hacked into the mobile phone and got the verification codes. To date, Interpol is still trying to resolve the issue. I could go on and on giving you chilling instances where people’s accounts – private and corporate – have been compromised, all beginning with a password. The era of passwords and their relevance is long gone. We are simply yet to realize it.
Security Vs Convenience
Apart from the inherent risk involved in using a string of characters as a password, users have to remember usernames and passwords for dozens of websites and applications. This can be very frustrating, especially when you use different usernames and different passwords for different websites and apps. I have personally changed passwords countless times until I got confused about which one applied to which website or app. Yes, there are apps that can store passwords and usernames, but once again, is it really worth the risk? In a recently conducted survey, more than half of the respondents preferred nontraditional passwords. That tells you a whole lot.
Alternatives to traditional passwords
Use of traditional passwords will continue to decline in the years ahead. So, assuming we choose to confine passwords to the trash bin, where does that leave us? We still need some form of security and authentication to protect our stuff online. What alternatives to traditional passwords for authentication are we left with? Since authentication helps to ascertain whether or not a technology user is who and what they claim to be, we have to find options that securely protect our information without sacrificing our convenience, preferably ones that rely on personal and highly customized methods of identification.
There is a subtle paradigm shift towards biometric authentication for protecting our personal and corporate information. Fingerprints, facial recognition, voice recognition, and a few others are gradually becoming mainstream. The open question with these newer means of authentication is whether they can be deployed everywhere, on every device and in all weather and lighting conditions.
We could also combine biometrics with passive authentication methods. Such passive methods include checking whether your Wi-Fi network is on or whether your Bluetooth is connected. You may also choose to log in using your social media accounts. All of these actions are directly under your full control. These “multi-factor authentication” processes are necessary to provide an additional layer of protection for your stored data.
Imagine if you could tie this multi-factor authentication exclusively to your personal devices, such that even if a hacker somehow managed to get around your facial and fingerprint authentication, as long as they are not using your personal devices, they still can’t access your data. Wouldn’t that just be lovely? With “device authentication” that is now a reality. Here, whenever anyone tries to access your data, they are required to present built-in features that are peculiar to your device. However, for that to be of any value to you, the websites and apps you use would already have to be compliant with this technology. To achieve that, they would have to save your passwords in an encrypted format such that each time you visit these sites, the device simply enters the saved passwords and logs you in automatically.
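The property the paragraph above wants, that a stolen password is useless without the enrolled device, can be shown with a small challenge-response design. The code below is an added example, not the article's own scheme or any particular vendor's product: it assumes a server keeps a per-user password record plus a secret key for each enrolled device, issues a fresh random nonce at login, and accepts the login only if both the password and the device's HMAC over that nonce check out. The user, device names and keys are constructed for the example; a real deployment would keep the device key in a secure element and use a signature rather than a shared key.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "server" state for the example; a real service would persist these.
USERS = {}      # username -> {"salt", "pw_hash", "devices": {device_id: device_key}}
PENDING = {}    # (username, device_id) -> outstanding nonce, consumed on first use
PBKDF2_ROUNDS = 100_000   # example's own choice


def register_user(username: str, password: str, device_id: str, device_key: bytes) -> None:
    """Enroll a user with a salted password record and one trusted device."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "devices": {device_id: device_key},
    }


def start_login(username: str, device_id: str) -> bytes:
    """Step 1: the server issues a fresh random nonce for this (user, device) pair.
    Unknown devices also get a nonce, so enrollment status is not leaked here."""
    nonce = secrets.token_bytes(32)
    PENDING[(username, device_id)] = nonce
    return nonce


def device_respond(device_key: bytes, nonce: bytes) -> bytes:
    """What the enrolled device does with the challenge: HMAC it with a key that never leaves the device."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def finish_login(username: str, password: str, device_id: str, response: bytes) -> bool:
    """Step 2: both factors must check out, the password and a valid response to the outstanding nonce."""
    nonce = PENDING.pop((username, device_id), None)   # consumed here, so a replay finds no nonce
    user = USERS.get(username)
    if user is None or nonce is None:
        return False
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(pw_hash, user["pw_hash"])
    device_key = user["devices"].get(device_id)
    if device_key is None:
        return False
    expected = hmac.new(device_key, nonce, hashlib.sha256).digest()
    device_ok = hmac.compare_digest(expected, response)
    return password_ok and device_ok


def run_scenarios() -> dict:
    """Exercise the flow: legitimate login, replay, known password on an unenrolled device, wrong password."""
    phone_key = secrets.token_bytes(32)          # constructed device secret
    register_user("alice", "correct horse battery staple", "alice-phone", phone_key)

    nonce = start_login("alice", "alice-phone")
    legitimate = finish_login("alice", "correct horse battery staple", "alice-phone",
                              device_respond(phone_key, nonce))

    # Same captured response presented again: the nonce was consumed, so it must fail.
    replay = finish_login("alice", "correct horse battery staple", "alice-phone",
                          device_respond(phone_key, nonce))

    # The password leaked, but the login comes from a device that was never enrolled.
    nonce2 = start_login("alice", "unenrolled-laptop")
    other_device = finish_login("alice", "correct horse battery staple", "unenrolled-laptop",
                                device_respond(secrets.token_bytes(32), nonce2))

    # Right device, wrong password: the device factor alone is not enough either.
    nonce3 = start_login("alice", "alice-phone")
    wrong_password = finish_login("alice", "guess", "alice-phone", device_respond(phone_key, nonce3))

    return {
        "legitimate": legitimate,
        "replay": replay,
        "other_device": other_device,
        "wrong_password": wrong_password,
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15s} -> {'accepted' if result else 'rejected'}")
```

Only the first scenario is accepted. The nonce is consumed on first use, so a response captured in transit cannot be replayed; the device key never crosses the wire, so phishing the password yields nothing usable without the enrolled device; and the password is still checked, so a lost phone on its own does not open the account.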
As our use of technology continues to grow, so do the risks that come with it. Technology users will want more security, protection, and privacy than traditional passwords can offer. Better alternatives will become mainstream as passwords gradually lose their relevance and become obsolete. The sun may well be setting on traditional passwords as we know them.