Time to reset the password

I started secondary school in the late eighties, where our regular Comprehensive had the luxury of two computer suites; one with pale grey RM Nimbus PCs running Windows 3.1 and the other with lots of colourful 8-bit BBC Micro and Master computers. They were great for students, introducing the BASIC programming language and simple graphics editing, and very much of their time. Yet these yellowing museum exhibits have one thing in common with today’s devices: passwords.

We’re talking about a period of time well over TWENTY-FIVE years ago. There’s little point trying to draw out a comparison between what we do and have now electronically – it’s a whole universe away – and yet our security hasn’t changed, perhaps other than the hidden text once appearing as the oddly attractive, ASCII-based asterisks to small, circular blobs in our password text fields. It’s got to stop.

There have been promises, predictions even, but nothing has really materialised other than simple fingerprint readers on phones to access them and content in our apps. It just seems crazy that for all the amazing evolution in digital security, the only common contact point between it and regular users is a slightly reworked concatenation of a favourite pets’ name and date of birth. It’s as if it hasn’t evolved at all, like building an ever grander house over time but leaving a paper lock on the front door.

mr-robot-s02e08-succ3ss0r-p12-3
In this scene from hit TV series Mr. Robot, hacker Trenton, played by Sunita Mani, finds user and password details simply written down on a Post-It note.

Recent data breaches haven’t just been bad publicity for big tech companies. It has provided a chance for cyber specialists to uncover the fact that the world’s most common password is 123456. I’m surprised, actually – I’d have bet on simply “password” – but it’s not those users we should be aghast at. It’s the security software we’re given and over time have come to accept, lose faith and/or interest in, before taking ridiculous shortcuts.

Users are inherently lazy and will routinely take the path of least resistance. The trouble is, that path may secure our bank account access, social media profiles or email. Brute force attacks to find passwords are easy enough, but if you’ve written yours down (and attached it to a monitor), you might as well tell everyone in the street.

Yet all this isn’t the users’ fault. For all the benefits and complexities that our digital tools provide us, access to them must not be the responsibility of the end user. The digital culprits encouraging this behaviour are everywhere. For instance, browsers that save your login data, causing you to forget when the password either expires or you get a new device (and then subsequently enter an old, shared or simple password just to get connected quickly). We might feel lucky that usernames are more commonly email addresses to help us remember – in the past that wasn’t always the case – but for hackers this is a dream, as the passwords you’ve been sharing across your social media sites can be quickly repeated across lots of networks to gain entry.

Two-factor authentication is the way forward in the short-term. Combine a biometric with a simple, personal question (like your first pet’s name, or favourite football team), then let the biometric allow access with the personal question thrown in again from time to time. The encrypted biometric is a random, meaningless string of ones and zeros but to a device it’s very much you.

The next big cyber security battleground must be ridding the world of these damned passwords once and for all. We can’t be typing them in 25 years from now, that’s for sure.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s