The Password is Not Dead
By David Gilbert | February 16, 2013 4:09 AM EST
The password has been dead for 20 years or so, but it continues to persist and only a fundamental change in how the internet operates will finally put a nail in its coffin.
The Romans invented passwords over 2,000 years ago. Passwords or watchwords were used in the military, passed on each day from unit to unit in a coordinated and simple fashion. Fail-safes were even built into a system which was simple, straightforward, and most importantly difficult to crack.
Today people are creating new passwords every single day in order to gain access to the latest social network, order something through an online store or just to view content on a website. In contrast to the time of Caesar, passwords today are complex, confusing and, most worryingly of all, easy to crack. It seems as if we have not come very far in the last 2,000 years.
To say the password is dead is to state the obvious. The problem is, we have been stating the obvious now for some 20 years. It has been clear for almost two decades that the username/password system we use every single day does not work in today's always-on, always-connected world.
The problems are clear. As more and more of our lives are tied up in online services such as Facebook, Twitter, email and many more too numerous to mention, the need to remember multiple passwords grows.
Passwords should, on the face of it, work. Security experts tell us to have different passwords for every login we use online, and that each of these passwords should be long, random combinations of upper and lower case letters, numerals and special characters.
The problem is people.
People are lazy and will always do the minimum required of them when setting a password. Password policies have raised the bar slightly, but only insofar as people will include one uppercase letter and one numeral and make their password just eight characters long.
The graph below shows this more clearly than I ever could:
The result is that Password1 is the most used password, according to Trustwave's recent Global Security Report. Lists such as this crystallise the problem: year after year, passwords such as 123456, Password1, Welcome1, ninja and hello123 are used by tens of thousands of people across all online portals.
This makes the lives of cyber criminals a lot easier. Once they have a list of usernames, all they need to do is try the top ten most common passwords against every one of them and they are likely to get into a huge number of accounts. Trying a few passwords against many accounts, rather than many passwords against one, also keeps each account below the lockout threshold that would stop a conventional brute-force attempt.
And once they have access to one account, human nature and hard evidence suggest they will then be able to access a lot more of that person's accounts, as people just cannot be bothered to remember different passwords for every one of their accounts.
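What that attack looks like from the defender's side is worth showing, since the pattern is the opposite of the one most lockout rules are written for. The following is an added example, not code from the article or from Trustwave: it classifies each source address in a set of authentication log lines as a password spray (many accounts, few failures each), a brute force (many failures on one account) or benign, and lists any account that logged in successfully from a flagged source. The log format, usernames and addresses (RFC 5737 documentation ranges) are constructed for illustration, and the thresholds are assumptions.

```python
"""Spotting a password spray in authentication logs.

Added example, not from the article. The log format, the usernames and the
source addresses below are constructed; the thresholds are assumptions.
"""
import re
from collections import defaultdict

LOG_LINE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

# Constructed sample: one spraying source, one single-account brute force and
# one legitimate user who mistyped once.
SAMPLE_LOG = [
    "2013-02-15T10:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2013-02-15T10:00:02Z src=203.0.113.7 user=bob result=FAIL",
    "2013-02-15T10:00:03Z src=203.0.113.7 user=carol result=FAIL",
    "2013-02-15T10:00:04Z src=203.0.113.7 user=dave result=FAIL",
    "2013-02-15T10:00:05Z src=203.0.113.7 user=erin result=FAIL",
    "2013-02-15T10:00:06Z src=203.0.113.7 user=frank result=OK",
    "2013-02-15T10:01:00Z src=192.0.2.5 user=alice result=FAIL",
    "2013-02-15T10:01:05Z src=192.0.2.5 user=alice result=OK",
] + [f"2013-02-15T10:02:{i:02d}Z src=198.51.100.9 user=admin result=FAIL" for i in range(12)]


def parse(lines):
    """Yield (source, user, result) for every line that matches the log format."""
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            yield m["src"], m["user"], m["result"]


def classify_sources(lines, spray_min_users=5, spray_max_per_user=3, brute_min_fails=10):
    """Per source address: 'password-spray', 'brute-force' or 'benign'.

    A spray is many distinct accounts with only a few failures each (every
    account stays under its lockout threshold); a brute force is many failures
    concentrated on one or two accounts.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for src, user, result in parse(lines):
        if result == "FAIL":
            fails[src][user] += 1
    verdicts = {}
    for src, per_user in fails.items():
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            verdicts[src] = "password-spray"
        elif sum(per_user.values()) >= brute_min_fails:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "benign"
    return verdicts


def logins_from_suspicious_sources(lines):
    """Accounts that logged in successfully from a flagged source: the spray
    found a weak password, and those accounts need a reset."""
    verdicts = classify_sources(lines)
    hits = defaultdict(set)
    for src, user, result in parse(lines):
        if result == "OK" and verdicts.get(src) in ("password-spray", "brute-force"):
            hits[src].add(user)
    return dict(hits)


if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
    print(logins_from_suspicious_sources(SAMPLE_LOG))
```

Grouping by source address is the simplest pivot and the one a real spray is designed to defeat: attackers spread the attempts over many addresses and slow them down, so a production detection also looks for the same handful of accounts failing across many sources within a window, and pairs it with a per-account lockout that is not defeated by one attempt per account.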
The security experts all tend to agree that the username/password system is well past its sell-by date.
In a paper entitled "The Death of Username and Password", CertiVox CEO Brian Spector says: "Manifestly, username and password logins are no longer fit for purpose", calling the system "fundamentally flawed" and one which has "been repeatedly compromised in many high-profile incidents."
Spector lists a number of high profile companies which have had their username/password databases stolen, including Yahoo, Nvidia and LinkedIn.
Trustwave agrees: "The days of passwords are gone. Even a completely random eight-character password that utilizes all four character types, such as J*1jaw)2, is far easier to crack than a 25-character passphrase with upper and lower case letters, such as HereIsMyPassphraseGuessIt."
In its latest Threat Report, F-Secure doesn't pull any punches: "The password is dead and we all know it." It goes on to say that with today's processing power, passwords which are strong enough to withstand brute force attacks are simply "too difficult for the human brain to remember."
But, as I said earlier, this has all been known for a number of years now, yet nothing has emerged as a clear successor to the username/password system. There are, however, a number of solutions vying to be our online saviour.
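The Trustwave comparison is easy to check, and checking it also exposes the caveat a practitioner would raise: the passphrase is made of ordinary English words, so an attacker who guesses word sequences faces a far smaller search than the letter-by-letter count suggests. The following is an added example, not from the article or from Trustwave. It computes the keyspace of the two passwords quoted above, once over characters and once over words, and turns the bits into cracking time at an assumed guess rate; the guess rate and dictionary size are assumptions chosen for illustration, not measured figures.

```python
"""Keyspace behind the Trustwave comparison quoted above.

Added example, not from the article or from Trustwave. The guess rate and the
dictionary size are assumptions for illustration.
"""
import math
import re

PRINTABLE_ASCII = 95               # upper, lower, digits and symbols together
MIXED_CASE_LETTERS = 52            # upper and lower case letters only
ASSUMED_GUESSES_PER_SECOND = 1e9   # assumption: offline attack on a fast hash
ASSUMED_DICTIONARY_SIZE = 10_000   # assumption: words an attacker would try


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of keyspace for a uniformly random string: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


def split_camel_case_words(passphrase: str) -> list:
    """Recover the words of a CamelCase passphrase such as 'HereIsMyPassphraseGuessIt'."""
    return re.findall(r"[A-Z][a-z]*", passphrase)


def dictionary_attack_bits(passphrase: str, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> float:
    """Keyspace if the attacker guesses word sequences instead of characters."""
    return len(split_camel_case_words(passphrase)) * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a keyspace of the given size."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare(random_password: str, passphrase: str) -> dict:
    """The three figures that matter for the claim above."""
    return {
        "random_bits": keyspace_bits(PRINTABLE_ASCII, len(random_password)),
        "passphrase_bits": keyspace_bits(MIXED_CASE_LETTERS, len(passphrase)),
        "passphrase_bits_vs_dictionary": dictionary_attack_bits(passphrase),
    }


if __name__ == "__main__":
    result = compare("J*1jaw)2", "HereIsMyPassphraseGuessIt")
    for name, bits in result.items():
        print(f"{name}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years to exhaust")
```

The random eight-character password comes out at roughly 52.6 bits, under a year of work at the assumed rate, while the passphrase is about 142.5 bits counted by letters. Counted by words it drops to about 79.7 bits under the assumed dictionary, which is still some twenty-seven bits (a factor of over a hundred million) ahead of the random password, so the claim survives the caveat; what would not survive is a passphrase whose words are a well-known phrase, because that is a single dictionary entry, not six.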
Google is one company working to resolve the problem, as outlined in a research document published by Vice President of Security Eric Grosse and Engineer Mayank Upadhyay. It details how we could use a token to authenticate our identity by simply tapping it onto the computer we want to log into our Google account with.
The token could be anything from your bank card to your smartphone or as Grosse and Upadhyay mention, a ring with an embedded smartcard. While you will still have to use a password to unlock the screen, without the token, nothing will work.
This however presents its own problems. If your token is stolen, it's going to be difficult to identify yourself online in order to cancel the token. Aside from the problem of theft, having to remember your token everywhere you go is an added hassle.
Another solution is being investigated by Pixel Pin, a UK company which believes that pictures will replace traditional passwords. Pixel Pin was founded in 2011; Brian Taylor used his experience of working in Homeland Security to create a more secure way of logging in online.
Using a picture of your own choosing, you pick a number of passpoints (a minimum of three is recommended, and the more the better) and you tap these in the right sequence when you want to sign in.
This of course depends on websites and online services signing up for Pixel Pin, which is some way off yet, though the company did tell me it was currently trialling a beta version of the system.
A third option is two-factor authentication. This system relies on something you have and something you know. Take for example the ATM card in your pocket. The card itself is something you have, while the PIN is something you know.
Now imagine this system but where both elements are digital and the environment in which they exist is created by software not hardware. That is what CertiVox has done with its SkyPin system.
This is how the system will work. You fire up your browser, up pops a virtual 9-digit keypad like at an ATM, and you are requested to input your SkyPin. Once you have entered the code, you will then be signed into any service which has signed up to use SkyPin.
Spector reckons any web developer worth his or her salt would be able to implement SkyPin authentication on their site within five minutes. He believes the system is infinitely more secure and infinitely more memorable than username/password.
However, like picture passwords and Google's token idea, SkyPin will only work if it is adopted on a widespread basis. It is no good remembering your SkyPin for a handful of sites if you still need to remember your passwords for the other 50 you log into on a regular basis.
Passwords have been around since the time of the Romans for a reason. They are ubiquitous and people understand them. Changing the system is going to be a monumental shift in the way the internet works, and thus how an increasingly large chunk of our lives work.
The password is dead, it has been for 20 years or so, but we are likely to be talking about its imminent demise for many more years to come.