
Passwords just don’t hack it

Like everyone, I’m completely fed up with passwords and online security.

It just doesn’t hack it anymore, or is it that it makes things easiest to hack?

The system is thirty years old – I used to use passwords to get onto the company network back in the 1980s.  In fact, it’s even older than that. Polybius recorded the use of passwords back in the Roman Military days two millennia ago.

And now the system is broken.

I mean, even back in the 1980s it was more secure because the company made me change my password every four weeks.  Today, I am rarely forced to change a password and I’ve just got too darned many of them.

There’s a password for iTunes, a password for email, a password for Amazon, a password for the bank, a password for my airline, a password for my mobile, a password for Google, a password for the credit cards, a password for the lottery …

Yep, there’s a password for everything.

And, like everyone, we’re told not to write the things down, but how can you remember so many passwords?

You can’t.

So you put them all in a notepad or secure them somewhere on your PC or put them into some online password manager, but it’s all just crass stupidity.

Even with these secure systems, you just end up making all your passwords variations of the same thing.  Even that doesn’t work as some sites use capital and lowercase letters, some are just lower case, some demand numbers whilst others want a minimum of 8 characters … can you ever remember which site demanded which format?

What you end up with is a mess of passwords that you can’t remember.

So you then use the same one for everything, but that has dangers too.

How a cyber-security firm got hacked

“Barr and some of his colleagues, Anonymous then discovered, had committed computer security's biggest sin: They used the same password on multiple accounts. The hackers commandeered Barr's Twitter and LinkedIn accounts, lacing both with obscenities. One of the passwords also opened the company's corporate Google account. Jackpot. In less than 48 hours, the hackers had the keys to the kingdom.”

And then it gets worse.

So how do you create a secure signon?

If you’re a bank, you force customers to log on to the bank with a password and a PIN, and then demand that they put their PIN in again on another device in order to generate a one-time passcode.  You then enter the passcode, get another code back, enter that online and off you go.

It is ridiculous, and none of it is easy or intuitive.

So what’s the solution?

IP address?

Pattern recognition?

Biometrics?

DNA testing?

It’s a question that’s been asked for a while and has no good answer, although I’m sure lots of firms selling password alternatives will be posting answers to this blog post.

But if there were a solution then some academic would have it nailed by now, and the Register recently summarised two such research papers on alternatives to passwords.

Neither has a good alternative to passwords.

What they do say is the same thing I’m saying:

“From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can't abandon them until we come up with an alternative method of user authentication that is both usable and secure.”

Come on folks, give me an alternative.

Here’s my suggestion.

When signing on, you enter your mobile telephone number.

You receive a text with a passcode.

You enter the passcode.

Off you go.

Obviously for more secure sites, you might add a PIN, but nothing as complex as three thousand passwords that are all variations of “123456”.
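The server side of the flow suggested above, as an added example that is not the author’s code: a texted passcode only stays safe if it is generated from a cryptographic random source, expires quickly, is accepted once, and tolerates only a few wrong guesses. The five-minute window, the three-guess limit, the in-memory store and the SMS gateway callable are all assumptions; the phone number in the test is a constructed sample.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # code is valid for five minutes (assumed policy)
MAX_ATTEMPTS = 3        # guesses allowed per issued code (assumed policy)


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """Issues and verifies one-time passcodes keyed by mobile number."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # hypothetical SMS gateway callable
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # phone -> PendingCode (in-memory store)

    def request_code(self, phone):
        """Generate a random six-digit code and text it to the number."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.randint
        self._pending[phone] = PendingCode(code, self._now() + OTP_TTL_SECONDS)
        self._send_sms(phone, f"Your sign-in code is {code}")

    def verify(self, phone, submitted):
        """Return True at most once per issued code; every other path fails closed."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[phone]            # expired: force a new request
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[phone]            # too many guesses: invalidate
            return False
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(entry.code.encode(), str(submitted).encode()):
            del self._pending[phone]            # single use: burn on success
            return True
        return False
```

A real deployment would also rate-limit request_code per number, since each request triggers an SMS, and would store the code hashed rather than in the clear.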


From Tom's Hardware, 2010

The Most Common Passwords 

Last year, a major security breach at RockYou.com resulted in the release of 32 million passwords. With such a large data set available, security firm Imperva Application Defense Center (ADC) analyzed and found that, when given the chance, most users will choose a simplistic password.

Imperva found that nearly a third of users chose passwords whose length is equal or below six characters and almost 60 percent of users chose their passwords from a limited set of alpha-numeric characters. Almost half of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on), with the most common password being "123456".

Here are the most popular passwords from the RockYou.com leak.

      Password  Number of users
  1.  '123456'          290,731
  2.  '12345'            79,078
  3.  '123456789'        76,790
  4.  'Password'         61,958
  5.  'iloveyou'         51,622
  6.  'princess'         35,231
  7.  'rockyou'          22,588
  8.  '1234567'          21,726
  9.  '12345678'         20,553
 10.  'abc123'           17,542

About Chris M Skinner

Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal’s Financial News.
