Like everyone, I’m completely fed up with passwords and online security.
It just doesn’t hack it anymore, or is that makes it easiest to hack.
The system is thirty years old – I used to use passwords to get onto the company network back in the 1980s. In fact, it’s even older than that. Polybius recorded the use of passwords back in the Roman Military days two millennia ago.
And now the system is broken.
I mean, even back in the 1980s it was more secure because the company made me change my password every four weeks. Today, I am rarely forced to change a password and I’ve just got too darned many of them.
There’s a password for iTunes, a password for email, a password for Amazon, a password for the bank, a password for my airline, a password for my mobile, a password for Google, a password for the credit cards, a password for the lottery …
Yep, there’s a password for everything.
And, like everyone, we’re told to not write the things down but how can you remember so many passwords?
You can’t.
So you put them all in a notepad or secure them somewhere on your PC or put them into some online password manager, but it’s all just crass stupidity.
Even with these secure systems, you just end up making all your passwords variations of the same thing. Even that doesn’t work as some sites use capital and lowercase letters, some are just lower case, some demand numbers whilst others want a minimum of 8 characters … can you ever remember which site demanded which format?
What you end up with is a mess of passwords that you can’t remember.
So you then use the same one for everything, but that has dangers too.
How a cyber-security firm got hacked
“Barr and some of his colleagues, Anonymous then discovered, had committed computer security's biggest sin: They used the same password on multiple accounts. The hackers commandeered Barr's Twitter and LinkedIn accounts, lacing both with obscenities. One of the passwords also opened the company's corporate Google account. Jackpot. In less than 48 hours, the hackers had the keys to the kingdom.”
And then it gets worse.
So how do you create a secure signon?
If you’re a bank, you force customres to logon to the bank with a password and a PIN, and then demand that they put their PIN in again on another device in order to generate a one-time passcode. You then enter the passcode, get another code back, enter online and off you go.
It is ridiculous, and none of it is easy or intuitive.
So what’s the solution?
IP address?
Pattern recognition?
Biometrics?
DNA testing?
It’s a question that’s been asked for a while and has no good answer, although I'm sure lots of password alternative solutions firms will be posting answers to this blog post.
But if there were a solution then some academic would have it nailed by now and the Register recently summarised two such research papers on alternative to passwords.
Neither has a good alternative to passwords.
What they do say is the same thing I’m saying:
“From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can't abandon them until we come up with an alternative method of user authentication that is both usable and secure.”
Come on folk, give me an alternative.
Here’s my suggestion.
When signing on, you enter your mobile telephone number.
You receive a text with a passcode.
You enter the passcode.
Off you go.
Obviously for more secure sites, you might add a PIN, but nothing as complex as three thousand passwords that are all variations of “123456”.
From Tom's Hardware, 2010
Last year, a major security breach at RockYou.com resulted in the release of 32 million passwords. With such a large data set available, security firm Imperva Application Defense Center (ADC) analyzed and found that, when given the chance, most users will choose a simplistic password.
Imperva found that nearly a third of users chose passwords whose length is equal or below six characters and almost 60 percent of users chose their passwords from a limited set of alpha-numeric characters. Almost half of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on), with the most common password being "123456".
Here are the most popular passwords from the RockYou.com leak.
Password Number of users
- '123456' 290,731
- '12345' 79,078
- '123456789' 76,790
- 'Password' 61,958
- 'iloveyou' 51,622
- 'princess' 35,231
- 'rockyou' 22,588
- '1234567' 21,726
- '12345678' 20,553
- 'abc123' 17,542
Entering your phone number isn't good.
Passcodes sound like passwords that just get sent to you insecurely.
As for the solution, that's a question it'll take a big checkbook to answer, make cheques out to me.
It has no passcodes passwords or pins, the content of transactions can be in plain txt, identifiable details are never sent,
there is no encryption involved,
and it works on the net or for transactions, on any phone.
You are the ones losing all the money. :)
Posted by: Dean Procter | June 16, 2011 at 12:21 PM
Chris, we dontlack the brain power neither the money, as everyone wants to have a secure "life"... Its just that there are competing organisations that want to "own" our private keys. Would you ask Microsoft to own them ?...Apple...?...Google..?. The neighbours ?..you need to hide them somwhere for use in the bank app, amazon...itunes...getting those orgs around the table to decide on how its done..sounds like REALLY hard...but soon, very soon it will become THE priority.
Posted by: Simon_Bale | June 16, 2011 at 09:37 PM
That password by SMS is called otp - one time password - this is used by a uk based bank for initiating payments. It's not for getting into the account though; for that you have to use a password and a passcode; and they have to be complex ... So no way for someone to remember these unless you are blessed with good memory.
Posted by: L Kolhe | June 17, 2011 at 06:37 AM
I agree with the sentiment above - having external devices, having to remember multiple passwords remembering long lists of numbers...
What's needed is a way to authenticate by device/user/session on unique information. Also, that it will be a one-time-only session so that no one can copy it.
Funnily enough, we working on something like this right now. Please get in touch to know more.
Posted by: Alpeshdoshi | June 17, 2011 at 02:09 PM
Increasingly we're seeing a trend towards leaning on other security (facebook, openID etc) as a means of authentication.
I'm not suggesting that any of these existing bodies could be trusted with banking passwords but perhaps there's a good financial opportunity for a trusted security company to create a centralized security system which issues and manages passwords, guarantees security and uses a combination of tokens and biometrics to authenticate.
Of course, putting all your eggs in one basket is fine provided that nobody steals the basket.
Posted by: Gavin Bollard | June 20, 2011 at 01:17 AM