Future of Authentication 2020

Issue link: https://raconteur.uberflip.com/i/1243008

Contents of this Issue


Page 3 of 19

F U T U R E O F A U T H E N T I C A T I O N 04 sing passwords to access our online lives is a com- monplace experience and so are the attendant frustrations. Cybersecurity demands evermore complicated formulas: passwords might necessarily be of a mini- mum length, use a capital, num- ber or special character. There is the regular insistence that a pass- word be updated and not just to one slightly different or back to one you've used before. "The good thing about pass- words is they're easy to use and, if compromised, easy to replace," explains Mariam Nouh, researcher in cybersecurity at the University of Oxford. "There are no compatibility issues. You don't need extra hardware. And business likes them because their use can be implemented cost effectively. The problem though is they can be compromised in so many ways." Certainly, while attempts at cyber- security breaches may be evermore sophisticated, the fact is passwords butt up against human psychology or, more specifically, memory. There are only so many discrete passwords an individual can retain without the security no-no of writing them down, which is one reason for the rise of password vault software. The result is, when possible, the use of familiar, emotionally sig - nificant phrases, which is to say utilising the same mechanisms behind how humans remember a lot of things. But the familiar makes it easier for hackers to crack the password. According to a 2018 survey by password management company LastPass and Lab42, 59 per cent of respondents use the same password across multiple accounts. A majority of people would only go through the bother of updating their passwords if they were hacked; after all, they seem secure until that point. But then, according to a 2019 study by Verizon, 80 per cent of hacking-related security breaches are a result of weak or compromised credentials. When LinkedIn suffered a data breach in 2012 and some 117 million passwords were compromised, many were revealed to be rather obvious. Among those used hundreds of thou - sands of times were "123456", "linke- din" and "password". "There's a lot of dissonance between how we know we should use passwords and how we actually do," says Rachael Stockton, senior director of product at LogMeIn, makers of LastPass. And it's not just a matter of memory. "A lot of our customers are just after sim- plicity, less time-wasting and more productivity. And we're going to need more simplicity [in our pass- word management] because the number of accounts we each use on the internet is only going to increase," she says. That most of us don't make much effort with our passwords isn't just our fault. Arguably, security soft- ware design has failed to take human psychology into consideration. "The industry has not done well in educating consumers how to use passwords," concedes Rolf Lindermann, vice president of prod- uct at Nok Nok Labs, an authentica- tion software vendor. "The result is this trade-off between security and convenience. That's the dilemma." And especially given the vast majority of websites still use pass- words. It's estimated there are now some 300 billion active passwords. Even Fernando Corbato, the man who pioneered the use of the pass- word online, has described the situ- ation as a "kind of nightmare". There have been new kinds of pass- words proposed. Because people recognise pictures better than they remember words, so-called graphical passwords request users click certain points on an image in a certain order. The number of possible points essen- tially makes each user's sequence unguessable. The efficacy of this approach is still being worked out. But the likes of George Waller, co-founder of StrikeForce Technologies, a US startup with a number of patented cybersecurity inventions under its belt, argues the problem isn't with passwords per se. Although he points out that most online businesses typically want to offer consumers the path of least resistance to gain access to their sites. The problem is with passwords' delivery to servers down the line. "Ultimately, it's not really a mat - ter of whether we use passwords or not, or whether or not you enforce stricter policies on their use. It doesn't matter so much what you Most cyber attacks and data breaches remain the result of weak password security. So, with a growing number of more secure alternatives now available, why are they still widely used? Why do passwords still exist? U Josh Sims MOS T USED PAS SWORDS Analysis of breached accounts worldwide P A S S W O R D S We're going to use passwords for some time because, from a security point of view, the whole system out there is just so complex 123456789 123456 qwerty password 1111111 7.7m 23.2m 3.8m 3.6m 3.1m National Cyber Security Centre 2019

Articles in this issue

Archives of this issue

view archives of Raconteur - Future of Authentication 2020