Why you should give a •••• about the future of passwords

With password hacks becoming increasingly common, individuals need to secure their accounts and industries need to strive for something better, says Craig Grannell

At the time of writing, mere days have passed since shoe retailer Office was hacked, compromising customer login details; a week or so earlier, online giant eBay suffered a similar fate.

But even if you’re reading this many months later, chances are you only need to change the names for this column to remain current. Password hacks are now a depressingly inevitable and regular occurrence online, yet they somehow always come as a surprise to affected individuals and corporations alike.

This is the price of progress. Even 20 years ago, most passwords only blocked access to standalone computers. But then the internet happened, and anyone spending any amount of time online suddenly needed an awful lot of passwords. Today, we’re at the point where passwords are often the primary means of protecting access to critical data and services woven into everyday life, such as payment details, bank accounts, device access and location tracking.

As ever, the human factor is the problem. On one side, people store important information online, and are faced with using an increasing number of passwords; a sense of complacency or overload often leads to a reliance on absurdly simple constructions and/or using identical passwords across multiple accounts.

On the other side, hackers recognise the value in personal data and use increasingly elaborate tools to break into systems, retrieving password dumps or simply brute-forcing their way into individual accounts.

The system is broken and needs to change — the problem is in figuring out what comes next and what to do in the meantime. In the short term, systems must do better and individuals should make more of an effort to secure their online data.

When companies are hacked, they must be quicker to inform people and transparent about what’s happened, along with making it far more obvious how to access and amend password data. Moreover, they really need to be better at dealing with passwords in the first place.

Password creation is too often hamstrung by arbitrary rules that are a kind of security theatre, with complexity providing the appearance rather than the reality of security. eBay is a good example, displaying a password strength indicator and providing various prescriptive rules for any new password. But algorithms fail, and here ‘Password1’ is oddly deemed similar in strength (‘Medium’) to ‘cRVdaChMcl3qBJcXQN1H’ and stronger than ‘GclCOtjFNCbchKiOqTlF’. You cannot copy to or paste from the password field, hampering the use of some password managers, and you must use between six and twenty characters, presumably because of the limitations of eBay’s database rather than any logical reason to do with securing your data.
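To show why a rule-based meter can rank those three passwords the way the column describes, here is an added example (not from the column, and not eBay's actual algorithm): a constructed composition-checklist meter beside a guess-entropy estimate that recognises a dictionary word followed by digits. The word list is a small constructed sample standing in for a real common-password dictionary.

```python
import math
import re

# Constructed stand-in for a cracking dictionary (assumption, not real data).
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome",
                "monkey", "dragon", "football", "iloveyou"}

CHARSETS = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]


def checklist_score(pw: str) -> int:
    """Composition-rule meter: one point per box ticked (length, lower, upper, digit, symbol)."""
    checks = [len(pw) >= 8] + [bool(re.search(pat, pw)) for pat, _ in CHARSETS]
    return sum(checks)


def checklist_label(pw: str) -> str:
    """Map the checklist score to the familiar three-band label."""
    score = checklist_score(pw)
    return "Weak" if score <= 3 else "Medium" if score == 4 else "Strong"


def guess_entropy_bits(pw: str) -> float:
    """Estimate how many bits an attacker must guess, crediting known patterns.

    A dictionary word plus trailing digits costs roughly: which word, whether
    the first letter is capitalised, and the digits. Anything else is scored
    as random characters drawn from the charsets actually present.
    """
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pw)
    if m and m.group(1).lower() in COMMON_WORDS:
        word, digits = m.groups()
        bits = math.log2(len(COMMON_WORDS))          # which dictionary word
        bits += 1.0 if word != word.lower() else 0.0  # capitalisation variant
        bits += len(digits) * math.log2(10)           # each trailing digit
        return bits
    pool = sum(size for pat, size in CHARSETS if re.search(pat, pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def compare(passwords):
    """Return {password: (checklist label, guess-entropy bits)} for side-by-side review."""
    return {pw: (checklist_label(pw), round(guess_entropy_bits(pw), 1)) for pw in passwords}


if __name__ == "__main__":
    for pw, (label, bits) in compare(
            ["Password1", "cRVdaChMcl3qBJcXQN1H", "GclCOtjFNCbchKiOqTlF"]).items():
        print(f"{pw:22} checklist={label:6} guess-entropy={bits:6.1f} bits")
```

The checklist meter rates ‘Password1’ as highly as the 20-character random string and above the one lacking a digit, while the guess-entropy estimate puts ‘Password1’ in single-digit bits and both random strings above 100.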

eBay’s far from the only culprit. Passwords are now regularly twinned with ludicrous and overly specific questions and answers required for account retrieval, charging you with retaining a kind of meticulous knowledge of your own life and preferences (“What was your favourite film in 1996?” “What colour was your second car?”); and password demands have increasingly baffling specificity in terms of construction, full of numbers, ‘special’ characters, and a mix of upper- and lower-case letters — but only in a manner that each specific system can cope with. Heads need bashing to make these systems more human and — crucially — more usable and secure.

Fortunately, there are things individuals can do, although each comes with its own shortcomings. Where two-step verification is offered, take advantage of it, even if it complicates matters due to the added layer of security. Consider a password manager, such as 1Password, which can cook up insanely complex unique passwords for every online account and remove from you the responsibility of remembering them. Such systems do admittedly have drawbacks — 1Password’s integration with iOS is weak, for example, Apple’s iCloud Keychain naturally only works with Apple’s own products, and both systems are initially a little opaque and tricky to grasp for less technically minded users; but they’re nonetheless worth persevering with, if only to make it tougher for someone to brute-force their way into your accounts and to stop you using similar passwords or password patterns online.

In the longer term, perhaps Apple’s Touch ID provides a glimpse of a future where passwords are finally consigned to history, using your body as a means to access online services. But even then, work is needed, given that iOS demands the manual input of a standard password for the first purchase made after a reboot.

Then there’s also a level of paranoia surrounding biometrics that people need to get past. When Touch ID first appeared, there were erroneous claims Apple was ‘collecting’ fingerprints, and then there’s the truly irrational fear regarding someone stealing body parts to access data. Frankly, if someone lops off your finger or scoops out your eyeball, you’ve bigger concerns than whether they can now access your eBay account.

And that’s just not going to happen anyway, but the chances of someone worming their way into your existing online data increase with every password hack that happens. Therefore, do what you can today to secure yourself, ramping up password protection where possible, and when a better future looms into view that might eradicate passwords forever, grab it eagerly rather than fearfully retreating into the system equivalent of a bunker held together with sticky tape.

Comments

Just thought you'd want to know... You've repeated the paragraph starting 'eBay’s far from the only culprit' after the picture...

I like how you managed to squeeze Loki into the article.