Monday, 25 February 2019

Passwords: Can we live without them?

Passwords form one of the major cornerstones of our digital era. Wouldn't a future without having to remember a huge list of passwords be truly incredible?

For thousands of years, passwords have been used as a means of authentication; a way in which people could be confident that security was maintained.

Today, passwords form one of the major cornerstones of our digital era, providing us with peace of mind in almost everything we do, locking down our internet banking accounts, credit cards, mobile phones and our laptops in order to keep personal data secure.

The problem with this is that we end up with so many different passwords for so many things. It can be so hard to remember them all that we often resort to writing them down, or using the same one for multiple accounts, leaving us open to security issues.

Wouldn't a future where we didn't have to remember a huge list of passwords be truly incredible?

While it might seem like a resolution that we are still a long way from achieving, potential solutions are emerging every day that may eventually make passwords a thing of the past.

Do more passwords mean less security?

When it comes to passwords, there are some simple rules, and these really haven’t changed. To fully embrace this technological era and all the logins we need to remember, it is vital that we pay heed to these rules.

According to a study carried out in 2017, the boom of online services has led to an increase in the number of accounts people have. It is estimated that we have an average of 191 accounts each. With such a large number of accounts per person, it is easy to understand why people fall into the trap of re-using passwords or creating a pattern for them.

How is it possible to secure access to a corporate network if too many people use the same password as they do at home for their online shopping accounts? This is a problem that IT Managers find themselves faced with, and with almost one in five victims using the password 123456 in 2016, it is certainly something that needs looking at.

We need to not only keep our passwords safe but also protect the personal data that they secure, as this can often point to further information that could identify further passwords. It's a slippery slope.

Can passwords be fixed?

From a user point of view, it is entirely possible to improve password hygiene with awareness campaigns. In the first instance, a password safe also offers a great chance to create those complex passwords that will keep all your accounts secure. Of course, this, in turn, needs a password of its own and this certainly needs to be secure.

While these password safes offer a great solution, they are little known amongst non-IT experts.

Performing authentication on the user side is one way of avoiding the risk of password leaks or interception. FIDO – Fast Identity Online – is a collection of companies who are united in this common goal. A staggering 1.5 billion users authenticate today using their concepts, which mean the password is never transmitted away from the computer. Authentication is done by a physical device that the user owns, which tells compatible online services that the user is who they say they are. FIDO means there is no need to remember all your passwords, but it does still need a PIN and, while the chances of it happening are low, a PIN can be stolen.

So, is it possible to move to a future where we don’t have anything we need to remember?

Authentication on a multifactor level

A life without passwords is possible, and in fact does already exist! However, doing this in a secure manner relies on defence in depth, the most fundamental principle of modern security.

This is a 17th-century principle that was invented by a military engineer. It relies on these things:

• Something we know: such as a password or a PIN

• Something we have: like a key or a card

• Something we are: our DNA or fingerprints, etc.

Now two of these are considered enough for public use, an example being the password and 2-factor code sent to a mobile. Adding a third piece of information could add that extra level of security, and it is what is used in environments where there is high security. However, it is currently too clumsy for general use.

No more passwords

Something we have and something we are require no memorisation. A FIDO-compatible digital key is an example of such a solution that has just been launched onto the market. The eventual solution to the password problems we have is out there, but this is going to take time and won't happen overnight. Until it does happen, it's clear that we're going to have to continue doing our utmost to ensure the passwords we use are secure.
