How to make bad passwords better, and more hope for the future of authentication
Would you tell me your password? Probably not, but there might be a good chance I could guess it. In SplashData’s list of the worst passwords of 2015, culled from data from various breaches and hacks, “123456” and “password” continued to top the list.
You’ll also probably be surprised at how easy it is for cyber miscreants to crack passwords. No wonder we all want an alternative badly. For now, though, there are two things you can do: Make your crummiest passwords at least somewhat better, and check out some of the password alternatives starting to come online.
Think in phrases, not words
The first principle of better passwords is to avoid simple words and numerical pairings. Even Edward Snowden pointed this out when interviewed by John Oliver last year.
You need to think in phrases rather than passwords, and forget about simple words found in the dictionary. For example, Oliver’s “admiralalonzoghostpenis420YOLO” is silly, but the person who came up with it could easily remember it, and it’s harder to guess than something like “admiral1”. Obviously, I don’t recommend using either of those now; just think of them as inspiration for the future.
You should also aim to have much more than eight characters in your password and never have any reference, however vague, to yourself. Sorry, but your mother’s maiden name just isn’t going to cut it anymore.
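As an added example (not code from the article or from any product it mentions), here is a small Python checker that applies the rules above: reject anything on a known-bad password list, require a length well past eight, and flag a plain dictionary word with a few digits tacked on. The breached-password list, the dictionary and the 12-character cutoff are constructed placeholders; a real deployment would use a full breach corpus.

```python
import math
import re

# Constructed stand-in for a breached-password list (the article cites
# SplashData's 2015 list, which "123456" and "password" topped).
BREACHED_PASSWORDS = {"123456", "password", "12345678", "qwerty"}
# Constructed stand-in for a dictionary used by guessing tools.
DICTIONARY_WORDS = {"admiral", "password", "dragon", "monkey", "letmein"}
# Assumed cutoff: the article only says "much more than eight characters".
MIN_LENGTH = 12


def charset_size(pw: str) -> int:
    """Size of the smallest character class mix that could have produced pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def naive_bits(pw: str) -> float:
    """Brute-force search space in bits, assuming the attacker knows nothing."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def check_password(pw: str) -> dict:
    """Return the naive bit estimate plus the structural problems that override it."""
    problems = []
    if pw.lower() in BREACHED_PASSWORDS:
        problems.append("on breached-password list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # A dictionary word plus up to four digits ("admiral1") is among the first
    # guesses a cracking tool makes, however many bits the charset maths claims.
    m = re.fullmatch(r"([A-Za-z]+)\d{0,4}", pw)
    if m and m.group(1).lower() in DICTIONARY_WORDS:
        problems.append("dictionary word plus digits")
    return {"bits": round(naive_bits(pw), 1), "problems": problems,
            "acceptable": not problems}
```

Note that "admiral1" scores about 41 naive bits, yet the checker still rejects it; the pattern rules matter more than the charset arithmetic.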
We’re all guilty of reusing the same passwords. With more sites and social media than ever before, it’s easy to become a little complacent, even accidentally. If there’s absolutely one password you shouldn’t reuse, however, it’s your email’s. Once compromised, it could be used to wreak havoc.
Finally, and I know this hurts, you need to change passwords regularly. Just as you should change your login details if a site’s been hacked, you really need to keep changing passwords so your data is never a sitting duck.
Ideally, someone or something would do all this for you, and that’s where password managers come in. “Today the best option for users is a password manager that can create and remember complex passwords so you don’t have to. Most rely on a master password to verify you and secure all of your logins,” Mark Hocking, VP and GM at Intel Security’s True Key told me.
However, like any software, password managers aren’t perfect. Trend Micro’s antivirus program comes with a built-in password manager. Recently a Google security researcher discovered that it could accept remote code that could be used to steal the passwords stored in the software. LastPass, another popular password manager, fell prey to a phishing attack that could spoof users into divulging their main passcode for accessing their stored passwords.
The future: Multifactor authentication, biometrics
Two-factor authentication has become standard advice among many of the security pros I spoke with. This involves a two-step process for logging in, usually using another device like your phone synced to your online account. It will, in theory, ensure it’s really you who’s accessing the account.
Biometric logins are slowly becoming more common too, and they could usher in a new level of verification. Apple’s Touch ID and Samsung’s fingerprint scanners got an early start. Microsoft features facial recognition technology in Windows 10 with Windows Hello, which Dropbox has added to its login options.
Banks and payments companies have also dipped into biometrics. JPMorgan has integrated Touch ID into its iPhone app, while MasterCard has trialed a “pay by selfie” feature to verify online purchases. Intel’s latest version of Authenticate requires fingerprint verification and, in some cases, detection via Bluetooth that your smartphone is physically present.
It’s not your fault
It’s not the consumers’ fault that they’re struggling to secure their digital lives, said Marc Boroditsky, president of authentication start-up Authy. Rather, he lays the responsibility on apps, websites, and companies that have failed to develop and foster real, and secure, alternatives.
“Apps and services are already responsible for every other area of a user’s online experience. Why should user authentication be different?” he explained. “We need to stop blaming the user for creating a weak password when the site itself could have adopted stronger security that would make a cracked password practically useless to an attacker.”
Meanwhile, do just a few things to make your crummiest passwords a little better. You’ll grumble now but thank me later.