The enigmatic Sherlock Holmes (more accurately Sir Arthur Conan Doyle) got it right when he said, “I consider that a man's brain originally is like a little empty attic, and you have to stock it with such furniture as you choose..." As our online accounts grow in number we find ourselves filling that attic of the mind with more passwords than we have room to remember. Since no person wants to go to the effort of remembering a slough of passwords, they instead keep one for all of their accounts, leaving them open to countless potential attacks.
The fact of the matter is that regardless of how many passwords you maintain, the very nature of password based ID management is unsecure.
There are countless recent examples of significant security breaches, many of which were caused by password management. Passwords have essentially become a tool that hackers use to breach the walls of personal and public information security. If you’ve been living under a rock, take a moment to check out these hacks that were caused by poor account ID management. It’s important to note, if you’re thinking of running to a password keeper that holds all your passwords in one place, LastPass, popular password manager, was also hacked in 2015.
These hacks indicate that passwords need to change. In fact they likely need to go away altogether to make way for new forms of information security. In order to keep cloud based applications safe, a new approach is needed.
The Future Of The Password
The weak points in passwords are two fold. The first lies in the interconnectivity of our online accounts. In the early days of online account management, most accounts were completely separate from one another. But now with the connectedness of email, mobile, and social media, our accounts begin to intertwine in ways that leave them open to attack. The second reason passwords aren’t secure? Because they are made and managed by humans. People don’t create secure passwords or security questions, which will inevitably end in some sort of breach. So if passwords fail easily due to human mismanagement, what could possibly provide a safer solution?
Multi-factor authentication is one approach that can help improve information security to a degree. By requiring more than just a password these tactics can potentially prevent a hacker who has acquired a password from gaining access to the account. For example, when you sign in with your user-name and password you are required to provide a security code that was sent to your phone via SMS messaging. If a hacker has your account information, but no phone, he’s out of luck.
Another form of multi-factor authentication comes in the form of biometric data. Information pulled from fingerprint or retina scans adds an additional layer of security. Only you have your fingerprints and retinas. It should be noted that like any information, at some point these forms of authentication might be easily replicated or fabricated, but for now they remain unique identifiers that would prevent security breaches. Additionally these biometric data sets are often backed by a unique device ID/signal. If a hacker was able to get a hold of your fingerprint, replicate it in a way a fingerprint reader would recognize, it would still be blocked based on it’s unknown origin. Creating multiple layers of access management clearly helps prevents breaches in ways that passwords cannot.
Unfortunately the password of the future, though well thought out, still has yet to be implemented on a large scale. Very few companies and institutions leverage these technologies to protect their users’ data. Here are a few simple recommendations for the time being before future passwords are fully realized:
- Create unique logins for your various financial accounts. Never reuse usernames/passwords across multiple sites/accounts/emails.
- Don’t store your passwords anywhere in the cloud where they are open for attack. While password managers seem like a great place to keep your information, remember, they can be hacked too.
- Create the longest password possible and make sure the alphanumeric combinations don’t represent any real words. As hackers and their bots get more sophisticated, it’s possible that they may be able to decode logical, language based passwords.
- Avoid security questions that have answers that anybody who knows your name could find. For example, city of birth, street you grew up on, first pet’s name, etc. Think of these questions as additional passwords and create unique answers to them.
Do you have a hack-proof password system?