Could the humble password finally be obsolete?

With Android teaming up with security system FIDO2, we look forward to a more secure future in which our data is protected by USB security keys or fingerprints

Over the past couple of decades it has become abundantly clear that human beings can't be trusted to come up with decent passwords. We might combine the name of a childhood pet with a two-digit number and proudly use it across multiple services, imagining that it ranks alongside Fort Knox in terms of its security. But it doesn't. Bad passwords continue to be exploited by criminals, either by using computers to work their way through large databases of breached passwords, or simply by guessing them. Credentials, cash and personal identities are stolen and misused on a daily basis.

The password problem 

The battle against bad passwords has been waged in many ways over the years. Services ask us to change them, they force us to litter them with unusual symbols, and they send additional codes to our mobile phones to confirm our identities. But an industry consortium has now made a significant step towards a future in which passwords become obsolete. Recent versions of the Android mobile operating system – currently used by about one billion devices worldwide – are now certified to use a security system called FIDO2.

The result is that developers can allow access to websites and apps with a fingerprint or a USB security key. No longer will we have to think up strings of letters and numbers, remember them and type them out. FIDO2 may finally save us from our failing memories and lack of imagination.

The move can’t come soon enough. A report released at the end of last year by password management company SplashData revealed that, for the fifth consecutive year, the two most popular passwords online are still “123456” and “password”.

The difficulty of remembering multiple passwords causes us to reuse the same ones across several different services, and that's what makes breaches of password data so dangerous – by using a technique called "credential stuffing", criminals can force their way into a series of accounts. In the past few days, for example, accounts with smart home product manufacturer Nest were attacked in this way. But it's not their fault, it's ours.

Can FIDO2 save us?

The burning question is why, despite being told repeatedly that our passwords are terrible, have we been reluctant to change our ways? One reason is that we become emotionally attached to them, not least because they often (unsafely) incorporate the names of people or things we hold dear. Also, because we need so many, we make passwords easy to remember. Even computer experts do that. In 2016, researcher Elizabeth Stobert surveyed several experts and was surprised by their password habits. "It is telling that they have chosen to trade off security for usability in certain situations," she said. "The social and contextual pressures that affect everyone also affect computer security experts."

As our dependence on digital services grows, the password problem grows, too, but FIDO2 shifts the whole idea of authentication over to the device you're using. In other words, instead of your device sending a password to a service for checking, FIDO2 merely asks for proof that you are who you say you are. That can be done with a fingerprint sensor or a USB key, so passwords aren't needed. Some online banking services have used this system for a while, but the certification of Android should help to establish it as the norm.
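The difference between sending a password and proving possession of a key can be shown in a short sketch. This is an added example, not code from FIDO2 or Android: a simplified challenge-response login in Node.js in which the service stores only a public key. The function names and the user "alice" are made up for illustration, and the real WebAuthn message format is not reproduced.

```javascript
// Added illustration of FIDO2-style login; simplified, not the WebAuthn wire format.
const nodeCrypto = require('node:crypto');

// Device side: the key pair is created on the device; the private key stays there.
function createAuthenticator() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only thing handed to the service
    // On a real device a fingerprint or key touch would gate this step.
    respond(challenge) {
      return nodeCrypto.sign('sha256', challenge, privateKey);
    },
  };
}

// Service side: stores one public key per user and issues single-use challenges.
function createService() {
  const publicKeys = new Map(); // username -> public key
  const pending = new Map();    // username -> outstanding challenge
  return {
    register(user, publicKey) { publicKeys.set(user, publicKey); },
    startLogin(user) {
      const challenge = nodeCrypto.randomBytes(32);
      pending.set(user, challenge);
      return challenge;
    },
    finishLogin(user, signature) {
      const challenge = pending.get(user);
      pending.delete(user); // a challenge is accepted at most once
      const publicKey = publicKeys.get(user);
      if (!challenge || !publicKey) return false;
      return nodeCrypto.verify('sha256', challenge, publicKey, signature);
    },
  };
}

// Constructed scenario: one genuine login and two attempts that must fail.
function runScenario() {
  const device = createAuthenticator();
  const otherDevice = createAuthenticator(); // someone without alice's key
  const service = createService();
  service.register('alice', device.publicKey);
  const proof = device.respond(service.startLogin('alice'));
  const genuine = service.finishLogin('alice', proof);
  service.startLogin('alice'); // new challenge; the captured proof no longer fits
  const replayed = service.finishLogin('alice', proof);
  const wrongKey = service.finishLogin('alice', otherDevice.respond(service.startLogin('alice')));
  return { genuine, replayed, wrongKey };
}
```

Only the genuine login succeeds. The service's records contain no secret that could be reused elsewhere, which is what takes the sting out of breached databases and credential stuffing.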

Per Thorsheim, a self-confessed password obsessive who runs a global conference called PasswordsCon, which addresses the challenges surrounding digital authentication, is optimistic about FIDO2. "At the last conference, everyone in the room, from geeks to police, and intelligence experts to hackers, agreed that nothing came as close as this to improving security beyond the username and password," he says. "We actually think this might work – and we haven't said that about anything for the past 15 years."

What's the practical solution? 

But while the technology is sound, he believes that there are practical issues that stand in its way. "If I gave a USB security key to my mother and told her that it replaces her password, she wouldn't be interested in spending even two minutes learning how to use it. And people will obviously lose them or forget to carry them," he says.

Thorsheim also notes that fingerprint logins are easily bypassed on an iPhone, for example, because you can swipe to log in with a PIN instead. "That's not security, it's convenience," he says. "It doesn't remove passwords from the equation, it just hides them. Passwords are not disappearing. They'll be around for at least the rest of my days on Earth."

If Thorsheim is correct, and the death blow to passwords is more than 20 years away, how should we secure ourselves in the interim? The commonly held belief that you should use a mixture of capital letters, lower-case letters and numbers, while changing your password every 90 days, has been rescinded by Bill Burr, the American software engineer who championed the practice in 2003.

One hacker says any eight-character password can now be cracked by a computer in under three hours, so longer phrases are essential. Two-factor authentication, in which your phone receives additional confirmation codes, is worth adopting, but the critical piece of advice is to use different passwords for each service. And if that becomes a headache, use a password manager such as 1Password, DashLane or LastPass.

When breaches are reported in the media, they're often made out to be cataclysmic events, such as when more than 21 million passwords from a number of sources were dumped online in January. But the truth is, they mainly contain old passwords, which with luck, you will have stopped using by now. However, if you're worried, services such as Google's Password Checkup can tell you if yours is floating around the internet, and if it is, Thorsheim says you are a target for hackers.

"People don't understand the benefit of strong passwords because nobody has been hacked until they've been hacked," he says. "That's the moment when they realise how bad it can actually be."