
Illustration by Max Fleishman

Why won’t the password die already?

Passwords need to die—so why can't we kill them off?


Ben Dickson


Posted on Jul 3, 2016   Updated on May 26, 2021, 12:34 pm CDT

If you’ve been following the cyber news lately, you’ve probably come across stories about access to hundreds of millions of accounts for popular social media websites being sold cheaply on dark net black markets.

LinkedIn, Twitter and Myspace are just some of the bigger names that have been affected by data breaches. Given the age of the breaches, some of them dating back to as early as 2012, the extent to which users will be affected cannot be calculated, but we’re already seeing the names of prominent tech entrepreneurs such as Facebook CEO Mark Zuckerberg and Twitter co-founder Ev Williams, as well as celebrities such as Drake and Katy Perry, among the people whose accounts have been compromised.

At the heart of the crisis are passwords, the strings of letters, digits, and symbols that we’ve been using for years to protect our online accounts against intrusion. But despite the fact that passwords no longer suffice to protect us against data breaches, we still keep on trusting them with some of our most sensitive information. Thanks to recent developments, we might have finally reached the point where we can move beyond passwords—if we can bring ourselves to take the leap of faith.

What are companies doing wrong?

Service providers and vendors store millions of user passwords on database servers, where mistakes and bad practices can yield disastrous results. Companies usually hash passwords before storing them in order to avoid wholesale compromise of user accounts in case of a data breach.

But not every hashing algorithm holds up. As was discovered in the recent theft of 45 million passwords from VerticalScope, the Toronto-based firm had ostensibly secured its passwords with the long-obsolete MD5 hashing algorithm. The 177 million passwords collected from LinkedIn were hashed with unsalted SHA1, another weak algorithm whose output is easily cracked.
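An added example, not from the article or from any of the companies it names, of the difference between the unsalted storage described above and a salted, iterated hash: with unsalted SHA1, identical passwords yield identical digests, so a breach post-mortem can tally the “123456” accounts with a single table lookup; with a per-user salt and PBKDF2, the same password produces unrelated records and still verifies. The leaked table and password list are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample of a leaked credential table stored as unsalted SHA-1
# digests only, the way the LinkedIn passwords were stored. Demo plaintexts.
_DEMO_PASSWORDS = ["123456", "123456", "123456", "correct horse", "dadada", "123456"]
LEAKED_SHA1 = [hashlib.sha1(p.encode()).hexdigest() for p in _DEMO_PASSWORDS]


def weak_password_exposure(digests, known_weak=("123456", "password", "dadada")):
    """Count accounts whose unsalted digest equals that of a known-weak password.

    No cracking is needed: hash each candidate once, then look digests up in a
    table. That one-hash-fits-all property is why unsalted storage is dangerous.
    """
    table = {hashlib.sha1(p.encode()).hexdigest(): p for p in known_weak}
    return dict(Counter(table[d] for d in digests if d in table))


def hash_password(password, salt=None, iterations=200_000):
    """Store a password as hex(salt) + '$' + hex(PBKDF2-HMAC-SHA256).

    A fresh 16-byte salt per user means two users with the same password get
    unrelated records, and a precomputed table is useless against the dump.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored, iterations=200_000):
    """Recompute the derived key with the stored salt; compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)
```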

But aside from weak hashing, developers and companies are slow to adopt technologies that protect user accounts beyond passwords, such as two-factor and multi-factor authentication (2FA/MFA) and biometrics. “The username and password remain the lock and key to gain access to the service,” says Edward Robles, CEO of authentication startup Qondado. “Despite innovations that allow us to move beyond usernames and passwords, developers are still thinking in the same legacy terms.”

What are users doing wrong?

For their part, users are wont to put convenience before security. That’s why we see endemic disregard of well-known guidelines and practices for protecting passwords. As the post-mortem of the LinkedIn hack shows, “123456” still remains the most popular password among users. The same goes for the VerticalScope hack.

Users also tend to reuse passwords across accounts for the sake of convenience and to avoid memorizing extra passwords. Such carelessness is not limited to average users, and can also afflict the likes of Mark Zuckerberg, whose Twitter and Pinterest accounts were hacked because he had shared his ill-chosen “dadada” password across multiple accounts.

“Individuals are treating all accounts as equal,” says Robles. “There is an expectation held by users that their credentials are secure. As a result, they tend to repeat passwords across services to alleviate the need to manage or remember their passwords.”

Users are also opening up accounts and sharing information with new online services without thinking of the consequences of giving up that information. “We also need to consider that casual interaction with technology exists and that we will not associate a high degree of security with data that is perceived to be of little value,” Robles stresses. “We will do whatever is most convenient at the moment to gain access to that service. We do not, however, take into account that the account will live on for an undetermined length of time, and the password we’ve chosen for that service may become known to an attacker at some point, thus increasing our vulnerability over time.”

What’s wrong with passwords anyway?

Whether it’s a sequence of taps on the door to allow entrance or a combination of words used between soldiers to distinguish friend from foe, passwords have been our main method to authenticate ourselves and identify one another in different settings. But with the advent of computers, the password model has been challenged like never before.

There are just too many ways your password can be compromised, and maintaining passwords that are unique, long, and complex enough is becoming a nightmare, especially when each of us might be using a dozen or more online accounts. That’s why, despite knowing the basics of password protection, users tend to continue to follow bad practices.

Moreover, as our lives become increasingly digitized, the activities and information that are being tied to online accounts are becoming more and more critical. From financial data to confidential personal and business records, in many cases, the only thing standing between our most sensitive information and malicious actors is a simple passphrase.

That is something we usually take for granted, until the worst comes to pass. “The main issue with passwords is that they don’t tie permissions to identity,” says Robles, “and individuals are adopting their most convenient means of dealing with that problem, which for most people is to reuse a password again and again.”

Are we ready to move beyond passwords?

Companies need to adopt a means of identifying customers beyond security questions and data points, and make sure both the company and the user remain protected even if the credentials fall into the wrong hands.

But even though the issue of replacing passwords has been brought up many times, it has been dismissed every time because the alternatives were either too expensive or introduced too much friction and alienated users. As the saying goes, old habits die hard.

But thanks to the progress in mobile technology and machine learning, we are now much better positioned to explore and implement alternatives that offer increased protection without adding noisome complexity to the user experience.

The ubiquity of mobile devices with hi-tech features such as fingerprint scanners, hi-res cameras and hi-fi microphones makes the implementation of biometric-based authentication inexpensive and within the reach of all firms and consumers. Also, machine learning now enables service providers to implement adaptive and risk-based authentication, where they analyze and profile the user’s interaction habits and only push second-factor authentication requests upon detecting anomalous behavior that indicates a potential account compromise.
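An added illustration, not from the article or from Qondado, of the risk-based step-up logic described above: a small hand-weighted scoring of login signals that lets a familiar login through, asks for a second factor on a new device, and blocks an attempt that looks nothing like the user’s history. The signal weights, thresholds and sample profile are assumptions for the demo, not a learned model.

```python
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What the service has learned from the user's past successful logins."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)  # UTC hours seen before


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    hour_utc: int
    failed_attempts_last_hour: int = 0


def risk_score(profile, attempt):
    """Sum illustrative, hand-picked weights for each anomalous signal (assumed values)."""
    signals = [
        (attempt.device_id not in profile.known_devices, 40, "new device"),
        (attempt.country not in profile.known_countries, 40, "new country"),
        (bool(profile.usual_hours) and attempt.hour_utc not in profile.usual_hours, 10, "unusual hour"),
        (attempt.failed_attempts_last_hour >= 3, 30, "recent failed attempts"),
    ]
    score = sum(weight for hit, weight, _ in signals if hit)
    reasons = [why for hit, _, why in signals if hit]
    return score, reasons


def decide(profile, attempt, step_up_threshold=40, block_threshold=90):
    """Only push a second-factor request when the login departs from the user's habits."""
    score, reasons = risk_score(profile, attempt)
    if score >= block_threshold:
        return "block", reasons
    if score >= step_up_threshold:
        return "require_second_factor", reasons
    return "allow", reasons


def record_success(profile, attempt):
    """After a login succeeds (with MFA if it was required), fold it into the profile."""
    profile.known_devices.add(attempt.device_id)
    profile.known_countries.add(attempt.country)
    profile.usual_hours.add(attempt.hour_utc)
```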

“Multi-factor authentication needs to be an option available for all users of all services,” explains Robles. “The adoption rate will be directly tied to the user experience.” Robles’ startup is one of several firms that leverage mobile technology to streamline the implementation of biometric multi-factor authentication while breaking down the complexity of passwords to short PINs that are easy to remember. “We are able to deliver ease of use along with three factors of authentication, one of them being biometric,” he says.

The need for a change of mindset

Despite the fact that our lives are becoming more and more connected, we’re still treating our online accounts and assets with the sensitivity of the early days of the digital age. Robles, who has a background in legal technology and experience managing highly confidential and sensitive data, insists it’s time for a change of culture.

“We have accepted disruption in certain aspects of our lives in the post 9/11 world,” he says. “Air travel is different, access to office buildings and critical infrastructure is all different.”

But in contrast, we haven’t kept pace with the changes in technology, he explains. “We haven’t adjusted our expectations of our ability to live our on-demand, always-online lives. We haven’t necessarily been asked to adjust by service providers for fear of losing users. We need service providers and users alike to embrace multi-factor authentication as the new and necessary normal. Introduction of authentication methods that are easier to remember than passwords and far more secure are necessary.”

The bottom line is that, like everything else, added security for online assets will require some extra measures and a little sacrifice on the part of users in terms of changing habits and sometimes giving up a little comfort and ease. We have to start getting over old ways and embrace the fact that digital security is often on par with physical security, or even more critical. Until then, password breaches and hijacked accounts will continue to hit the headlines.

First Published: Jul 3, 2016, 8:00 am CDT