Are Passwords Dead?

With the recent news of the AP social media hacking incident, passwords have been in the spotlight. In this post, we'll take a look at how we can use them in a safer way.

Wired Magazine has a provocative article entitled Kill the Password: Why a String of Characters Can’t Protect Us Anymore. Are passwords dead? Should we all cry “uncle” and move on to whatever’s next?

My question above pretty much answers itself, in that there is no clear successor to text-based passwords. Biometrics using fingerprints, voice, or iris have major security challenges and social acceptability issues, let alone cost and reliability. Special hardware tokens are good if you only have one or two of them, but not so much if you need 15 or 20 of them. Graphical passwords, such as PassPoints or Draw-A-Secret, are promising, but tend to be easy to shoulder-surf, and have the same memorability challenges as text-based passwords once you have 15 or 20 of them.

So until a better alternative comes along (and one that is well-vetted, cheap to deploy, reliable, resistant to phishing attacks, and usable), we’re going to be stuck with passwords for quite a long time. However, in the meanwhile, here are the three easiest and most useful things you can do to protect yourself:

• Don’t re-use passwords for important accounts. Have a separate and unique password for each of work, personal email, social networking sites, and your banking web sites. There have been so many break-ins recently, that is you do re-use passwords for important accounts, you are exposing yourself to great risk for no good reason.

• Use longer passwords. A lot of the advice out there rightfully advocates using special characters like &+=%$# as well as upper and lower case letters. This is good advice, but even better is to just use a longer password, at least twelve characters. The longer the password, the harder it is for an attacker to guess what it is.

• Use two-factor authentication where possible. Facebook calls it Login Approvals, Google calls it 2-step verification, and Yahoo! calls it Second Sign-In Verification. The basic idea is essentially the same, which is to use an extra form of authentication (usually a text message sent to your mobile phone) as a double check to make sure it really is you. Lifehacker has a good article about all the sites that support two-factor authentication.

   

Wombat helps organizations teach end users to build stronger passwords with our Password Security training module.