Have Passwords Become Obsolete?

As the technology is expanding its footprints, so are threats associated with it. The frequency and sophistication of cyber attacks are accelerating. According to Microsoft’s Identity Security and Protection team, there has been a 300 per cent increase in user accounts attacked over the past year. A large chunk of these compromises can be attributed to weak, guessable passwords and poor password management, followed by targeted phishing attacks and breaches of third-party services.

According to Microsoft’s Security Intelligence Report Vol22 (January-March, 2017), “An increasing number of sites are breached and passwords phished, attackers attempt to reuse the stolen credentials on multiple services. Therefore, one of the most critical things a user can do to protect him/her is to use a unique password for every site and never reuse passwords across multiple sites.”

Pukhraj Singh, a cyber-security expert who played a key role in the setting up of the cyber operations centre of the Indian government after the 26/11 attacks told BW Businessworld, “Passwords have become the biggest burden costing many people a lot of money, and even lives. This ad-hocism has been witnessed in almost facet of information technology, simply because we never knew the internet would become so vital to our lives.”

Thereby, keeping simple passwords can lead to data breaches. The report further adds, “Organizations can further minimize risk by training users to avoid the use of simple passwords (easy to guess/crack), using alternative authentication methods or multi-factor authentication, and implementing solutions for credential protection and risk-based conditional access.”

Singh believes that passwords are symptomatic of how poorly we envisioned computer security.

“The Border Gateway Protocol (BGP) is a routing system which decides how a network packet travels through the internet to reach its final destination. The researchers who created the BGP in the eighties drew the blueprints of the protocol on a piece of napkin in a café somewhere. Security was, of course, secondary to them as the computing resources were just too scarce to offer anything fancy. A quarter-of-a-century later, those small problems have gotten magnified a million times over, threatening the internet and the very foundations of our connected society,” adds Singh.

The businesses have moved away from face-to-face transactions and passwords have become the de-facto method for determining someone’s identity. Be it banking, email access or social networks, people are identified by their public username and their private password. However, the system has frequently collapsed because most people’s passwords are easy to crack.

Microsoft automated systems detect and block millions of password attacks each day. When an attacker is observed using a valid credential, the request is challenged and the user is required to provide additional validation in order to sign in. However, attackers can be sophisticated and skilled at mimicking real users, making the task of safeguarding accounts, a constantly evolving challenge.

Picking simple passwords is not the only problem but using the same password across a number of sites can dramatically weaken the security of a person’s data as well. In a recent study of four million users’ online habits over a year, security firm Trusteer found that nearly three-quarters of users reuse the banking passwords on at least one other non-financial site, and nearly half shared both their username and password with other non-financial sites.

The fundamental reason behind picking up an easy password is that most people want to memorize them as passwords are meant to be secret and not everyone cannot keep dozens of complex sequences of alphanumeric characters in his/her head. Although on financial websites, where compromised credentials could lead to significant harm, people should use a complex password.

According to an annual ‘Worst Passwords List’ compiled by SplashData, it was revealed that the two most commonly used passwords are ‘123456’ and ‘password’, both of which have remained at the top of the list since it first started back in 2011.

Coming to the solution of the issue, Singh said, “The solution, it seems, is far from simple. Of course, multi-factor authentication could work, but its underlying mechanisms need to be vetted. SMS may fail, even biometrics are not full-proof in the current form. Introducing a technological change is more about getting people on board and building consensus than anything else. That has rarely worked in computer security, especially when geopolitics and business interests are involved.”

At the root of the password problem is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. More attention could be paid to the efforts of expanding the password system and maybe, include images.