Future of passwords – don't expect much to change, at least anytime soon

Hack Reactor


By Peter Suciu for Hack Reactor

Passwords have been used since antiquity, and according to biblical scholars, the first example may have been the "shibboleth incident," which is referenced in the Book of Judges. According to tradition, in the war between Gilead and Ephraim, Gileadite soldiers used the word "shibboleth" to distinguish friend from foe, because the Ephraimites pronounced the word differently.

In the eons that have followed, passwords have been used by military sentries, more recently as a way to gain entry to a speakeasy or a secret society's meeting place, and most notably in fiction, where the right word opens an entryway that brute force could not.

Passwords have been used with computers since practically the early days of computerized networks. The Massachusetts Institute of Technology (MIT) had developed its Compatible Time-Sharing System (CTSS), which all of its researchers had access to, and in 1960 Fernando Corbató created the first passwords so that researchers could access only their own specific files.

In the 60 years since, passwords have been used for accessing email, logging into e-commerce sites, and virtually every other online application where an individual needs to be identified. The system is simple, yet from its earliest days, it has been flawed.

Make a password that is "easy" to remember and it can be easy to "crack." Birthdays, children's or pets' names, or old addresses are barely a step above using the word "password" or "1234." A password that can be guessed from personal interests or habits isn't exactly a strong password.

The other problem is that far too many people today use a handful of passwords, or just as often a single password, across everything. This makes it all too easy for cybercriminals, because if the password is cracked on one platform or service, it is akin to handing the bad actors a skeleton key for one's house, car, and safety deposit box!

Strong Passwords

Experts suggest that users create "strong" passwords, which are much harder to break. These should include a mix of letters, symbols, and numbers, and should not be something that can be readily identified from what one posts on social media. In other words, if you're a fan of a football team and post about it on your social media feeds, don't use "Cowboys4Ever" and assume it can't be easily broken.

More importantly, having a distinct password for each and every login is recommended.
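The checker below, added here as an illustration and not code from the article or from Hack Reactor, turns the advice in this section into something runnable: it rejects short or single-class passwords, catches passwords built from publicly posted words (the "Cowboys4Ever" case, even with digit-for-letter substitutions), and flags a password that is already in use for another service. The 12-character floor, the `profile_tokens` list and the `{service: password}` vault shape (as a local password manager would hold it) are assumptions of this example.

```python
import re

# Weak choices the article names ("password", "1234") plus a few classics.
COMMON_PASSWORDS = {"password", "1234", "123456", "qwerty", "letmein"}

# Undo common digit/symbol substitutions so "C0wb0ys" still matches "cowboys".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalize(text: str) -> str:
    return text.lower().translate(_LEET)


def check_password(password: str, profile_tokens, vault) -> list:
    """Return the list of problems with `password`; an empty list means it passes.

    profile_tokens: words an attacker could harvest from public posts
                    (team names, pet names, birth years, street names).
    vault: {service_name: password} as held by a local password manager,
           used to detect reuse across services (assumed vault shape).
    """
    problems = []
    if len(password) < 12:  # assumed minimum length for this example
        problems.append("shorter than 12 characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("uses fewer than 3 character classes")
    normalized = _normalize(password)
    if normalized in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("is a well-known common password")
    for token in profile_tokens:
        if len(token) < 4:
            continue  # very short tokens would match almost anything
        if token.lower() in password.lower() or _normalize(token) in normalized:
            problems.append(f"contains publicly known token {token!r}")
    # Reuse check: the same secret already protecting another service.
    reused = sorted(svc for svc, other in vault.items() if other == password)
    if reused:
        problems.append("already used for: " + ", ".join(reused))
    return problems
```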

"Bottom line is that people need strong passwords for everything, not just their banking and email," said Laurence Pitt, strategic director for security at Juniper Networks. "The issue with things like streaming services is that they need the password entered on any device that wants to use the service. I know this myself, as entering my Netflix password is a pain when using a television remote control. So people set weak passwords to make it easier and, even worse, they use the same password between services. Easy to get in, but then they forget that this same password is also protecting their email, payment details, and address."

Authentication Vs. Passwords

In recent years there has been a shift to "authentication," which isn't simply another word for "password."

"It refers to the broader goal of gaining assurance as to the identity of a user or system requesting service or data," explains Jim Purtilo, associate professor of computer science at the University of Maryland.

"Passwords are just a small piece of that security puzzle, and in fact, there are many pieces that must all fit together well," Purtilo added. "More generally, authentication won't just rely on something you know (like a password), it might also incorporate something about you (a biometric feature such as facial recognition or fingerprint scan) or something you have (such as a key, whether physical or cryptographic)."

The key could be a one-time code that is sent to the user via email, text, or phone call. In this way, it requires that the user has more than just the password. A weakness here is that if someone loses both their laptop and their phone, it wouldn't be too difficult to break even this two-factor authentication.

Moreover, even with successful two-factor authentication, a password is likely to remain one of those factors. One reason is that, despite being easy to hack and steal, passwords are still the simplest method of online identification.

"Passwords are easy to change if compromised and work with nearly anything," said Roger A. Grimes, a data-driven defense evangelist at KnowBe4.

"Those two features beat the alternatives hands down," said Grimes. "Nothing else comes close. But one day, logons will probably be frictionless, meaning very little input from the user. Logon authentication will be based on registered devices and behavioral analytics."

This could involve the user logging in from a previously seen, expected location (real or virtual), with their devices doing the same.

"Logon authentication will be closer to how we use credit cards today, where you use and use and occasionally you get denied or slowed down and asked for more authentication when your transaction seems strange for some reason," added Grimes. "But those days of passwordless authentication are long-off. I've been hearing about the death of passwords and anti-virus software and firewalls since at least the 1990s."

Multi-Factor

The future of passwords could be one that simply ups the ante on the number of authentication factors, and it could require more trained software engineers to develop those increasingly complex authentication factors.

"Until we get to better frictionless logons, multi-factor authentication (MFA) is going to gain strength," explained Grimes. "But the increased use of MFA doesn't mean that hacking and logon crime won't happen. MFA is often better than passwords (although not always), but it doesn't mean that hackers will suddenly be defeated and just give up."

As MFA can still be hacked, in the end, passwords may simply be the best method. The catch is to make passwords harder to guess and to use a unique password for every single login, so that if one is hacked the others likely won't be.

"They may not be sexy, but as long as you can't be tricked out of revealing them to some unauthorized party, they work quite well," said Grimes. "And sometimes there is actually less risk to using a password than in using something supposedly better, like MFA."