Let’s talk about Passwords.

First off, passwords are an inherently flawed system. Like a lot of elements of technology, they were only ever created as a quick fix to a small problem: in this case, making it harder for students and researchers to steal expensive computer time from other students and researchers (usually to play games). (source: https://www.wired.com/2012/01/computer-password/) This solution was then taken and expanded to cover things that need far more security than computer time. These days our entire identity can be stolen with the right password.

We are stuck in a flawed system that we have to deal with, and larger and larger data breaches are being reported every year, like the largest data breach in history, reported just last month: https://techxplore.com/news/2021-06-largest-password-breach-history-leaked.html

Why Do Passwords Suck?

[Image: someone with their head on their keyboard and their arms in a defeated pose.]

It’s not a secret: everyone finds passwords frustrating.

They suck because passwords are pieces of information that are easy for computers to store, not for humans to remember, and all of our best practices are written by people looking at the problem from the perspective of computers trying to store or crack passwords. Humans have a great capacity for storing information, but that information has to have some kind of meaning behind it.

We have a couple of things that can help us manage them. The easiest, and one of the best, is to change the way we think about passwords. We’ve talked about this in the past, but the best protection against password-cracking attacks is length. The longer a password is, the exponentially harder it is to brute force, and the less likely it is to appear in lists of common passwords, brute-force dictionaries, or precomputed rainbow tables. So, if you can think of a long phrase rather than a password, something like IEatPigeonsButOnlyAfterLaborDay, it’s long enough to be impractical to brute force, but it’s also odd enough that your brain is already thinking of information to contextualize that phrase. That extra information will make the phrase much, much easier for you to remember in the future.
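To make the length argument concrete, here is an added example (not code from the original post) that scores the passphrase above under two models: one treating every character as random, and a stricter one treating it as a sequence of dictionary words, which is how a cracker would actually attack a phrase. The guess rate, the dictionary size and the common-password list are assumed, constructed values, and the generated password shows what a manager-style random password scores by comparison.

```python
import math
import re
import secrets
import string

# Added example (not from the original post). The guess rate is an assumed round
# number for an offline attack on a fast hash, used only for relative comparison.
GUESSES_PER_SECOND = 1e10
# Constructed stand-in for a leaked-password list; real lists hold millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "p@ssw0rd", "letmein"}

def charset_size(password: str) -> int:
    """Alphabet size an attacker must search, from the character classes present."""
    classes = [
        (str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),
    ]
    return sum(n for test, n in classes if any(test(c) for c in password))

def char_bits(password: str) -> float:
    """Strength if every character were random: bits grow linearly with length,
    so the number of guesses grows exponentially."""
    return len(password) * math.log2(charset_size(password))

def word_bits(passphrase: str, dictionary_size: int = 20000) -> float:
    """Stricter model for a phrase of common words: guessing word by word needs
    only dictionary_size ** word_count tries (the dictionary size is assumed)."""
    words = re.findall(r"[A-Z][a-z]*|[a-z]+|\d+", passphrase)
    return len(words) * math.log2(dictionary_size)

def strength_bits(password: str) -> float:
    """Zero if the password is on a leaked list (one lookup, no brute force needed),
    otherwise the more pessimistic of the two models."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return min(char_bits(password), word_bits(password))

def years_to_exhaust(bits: float) -> float:
    """Time to try every candidate at GUESSES_PER_SECOND."""
    return 2 ** bits / GUESSES_PER_SECOND / (365 * 24 * 3600)

def generate_password(length: int = 20) -> str:
    """What a password manager does: a uniformly random string per account."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for pw in ("P@ssw0rd", "IEatPigeonsButOnlyAfterLaborDay", generate_password()):
        bits = strength_bits(pw)
        print(f"{pw:35} {bits:6.1f} bits  ~{years_to_exhaust(bits):.1e} years")
```

The word model cuts the passphrase from about 177 bits to about 114, which is still far beyond any brute-force budget; the leaked-list check is what actually sinks "P@ssw0rd", not its length.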

But we use passwords to identify us for everything these days: banks, government services, social media, utilities, entertainment, smart devices and appliances, and after 2020 many of us have even gotten used to the idea of using them to order our groceries. We have to accept that one or all of these services are going to get breached at some point; pretending otherwise is to deny an objective truth. So if we accept that risk, we now have to minimize it as much as possible.

So, we need unique passwords for each and every thing that has a password. That way, if something does get hacked, we only have one password to change and one set of actions to undo. I don’t know about you, but I have accounts on well over 100 different websites, and especially where work is concerned I have multiple accounts on some websites. That’s way more passwords than anyone should have to remember.

Multi Factor Authentication

[Image: a photo of a phone on a desk with a security app displayed on the screen.]

For most people this is probably as convenient as you can get while still gaining security.

Multi-factor authentication is a popular way to strengthen passwords by requiring users to have an additional method of proving they are who they say they are. The most popular method is a short code sent to a phone number or email address. This isn’t perfect, because both email accounts and phone numbers are vulnerable to spoofing, and if someone really wants access to all your online accounts, targeting your phone or your email address is usually the easiest way to get it. You know how password resets all go to your email? If I have access to that, I can easily change every password you have.

There are other methods. A close second in popularity is authenticator apps. There are a number of different ones, but they all work on the same basic principle: they generate quickly expiring codes (valid for only a matter of seconds) that are tied to your account in that app. If you lose access to your authenticator, there is usually a set of 4 or 5 single-use recovery codes that will let you log in instead.

And last, there is physical authentication. This can be biometrics, like reading your face or fingerprint, or USB “keys” that software checks for as further proof of your identity.

Unfortunately, these have a huge drawback: they are often complicated or expensive. Asking users to learn new behaviors or work with unforgiving limits on failed attempts frequently leads those users to fall back into less secure habits, because those habits are far more manageable and far less likely to lock them out of their own accounts. This is compounded for users with ADHD or disabilities that make it hard for them to switch tasks or form new habits.

The Best We Have

It’s a flawed world we live in. There’s a lot of talk about the limitations of passwords going on in the tech world, which is a good sign, so hopefully we’ll only be in this space for a short time longer, but right now the best solution we have is an imperfect one.

You need to download a password manager. There are a lot of opinions about which ones are best, but you’re probably going to want one that syncs accounts between your browser and your phone, and one that encrypts the data when it is in storage. Mozilla’s password manager does this, so does LastPass, so does 1Password, and there will be more and more as people realize how much of a problem this is.

You need to set up multi-factor authentication on that password manager, and you also need to think of a strong passphrase for your account. What we are doing is creating the juiciest target we possibly can for attackers, so we need to protect it like our very lives depend on it. Once you have the password manager set up and secured how you like it, let it generate passwords for every one of your accounts. The idea is that you only have to put up with intrusive multi-factor authentication for one account, and you only have to remember one password.

It’s a huge compromise. You have to trust that your password manager will remain secure, but by following every best practice you can on this one account, you’re doing your absolute best to ensure that one account stays protected no matter what, and that’s the best you can do: the best compromise between security and risk.

What that means for the future

[Image: a finger touching a phone with a picture of a fingerprint on it.]

We think of fingerprint biometrics as highly secure, but the truth is we’ve been defeating them for years.

We need to replace passwords. No one is really sure what that means yet. Consumer-grade biometrics like fingerprints and FaceID continue to be defeated by talented hackers in a variety of ways, and have been for decades (https://phys.org/news/2005-12-biometric-expert-easy-spoof-fingerprint.html). Physical keys are only secure until they are lost. Security questions are only helpful if you’re not accidentally posting the answers on social media. But the need is there: we need something better than passwords.

For now we have to live by the principles of risk assessment:

  • Above all else, assume the worst will happen eventually.
  • Set up systems to minimize how much that affects the rest of your life when it does happen.
  • Make choices that are good, but that you can reasonably maintain for the rest of your life.

But it’s not all bad. We get the frustrations, and we know how to find the best balance between your security and your frustration. Get in touch with us today.