Most people have experienced a toxic relationship that they have stayed in too long.
For society, the use of passwords is like that boyfriend or girlfriend that you know that you should move on from but, you stay with way too long.
So I am sorry, I am going to be that interfering friend that tells you to: “Ditch your passwords.”
“Why? I am happy with passwords,” you may respond or, perhaps you are just wondering if you can find a replacement?
You should ditch passwords because they don’t deserve the trust you place in them. You have outgrown them. And, You can do so much better.
It’s harsh but true. It’s time for the reality check.
Passwords don’t deserve your trust because the security they provide is low and very easily compromised
Passwords are only too happy to cheat on you with someone else who so much as smiles at them at a party.
Luring your password away can be as simple as ‘shoulder surfing’. This can simply means someone spying your password when you’re working on your laptop at the airport or coffee shop. It can also mean a camera or skimming device fitted to an ATM to record your PIN and capture your account details.
If you’re thinking regular passwords changes, referred to as ‘ageing’, will solve the problem, think again. It’s just not that effective because, you have to be lucky enough for the password change to happen during the short period of time between password theft and unauthorised use.
Password ageing may even cause you to use predictable patterns: Sameletters01, Sameletters02, Sameletters03….
Why do we do this? Because convenience often trumps security, when it comes to human behaviour.
Password theft can also be far more sophisticated
Password theft can occur via social engineering, in-person, the phone or, social media. In these thefts, tactics are frequently used to trick people into revealing passwords or personal information that may then be used to answer security questions for password resets.
Phishing, via phone or email, are common social engineering methods used for internet banking fraud and other crimes. For example, some phishing scams send an official looking email requests from your bank to provide your password information, for false reasons such as security upgrades.
Think you are too smart to fall for these kinds of tricks? Well, that may be true for the simple tricks but, be warned, there are many very smart criminals who spend all day testing ways to trick the clever, as well as the gullible and the vulnerable.
I know from my experience at the Queensland Police Service Fraud and Corporate Crime Group, that ICT savvy professionals and blue chip companies can be victims too.
The bad news is that even if you are very careful to avoid shoulder surfing and social engineering, you still can’t trust passwords with your security.
Risks include:
- ‘Brute-force’ attacks by computers trying combinations of letters, numbers and characters until they get it right.
- ‘Trojan horse’ malware can seem like legitimate function of an app or a game but, really be there to steal your passwords. A Trojan horse may access data you have stored or may engage in keystroke logging to discover your passwords as you type.
- Online ‘Man in the middle attacks’ (I am pretty sure not all hackers are men but, I digress) could be described as eavesdropping on network protocols…..
OK..OK… your eyes may be glazing over right now and you’re thinking about clicking on another funny Anthill video. The point is passwords are an easy to defeat security measure.
You have outgrown passwords, because so much more of your personal and business life is now online
Think about Moore’s law, the NBN, Facebook, eHealth and, mobile apps that you wonder how you lived without.
Fast technology growth means even more of our lives will either be experienced online or, at least, augmented by our connected devices.
For example, during my recent trip to Italy I used HERE City Lens. It helped me see local points of interest on the live streetscape in front of me. In that situation, we expect security and convenience for our online or connected experiences but the risk and inconvenience of more passwords grows with our further expansion of a digital life.
The personal risks can be very significant. Think about the most embarrassing thing you have ever told a partner? How would you feel if they posted that secret on Facebook? What impact would that information being public have on your professional and personal reputation? Can you imagine the sinking feeling of finding your bank account drained of funds the day before you need to pay the deposit on your dream house or, just after stepping off the plane for a well-earned overseas holiday? Even if you get your money back, there will be effects on your life.
Data breaches can have a huge effect on business
Data breaches, often related to password theft, could cost a large company millions. I am not going to rub salt into to wounds by naming recent examples.
Just Google ‘data breach millions‘ and you will get all the examples you need to take this threat seriously.
Data security is a problem for businesses of all sizes. Todd Harland, Managing Director of Contego Consulting, knows firsthand from helping SMEs comply with Anti-Money Laundering legislation. Harland says, “Owners and managers perform so many duties each day that their level of expertise simply does not stretch to data security. They are a soft target for crime syndicates who are involved in identity theft and many other white collar crimes.”
The cost to our economy manifests not just as fraud but, also, as efficiencies that are never realised. For example, how many more businesses would use cloud-based services if they felt confidence in the security of their data?
Security in a digital life
If you are one of those who have already embrace all the Internet has to offer, how many passwords do you have? Include both personal passwords and business passwords in your calculations.
Please don’t tell me use you use the same passwords for both types of online interactions!
It could be so munch easier and better! Imagine the convenience of getting rid of them for a simple authentication method like a scan of a finger vein.
If you are currently patting yourself on the back for using the same password for several accounts, you should really re-read why passwords don’t deserve your trust. However, you are not alone.
Research by Microsoft has found that web users have an average of 25 accounts with just 6.5 passwords. This means most people are likely using each of their passwords for about four accounts.
A recent report by the Poneman Institute and rising Silicon Valley star Nok Nok Labs, has shown that transactions such as buying products or services online were frequently unable to be performed because of website authentication failures.
This means forgotten usernames, passwords and answers to knowledge based questions were the source of the majority of these frustrations, rather than website glitches or similar. So, while these may make things slightly more secure, they are far from the ideal customer experience.
It’s time to break up…
So, we’re back at that awkward conversation about this toxic relationship. It’s time to realise, you have outgrown passwords. They can’t meet your security and convenience needs.
Passwords are the equivalent partner that’s off drinking at the pub while you’re work late to pay the mortgage. It’s time to move on, for the sake of your personal and business security.
Or, if you would prefer that in language for the C-suite, take it from an industry expert, Sebastien Taveau, FIDO Technology Working Group Chair and CTO of Validity Sensors, Inc., “The need for universal strong authentication has reached a tipping point.”
Now for the good news: you can do so much better
You no longer need to rely on passwords. There really will be plenty of fish in the sea for you to choose from, thanks to the FIDO (Fast IDentity Online) Alliance.
Formed in July 2012, the FIDO Alliance “plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plugins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.”
What does that mean?
In short, it means you can combine security and convenience in your online world.
For example the fingerprint scanner built into your laptop could allow you to sign into many different web accounts, purely by swiping your finger.
An embedded piece of hardware in your mobile, such as a trusted platform module, may give you automatic sign-on to many websites but a transaction might require further authorisation such as voice recognition.
It may be that you have a USB drive as a FIDO token for use with many sites. That token could have password, but importantly it never leaves the device, avoiding many risks. This way two-factor authentication is achieved, rather than reliance on a password alone. But, you don’t need a different token for every site like you would need with existing proprietary systems.
If this sounds too good to be true, know that the momentum is already with this change. On the 23 April 2013, it was announced that tech heavyweights Google, NXP and CrucialTec had joined the FIDO Alliance Board of Directors. This built on the already impressive founding board members Lenovo, Nok Nok Labs, PayPal, and Validity.
FIDO is being lead by the right people and company alliances that can drive change. The open FIDO specifications promise to restore trust with stronger security that also simplifies the user experience and, importantly, ensures privacy.
You don’t have to be business analyst of the year to work out which large companies will continue to favour proprietary solutions over open systems. The reality is that proprietary tokens are often hard to use, expensive, complex and not scalable.
Not everyone will use FIDO but it’s likely to become synonymous with its function, the way Google is with search. Think Xerox, Fedex, Coke, you get the idea but with one importance difference: it won’t be a single business. FIOD will be a standard, a marketplace that welcomes broad participation.
I understand breaking up is hard to do because you’re used to relying on passwords, just focus on the future and be tactful.
Tell passwords, ”It’s not you, it’s me. I’ve changed and you haven’t. You just can’t give me the security and convenience I need in my life now.”
Kenneth King is the CEO of identity authentication technology company Check2Protect, the first Australian member of the FIDO Alliance. He is a former member of the Victoria Police and the Queensland Police Service, with specialist investigative and security intelligence experience. His career started as a police officer protecting people and their property. He believes we all deserve to enjoy both security and convenience. Criminals should not keep decent people from enjoying the streets of our cities. Nor should our online lives be governed by fear.
(Image source: LazyBuddy)
