We all know that we should set stronger passwords. Despite warnings not to use phrases as basic as ‘123456’ or ‘password’, many people still don’t take digital security seriously. They choose easy-to-remember (but also easy-to-guess) codes like ‘12345678’, ‘abc123’, ‘qwerty’ and ‘password1’. If a password as simple as this is stolen via a hack, you could be in serious trouble.
The problem is two-fold. First, we use a myriad of online services and have a ton of passwords to keep track of. It’s why people typically choose simplistic codes and often use the same username/password combo on multiple websites. This flies in the face of security advice, which urges you to choose a unique password for each site, one that contains no personal information or common words and mixes letters, numbers and symbols.
Even then, long and seemingly complex passwords can be hacked. Using a Linux machine equipped with four Titan X graphics cards, the University of Nottingham’s Dr. Michael Pound has demonstrated how password crackers can ‘brute force’ stolen data in seconds (trying sequential combinations like ‘aaaaa’, ‘aaaab’, ‘aaaac’, etc), crunching 40 billion combinations per second until a match is found.
Of course, the effectiveness of a brute force hack is reduced as you increase the number of characters in a password, so longer phrases are better. A password is even harder to bust if it uses lower and upper case letters, digits and symbols.
Unfortunately, modern hackers won’t just try to use brute force on a stolen password list. With the immense processing power that modern computing systems provide, a ‘dictionary attack’ tries to match commonly used words (with some rules to modify the searches — toggling upper/lower case, adding numbers, etc). It’s much more effective, and if you’re using a long password with recognisable words in it, that password can still be cracked.
Wait. It gets worse. Hackers have one more trick up their sleeves — a dictionary that consists of real, stolen passwords. Once an attacker uses this and works out the rules by which the codes are constructed (e.g. two-word passwords, keys that incorporate dates), only a random string of characters will survive an attack. Anything recognisable will be discovered.
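To make the difference between the two strategies concrete, here is an added Python estimate (not from the original article) of how many guesses a sequential brute force and a rule-based dictionary attack must each make against a given password, at the 40 billion guesses per second quoted above. The dictionary size, number of mangling rules, date range and sample passwords are constructed assumptions, labelled in the code.

```python
import re
from typing import Optional

GUESSES_PER_SECOND = 40_000_000_000      # rate quoted in the article for a four-GPU rig
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICTIONARY_SIZE = 100_000                # assumed: candidate words per word slot
RULE_VARIANTS = 32                       # assumed: mangling rules tried per word
YEAR_VARIANTS = 200                      # assumed: a date rule tries ~two centuries
TAIL_VARIANTS = 10 + 33                  # a digit or symbol appended by a rule

CHAR_CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
TOKEN = re.compile(r"(?P<word>[A-Z]?[a-z]{2,}|[A-Z]{3,})|(?P<year>(?:19|20)\d\d)|(?P<other>.)")


def brute_force_keyspace(password: str) -> int:
    """Guesses a sequential brute force must cover: (size of charset used) ** length."""
    charset = sum(n for pattern, n in CHAR_CLASSES if re.search(pattern, password))
    return charset ** len(password)


def dictionary_keyspace(password: str) -> Optional[int]:
    """Guesses a rule-based dictionary attack needs when the password is built from
    recognisable words plus dates/digits/symbols; None if no word-like token exists."""
    space, saw_word = 1, False
    for match in TOKEN.finditer(password):
        if match.group("word"):
            space *= DICTIONARY_SIZE * RULE_VARIANTS   # one list entry times its rule variants
            saw_word = True
        elif match.group("year"):
            space *= YEAR_VARIANTS                     # a date rule enumerates years
        else:
            space *= TAIL_VARIANTS                     # a single appended digit or symbol
    return space if saw_word else None


def effective_keyspace(password: str) -> int:
    """The smaller of the two models: an attacker picks the cheaper strategy."""
    word_based = dictionary_keyspace(password)
    brute = brute_force_keyspace(password)
    return brute if word_based is None else min(brute, word_based)


def years_to_crack(keyspace: int) -> float:
    """Expected time at GUESSES_PER_SECOND, assuming a hit halfway through the space."""
    return keyspace / 2 / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample passwords: a common word, two words with a date, a random string.
    for candidate in ("password1", "CorrectHorse2016!", "x7#Qp2!vLm9@Rt"):
        print(f"{candidate:20} {years_to_crack(effective_keyspace(candidate)):.2e} years")
```

Under these assumptions the 17-character two-word password falls in a couple of weeks to the dictionary model, while the shorter random string is out of reach of either strategy; only the random string survives, which is the article's point.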
All of which brings us to the second problem. Changing your password isn’t the answer, because passwords themselves aren’t safe. In a recent report by mobile identity company TeleSign, 69% of companies believe that “usernames and passwords alone no longer provide sufficient security”.
“The theft of hundreds of millions of consumer records by hackers has made account takeover a significant threat,” the report explains. “Fraudsters use stolen consumer credentials to access accounts to launch phishing attacks, withdraw money, make unauthorised purchases, harvest virtual currency, and conduct other malicious activities.”
It’s no wonder that 36% of companies surveyed predict an end to passwords in the next four years, while another 36% foresee that passwords will be obsolete in five to nine years.
We’re already seeing the technologies that will replace them — fingerprint scanners on laptops and smartphones, 3D cameras like Intel RealSense that enable facial recognition logins via Windows Hello. You can find RealSense in new 6th generation Core laptops like the Dell Inspiron 17 5000 Laptop Touch and the HP Spectre x2 12-a001dx.
Behavioural biometrics also shows promise. This technology continuously authenticates users by analysing the way they use a device — the programs they open, the way the mouse moves, the keystrokes they input. If this behaviour differs markedly from normal usage, then the system is locked down.
But passwords aren’t quite dead yet. In the shorter term, password manager services like LastPass and 1Password provide reinforced security, while other services have introduced two-factor authentication, which you should always turn on if the option exists. Otherwise, there’s no better time to change your password to something longer, stronger and harder to crack.