How is modern business security moving beyond passwords?
Passwords are a staple of corporate cyber security, but they have flaws that many companies are now looking to new technology to move beyond.
Our accounts have been protected by a combination of letters, numbers and special characters since pretty much forever.
However, many within the cyber security sector are calling time on the humble password in light of recent high-profile cyber attacks and the arrival of more secure approaches.
What's actually wrong with passwords?
Chances are you’re reading this article on a device that required some sort of password or character combination to gain access; be it a laptop, tablet or smartphone.
You probably use this device every day, or at least several times a week, but what about accounts you don’t use so often? Many of us would struggle to remember the password for those accounts at a moment’s notice.
The majority of people get around this by adopting one of two approaches. Either they use the same password for every online account (a humongous no-no in the eyes of cyber security professionals) or they have a different password for each account.
Considering the average person has 19 passwords (research suggests), going for the latter method can often require resetting the password to gain access - something that can be time-consuming and frustrating, not only for the user but also the IT departments that have to spend hundreds of hours every year handling passwords issues or the effects of them.
In 2018, passwords are far from perfect and computer scientist Joel Lee did a great job at outlining why.
In his article for MakeUseOf.com, Mr Lee explained how passwords may have served us well in the past, but their ‘all or nothing’ nature just isn’t fit for the future and once a password falls into the wrong hands, then it’s game over.
“Passwords are intangible, they can be compromised by knowledge alone,” he writes.
“In essence, password protection is security through obscurity, a security practice that’s universally lambasted as weak and ineffective.”
Imagine your computer being protected by a padlock on a storage container unit. If someone has the key or even some bolt cutters, they’re free to help themselves to whatever’s inside.
What might replace passwords?
Who said passwords have to be replaced at all? They might not be up to scratch, but that doesn’t mean passwords are entirely useless and should be forever consigned to the history books.
Two-factor authentication means passwords can still play a vital role in online security. By being combined with a security question or other form of identification - for example, texting a code to the user’s mobile phone - they can used to be double-down security.
Meanwhile, the latest mobile phone models can be unlocked with just our face or fingerprint.
Elsewhere, Google announced in the middle of 2016 that it would kill off passwords by the end of the year (maybe a tad optimistic, considering it’s now 2018 and they’re still very much a thing).
Let’s not be snarky though, because the internet giant’s idea seems to have legs. Rather than replace passwords with one super-secure solution, it hopes to mix together many weaker indicators into one solid piece of evidence that leaves no doubt that the user is who they say they are.
Qualities such as face shape and voice pattern, as well as some less obvious traits like how you move, how you type and how you swipe on the screen, are all assessed by the system. The idea is being trialled with “several very large financial institutions”.
Microsoft hasn’t been dragging its heels on devising a new solution either. Its Windows 10 operating system came with the biometric-based Hello function, which looks at the user’s fingerprints, irises and facial features, such as the distance between the eyes, the width of the nose or the shape of the jaw.
How behavioural change can be the best security upgrade of all
As you’ll know by this point, passwords aren’t ‘passed it’ and they’ll probably be widely used 50 years from now. So the most effective security upgrade available lies with the user themselves and how we handle our passwords.
It has been said countless times, but having a secure password that can’t be easily guessed is essential. If you don’t have one already, pick an object, place, colour, number or whatever and combine two of them with the odd capital letter, number and hyphen or pound sign and memorise it.
Passwords aren’t necessarily the problem; it’s how we treat them, and changing our behaviour could stretch the relevant lifespan of passwords for some time yet.