You can trace the history of the password back to Roman times. Sentries asked those approaching for a password to determine friend from foe. The consequences of forgetting that password probably weren’t worth thinking about. But, even if somewhat less fatal, does that make the problems of today any less of an irritation?
Forgotten account details account for the majority of support requests I handle in my day job. And it’s not just passwords. Usernames and emails are just as difficult for less experienced users to remember.
It doesn’t help that everything seems to require a password now. Even where it isn’t strictly necessary. Think about it. When was the last time you were asked to create an account to do something you’d likely never do again? You’re now required to create an online profile to book an event place, make a one-off purchase or submit a support request when once a simple email would suffice. Account profiles have proliferated throughout the digital world making it harder for people to manage what should be simple online tasks.
A survey by Centrify found people create an average of 50 new account profiles every year. That’s a lot of passwords to remember if you want to follow the rules.
Yet people choose to avoid password managers because they fear having all their eggs in one basket. But would they? Good password managers never know what your passwords are. They’re encrypted by your master password before leaving your machine and only decrypted again when you need them. Lack of awareness around zero-knowledge and how encryption works is steering people away from the very solution that can help them.
As for keeping all their eggs in one basket, most already do. Consider how many accounts can be accessed if someone gained control of your email? They could use this access to reset passwords across your entire digital footprint. Game over for the majority of people.
So, in the absence of password managers, password reuse is still common place. Even among people who should know better.
The vulnerabilities posed by password reuse has led experts to advise that websites and software producers move to require at least 15 characters in your password. A number believed to make it less likely that the password chosen has been used elsewhere. However, distributed computing and new powerful graphics cards make password cracking easier. To protect yourself from this emerging threat, experts recommend the use of long passphrases not words. Forget 15 characters, you’ll need at least 20 and if the password is protecting something important then 43 plus is your minimum.
No amount of special characters, capital letters or numbers will protect you if a password is too short. People lean towards predictable patterns when they use this technique and the software cybercriminals use knows exactly what to look for. In fact, passwords are such a poor solution to account protection that experts expect them to be compromised. This has given rise to the adoption of two-factor-authentication (2FA). Where a one-time-passcode is generated by an app, security key or sent to your phone or email account. While 2FA offers protection against the theft or guessing of a password, it is unlikely to be used by the people who need it most. Those less confident using technology while more likely to fall for social engineering scams are, paradoxically, less likely to employ 2FA.
Pouring oil onto the fire are organisations that, despite advice to the contrary, force people to change passwords every few weeks as a ‘protective measure’. Their users have little option but to use predictable patterns or write their password somewhere as a memory aid. The very acts a security policy should seek to avoid.
While on the horizon, alternatives to the password are still a long way off. Biometrics and single factor authentication like SQRL or the new YubiKey promise an end to passwords. But, website and software creators need to implement them and they’ve been incredibly slow to act on this in the past.
The password, such as it is, will be here to stay for some time yet. We just need to be smarter about how we use it.