Australian technology news, reviews, and guides to help you

Why passwords are problematic, but why we have trouble moving on

Your password may well be easy to break, but these days we have other methods of keeping your life secure, so on World Password Day we’re asking: why are we still using passwords?

We all rely on passwords in some form, but there are major differences between what constitutes a good password, and what acts as a bad one.

The latter is pretty easy to identify: if it’s something like “password123” and uses numbers in a sequential order, or just generally seems easy to guess — like your name or birthdate — it’s an example of a bad password. Lots of people use bad passwords. So many that it’s all a little dizzying.

On the other side, there are good passwords, and these are often complex. They’re frequently a word or phrase with uppercase and lowercase letters mixed with numbers and punctuation, while the best passwords are long, complex, and don’t follow patterns. Great passwords are almost impossible to remember, made up of a sequence of letters, numbers, and other characters that is almost impossible for either human or machine to guess.

“When it comes to passwords, it doesn’t matter how randomly the capital or special characters are arranged. What matters is length,” said Tyler Moffitt, Senior Security Analyst for OpenText Security Solutions.

“The longer your password is, the stronger it will be,” he said.
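To put Moffitt’s length-over-complexity point in numbers, here is an added example (not from the article or from OpenText) that estimates the best-case search space of a password from its length and the character classes it uses, and compares it with a random-word passphrase. The pool sizes and the 10 billion guesses-per-second rate are assumptions for illustration.

```python
import math
import string

# Pool sizes for each character class a guesser would have to cover.
# Assumption: "symbols" means printable ASCII punctuation plus the space.
POOLS = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)


def password_bits(password: str) -> float:
    """Upper-bound strength in bits: length * log2(pool), where the pool is
    the union of the character classes actually present. Human-chosen
    passwords are weaker than this figure because they follow patterns."""
    pool = sum(size for chars, size in POOLS if any(c in chars for c in password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Strength of a passphrase whose words are picked uniformly at random
    from a word list (7776 words is the common diceware-style list size)."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    cases = [
        ("9 chars, 4 classes", password_bits("P@ssw0rd!")),
        ("20 lowercase letters", password_bits("twentylowercasechars")),
        ("6 random words", passphrase_bits(6, 7776)),
    ]
    for label, bits in cases:
        years = years_to_exhaust(bits, 1e10)  # assumed 10 billion guesses/s
        print(f"{label:22s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

Twenty plain lowercase letters come out far ahead of a short password that mixes all four classes, which is the point of the quote.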

You can use tricks to help you remember them and make them long, such as using words or phrases only you know, or making your own cipher and key that swaps characters for letters, but that mightn’t be enough. Strong passwords are important, but they can still be broken. Worse, they can be stolen.

You can be tricked in any number of ways, and with the sheer volume of scammers pushing phishing tactics to fleece people, it’s not inconceivable that people inadvertently hand over their passwords without realising it.

The most recent smishing scams have found ways to embed credit card fleecing scams within real Australia Post text message threads, making it that much easier for even the savvy digital citizen to accidentally hand over a password.

Fortunately, there are solutions, though they come in a form we’re not all quick to embrace. Password-less security might be the answer, but whether it seems strange or is just not yet convenient for everyone, it’s taking time before the concept truly takes over.

How do you replace a password?

For years, we’ve been told that passwords are important. The first computer you used came with a password to your account, and you likely memorised that. You did that in school and you’ve probably done it at work, and the same is true when it came to protecting your bank account, bank card, credit card, and so on. No one knows your bank PIN — and you should keep it that way — with that passcode being your password of sorts.

But passwords and passcodes can be broken, stolen, and otherwise misused, and so we’ve turned to other methods.

While the CSIRO’s approach to a gait-based password system, which would let you secure your tech using your walk, hasn’t necessarily taken off yet, there are other things taking the place of passwords, and they’re a little more physical.

First up is your phone, because these days everyone has one, and it can be used as a secondary form of check, also called “multi-factor authentication”.

Initially two-factor (2FA) but now expanding to three (3FA) and beyond, multi-factor authentication relies on the idea that a login should go beyond a mere password and also check another device or service, like a phone, smartwatch, and so on.

It can be switched on for Google services, social media, and other platforms, and your workplace may rely on it already, often sending a sequence of numbers to your phone as a check before you log in. You’re the only one in possession of your phone, so that message acts as a second check on top of your password. It authenticates you alongside your password, because only you can have both.

“Passwords are more secure than no protection, but they should not be the sole method for authenticating an identity or verifying access authorisations. Combining a password with multi-factor authentication (MFA) adds an additional layer of security and protection,” said Rebecca Taylor, Incident Response Specialist at Secureworks.

There are also password-less solutions built into hardware, made as a “password key” of sorts. It’s an area Yubico helped pioneer with the “Yubikey”, a USB stick of sorts that can be plugged into devices and used in place of a password for services, primarily for business. The technology acts as a physical alternative to passwords, and can even be found in iOS-compatible versions for the iPhone, as well as NFC variants that work with mobiles wirelessly.

Yubikey password security stick

Why can’t we let go of the password?

Finding solutions to move beyond a mere password is clearly not difficult, so why do we have problems moving on? That might come down to ease of use — the convenience angle — and that it’s just something new to learn and adapt to.

Everything new takes time. While you may be comfortable with the touchscreen on your phone now, it wasn’t all that long ago that we were typing on the T9 predictive-text number pads of late-90s and early-2000s mobiles. A good twenty years ago, phones looked totally different, and when proper touchscreen phones started turning up in 2007 and 2008, things well and truly started to change. You had to learn how to use them, how to adapt, how to type quickly on them, and so on.

Learning things takes time. It’s typically not an easy switch, and the more we become accustomed to something that’s new, the more it becomes standard.

Password-less security is likely going to sit alongside password security for some time because of that comfort, and won’t be going anywhere in the short term.

“While passwords have proven time and time again to lack the robustness to protect sensitive data, many organisations still rely on them as the means to authenticate their customers – and this is likely why users are still most comfortable with them,” said Simon Marchand, Chief Fraud Prevention Officer for Nuance.

“The more banks, telcos and other companies offer alternatives such as biometrics to quickly and effectively authenticate their customers, the more confidence in biometrics and uptake will grow, resulting in passwords being displaced by this faster, more effective alternative,” he said.
