FOR years we’ve been told to make passwords as complex as possible, using upper and lower case characters, numbers and various other symbols to make it as cryptic as an MI5 code — only to find out that most of the trusted tricks we employ when crafting custom passwords actually make us more vulnerable to hackers. That’s according to former National Institute of Standards and Technology (NIST) manager Bill Burr, who popularised the tips back in 2003 but admitted this month that a document he wrote on crafting strong passwords was misguided.
With the organisation recently revising its password guidelines to combat nefarious digital behaviour, and modern biometric authentication gaining ever more momentum by the day, this raises one very important question: what is the best method for securing your personal data and digital identity?
The last rites for the traditional password were read long ago by industry experts. Bill Gates predicted its demise 13 years ago, and back in 2011 IBM predicted there would be no passwords by 2016.
Fast forward to 2017 and headlines about high-profile hacks and mass data breaches have become standard fare, with evidence to suggest password convenience still trumps security for most people and users still rely on predictable patterns.
This explains why year after year the world’s most popular log-in remains ‘123456’, a password so obvious it accounted for almost one in five of the ten million compromised passwords analysed by password management company Keeper Security.
The 2016 Adults’ Media Use And Attitudes study by Ofcom shows how bad password hygiene really is, noting that four in ten internet users use the same password across multiple websites. But the US-based NIST’s revised guidelines diverge greatly from what we’ve been force-fed over the years. Now it suggests scrapping the complicated mixes of lower and upper case letters and special characters in favour of simple, long and memorable phrases made up of lower case letters and typical English words. These never need to expire and should only be changed after a security breach. This is plainly great news if you rue the all-too-frequent days when IT makes you change your password.
While these rules may seem suspiciously easy, Paul Grassi, senior standards and technology adviser at NIST, says otherwise. ‘It works because we are creating longer passwords that cryptographically are harder to break than the shorter ones, even with all those special character requirements,’ he says.
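To show what the revised approach looks like in practice, here is an added illustration (not NIST’s own code or anything from the article): a checker that rejects known-compromised passwords such as ‘123456’, requires length rather than character mixing, and estimates how much bigger the brute-force search space of a long lower-case phrase is than that of a short ‘complex’ password. The minimum length of 12 and the small compromised-password list are assumptions constructed for the example.

```python
import math

# Constructed sample of breached passwords; the article names '123456' as the
# most common one in Keeper Security's analysis. A real list would be far larger.
COMPROMISED = {"123456", "password", "qwerty", "123456789", "letmein"}

MIN_LENGTH = 12  # assumed minimum; the article gives no specific number


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must search, based on
    which character classes actually appear in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def search_space_bits(pw: str) -> float:
    """log2 of the brute-force search space. Length multiplies the exponent,
    so extra characters outweigh extra character classes."""
    return len(pw) * math.log2(charset_size(pw))


def check_password(pw: str) -> tuple[bool, str]:
    """Apply the revised rules: a breach blocklist and a length floor,
    with no upper/lower/digit/symbol composition requirements."""
    if pw.lower() in COMPROMISED:
        return False, "appears in a list of compromised passwords"
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("123456", "Tr0ub4d0r&3", "correct horse battery staple"):
        ok, reason = check_password(candidate)
        print(f"{candidate!r}: {reason}, ~{search_space_bits(candidate):.0f} bits")
```

The bit estimate models an attacker guessing character by character; a phrase built from dictionary words is weaker against a word-based guesser, which is why the blocklist check matters as much as the length floor.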
Biometric-based authentication is set to become more prevalent in the UK, according to the Fraud & Risk report carried out by Callcredit Information Group, as 53 per cent of organisations expect to significantly increase their investment in biometric technologies.
TSB, for example, will be the first bank in Europe to roll out iris scanning for authentication in its mobile banking app in September, and Mastercard is testing fingerprint sensor-enabled payment cards that could arrive this year. In April, Lloyds Bank said it would test Microsoft’s Windows Hello technology, which lets users access accounts by fingerprint or by gazing into their webcam.
However, German hackers recently tricked a Samsung Galaxy S8’s iris scanner with a picture of the device owner’s eye and a contact lens. This was in the same month that HSBC’s voice recognition security system was fooled by a journalist, proving that while biometric identification is the latest weapon in the cyber-security battle, it is not without risk.
‘The general perception is that biometric security — iris scans, fingerprints and voice recognition — is inherently secure because it’s taking something that never changes and using it as a means to verify your identity,’ says Etienne Greeff, chief technology officer and co-founder of SecureData. ‘When a password is hacked, it’s easy to reset your password. But what happens when your biometric security settings are hacked? You can’t change your voice, you can’t replace your eyes, you can’t reset your fingerprints. Those things are constant.’
The NIST says biometrics as an authentication system is not accurate enough to stand on its own. But that’s not to say biometrics won’t play a crucial role.
Where in the world are you?
Supporting the argument that traditional passwords will be replaced by better methods, James Thompson, of web security firm SecureAuth, says many organisations are dumping them and replacing them with multi-factor, or repeated, authentication that takes into account where the attempted log-in is taking place.
‘This technique links your device with a biometric element such as your fingerprint and several layers of risk analysis based on things like your IP address, location and “normal” behaviour like the device you use,’ he says. Any deviation from the norm will be flagged for additional security measures.
‘So if an hour after you’ve logged off in London, someone pretending to be you tries to log in from Shanghai, adaptive authentication would recognise the impossibility of that journey and block the login.’
Adaptive authentication is thought to be 3,000 times more secure than traditional two-factor authentication methods, so in theory, even if an attacker were able to spoof your face or use your Wi-Fi network, they would still be blocked because they weren’t using your laptop. So is the future all about biometrics and behaviour? Not quite — the password may be dying out but the authentication debate is alive and kicking.
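The London-to-Shanghai scenario Thompson describes is usually called an ‘impossible travel’ check. The following is an added example, not SecureAuth’s code or anything from the article, of how such a risk rule can be expressed: it measures the great-circle distance between two log-ins, derives the speed the user would have needed, and also applies the device check mentioned above. The speed ceiling of 1,000 km/h, the coordinates and the timestamps are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass


@dataclass
class LoginEvent:
    lat: float
    lon: float
    ts: float          # seconds since epoch (constructed values)
    device_id: str     # identifier of the device used to log in


EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed ceiling, roughly airliner speed


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def assess_login(previous: LoginEvent, current: LoginEvent) -> str:
    """Return 'block' for impossible travel, 'step-up' when something else
    deviates from the norm (new device, unusable timestamps), else 'allow'."""
    distance = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
    hours = (current.ts - previous.ts) / 3600
    if hours <= 0:
        return "step-up"  # out-of-order or duplicate events: ask for another factor
    if distance / hours > MAX_PLAUSIBLE_SPEED_KMH:
        return "block"    # nobody covers that distance in that time
    if current.device_id != previous.device_id:
        return "step-up"  # same person could travel, but this is not their laptop
    return "allow"


# Constructed events: London log-off, then a Shanghai log-in one hour later.
LONDON = LoginEvent(51.5074, -0.1278, 1_500_000_000, "laptop-A")
SHANGHAI_1H = LoginEvent(31.2304, 121.4737, 1_500_000_000 + 3600, "laptop-A")
MANCHESTER_3H = LoginEvent(53.4808, -2.2426, 1_500_000_000 + 3 * 3600, "laptop-A")
MANCHESTER_NEW_DEVICE = LoginEvent(53.4808, -2.2426, 1_500_000_000 + 3 * 3600, "phone-B")

if __name__ == "__main__":
    print(assess_login(LONDON, SHANGHAI_1H))            # block
    print(assess_login(LONDON, MANCHESTER_3H))          # allow
    print(assess_login(LONDON, MANCHESTER_NEW_DEVICE))  # step-up
```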
PayPal, in 2015, said it was working on a new generation of embeddable, injectable and ingestible devices that could replace passwords and potentially pave the way for identification based on internal body functions like heartbeat and vein recognition. This would allow ‘natural body identification’ using devices like brain implants and silicon chips embedded underneath the skin, as well as ingestible devices powered by stomach acid. After PayPal’s global head of developer evangelism, Jonathan LeBlanc, confirmed it was looking into new biometric verification technologies, the company said in a statement that it has no immediate plans to develop injectable or edible verification systems, and that as passwords as we know them evolve, it aims to be at the forefront of those developments.
MIT Media Lab and Microsoft Research are experimenting with a temporary tattoo dubbed DuoSkin that can control your connected devices and could act as your digital identity. It uses layers of gold leaf to form a conductive coil that connects to an NFC tag for communication, which could also mean on-skin controls for connected devices.