The Password Is Dead, So Why Are We Still Using It?

By Ary Bandana, DIGITS Staff Writer

Today we are gonna talk about passwords: that secret, arbitrary string of characters, including letters, digits, or other symbols, that we use to secure almost everything. Believe it or not, passwords have been around since ancient times, usually as a way to distinguish an ally from an enemy, as in ancient Rome, or simply as a way to protect information.

Passwords on computers?

In 1961 Fernando Corbató introduced the concept of a password for MIT’s Compatible Time-Sharing System (CTSS), which became the first operating system to use one. The problem was that all researchers had access to the CTSS, and they shared a common mainframe as well as a single disk file. The password was developed so that users could only access their own files during their allotted four hours a week, because at the time computer use was uncommon and still expensive, so ensuring that you are who you say you are mattered.

In the 1970s the cryptographer Robert H. Morris Sr. developed “hashing”, the process by which a string of characters is transformed into a numerical code that represents the original phrase. This means the actual password itself does not have to be stored in the password database.

With the advancement of modern technology, today we use user names and passwords as commonly as we use door locks. We use a password to protect computer operating systems, online accounts, mobile phones, cable TV decoders, automated teller machines (ATMs), and more. But is it still safe?

Is my password secure?

On July 18, 2011, Microsoft Hotmail banned the password “123456”. That puts into perspective how little people care about a password.

On August 31, 2014, the worldwide media was in an uproar because of a security breach, which later would be labeled “The Fappening”, a crude but arguably appropriate title for a massive breach in security affecting high-profile celebrities. “The Fappening” was simply the exploitation of passwords to gain access to iCloud (the cloud backup service specific to Apple devices), from which sensitive information such as pictures of an unsavory nature was stolen and distributed. At first, it was believed to have been obtained via a breach of Apple’s cloud services suite iCloud, or a security issue in the iCloud API which allowed the attackers to make unlimited attempts at guessing victims’ passwords. However, access was later revealed to have been gained via spear-phishing attacks. It’s baffling how much damage a compromised password can do in the wrong hands.

But still, in 2018 SplashData, a company working in security applications and services and the makers of SplashID, released their annual “Top 100 Worst Passwords of 2018”. They studied 5 million leaked passwords from recent breaches and found that many of the passwords on the list are the same bad passwords that were common in previous years, like “123456,” “password,” “admin,” and “abc123.”

Top 10 Worst Passwords of 2018:

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou

SplashData estimates almost 10% of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3% of people have used the worst password, 12345. This is crazy because, despite warnings by security experts and repeated breaches, it appears that many internet users still think a secure password is not important.

Wait, is the password dead?

“There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

Bill Gates (RSA Security conference, 2004).

“Passwords are done at Google.”

Heather Adkins, manager of Information Security (TechCrunch Disrupt, 2013)

The password may be dead, but we can’t deny that it still provides a level of security, not the best but still a level, and most companies with online portals still use it. Despite all of the predictions, passwords have remained the dominant form of authentication on the web. In “A Research Agenda Acknowledging the Persistence of Passwords”, Cormac Herley, a Principal Researcher at Microsoft Research, and Paul van Oorschot, a professor of computer science at Carleton University, argued that

“no other single technology matches their combination of cost, immediacy, and convenience”

and that

“passwords are themselves the best fit for many of the scenarios in which they are currently used.”

In another technical report, Bonneau et al., with Herley and van Oorschot as co-authors, systematically compared web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security. They found that most schemes do better than passwords on security, some do better and some worse on usability, while every scheme does worse than passwords on deployability.

“Marginal gains are often not sufficient to reach the activation energy necessary to overcome significant transition costs, which may provide the best explanation of why we are likely to live considerably longer before seeing the funeral procession for passwords arrive at the cemetery.”

What can I do now?

Password hacking is often carried out in one of the following ways:

  • Brute force attacks. A hacker uses automated software to guess your username and password combination; the software tries every possible character combination.
  • Dictionary attacks. With this method, a hacker runs a defined ‘dictionary’ of likely passwords against your accounts.
  • Phishing and social engineering. Accessing someone’s password using a phishing or social engineering attack is not technically a hack, but it provides the ‘hacker’ with access to your passwords and confidential information.

To create a secure password you should never:

  • Use your personal information or sequential lists of numbers or letters. All of these are far too easy to crack, even with just 15 minutes of searching your social media, and you should avoid them at all costs.
  • Use dictionary words. When hackers attempt to access your accounts, they run various dictionaries against your passwords in an attempt to crack them. There are many password dictionaries available to download online, so you have to think of something unusually random for your password.
  • Write your password down. Memorize your password; I can’t stress this enough. If you write down your passwords, you’re putting your key under the rug.
  • Enter a password over an insecure Wi-Fi connection. Insecure networks are everywhere, from malls to cafes. By connecting to an insecure network you’re giving a backdoor to anybody trying to access your information. If you really have no other choice, never type your passwords while you’re connected to one.

Instead, it’s important that you:

  • Set a different password for each account. Use a different password on every account that needs one, so if one is compromised you still have some level of protection on the others.
  • Use long and complex passwords. The longer the password, the more secure it is. You should aim for more than 12 characters and mix in letters, numbers, and symbols, because complexity is key to a good password.
  • Use a string of words. By using several words that you find easy to remember, you will make it much harder for automated cracking software to guess.
  • Make use of the password analyzers some companies use. Are you told your password is ‘weak’ when you enter it? If you are, take note of this and make some changes.
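The two lists above, as an added example that is not from the article: a small password analyzer in Python that applies their rules (no worst-list entries, no sequential or keyboard runs, no personal information, no lone dictionary word, length and character mix). The Top 10 list from this article is the denylist; the dictionary, the keyboard rows, the 12-character floor and the rule names are constructed assumptions, and a real deployment would load a large wordlist.

```python
import re
from typing import Iterable, List

# Denylist built from the article's Top 10 worst passwords of 2018.
WORST_PASSWORDS = {"123456", "password", "123456789", "12345678", "12345",
                   "111111", "1234567", "sunshine", "qwerty", "iloveyou"}
# Constructed stand-in for a cracking dictionary (a real one has millions of entries).
DICTIONARY = {"password", "sunshine", "welcome", "dragon", "monkey", "football", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # the article says "more than 12"; 12 is used as the hard floor here


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw holds `run` ascending/descending characters (abcd, 4321) or a keyboard run."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        codes = [ord(c) for c in chunk]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def analyze_password(pw: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes every check."""
    problems = []
    low = pw.lower()
    if low in WORST_PASSWORDS:
        problems.append("appears on the worst-passwords list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter, has_digit = re.search(r"[A-Za-z]", pw), re.search(r"\d", pw)
    has_symbol = re.search(r"[^A-Za-z0-9]", pw)
    if not (has_letter and has_digit and has_symbol):
        problems.append("does not mix letters, digits and symbols")
    if has_sequence(pw):
        problems.append("contains a sequential run of letters, digits or keyboard keys")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information ({item!r})")
    # A lone dictionary word with a few digits or one symbol tacked on is what dictionary
    # attacks target; a multi-word passphrase (the article's "string of words") is not flagged.
    m = re.fullmatch(r"([a-z]+)\d{0,4}[^a-z0-9]?", low)
    if m and m.group(1) in DICTIONARY:
        problems.append("is a single dictionary word with a simple suffix")
    return problems
```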


Campbell, J. B. (2004). “Greek and Roman Military Writers: Selected Readings”. Retrieved from http://books.google.com.

McMillan, Robert (27 January 2012). “The World’s First Computer Password? It Was Useless Too”. Wired. Retrieved 15 June 2019.

Morris, R. & Thompson, K. (1979). “Password Security: A Case History”. Retrieved from SPRG, University of Michigan, 15 June 2019.

Rachwald, Rob (18 July 2011). “Microsoft’s Hotmail Bans 123456”. Imperva. Retrieved 15 June 2019.

Arthur, Charles (1 September 2014). “Naked celebrity hack: security experts focus on iCloud backup theory”. The Guardian. Retrieved 15 June 2019.

Charlton, Alistair (2 January 2015). “iCloud accounts at risk of brute force attack as hacker exploits ‘painfully obvious’ password flaw”. Retrieved 15 June 2019.

Apple Inc. (2 September 2014). “Apple – Press Info – Apple Media Advisory”. Retrieved 15 June 2019.

Hall, John (2018). “SplashData’s Top 100 Worst Passwords of 2018”. Retrieved from https://www.teamsid.com/splashdatas-top-100-worst-passwords-of-2018/ 15 June 2019.

Kotadia, Munir (25 February 2004). “Gates predicts death of the password”. ZDNet. Retrieved 15 June 2019.

Herley, Cormac & van Oorschot, Paul C. (January 2012). “A Research Agenda Acknowledging the Persistence of Passwords”. IEEE Security & Privacy. Archived from the original on 20 June 2015. Retrieved 15 June 2019.

Bonneau, Joseph; Herley, Cormac; van Oorschot, Paul C.; Stajano, Frank (2012). “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes”. Cambridge, UK: University of Cambridge Computer Laboratory. ISSN 1476-2986. Retrieved 15 June 2019.

Martinelli, Katie (6 April 2018). “Password Security Guidance”. High Speed Training. Retrieved 15 June 2019.
