Is Password Security Becoming Obsolete?
The use of passwords as the gate to secure sites is quickly becoming a thing of the past, and it should, for a number of reasons. Passwords are generated by software and by people to guard access to personal computers, websites, mobile telephones, and other technology. However, users are increasingly uncomfortable both with the weak protection passwords provide and with remembering all the passwords needed to guard data such as credit card numbers, health information, and bank accounts (Luukkonen, 2015). Advancing technology lets users link devices to each other that store huge amounts of personal information, and more devices mean more passwords. A survey of 24,000 users across 24 countries found that 77 percent of respondents were interested in alternatives to passwords for internet security: more than 92 percent of Chinese users would consider other security measures, as would 84 percent of Indian users, 78 percent of Brazilian and Swedish users, and 74 percent of American users (Accenture.com, 2015). Passwords have been around since the first sentry demanded one from a soldier returning to camp centuries ago, but electronic methods of breaking internet security are a major argument against their continued use.
A password generally is a string of numbers, letters, and/or special characters used to establish the identity of a user (Walters & Matulich, 2016). Passwords are usually the first security wall against unauthorized users obtaining access to information systems. Unfortunately, they may be the only defense, since many types of software require no other authentication; the user is identified only by the ability to enter the password. As people are asked to remember passwords for more and more accounts, many reuse the same one across multiple companies. The average person needs password access to more than 25 sites and applications but uses only 6.5 different passwords, while a strong password needs more than twelve characters drawn from letters, numbers, special characters, and punctuation (Reiner, 2016). Most people cannot remember that many passwords, so the solution is either reuse or keeping a list, a security risk in itself. Fernando Corbató, who invented the computer password in the early 1960s, says, “Unfortunately, it’s become kind of a nightmare” (Yadron, 2014).
Data hackers may operate on a large or small scale. Cracking passwords can be as easy as looking over someone’s shoulder while he enters it, going through trash to find passwords that are written down or clues to them, or simply guessing with children’s names, birthdates, or the most common passwords such as “password”, “admin”, or “12345” (Walters & Matulich, 2016). Gary McKinnon was accused of hacking into United States military computers using a simple program that searched for default passwords such as “Guest” (Kelly, 2006). A hacker who calls posing as a representative of a company with a familiar website can trick users into revealing their passwords (Walters & Matulich, 2016). Phishing is another social-engineering method: false emails lure people into disclosing their password or other sensitive data through disguised hyperlinks, spoofed source addresses, copied images, and matching fonts that send users to a fake web page to “update” their information (FraudWatch International, 2009). Security administrators use password-cracking software to test password strength or recover lost passwords, but hackers use the same tools to gain entry to accounts (Gregory, 2009). These programs usually combine strategies such as trying common words or slang and then mixing in the characters typically used in acceptable passwords. Spyware secretly sends information gathered from computer activity to a third party (Walters & Matulich, 2016). Sniffer programs monitor and evaluate network traffic by reading network packets (Mitchell, 2009) and can record sensitive personal information whenever a network is used. They are frequently used to obtain passwords and personal data sent without encryption; wireless networks are particularly exposed to sniffing.
There have been numerous high-profile data breaches in the last several years by “hackers”. Passwords were the point of entry for the 145 million users whose eBay accounts were compromised, the 36 million users of Adobe, and the 76 million users of JP Morgan Chase Bank (Reiner, 2016). Companies store passwords in a cryptographically transformed (“hashed”) form that can be checked at log-in but not read directly. It is frequently possible for hackers to obtain a database dump containing the stored hashes. If the site operator hashes passwords properly, with a random per-user salt and a deliberately slow algorithm, reconstructing them from the dump is strenuous and tedious, but it remains possible for weak passwords. Moreover, there are still major sites that do not adequately hash passwords before storing them. In 2014, Sony was the victim of a data breach in which hackers found that the company stored thousands of passwords and more than 47,000 social security numbers for employees and famous actors such as Rebel Wilson and Sylvester Stallone in a directory labeled “Password” (Curtis, 2014). The files were named in plain text and had no password protection. Once hackers reconstruct a password for any one site, they may try it on many other sites in the hope that the victim reuses it. Finally, social media provides many of the answers to the “security questions” used for password reset. Eliminating that process would enhance password security.
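How a cracking tool works through a dump of weakly hashed passwords, and why proper hashing slows it down, as an added example that is not part of the original essay or of any tool it names. The wordlist, mangling rules, usernames and passwords below are constructed for illustration, and the PBKDF2 parameters are assumptions, not any site’s real settings:

```python
import hashlib
import hmac
import os

# Constructed mini wordlist and mangling rules: stand-ins for the large
# wordlists and rule sets that real cracking tools ship with.
WORDLIST = ["password", "admin", "12345", "letmein", "sunshine", "welcome"]

def mangle(word):
    """Yield the common variants of a dictionary word that crackers try."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"
    yield word + "!"
    yield word.capitalize() + "1"
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")

def candidates():
    for word in WORDLIST:
        yield from mangle(word)

# Weak storage: unsalted, fast SHA-1, as several breached sites used.
def weak_hash(password):
    return hashlib.sha1(password.encode()).hexdigest()

# Stronger storage: random per-user salt plus PBKDF2-HMAC-SHA256 with a
# high iteration count (assumed value), stored as "iterations$salt$hash".
DEFAULT_ITERATIONS = 200_000

def strong_hash(password, iterations=DEFAULT_ITERATIONS, salt=None):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def strong_verify(password, stored):
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare

def crack_unsalted(dump):
    """dump maps username -> SHA-1 hex. Without salt, one hash per candidate
    is checked against every user at once, and users who share a password
    share a hash, so they all fall together."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    for cand in candidates():
        for user in by_hash.get(weak_hash(cand), []):
            found[user] = cand
    return found

def crack_salted(dump):
    """dump maps username -> PBKDF2 record. The salt forces a separate run
    of every candidate per user, and each run costs `iterations` HMACs."""
    found = {}
    for user, record in dump.items():
        for cand in candidates():
            if strong_verify(cand, record):
                found[user] = cand
                break
    return found

def work_factor(dump_size, iterations=DEFAULT_ITERATIONS):
    """Hash computations needed to try every candidate against the whole
    dump, as (unsalted SHA-1, salted PBKDF2)."""
    n = sum(1 for _ in candidates())
    return n, n * dump_size * iterations
```

The salted, iterated scheme does not make “Password1” safe; it only multiplies the attacker’s cost by the number of users and the iteration count, which is why the essay’s advice against reuse and trivial passwords still matters even on a well-run site.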
Personal password hacking is not the only expense associated with poor password security. Companies whose support systems and applications are accessed by unauthorized users may suffer equipment destruction that results in expensive production delays, missed deadlines, and lost customers (Secmaker.com, 2016). The Gartner Group states that over 30 percent of calls to IT help desks concern password problems, and Forrester Research estimates that this costs companies approximately $200 per user annually.
New Forms of Secured Entry
In an attempt to bypass the need for passwords, a number of solutions have been offered. Google is developing a protocol that would let a user authenticate with his smartphone (Mims, 2016). When he accesses an online account, a code or a specific ring tone would be sent to the mobile device. There are still open problems with the concept: how long the code needs to be, which random number generator would resist attackers, whether users will find the method convenient, and whether it will eliminate the need for PINs or passwords to access email accounts. Even with such challenges, a ringback code would offer more security than a password alone, because an attacker must possess or intercept the phone rather than merely learn a secret.
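The server side of such a scheme, as an added example that is not part of the original essay and is not Google’s protocol: a short-lived numeric code is generated from the operating system’s cryptographic random source, delivered out of band through a pluggable `send` callback, and then checked with a constant-time comparison, an expiry, a single-use rule and an attempt limit. The six-digit length, two-minute lifetime and three-attempt budget are assumptions chosen for illustration:

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 120   # assumed lifetime of an issued code
MAX_ATTEMPTS = 3         # assumed wrong-guess budget per issued code

class OneTimeCodeService:
    """Issues and verifies one-time codes delivered out of band (SMS, push).
    `send(user, code)` delivers the code; `clock` is injectable for tests."""

    def __init__(self, send, clock=time.time):
        self._send = send
        self._clock = clock
        self._pending = {}   # user -> (code, expires_at, attempts_left)

    def issue(self, user):
        # secrets draws from the OS CSPRNG; random.randint is predictable
        # and must not be used for codes an attacker will try to guess.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = (code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self._send(user, code)

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing outstanding
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]           # expired: force a fresh issue
            return False
        # compare_digest on bytes avoids leaking how many digits matched
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[user]           # single use
            return True
        attempts_left -= 1
        if attempts_left == 0:
            del self._pending[user]           # burn the code after MAX_ATTEMPTS
        else:
            self._pending[user] = (code, expires_at, attempts_left)
        return False

def guess_success_probability(digits=CODE_DIGITS, attempts=MAX_ATTEMPTS):
    """Chance that an attacker who never sees the code guesses it within
    the attempt budget; this is what decides how long the code must be."""
    return attempts / 10 ** digits
```

Without the attempt limit, the code length alone would be meaningless: a six-digit code admits a million guesses, which is a few minutes’ work against an unthrottled endpoint, but only three in a million with the budget enforced.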
A demonstration by Google in June 2016 showed how a laptop may be unlocked simply by placing the user’s smartphone next to it. One might object that a hacker could access a person’s accounts by using their phone, but a lost mobile device is noticed and can be shut down quickly, while stolen passwords often go undetected until it is too late. Locking a smartphone with a PIN code or a fingerprint sensor when it is not in use remains good practice in any case. Google is also testing Trust API, which uses a number of the phone’s sensors to confirm that the person using it is its owner (Deveza, 2016). The sensors would recognize voice, face, gait, typing speed, and other factors.
Like the Trust API, biometric sensors are becoming more common as recognition methods for security purposes (Reiner, 2016). Facial and voice recognition, fingerprints, and iris scans still have development problems and still require a password alongside them. They impose specific requirements on lighting, noise level, the use of both hands, availability on every device, the user’s location, and other conditions. Facial recognition software has trouble distinguishing a real person from a photograph of that person; researchers are working on requiring movement in the program as a liveness check. USAA currently allows customers to take “selfies” on their phone to access their accounts after opting into the method when signing in with the company (Marte, 2016). Mastercard has introduced “Selfie Pay” for online shoppers: the customer confirms a purchase after checkout by taking a selfie with a mobile app issued by Mastercard. In the state of Georgia, taxpayers will be able to verify their accounts next tax season by taking their own picture; if it matches the photo on file, the selfie confirms that the tax return submitted is not fraudulent.
It is even possible today to obtain multi-factor authentication that replaces the use of passwords (Reiner, 2016). Biometrics and contextual factors such as the user’s city or Wi-Fi network raise the barrier against hacking, because an attacker would also have to use the intended victim’s device. Possession of a password alone would be useless in the face of multi-factor authentication. Features built into the CPU of a phone or laptop allow the device itself to be identified while the user provides a biometric confirmation. A problem with this approach is that it would have to work with all the sites the user currently employs without requiring technological updates from them. It would also have to coexist with passwords until they are no longer needed. Convenience also limits the level of security that is achievable, so an individual should be able to choose which security measures he wants based on his environment and the accounts accessed, requesting low-level security for some sites and higher security for others.
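An added example of the possession factor in such a scheme, not taken from the essay or from any vendor it names: a time-based one-time code as standardized in RFC 6238, computed on the user’s device from a secret shared at enrolment, with the verifier tolerating clock drift and refusing to accept the same time step twice. The 30-second step and six-digit default follow the RFC; the drift window and the replay bookkeeping through `last_counter` are design assumptions, and the secret in the stand-alone run is the RFC’s published test secret, not a real one:

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // step, digits, algo)

def verify_totp(secret, submitted, unix_time, last_counter=-1,
                window=1, step=30, digits=6):
    """Return the matched time-step counter, or None.
    window:       accept +/- this many steps to tolerate clock drift
    last_counter: highest counter already accepted for this user, so a
                  code that was just used cannot be replayed (assumed
                  bookkeeping; the caller persists it per user)"""
    base = unix_time // step
    for k in range(-window, window + 1):
        counter = base + k
        if counter <= last_counter:
            continue
        # constant-time compare so timing does not leak matching digits
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None

def shared_secret_base32(secret):
    """The enrolment secret in the base32 form authenticator apps expect."""
    return base64.b32encode(secret).decode()

if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not for real use
    print("enrol with:", shared_secret_base32(secret))
    print("current code:", totp(secret, int(time.time())))
```

Because the code depends on a secret the server never sends over the network, a phished or shoulder-surfed password is not enough on its own; the attacker also needs the device, which is exactly the property the paragraph describes. The stored `last_counter` is what stops an attacker who captures one code from using it again within the drift window.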
Conclusion
Each time a person forgets a password, has to answer security questions, or has his information hacked, he wishes passwords were no longer needed. As biometrics and device-based authentication become more common, the use of passwords will decline. Pindrop is a new security company that uses voice recognition to detect phone fraud (Kuchler, 2016). Using 147 different factors to build a voice profile, the company also tracks the device and location to raise a red flag for banks, retail stores, and insurance companies. In the previous year, Pindrop monitored 360 million calls, part of a coming wave of biometric security. Companies are developing software that recognizes patterns of clicking and screen swiping, supposedly as individual as fingerprints. These kinds of user authentication may spell the end of passwords for internet security, but they will not arrive as quickly as some people wish. Someday, passwords will be as obsolete as the occasional payphone seen in an old convenience store. In the meantime, measures such as not reusing passwords across sites and locking mobile phones are interim protections for personal accounts.
References
Accenture.com. (2015). Digital Consumer Survey for Communications, Media and Technology industries. Accenture.com. Retrieved 16 July 2016, from https://www.accenture.com/us-en/insight-digital-consumer-survey-communications-media-technology
Deveza, C. (2016). Google Begins Test on Face Authentication Technology: Passwords to be Obsolete by the End of the Year? iTech Post. Retrieved 14 July 2016, from http://www.itechpost.com/articles/19376/20160527/google-begins-test-on-face-authentication-technology-passwords-to-be-obsolete-by-the-end-of-the-year.htm
FraudWatch International. (2009). Phishing email methods. FraudWatch International Pty Ltd. http://www.fraudwatchinternational.com/
Gregory, P. H. (2009). CISA Certified Information Systems Auditor All-In-One Exam Guide. McGraw Hill.
Kelly, S. (2006). Hacker fears UFO cover-up. BBC News Click Online. http://news.bbc.co.uk/2/hi/programmes/click_online/4977134.stm
Kuchler, H. (2016). Why the password may be passing into history. Financial Times. Retrieved 16 July 2016, from http://www.ft.com/cms/s/0/6650dcc4-2455-11e6-9d4d-c11776a5124d.html#axzz4EXqlTAX7
Luukkonen, S. (2015). Forbes Welcome. Forbes.com. Retrieved 14 July 2016, from http://www.forbes.com/sites/valleyvoices/2015/10/12/are-passwords-becoming-obsolete/#10434f5e360a
Mims, C. (2016). The Password Is Finally Dying. Here's Mine. WSJ. Retrieved 14 July 2016.
Mitchell, B. (2009). A-Z Networking Terms. http://compnetworking.about.com/od/networksecurityprivacy/g/bldef_sniffer.htm
Reiner, R. (2016). Is The Password Dead? The Future of Web And Mobile Authentication. TechCrunch. Retrieved 14 July 2016, from https://techcrunch.com/2016/01/04/is-the-password-dead-the-future-of-web-and-mobile-authentication/
Secmaker.com. (2016). Passwords are history. SecMaker. Retrieved 16 July 2016, from https://www.secmaker.com/passwords-are-history/
Walters, M. & Matulich, E. (2016). Assessing password threats: Implications for formulating
Yadron, D. (2014). Man Behind the First Computer Password: It’s Become a Nightmare. WSJ. Retrieved 16 July 2016, from http://blogs.wsj.com/digits/2014/05/21/the-man-behind-the-first-computer-password-its-become-a-nightmare/