Passwords are ubiquitous and have been for decades, despite repeated predications over the years of their impending death. They have remained popular for a range of reasons, primarily their simplicity and familiarity, backed up by how widespread technological support for them has traditionally been. As a result, the status quo is often not challenged, despite expert consensus that passwords are—well—a bit naff.
So ubiquitous are they that you may have never stopped to really consider what the point of a password is. It’s just a thing you have to do in order to use software, like some sort of religious ritual the original point of which has long since been forgotten. Plainly put, the purpose of a password is to authenticate a user prior to them being allowed to access something, be it a software program, an online account, an area of a building or anything else that you might not want just anyone to be able to do.
The idea of the password is deceptively simple—by giving a secret code to only those people who should have access, and refusing access to anyone who cannot provide the code, access should be limited to those who should have it. As you may have noticed, that’s an awful lot of ‘should’s. In practice, those secret codes are often shared outside of the select group of people or, perhaps more commonly nowadays, are guessed by attackers, either because they are commonly-used (e.g. ‘password’), guessable due to knowledge of the person who set the code (e.g. their date of birth) or simply brute-forced by software that tries millions of variants every second.
So admins countered by making the passwords harder to guess. They told people not to use common words or information about themselves. They requested the presence of letters, numbers, punctuation, emoji, mathematical symbols, etc., until passwords resembled Eldritch incantations. They asked people to create a different string of nonsense for every account that they used. And then they asked them to remember all of them. And to change them every few months.
It should come as no surprise that this has been a disaster. People used the same, weak passwords as before, except now with a ‘1’ on the end—no trouble for the brute forcers and their millions of guesses per second. People repeated their more complex passwords across multiple accounts, creating a Three Musketeers scenario: it’s one (breach) for all, and all (accounts) for one.
As a famous cartoon strip puts it, ‘through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.’ This state of affairs can obviously not continue, but what other options exist for authentication? How can these be used in tandem to even further secure yourself? And, as we unfortunately sometimes have to deal with the real world in security, what can you do when you absolutely have no choice but to use a password?
In the next part of this series, all will be revealed.