Why Passwords and Their Rules are Outdated and Inaccurate

People don’t think twice about typing in their password, except to grumble about them. You’ve got dozens to remember, each website has different rules about length and characters, and it’s easy to mistype them. Plus, thanks to keylogging and other hacker tricks, passwords might not be that useful anyway.

How did we get here, and what are the alternatives?

Password History

Passwords have been used since at least the time of the Romans, though likely earlier than that. The first computer password is credited to engineers at MIT in the 1960s, who shared multiple terminals and needed to log in to access their private files. Password security wasn’t that great then, either. One user found and printed the passwords, sharing them with others.

In 1979, the National Bureau of Standards (now the National Institute of Standards and Technology or NIST), created the Data Encryption Standard. That was the in place until 1997, when the Advanced Encryption Standard (AES) emerged. The AES is still used today.

Encryption works by relying on an algorithm to turn your plaintext password into random characters (ciphertext). To read it, you need a particular key to decipher the code. There are two types of encryption, public and private, but both accomplish the same thing.

Passwords Aren’t Working

Many things have changed online since 1997, making our password system obsolete.

• More Data - First, we’re keeping far more data online than ever. When you first went on the “World Wide Web,” you had an email account and maybe started chatting. Now, you log into everything from your bank and credit card sites to news organizations, cookbooks, streaming media services, games, and more.
• Ineffective Security - Second, the way passwords are stored is not valid. Some websites still store them as plaintext, meaning a hacker can quickly get in and find them. Once he or she does, s/he has access to all the data behind those passwords. Encrypted passwords aren’t much more secure, thanks to keylogging and brute force programs that can hack passwords by going through each possible character. A program like that can determine a seven-character lowercase password in 0.29 milliseconds. Meanwhile, a 10-character password can take up to 54 years to crack. Tossing in a symbol makes it even harder.
• Poor Management - Part of the problem, too, lies in us humans, who choose to use the same password for every website or use weak passwords. Software can go through and guess passwords based on common phrases, dictionary words, and other password lists.

Password Rules are Obsolete

On top of those problems, the rules governing passwords are obsolete. Even if you follow the rules for creating a “strong” password, it might still be hackable. For example, you could take your name and sub out characters, like this: J0hnSm1th. But most people know that the letter “o” is a zero, and an exclamation point or number one is substituted for the letter “I.” As hacking programs improve, they will figure that out, too. Instead, all we’ve done is made the password database happy by following its rules.

In fact, the guy who suggested this format for passwords apologized in 2017.

NIST recommends passcode phrases because they are long and easier to remember than a random mix of numbers, symbols, and letters. They also suggest we restrict users from creating passwords that meet the following:

• Passwords found in previous breaches.
• Dictionary words.
• Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
• Context-specific words, such as the name of the app or website, your username, and derivatives

The Future of Passwords

People seem to realize passwords aren’t sufficient. According to the Digital Consumer Survey by Accenture, 60 percent of people in 24 countries say they find passwords cumbersome. About 46 percent feel confident that their personal data is secure.

Many websites now use two-factor authentication. That means users type in a username and password but also something else. That may be a piece of information only they know, or a code sent to the user’s cell phone, though hackers are already finding ways to discover that SMS by intercepting calls and text messages.

Fingerprints are now becoming a more common secondary login tool, as are PINs. Iris scans are another option, though less common because additional equipment is needed. Some programs can determine if it’s the correct user by the way the person types, walks, or holds the phone, and, of course, Apple is using face recognition to lock its new phones.

But the password part of the two-part process may disappear altogether. Microsoft released a new app called Microsoft Authenticator, takes away the password part and relies on you having your cell phone to log in. The security risk is that someone can hack into a user’s account as long as they possess that person’s smartphone.

However, it may be more secure than a weak password overall.

Plenty has been written predicting the death of the password, but we are still using them. Cost, as usual, is holding companies back from making these changes. But as more data breaches hit the news, the password may finally D1$$apear.

Talk to us about making your site more secure.

This article was originally published on the Imaginovation blog.