Should we abandon the password?
As the catalogue of hacked websites and databanks grows, we are warned over and over again to abandon passwords. But can we? Should we?
Life was so simple once. We worked for a company, we signed on in the morning with a password which gave us access to the company server and we went and did our job. The password itself was usually given to us by the IT manager or one of his minions (they always seemed to be "him" in those days). Nobody, pretty much, ever changed them or worried about anyone else accessing their own stuff. After all, the email was for office stuff, wasn't it?
And then came email. Great, now we could communicate directly with customers and our colleagues (no need for that telephone conversation where we might really reveal what we were thinking). Plus, it left a great record, so there was an audit trail if anything went wrong. Then, joy oh joy, along came spam. There seemed to be two types of spam in the good old days: the ones encouraging you to grow various parts of your body, or selling you endless sexual prowess, and then there were the malicious ones. Not much more sophisticated than the first variety, these were the ones where hackers started to see if they could get money from you. I still hold out hope that the Nigerian Prince will come good one day and hope his sister is recovered now, but it has been a long, long time since he got in touch.
But still, with good spam filters, the level of spam emails and these early phishing attempts could be kept under control.
The throwaway email
And then came Yahoo, Hotmail and Gmail and the fun really began. For one thing, the sheer volume of emails climbed exponentially. For another, all these accounts had an air of the throwaway about them. They were, if you like, the McDonald's of online mail. If something went wrong, just discard it and get another. And, anyway, nobody really cared if you left the wrapping paper to blow around the street.
Of course, there was another element to this that we have not even begun to touch on. Data! Bucketloads of data! Now the search engines found us interesting. As online shops began to appear, and websites to satisfy every possible taste under the sun, so they naturally wanted us to visit them. Hey, just place an order and we have your email address and contact details. Let's make it easy for you: we take your card details, hang on to them, and you can order that upgrade to your phone with a simple single click. Each time you searched, Google got its next bit of data. The temptation to provide that data to others got larger and larger, while the data itself got more and more valuable.
Let's get social
Now for stage three, the cruncher. Let's get social. Though there was social activity before Facebook, there was never any social activity like Facebook till it came along. It showed the world how willing everyone was to share everything about their lives and to heck with the consequences. After all, everything you commented on and looked at could be fed back to you with an advert. Now I am not condemning Google, Microsoft, Facebook and all the rest of them for wanting to do this; they want to make money. It's the lemming-like rush to sign up that is the problem. Each sign-up requires you to identify yourself, and what better than a password? Now OK, the pet dog's name and your wife's date of birth had been OK before, so why change it? Fido1812 it is!
The password is dead
Stage four and we go mobile. Now we can have apps and order online whenever we want, because we do want that new iPad first thing tomorrow, don't we? We can walk down the street and let a restaurant tell us it is there, or a shop we signed up with can make us an instant offer as we walk past its doors. "Just come in and try these new shoes on offer just for you!", it seems to croon.
All of a sudden, the security experts start shouting at us. Stop using the same password. Change it often. OK, no problem in principle, but who can remember 10, 20, 30 passwords any more? Nothing has happened to me so far, so Fido123 my password remains. I am going to say in passing that the banks, basking in the savings made from closing branches and making us do all the work of managing our money online, were amongst the worst at instituting good practice, which is why so many of us have got into trouble with online fraud recently.
Password alternatives
So now we get to the present time, when never a day goes by without us being warned about the risks to our money. Stories in the press of old pensioners being defrauded out of thousands of pounds and dollars are rife. Every email has to be checked carefully for attachments (Microsoft, when are you going to do something about making Word and Excel documents safe again?). But no problem, technology will save us. Let's list some of the proposed alternatives here:
- Multifactor authentication - this is not so much a break from the password as a way of ensuring there is a double check: a randomiser based on hardware or software that has a limited lifetime, or that requires you to be in the right place.
- Various biometrics, such as:
  - Iris scans
  - Fingerprint scans
  - Facial recognition
  - Voice recognition
- Temporary passwords - this is the sending of random codes which have a limited lifetime.
- Heart rate - apparently each of us has a unique heart signature. This requires us to wear a device to measure this signal.
- A combination of these various elements.
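To make the "limited lifetime" in the multifactor and temporary-password items above concrete, here is an added example (not code from the article) of how a server side would issue and check such a code: it stores only a hash of the code, rejects it after a fixed window, allows a single use, and locks the code after a few wrong guesses. The five-minute window and three-attempt limit are assumed policy values, not taken from the article.

```python
import hashlib
import hmac
import secrets

CODE_LIFETIME_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3              # assumed policy: lock the code after three wrong guesses

# In-memory store for the demo: user -> {digest, expires_at, attempts}.
# A real deployment would keep this in a database with the same fields.
_issued = {}


def _digest(code: str) -> bytes:
    # Store a hash rather than the code itself, so a leaked store is not a leaked code.
    return hashlib.sha256(code.encode()).digest()


def issue_code(user: str, now: float) -> str:
    """Generate a six-digit code for `user` and record its hash plus expiry time.

    `now` is passed in (seconds since the epoch) so the expiry logic can be tested
    without depending on the wall clock. Returns the code to send to the user.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    _issued[user] = {
        "digest": _digest(code),
        "expires_at": now + CODE_LIFETIME_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(user: str, candidate: str, now: float) -> bool:
    """Accept `candidate` only before expiry, only once, and only within the attempt budget."""
    rec = _issued.get(user)
    if rec is None:
        return False                      # nothing outstanding (never issued, used, or expired)
    if now > rec["expires_at"]:
        del _issued[user]                 # limited lifetime: stale codes are discarded
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del _issued[user]                 # too many guesses: the code is burned
        return False
    ok = hmac.compare_digest(rec["digest"], _digest(candidate))
    if ok:
        del _issued[user]                 # single use: a replayed code must fail
    return ok
```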
Is this really the end?
So, which of these is it going to be? The probable answer is the one that is easiest, the one that we trust, and the one that works. The latest news that Tesco Bank has had 9,000 customers hacked does not give too much room for hope that complex security is going to work any better than the password does. There are plenty who sing the praises of "technical" solutions, but what the hack reveals is this: if you simply use a six-digit PIN on a phone (and/or a fingerprint) to access an SMS message, how is that really more secure than the password that was entirely in your own brain to begin with and which only you know?
Half of humankind wants nothing to do with complex security. They want easy solutions provided on a plate and will simply carry on ordering blissfully from Hungry House without a care in the world for who or what is harvesting their data, while the other half neurotically try to balance their wish to be in control of their own security with the worry that organised hacking gangs are out to get them. Every new security system has hurdles to overcome which some accept and others will have nothing to do with. It looks as if the password, for all its limitations, is going to be around for a long time.