August 5, 2014 10:58 am

Is the password really dead? (Hint: Not even close)

Nico De Pasquale Photography/Flickr

TORONTO – A few weeks ago Wall Street Journal reporter Christopher Mims did something most other Internet users would never think to do – he published his Twitter password in an article for all to see.

The bold move was meant to help drive home the point of his article – the password was finally on its way to the grave.

Story continues below

In the article titled “The password is finally dying. Here’s mine,” Mims cited device-based authentication as one of the main reasons the password was going the way of the dinosaur. He said security features like two-factor authentication – where a text message containing a secondary login code is sent to the user’s mobile phone every time they log in – were making the password unimportant.

“Passwords are a uniquely terrible kind of single-factor authentication, in which the one factor identifying you as you is the password itself,” he wrote.

Mims said that thanks to two-factor authentication, the password had become obsolete. But experts have warned that we shouldn’t be so quick to dismiss the password altogether.

“Two-step authentication is not foolproof,” said Chris Parsons, post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs and cyber security expert.

“It’s a layered approach – the more layers you have, you can achieve better security, but nothing is ever foolproof.  You can always get around anything if you are dealing with a sufficiently motivated attacker.”

Parsons was quick to dismiss claims that the password is nearing extinction, for the simple reason that security features work best when they are played off of each other.

The cyber security expert added we shouldn’t be quick to trust new technologies that promise to put an end to those pesky passwords.

“Passwords are very old and understood technology – they’re not great, they really aren’t. But, there is an awful lot of snake oil on the market saying we can replace the password, or all you need is biometrics, or this new hyped technology,” he cautioned.

“The new systems that are proposed, when they are subjected to critical technical analysis, they are often flawed.”

Another problem is most web users are notoriously bad when it comes to creating and maintain their passwords – the very thing that makes them secure.

“The number one issue with passwords is that everyone uses the same password,” said Parsons.

READ MORE: How to create a more secure password

The cyber security expert said that web users must first understand the importance of having secure and unique passwords before graduating to more advanced security features.

For his own purposes, Parsons uses a password manager to create super strong passwords.

All of his passwords are auto-created by the manager and login information for each app or website is saved in the manager. Once he gets to a login page, he opens the manager and it auto-fills the information for him.

“I don’t know the passwords to most of my accounts,” Parsons said. “That means I have a unique, secure password for every single place I need a password. If one of my passwords gets cracked or stolen, it’s just that one site that’s in trouble as opposed to my entire life.”

Apple recently introduced a similar product for iCloud users called iCloud Keychain, which can suggest complicated alpha-numeric passwords for the user and save them in the keychain. iCloud Keychain can also remember credit card and Wi-Fi information.

As with anything, Parsons said users should do their research before picking a password manager to make sure that it’s a reputable choice. Some of the most popular password managers on the market include Lastpass (Mac, Windows, iOS, Android) and 1Password (Mac, Windows, iOS, Android).

As for Mims, his experiment resulted in many attempts to hack his account. According to a follow-up article, he received hundreds of requests to log into his account within the first 24 hours of the article being published – however, his account remained secure.

Tips for creating secure passwords

Stay away from easy-to-guess passwords like “1,2,3,4″ or “Password” and easy to guess identifiers like your dog’s name.

Passwords that use up to ten upper- and lower-case letters mixed with numbers are proven to be more secure – despite being hard to remember.

One tip is to construct a password from a sentence, mix in a few upper case letters and a number – for example, “There is no place like home,” would become “tiNOplh62.”

Numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Similarly, the longer the password the better.

And remember, try not to use the same password for any two accounts.

© Shaw Media, 2014

Comments