Rahul Thadani
Future Watch VI: Passwords are on their way out due to their vulnerability
December 6, 2012

Every individual who is active on the Internet has a secret to protect. This secret is usually just a few characters long and is commonly known as the password. But how effective can a password really be? Passwords are a 20th-century creation that were effective back when there was hardly any personal information on the Internet. Today, the web is a hyper buzz of information and personal details, and the only thing that keeps all this from getting stolen is a flimsy password.

What makes passwords vulnerable?
Unfortunately, very few of us handle our passwords responsibly. Most of us have multiple web-based accounts but choose to use the same password, or a slight variation, for each of these services. The passwords that we use are simple dictionary words or phrases that mean something to us, which makes it extremely easy for a dedicated and resourceful attacker to obtain them. Moreover, many of us are not careful about the people that we share passwords with and the multiple places that we log in from. Services like two-factor authentication and last account activity are also ignored more often than not.

[Image: Worst passwords. Source: Splash Data]

Malicious parties also use social engineering techniques to gather information about their victims. A Google search or a visit to a Facebook profile can reveal several personal details that can be misused, especially to crack the secret questions that are needed for password resets. To further compound this matter, web service providers are careless with regard to the storage of passwords, and this leads to several data breaches. Some services neglect the recommended 'salt and hash' process, and this further increases vulnerability. Today, it is very simple for an attacker to gain information about one service from another and then use this information. Since most services are interlinked and integrated with each other, the attacker can spread to other accounts as well.
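The 'salt and hash' process mentioned above, shown next to the unsalted scheme it replaces. This is an added example, not code from the original post; the account names, passwords and the PBKDF2 iteration count are constructed or assumed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware

def unsalted_digest(password: str) -> str:
    """The weak scheme: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str) -> tuple[bytes, bytes]:
    """Salt and hash: a fresh random salt per account and a slow derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def shared_value_groups(stored: dict) -> int:
    """How many stored values are identical across more than one account."""
    return sum(1 for n in Counter(stored.values()).values() if n > 1)

# Constructed sample accounts: three users chose the same weak password.
ACCOUNTS = {"asha": "password", "ben": "password", "chen": "password",
            "dina": "t7#Lq!x2vR"}

def demo() -> tuple[int, int]:
    """Return (groups of identical records unsalted, groups of identical records salted)."""
    weak = {user: unsalted_digest(pw) for user, pw in ACCOUNTS.items()}
    strong = {user: hash_password(pw) for user, pw in ACCOUNTS.items()}
    return shared_value_groups(weak), shared_value_groups(strong)

if __name__ == "__main__":
    print(demo())
```

In the unsalted table the three reused passwords collapse into one identical record, so a leaked database shows at a glance which accounts share a password; with per-account salts every record is distinct and each one has to be verified separately.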

What then is the use of passwords?
All this makes us wonder why we still use passwords anyway. They were a suitable layer of protection years ago when attackers did not possess the tools to crack them and had very little data to extract even if they did. Today, our entire digital lives are stored online. What is at stake is your email account, your social networks, your bank accounts, your credit/debit card information, your address and locations, your personal images and documents and much more. Are you really sure you want to secure all this with a simple word that is a few characters long?

What is the possible solution?
We need our machines to recognize us with our personal attributes and characteristics just like a person would recognize us after meeting us once in the real world. For instance, ‘Google Now’ is a feature that studies user attributes and presents data based on them. This is the technology that needs to be emulated. Unfortunately, this leads to a reduction in privacy levels so this is a trade-off that we should be prepared to make.

[Image: Google Now]

Systems and services should recognize attributes like location, device, behavior, time of day, etc. and then grant access. As the value of the information rises, the number of attributes required should also increase. For instance, the password to log in to my secure browser should require fewer attributes than the password required to validate financial transactions from my bank account. People worried about privacy can decide the attributes to be shared. Alternatively, they can permit attributes to be cross-checked against a valid authority like a mobile service provider or a nationalized bank or the upcoming UID system in India.
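A sketch of the attribute-based check described above, as an added example that is not part of the original post. The resource names, required counts, behavior threshold and the "step_up" and "external_check" outcomes are assumptions chosen to illustrate the idea.

```python
from dataclasses import dataclass, field

# Assumed policy: how many attributes must match before access is granted.
REQUIRED_MATCHES = {"browser_profile": 1, "email": 2, "bank_transfer": 4}

@dataclass
class Profile:
    """What the service knows about a user (constructed fields)."""
    devices: set
    locations: set
    active_hours: range  # usual login hours, local time
    # Attributes the user has agreed to share with the service.
    shared: set = field(
        default_factory=lambda: {"device", "location", "time", "behavior"})

@dataclass
class Attempt:
    device: str
    location: str
    hour: int
    behavior_score: float  # 0..1, from a hypothetical behavior model

def matched_attributes(profile: Profile, attempt: Attempt) -> set:
    checks = {
        "device": attempt.device in profile.devices,
        "location": attempt.location in profile.locations,
        "time": attempt.hour in profile.active_hours,
        "behavior": attempt.behavior_score >= 0.8,  # assumed threshold
    }
    # Attributes the user has not shared are never counted.
    return {name for name, ok in checks.items() if ok and name in profile.shared}

def decide(profile: Profile, attempt: Attempt, resource: str) -> str:
    required = REQUIRED_MATCHES[resource]
    if len(profile.shared) < required:
        # Too few shared attributes to ever satisfy this resource:
        # fall back to cross-checking with a trusted authority.
        return "external_check"
    if len(matched_attributes(profile, attempt)) >= required:
        return "grant"
    return "step_up"  # assumed outcome: ask for an additional factor

# Constructed sample data.
ALICE = Profile({"laptop-1", "phone-1"}, {"Pune"}, range(7, 23))
PRIVATE = Profile({"laptop-1"}, {"Pune"}, range(7, 23), shared={"device", "time"})
USUAL = Attempt("laptop-1", "Pune", 10, 0.93)
ODD = Attempt("kiosk-9", "Pune", 3, 0.40)
```

The same unusual attempt that is enough for the low-value browser profile falls short for email and bank transfers, and a user who shares only two attributes is routed to the external check for the highest-value resource.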

Password protection systems have been around for years but their end is near. They do not offer the desired security and protection and in my opinion, it is only a matter of time before they are declared invalid and a better system that integrates with the best system protection software is put into place. We would like to hear your feedback about the security that passwords provide and what the possible alternatives can be.

About Rahul Thadani
Rahul is a web enthusiast and blogger, and has been writing about the computer security industry for the last three years. Following the latest technology trends,...

10 Comments

  1. I haven’t got a smart phone yet. I’ve refused to go wifi between modem and computer and I don’t even bother to access the net with my mobile.
    BUT you are right about large chunks of my life now being online. Passwords may be on their way out and in the meantime this article is a salient reminder to us all to update those flakey passwords we’ve had for years.

    At least include some extra characters like !@#$%^&* somewhere in your password to make it slightly harder for the bad guys 🙂

  2. Akash Barot, December 6, 2012 at 8:43 PM

    Hello sir,
    I have been a regular user of Quick Heal antivirus for the last two years. I appreciate Quick Heal because it keeps users up to date with the latest information regarding security. This blog is really informative. I have heard that the Department of Defence of the USA is developing technology to log in with only an email ID, so there will not be passwords anymore.

  3. Krishnakumar, December 7, 2012 at 8:58 AM

    Somewhat frightening, but will have to give a thought on PWs. Thanks for info.

  4. Tarun Agrawal, December 7, 2012 at 10:05 AM

    How did anyone detect these passwords being used mostly in 2012? Do Gmail, Yahoo and others share these passwords?

    • Hi Tarun,
      This list is compiled based on all the stolen and hacked passwords from 2012. The hackers reveal this data so that they can update their databases with known passwords.
      Regards.

  5. Yep! Passwords need the touch of the future! Multi-way authenticating is a must.
    Also, if a user can set his own secondary question with the password, it can be lovely.

  6. ASHOK R PUNJABI, December 7, 2012 at 2:20 PM

    Fingerprint should be the ultimate password.

  7. Onil Sonawani, December 7, 2012 at 3:04 PM

    Hi,
    Complex passwords [which include special chars and long bits] are hard to crack but difficult to memorize, since we have so many accounts [email / online banking / online shopping accounts etc.].
    There are password generation tools [demo / paid] available online which create very complex passwords. You just have to memorize the master password of this tool to access all passwords.

  8. Thanks Rahul for putting light on the need and necessity of complex passwords in today's technified world.
