Every individual who is active on the Internet has a secret to protect. This secret is usually only a few characters long and is commonly known as the password. But how effective can a password really be? Passwords are a 20th century creation that were effective when there was hardly any personal information on the Internet. Today, the web is a dense mass of information and personal details, and the only thing that keeps all of it from being stolen is a flimsy password.
What makes passwords vulnerable?
Unfortunately, very few of us handle our passwords responsibly. Most of us have multiple web-based accounts but choose to use the same password, or a slight variation of it, for each of these services. The passwords we use are simple dictionary words or phrases that mean something to us, which makes it extremely easy for a dedicated and resourceful attacker to obtain them. Moreover, many of us are not careful about the people we share passwords with or the number of places we log in from. Features like two-factor authentication and last-account-activity notices are also ignored more often than not.
Malicious parties also use social engineering techniques to gather information about their victims. A Google search or a visit to a Facebook profile can reveal several personal details that can be misused, especially to answer the secret questions that are needed for password resets. To further compound the matter, web service providers are careless about the storage of passwords, and this leads to frequent data breaches. Some services neglect the recommended 'salt and hash' process, which increases the vulnerability further. Today, it is very simple for an attacker to obtain information about one service from another and then reuse it. Since most services are interlinked and integrated with each other, the attacker can spread to other accounts as well.
What then is the use of passwords?
All this makes us wonder why we still use passwords anyway. They were a suitable layer of protection years ago when attackers did not possess the tools to crack them and had very little data to extract even if they did. Today, our entire digital lives are stored online. What is at stake is your email account, your social networks, your bank accounts, your credit/debit card information, your address and locations, your personal images and documents and much more. Are you really sure you want to secure all this with a simple word that is a few characters long?
What is the possible solution?
We need our machines to recognize us by our personal attributes and characteristics, just as a person would recognize us after meeting us once in the real world. For instance, 'Google Now' is a feature that studies user attributes and presents data based on them. This is the technology that needs to be emulated. Unfortunately, it also reduces privacy, so this is a trade-off that we should be prepared to make.
Systems and services should recognize attributes like location, device, behavior, time of day, etc. and then grant access. As the value of the information rises, the number of attributes required should also increase. For instance, logging in to my secure browser should require fewer attributes than validating financial transactions from my bank account. People worried about privacy can decide which attributes to share. Alternatively, they can permit attributes to be cross-checked against a valid authority like a mobile service provider, a nationalized bank or the upcoming UID system in India.
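The tiered scheme above, as an added illustration that is not part of the original post: a small policy evaluator in which a password alone is never sufficient, the number of verified attributes required grows with the sensitivity of the resource, and a shared attribute that contradicts the user's enrolled baseline is treated as a warning signal rather than ignored. The tier names, attribute names and enrolled values are constructed assumptions; in a real deployment the attributes would come from something the server can verify (a bound device, a carrier or bank cross-check), not from self-reported client data.

```python
from dataclasses import dataclass, field

# Constructed sensitivity tiers: minimum number of verified attributes
# (on top of a correct password) before access is granted.
TIER_MIN_ATTRIBUTES = {"browser_login": 1, "email": 2, "bank_transaction": 3}


@dataclass
class UserProfile:
    # attribute name -> enrolled baseline (constructed sample values);
    # "hour_of_day" is a (low, high) range of usual activity hours
    enrolled: dict


@dataclass
class AuthContext:
    password_ok: bool
    # attribute name -> value the user chose to share for this login
    attributes: dict = field(default_factory=dict)


def classify_attributes(profile, ctx):
    """Split shared attributes into those matching the baseline and those
    contradicting it. Attributes the user did not share count for neither."""
    matched, contradicted = set(), set()
    for name, expected in profile.enrolled.items():
        if name not in ctx.attributes:
            continue
        value = ctx.attributes[name]
        ok = (expected[0] <= value <= expected[1]) if name == "hour_of_day" else value == expected
        (matched if ok else contradicted).add(name)
    return matched, contradicted


def decide(profile, ctx, resource):
    """Return 'allow', 'step_up' (ask for another factor) or 'deny'."""
    if not ctx.password_ok:
        return "deny"  # the password is still the first gate
    needed = TIER_MIN_ATTRIBUTES[resource]
    matched, contradicted = classify_attributes(profile, ctx)
    if len(matched) >= needed and not contradicted:
        return "allow"
    if contradicted and needed > 1:
        # A wrong device or unusual hour on a sensitive resource is refused
        # outright instead of being averaged away by the matching signals.
        return "deny"
    # Too few signals to be sure (e.g. a travelling user on a new network):
    # escalate to a second factor rather than locking the user out.
    return "step_up"
```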
Password protection systems have been around for years but their end is near. They do not offer the desired security and protection and in my opinion, it is only a matter of time before they are declared invalid and a better system that integrates with the best system protection software is put into place. We would like to hear your feedback about the security that passwords provide and what the possible alternatives can be.