Have you ever sat in front of your computer, stumped while trying to come up with a unique password that’s the perfect combination of numbers, letters and symbols? If so, you aren’t alone. According to the recently released list of the most common passwords, more than 10 percent of users use some of the most common passwords (“12345” and “password”) to protect their personal information.
Truthfully, it’s not entirely their fault. While many online service providers, like banks and credit card issuers, require users to create strong passwords, one recent study found that almost 80 percent of cloud service providers allow users to use “weak” passwords, meaning those that are all lowercase letters, which are proven to be the most vulnerable to hacking. Given that at least 30 percent of all users use their passwords in multiple places, including sites where they store personally identifiable information, there is a great deal at stake when you use a weak password.
The fact that so many people are using weak passwords, reusing passwords, and engaging in otherwise risky behaviors when it comes to securing their valuable information has led many security experts to look for other ways to keep information secure. Password managers, like the one from Trend Micro, which allows you to store all of your logins securely and needs only one password to access everything, are growing in popularity due to their ability to create and store unique, strong passwords. Two-factor authentication, which requires users to enter something they know (like a password) with something they have (like their mobile device, via a one-time-use code delivered by text), is also seeing increasing levels of use.
Still, adoption of either method isn’t skyrocketing — by some estimates, only about 6.6 percent of Google users downloaded the company’s two-factor authentication software, which has led the tech giant — as well as Apple — to begin looking for other ways to secure user accounts.
Their solution? Get rid of passwords altogether.
Phones as Passwords?
Most of us are already familiar with using access methods other than passwords to access important information. After all, anyone with an iPhone can set up biometric authentication allowing them to use a fingerprint to access the phone itself as well as important apps, such as banking apps. Many of us have taken this even further, using our phones as a tool for withdrawing money from ATMs or paying for purchases using a feature like Apple Pay or Samsung Pay.
Both Apple Inc. (NASDAQ:AAPL) and Alphabet Inc. (NASDAQ:GOOGL), Google’s parent company, are looking at ways to take mobile devices to the next level when it comes to security. Currently, security programs that combine the best elements of two-factor authentication and biometrics, along with the communication technology that allows payment apps to work, are in beta testing. Apple, in particular, has high hopes for this technology, given that 90 percent of Apple users are already using Touch ID or a passcode to secure their devices.
In short, the programs in development allow for a user’s mobile device to serve as the physical “key” to unlock access to their computer, and applications on that computer. One of the reasons that two-factor authentication hasn’t seen the widespread acceptance that many predicted it would after the Heartbleed bug in 2014 is that many people see carrying a physical token or key as cumbersome and inconvenient.
Developers sought to overcome this problem by sending text messages with one-time-use codes to users, but there are several problems with this approach. For starters, many users don’t want to be slowed down waiting for the code to arrive. And perhaps more importantly, this method doesn’t help if the user’s phone has been stolen or compromised. Because most people store their login details on their devices, all a thief needs is the code sent to that device to wreak havoc.
The password-free technology in development addresses several of these issues. Google’s technology would allow users to log into their computers using near field communication that sends an alert to the mobile device. This approach is also being expanded to Android developers, who are working on ways that users can log into sensitive applications using unique features, such as their speech, typing patterns, or even the way they walk.
Most experts agree that the username and password method of securing access to sensitive data is antiquated at best, and useless at worst. Given that two out of three cyber attacks are either designed to steal credentials or take place because credentials are stolen, new ways of protecting data without passwords are desperately needed.