Password-geddon Is Near

We rely too much on passwords, and the outcome is inevitable. Three billion people are on the internet, whilst six billion people have access to a mobile phone. Whether we talk about passwords, PIN numbers, memorable phrases or security codes, the way we live and do business is increasingly dependent on two parties on either side of a network connection both knowing the same secret string of characters. The problem with secrets is keeping them. Many people talk too much, have poor memories, or are lazy or careless. Others are crooks, snoops, or cheats. Do we really expect to build trillion dollar business models by relying on so many people to keep so many secrets?

The reliance on the exchange of passwords might seem reasonable if not every business depended on the same approach. Most of us can be trusted with a few secrets. The system breaks down when every business wants us to have a unique password for them. Customers are being asked to remember too many secrets. I have hundreds of accounts with all sorts of online providers, and there is no shortage of new businesses asking me to sign up with them. However, not many of us can remember more than a dozen separate passwords. On top of this, there are all the passwords and passcodes that allow one device to connect to another device, because we also demand machines communicate with each other without our needing to get involved. Does it make sense to tell customers they should change the default passwords on all their devices, whilst we hope to sell more and more networked devices to them? Can we not see where this piling up of accounts and passwords will lead us? It results in the following:

When credit checking business Equifax recently revealed that records relating to 143 million Americans had been breached, there was no indication that passwords had been compromised. However, comedian Jimmy Kimmel used the incident as an excuse to test how lax people are. His crew took to the streets, asking members of the public to reveal their passwords. Do you think they did? Check out some of the responses:

Some firms choose to fight human nature. Food delivery business Deliveroo is going to protect customers by telling them every occasion they discover a Deliveroo password matches passwords for other services that have been compromised. Speaking to The Inquirer, Deliveroo security engineer Alec Muffett explained the reasons why:

Sometimes customers reuse their passwords at other sites, and sometimes those sites do not store their passwords under a robust password hashing algorithm. Worse, sometimes those sites get “popped” — bad people hack into them and exfiltrate password data, often sharing their findings with the world through pastebin sites and bulletin-boards.

These actions put at risk any site where the owner has reused the same login name and password… From today, we will be informing our customers when we determine that the password which they use for Deliveroo is publicly known in some way. We will contact the impacted customers to request that they change their password, and advise that they also change that password at other sites where it is also used.

As noble as this is, I fear Deliveroo is fighting a losing battle. They are spending time and money on subsidizing the lousy security of others. Deliveroo’s good intentions can be outweighed by the corner-cutting of everyone else. This explains why more experts are urging that we abandon passwords and switch to alternative security methods (examples of these arguments can be found here and here).
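As an added illustration of the kind of check Deliveroo describes (example code written for this page, not Deliveroo's own implementation): at login time, when the plaintext is briefly in hand, the site hashes it and compares it against a corpus of leaked passwords using only a short hash prefix, so the full hash never leaves the site. The leaked passwords and counts below are constructed; the prefix/suffix range format is modeled on the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords service, and `lookup_range` stands in for that remote query.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample of "publicly known" passwords with how often each was seen
# in dumps. In practice this corpus comes from breach data, not from the site.
SAMPLE_LEAKED = {"password1": 2_400_000, "letmein": 250_000, "Summer2017!": 3}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range-query scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_corpus(leaked: Dict[str, int]) -> Dict[str, List[str]]:
    """Index leaked hashes by their first 5 hex chars, one 'SUFFIX:COUNT' line each."""
    corpus: Dict[str, List[str]] = {}
    for pw, count in leaked.items():
        digest = sha1_upper(pw)
        corpus.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return corpus


RANGE_CORPUS = build_range_corpus(SAMPLE_LEAKED)


def lookup_range(prefix: str) -> List[str]:
    """Stand-in for the remote range query: every suffix sharing this prefix.
    Only these 5 characters would ever be sent off-site."""
    return RANGE_CORPUS.get(prefix, [])


def breach_count(password: str) -> int:
    """How many times the password appears in the leaked corpus (0 if never).
    The remaining 35 characters are matched locally, so the query alone does
    not reveal which password the customer used."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix):
        cand_suffix, count = line.split(":")
        if hmac.compare_digest(cand_suffix, suffix):
            return int(count)
    return 0


def login_decision(password: str, threshold: int = 1) -> str:
    """Policy hook run after a successful login: either accept silently or
    accept and queue the 'change this password here and elsewhere' notice."""
    return "notify-user" if breach_count(password) >= threshold else "ok"
```

The check runs only after the credential has been verified, so it never weakens the login itself; it just turns a known-leaked password into a customer notification.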

Alternative forms of verification include the use of biometrics and push-based mobile authentication. Both have downsides. Push-based mobile authentication also increases the burden on telcos, leading them to come under increasing attack from criminals who try to take over customer accounts. I expect social media logins will be key to reducing reliance on too many passwords, with people accessing other services through the accounts they have on social media sites like Facebook, Google+ and Twitter. These social media firms play the role of logon aggregators, providing portals to multiple services. Instead of needing lots of different passwords, we will trust the big social media players to manage our identities for us. This will greatly reduce the number of passwords we need to remember. As a consequence, it is possible our societies will experience a ‘passwordgeddon’ where the public loses faith in password security and so the number of passwords in circulation falls to a tiny fraction of those currently being used and created, driven by the switch to social media logons. However, this also raises the question of why we trust social media companies to know so much about us.

Perhaps we will eventually come to a time where the government regulates the way we identify ourselves and verify access, perhaps by overseeing the behavior of the big social media giants, or perhaps by offering their own one-stop-shop logon service. But if we end up relying on governments to protect us from spying and crime, then passwordgeddon may only be a stepping stone to an even worse disaster…

Eric Priezkalns

Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar’s National Committee for Internet Safety and the first leader of the TM Forum’s Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric. Look here for more about Eric’s history as editor.

  • akrittok

    First it was “something you know”, then “something you have”, and indeed I can see “something you are” not too far ahead.
    Already biometrics are deployed in several industries, especially banking.
    But this will be as personal as it gets, and personally I would hate to see it imposed.

    Regarding passwords – what’s wrong with using a password manager with 2-factor authentication? I’m pretty happy with LastPass.