We rely too much on passwords, and the outcome is inevitable. 3 billion people are on the internet, whilst 6 billion people have access to a mobile phone. Whether we talk about passwords, PINs, memorable phrases or security codes, the way we live and do business is increasingly dependent on two parties on either side of a network connection both knowing the same secret string of characters. The problem with secrets is keeping them. Many people talk too much, have poor memories, or are lazy or careless. Others are crooks, snoops, or cheats. Do we really expect to build trillion-dollar business models by relying on so many people to keep so many secrets?
The reliance on the exchange of passwords might seem reasonable if not every business depended on the same approach. Most of us can be trusted with a few secrets. The system breaks down when every business wants us to have a unique password for them. Customers are being asked to remember too many secrets. I have hundreds of accounts with all sorts of online providers, and there is no shortage of new businesses asking me to sign up with them. However, not many of us can remember more than a dozen separate passwords. On top of this, there are all the passwords and passcodes that allow one device to connect to another device, because we also demand machines communicate with each other without our needing to get involved. Does it make sense to tell customers they should change the default passwords on all their devices, whilst we hope to sell more and more networked devices to them? Can we not see where this piling up of accounts and passwords will lead us? It results in the following:
- Lists of passwords for hundreds of routers and IoT devices being openly shared on the internet;
- Cryptography activists demonstrating they can reverse the hashes of millions of passwords; and
- An endless stream of data breaches that reveal customer passwords, leading to urgent warnings to change passwords before they are abused.
When credit checking business Equifax recently revealed that records relating to 143 million Americans had been breached, there was no indication that passwords had been compromised. However, comedian Jimmy Kimmel used the incident as an excuse to test how lax people are. His crew took to the streets, asking members of the public to reveal their passwords. Do you think they did? Check out some of the responses:
Some firms choose to fight human nature. Food delivery business Deliveroo is going to protect customers by telling them on every occasion it discovers that a Deliveroo password matches a password for another service that has been compromised. Speaking to The Inquirer, Deliveroo security engineer Alec Muffett explained the reasons why:
Sometimes customers reuse their passwords at other sites, and sometimes those sites do not store their passwords under a robust password hashing algorithm. Worse, sometimes those sites get “popped” — bad people hack into them and exfiltrate password data, often sharing their findings with the world through pastebin sites and bulletin-boards.
These actions put at risk any site where the owner has reused the same login name and password… From today, we will be informing our customers when we determine that the password which they use for Deliveroo is publicly known in some way. We will contact the impacted customers to request that they change their password, and advise that they also change that password at other sites where it is also used.
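The check Muffett describes has to happen at the moment the plaintext is presented, because a site that stores only salted, slow hashes cannot scan its own database for leaked passwords. The example below is added here to illustrate that flow; it is not Deliveroo's code, and the "breach corpus" is a constructed list of four common passwords, looked up by SHA-1 prefix so the querying site never hands the full digest to whoever holds the corpus.

```python
import hashlib

# Constructed sample breach corpus for this example: SHA-1 digests of
# passwords seen in public dumps. These four values are made up for the
# demonstration, not taken from any real leak.
_LEAKED_PLAINTEXTS = ["password", "123456", "letmein", "qwerty"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
               for p in _LEAKED_PLAINTEXTS}

PREFIX_LEN = 5  # hex characters of the digest shared with the corpus holder


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def suffixes_for_prefix(prefix):
    """Corpus side of a prefix (k-anonymity style) range query: return only
    the tails of every leaked digest that starts with `prefix`. The site
    asking the question never reveals the full digest, let alone the
    password, to whoever holds the breach corpus."""
    return {h[PREFIX_LEN:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_publicly_known(password):
    """Site side: hash locally, send only the prefix, match the tail locally."""
    digest = sha1_hex(password)
    return digest[PREFIX_LEN:] in suffixes_for_prefix(digest[:PREFIX_LEN])


def check_at_login(login, submitted_password, notify_queue):
    """Run at login or password change, the only time the plaintext exists
    on the server. Appends the login name to `notify_queue` (a list the
    caller owns) when the password is publicly known, so the customer can
    be asked to change it here and anywhere else it was reused. Returns
    True when a notification was queued. The password itself is never
    stored or logged."""
    if is_publicly_known(submitted_password):
        notify_queue.append(login)
        return True
    return False
```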
As noble as this is, I fear Deliveroo is fighting a losing battle. They are spending time and money on subsidizing the lousy security of others. Deliveroo’s good intentions can be outweighed by the corner-cutting of everyone else. This explains why more experts are urging that we abandon passwords and switch to alternative security methods (examples of these arguments can be found here and here).
Alternative forms of verification include the use of biometrics and push-based mobile authentication. Both have downsides. Push-based mobile authentication also increases the burden on telcos, leading them to come under increasing attack from criminals who try to take over customer accounts. I expect social media logins will be key to reducing reliance on too many passwords, with people accessing other services through the accounts they have on social media sites like Facebook, Google+ and Twitter. These social media firms play the role of logon aggregators, providing portals to multiple services. Instead of needing lots of different passwords, we will trust the big social media players to manage our identities for us. This will greatly reduce the number of passwords we need to remember. As a consequence, it is possible our societies will experience a ‘passwordgeddon’: the public loses faith in password security, and the switch to social media logons drives the number of passwords in circulation down to a tiny fraction of those currently being used and created. However, this also raises the question of why we trust social media companies to know so much about us.
Perhaps we will eventually come to a time where the government regulates the way we identify ourselves and verify access, perhaps by overseeing the behavior of the big social media giants, or perhaps by offering their own one-stop-shop logon service. But if we end up relying on governments to protect us from spying and crime, then passwordgeddon may only be a stepping stone to an even worse disaster…