We’ve been using passwords for more than 50 years, with the first computer password developed in 1961 at the Massachusetts Institute of Technology (MIT). We use them to lock our computers and other devices, secure our email accounts, protect our social media channels, and encrypt our data. We use passwords for everything we don’t want other people to have access to.
But while technology has reached soaring heights, password technology has remained the same. In fact, Steve Winterfeld, Director of Cybersecurity at Nordstrom, said that we reached the end of needing passwords more than a decade ago, but we’re still using them.
Passwords have been our primary layer of defense against security attacks, but major data breaches and online privacy attacks have proven that passwords are more susceptible than ever to abuse. Hackers are also getting more creative, and their tools are getting more aggressive at cracking the passwords that are meant to protect our data and identity.
Major Security Fails
Over the years, history has repeatedly proven how vulnerable our passwords are. Businesses are one of the hottest targets of online attacks. In January 2009, Heartland, an independent payment processor, paid $110 million to American Express, MasterCard, and Visa for what is considered the biggest credit card scam to date. Popular merchant eBay was attacked in early 2014 using login credentials gathered from a couple of employees. The hackers were able to access eBay’s database of all user records and 145,000,000 login credentials. Home Depot and JP Morgan Chase suffered the same attacks that same year.
Gaming companies are also favorite targets of online attacks. In April 2011, a Sony PSN breach saw the loss of 76,000,000 user accounts to hacking collective Lulzsec. The breach cost Sony a whopping $170 million. In 2016, 7 million players using Minecraft’s Lifeboat servers had their email addresses and passwords leaked. Earlier this year, Armor Games was among a list of 16 affected companies from which 617 million online accounts were stolen and put up for sale on the dark web.
Social media is another popular target of hackers. In 2016, more than 412 million accounts from the largest adult dating and entertainment company, Friend Finder Network, were compromised. Account data, including usernames, passwords, and emails, were hacked from the world’s largest sex and swinger community. We’re all familiar with the controversial Cambridge Analytica scandal that affected up to 87 million Facebook users.
But social media attacks were a common occurrence even before that. In 2013, hackers abused an exploit in Snapchat that allowed them to access 4.7 million user details. In 2016, LinkedIn reported a theft of 117 million passwords and MySpace one of 164 million passwords. The attacks were made by the same hacker, who tried to sell the stolen data on the dark web. Last year, a harmless glitch on Twitter caused 330 million passwords to be stored in readable text, making them visible on the internal computer system.
The biggest security leak of all time involves Yahoo. The popular email provider suffered an attack in 2013, affecting at least three billion accounts. The next year, another security breach occurred, this time affecting 500 million users whose data was stolen. Names, email addresses, phone numbers, encrypted passwords, backup email addresses, and security questions were compromised.
Security breaches are caused by a multitude of factors. Hackers are the common reason behind some of the biggest security breaches all over the world, but negligence and weak security protocols play a huge part in this scenario as well. No matter how strong your password is, you can’t be 100 percent sure that you are protected.
Why Are Passwords Not Secure?
Using a password is still the most popular authentication method for logins, but that doesn’t mean passwords are secure. Here are some reasons why using a password is no longer safe.
- Users tend to reuse the same password for different accounts or services. Most internet users are guilty of this. It can be difficult to memorize passwords for different services, so what most users do is create a general password to be used for all sign-in purposes. According to a study by researchers at Virginia Tech University and Dashlane analysts, 52% of the users studied use the same or very similar passwords for different services. This means that if the password for one service gets leaked or hacked, it will be a piece of cake to access the other services as well.
- Users don’t often change passwords. Most users find it a hassle to change passwords regularly so they tend to keep the same password for a very long time. So, if the account gets compromised, the unauthorized person can keep using the account for a long time or until the password is changed.
- Some passwords are just too weak. There are still users who use their birthdate or the name of their pet as a password. In these cases, hackers don’t even need brute force tools to guess the password. Some users even write down their passwords, making them very easy and effortless to steal.
- Password-cracking tools are getting smarter at guessing passwords. Technological advances in this area are really fast. It will only be a matter of time before what we consider strong passwords are rendered useless.
- Passwords are easily stolen. There are a number of ways to trick people into giving up their login information. Email phishing is just one of them, but it is the most popular and most effective way of stealing passwords. Spoofing legitimate websites is another way to trick users into sharing their username and password. Users who are more gullible or who are not aware of these tricks can easily fall for the trap.
- Organizations and businesses get hacked much more often than we realize. In many cases, it takes a long time for anyone to notice that the database has been attacked, and sometimes it never gets noticed at all. This gives the hacker more time to use the passwords as much as they like and access all types of sensitive information.
- Password keyloggers are becoming popular. The malware can be easily downloaded to your computer by clicking malicious links or opening spam emails. Once installed, the keylogger will keep a log of your login details and transmit them to the server.
So, are passwords still safe? The answer is obviously no. Unfortunately, the password is still the main authentication method being used today. So what can we do?
Tips to Keep Your Password Safe
We’ve long reached the point where passwords are no longer safe to use, but we can’t do anything about it because that’s what is being used by most services. What we can do is employ extra measures to make sure that our passwords remain safe and unbreakable. Here are some tips to add another layer of security to our accounts:
- Change your password regularly. It might be a hassle to do this every month or every six months, but changing your passwords cuts off any unauthorized access that you might not be aware of.
- Don’t use generic passwords. Use long and hard-to-decipher passwords, even if it might be difficult to remember them. Besides, you can always reset your forgotten password. And fight the temptation to write them down somewhere.
- Scan your computer for keyloggers. Clean up your system by getting rid of the malware, then use PC cleaning software to remove any existing logs associated with the keylogger.
- Don’t click on malicious links or emails. Check the authenticity of every website you log into, especially online banking and online shopping websites. If you get a suspicious email asking you to verify your account using a link from the email body, check the link first without clicking it. If the URL is different from the “sender” of the email, then it is most likely a phishing email.
- Use login alternatives. Some services are stepping away from passwords and introducing other methods to log in. Use these alternatives whenever possible.
Alternatives to Passwords
Password leakage can be scary. Fortunately, there are some services that are working on other security methods to replace the use of passwords. Here are some of these alternatives:
This is not exactly an alternative to passwords, but another layer to improve security. It is based on a double-check system to authenticate the login. In order to log in to the service, you need to type in your password, then enter the code sent to your phone or email to make sure that it is really you who’s accessing the account. This is often used for banking transactions and other services that deal with sensitive data. Apple is also a well-known fan of this login method.
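The server side of the emailed or texted code described above, as an added example that is not part of the original article and not any provider's actual implementation. The class name, the five-minute lifetime, and the three-attempt limit are assumptions; the point is that the code must be random, short-lived, single-use, and limited in guesses.

```python
import hmac
import secrets
import time

CODE_TTL = 300     # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3   # wrong guesses allowed before the code is revoked (assumed)

class SecondStep:
    """Issues and verifies the one-time code that follows a correct password."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user -> [code, expiry time, attempts left]

    def issue(self, user):
        # Six digits from a CSPRNG; a predictable generator would let an
        # attacker guess the next code.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [code, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code   # handed to the SMS or email sender, never to the login page

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expiry, _ = entry
        if self._clock() > expiry:
            del self._pending[user]        # expired codes are discarded
            return False
        entry[2] -= 1                      # count this attempt
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(submitted.encode(), code.encode()):
            del self._pending[user]        # single use: a replayed code fails
            return True
        if entry[2] == 0:
            del self._pending[user]        # too many guesses: require a new code
        return False
```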
Account Key Feature
This method uses push notifications whenever a user tries to log in to their account on another device. The user usually gets a notification on their smartphone or the backup email to ensure that the login is legitimate. This method was developed by Yahoo!, but is now being adopted by other email providers and services.
Fingerprint scanning has become a popular alternative to passwords because of smartphones and digital devices. The iPhone 5S, the first mobile phone with a fingerprint scanner, was released in 2013. Since then, other brands, such as Samsung, LG, Huawei, Nokia, and Sony, have followed suit. Now, almost all smartphones come with fingerprint sensors.
Yes, logging in using the user’s biometrics is no longer a thing of the movies. It is now possible on some devices, such as Windows 10 machines. Windows Hello, the new feature being developed by Microsoft for Windows 10, includes biometric authentication using facial recognition. The computer detects the image of the face using the camera, measures the facial features, and compares them with the ones saved in its database.
This authentication method uses the heart rate of each person to verify the user’s identity. This method is suited to high-security environments because the heartbeat of each person is unique. This method not only measures the number of beats per minute, but also factors in the size, form, and position of the valves and other elements that affect the heartbeat. The creators behind the Nymi Band are already using this technology to identify people based on the heart rate measured at the wrist.
Passwords have long reached their expiration date. But most services are still using this authentication method because it is the easiest to set up and people are already used to it. However, using passwords alone can be risky because they can be easily stolen, forgotten, or misplaced. Because of this, some services have started moving away from passwords and employing more secure authentication methods. Which authentication method do you think is the best alternative for passwords? Share your thoughts in the comment section below.
Author Bio: A Computer Engineer by degree and a writer by profession, Cathy Trimidal writes for Software Tested and Outbyte. For years now, she has contributed articles focusing on the trends in IT, VPN, web apps, SEO, and digital marketing. Although she spends most of her days living in a virtual realm, she still finds time to satisfy her infinite list of interests.