Passwords seem to have been around since the dawn of computing. They are generally agreed to be the most convenient way to identify yourself to a computer. But as technology becomes more advanced, so do the tools attackers use.
When I first started college, just about 5 years ago, I was given my student username and a password prompt to create a "secure password" of 7 characters with at least one capital letter, number, or special character. When I got a job in my school's IT department in the following months, we had to issue a new password policy. The new policy increased the minimum length to 8 characters and required a special character, a number, and a capital letter. I find it amazing how quickly and frequently the definition of "secure password" has changed.
As I sign up for new services today I am still encouraged to use "strong passwords", but now they are "made up of at least 12 characters, don't use dictionary words, contain special characters, numbers, capital and lowercase letters..." As attackers get more advanced, our passwords become nearly impossible to remember.
Have you ever heard a 7-digit phone number and been able to repeat it back right away? What happens when someone adds the area code? If you are like me, you have to ask the person to stop and repeat the first half of the number, and then the second half, as you write it on a piece of paper or type it into your iPhone.
Human memory is funny like that. Psychologists talk about "the magical number seven, plus or minus two": the number of items (digits, letters, or chunks) most people can hold in working memory at one time. Push past that limit and we find ourselves writing things down and struggling to recall phone numbers or passwords.
It is no wonder that the natural human response to these complex passwords is to write them on Post-its and hide them under the keyboard. Many people even admit to keeping an Excel file on their computer called "Passwords" with every username and password they have.
Password hacking is nothing new. Early systems stored passwords in the database in clear text, so whoever stole the database had every account. The response was to store a one-way hash of each password instead of the password itself (hashing, not encryption: the original is never meant to be recovered). That did not hold up for long either: because the same password always produces the same hash, an attacker can precompute the hashes of common passwords once and look up every stolen hash against that table. The fix for that was to "salt + hash": mix a random, per-user salt into the password before hashing, so identical passwords produce different hashes and the attacker has to start over for every record. You would be mistaken to think this is a permanent fix; a salt and a slow hash make a weak password cost more to crack, not impossible. We can bandage up and lock down the technical infrastructure of passwords, but we can't change the human memory enough to meet password demands.
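To make the progression above concrete, here is an added example (not code from the original post) that stores the same password two ways and attacks both with a tiny constructed wordlist. The unsalted SHA-256 store falls to a single precomputed lookup table; the salted PBKDF2 store forces the attacker to recompute per record, yet still gives up a weak password, which is the "not a permanent fix" point. The wordlist, user names, and the 600,000-iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo wordlist standing in for a leaked "top passwords" list (assumption).
DEMO_WORDLIST = ["letmein", "password123", "qwerty", "Summer2019!"]

# --- The old way: a bare hash of the password --------------------------------

def hash_unsalted(password: str) -> str:
    """Same password in -> same digest out, for every user and every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def crack_unsalted(stolen_hash: str, wordlist) -> Optional[str]:
    """Build the lookup table once, then answer any number of stolen hashes
    with a dictionary lookup. This is what a rainbow/lookup table does at scale."""
    table = {hash_unsalted(word): word for word in wordlist}
    return table.get(stolen_hash)

# --- The current way: per-user random salt plus a deliberately slow hash -------

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a 16-byte random salt. The stored record carries
    the algorithm, iteration count and salt so it can be verified later."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def crack_salted(stored: str, wordlist) -> Optional[str]:
    """No shared table is possible: every candidate must be re-hashed with this
    record's own salt, and each attempt costs the full iteration count.
    A weak password still falls; it just costs the attacker more per record."""
    for word in wordlist:
        if verify_password(word, stored):
            return word
    return None

if __name__ == "__main__":
    # Two users (constructed) who picked the same weak password.
    alice_plain, bob_plain = hash_unsalted("password123"), hash_unsalted("password123")
    print("unsalted digests identical:", alice_plain == bob_plain)
    print("cracked from one table:", crack_unsalted(alice_plain, DEMO_WORDLIST))

    alice_salted, bob_salted = hash_password("password123"), hash_password("password123")
    print("salted records identical:", alice_salted == bob_salted)
    print("cracked, but only per record:", crack_salted(alice_salted, DEMO_WORDLIST))
```

The lesson the numbers teach: salting removes the attacker's ability to share work across records, and the iteration count makes each guess expensive, but neither changes the fact that "password123" is on every wordlist.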
Security experts and tech enthusiasts will tell you that two-factor authentication would solve most of our login problems, and they are largely right. "Two factor" has been around in the form of ATM transactions (the debit card being something you have, the PIN being something you know) and, more recently, web logins (the password being something you know, the six-digit code texted to your phone or generated by an authenticator app being something you possess). Combining something you have with something you know means a stolen or guessed password alone is no longer enough, so the threat from credential-based attacks drops dramatically. (Codes delivered by text message are the weakest form of second factor, since they can be intercepted or phished, but even they raise the bar well above a password alone.) But if this is such a lifesaver, why hasn't it been widely adopted across the web?
If you have ever seen a path worn into the grass right next to a sidewalk like this, you will realize just how much people crave convenience. We love it, we crave it, we even pay for it (ever see a Roomba?). Two-factor authentication as it exists today is incredibly inconvenient. People don't like fumbling around with their phone and waiting for a text message. Setting it up is too time consuming, and people are simply too busy to be bothered. In order to fix this problem, we need to dig up the sidewalk and lay it down where people are actually willing to walk.
While established automobile manufacturers spend millions of dollars grafting electric drivetrains onto their existing cars, Elon Musk designed Tesla's cars from the ground up. By using only the parts an electric car actually needs, the startup became the dominant name in electric vehicles. Tesla cars are sleek, stylish, and drive far further on a charge than their competition. Musk recognizes what many don't: building on the technology of the past will only get us so far, but by going back to the start we can accomplish wonders.
Every day new technologies are released that can provide two-factor authentication with minimal interaction from users. This would be easier, more convenient, and, most importantly, more secure than the password-only logins we rely on today. Unfortunately, "security" companies keep building on top of traditional password technology, and we will remain vulnerable until we go back to the start.