Passwords, whether used to log onto a computer or into a website, are designed to protect the account, identity and other personal information of the user. In fact, many mobile phones even use passwords to deter unwelcome users from accessing the plethora of personal information held within. However, with the increased sophistication of hackers, a simple password or passphrase seems less adequate every day; from identity theft to hacktivism, cyber security breaches show no signs of decreasing in the future.
The Problem with Passwords
While it is certainly helpful to have a strong password (at least eight characters consisting of upper and lower case letters, numbers and symbols), it is only a matter of time before a dedicated and knowledgeable hacker uncovers it through password cracking software that can guess hundreds of thousands of passwords per second. Even worse, many people don’t use strong passwords and, according to a study by Ofcom, 55% of Internet users use the same password for most, if not all, websites. As if this weren’t scary enough, 26% of users have a weak password, such as a birthday or a loved one’s name, set as their universal password. This practically invites hackers to steal your identity and access all your personal accounts.
Additionally, cyber security breaches are occurring more frequently; it seems that just about every week a new story develops about a major corporation recovering from a cyber attack. Twitter is currently in the headlines, as they’ve been battling with the Syrian Electronic Army (SEA) over the hacking of major Twitter accounts belonging to the likes of NPR, BBC, CBS and more. Recently, the SEA has published several scary and falsified tweets from the news providers’ accounts, forcing Twitter to cancel the accounts. However, each time Twitter cancels one of the SEA’s accounts (at least 5 times now) they’ve simply created a new one to replace it.
This situation has caused Twitter to follow several other big Internet companies (Google, Facebook, etc.) in introducing two-factor verification for users logging in to an account from an unrecognized computer. This can actually go a long way in preventing cyber-crime. Essentially, if you have an account on these platforms, they have your computer’s IP address on file with your account. If you or anybody else were to try to log in to your account from a new IP address or mobile phone, they would have to enter the username and password and then proceed through an extra step; this extra step could be answering a pre-selected security question, entering a one-time PIN that would be sent to the account owner’s email, or something of that nature. Again, this has a significant impact on the ease of hacking somebody’s account. However, if a malicious hacker already knows your password, they may also have access to the other information needed for the second step of verification.
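The flow described above, as an added example written for this post rather than any platform’s actual code: a login from an address the service does not have on file triggers a one-time PIN that is single-use and expires. Account names, addresses, and the stand-in password check are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory stores for the example; a real service would persist these.
KNOWN_DEVICES = {"alice": {"203.0.113.10"}}        # addresses "on file" per account
PASSWORD_HASHES = {"alice": "hash-of-correct-pw"}  # stand-in for a real password hash
PENDING_PINS = {}                                  # account -> (pin, expiry timestamp)

PIN_TTL_SECONDS = 300

def password_ok(account, supplied):
    # Placeholder check; use a proper password hash (bcrypt/argon2) in practice.
    expected = PASSWORD_HASHES.get(account)
    return expected is not None and hmac.compare_digest(expected, "hash-of-" + supplied)

def start_login(account, supplied_password, client_ip, now=None):
    """Step one: check the password, then decide whether a second step is needed."""
    now = time.time() if now is None else now
    if not password_ok(account, supplied_password):
        return "denied"
    if client_ip in KNOWN_DEVICES.get(account, set()):
        return "ok"                              # recognized device: no extra step
    # Unrecognized device: issue a one-time PIN that would be e-mailed to the owner.
    # As the post notes, this step only helps if the attacker cannot read that mailbox.
    pin = f"{secrets.randbelow(10**6):06d}"
    PENDING_PINS[account] = (pin, now + PIN_TTL_SECONDS)
    return "pin_required"

def finish_login(account, supplied_pin, client_ip, now=None):
    """Step two: verify the one-time PIN; on success remember the new device."""
    now = time.time() if now is None else now
    entry = PENDING_PINS.pop(account, None)      # single use: removed even on a wrong guess
    if entry is None:
        return "denied"
    pin, expires = entry
    if now > expires or not hmac.compare_digest(pin, supplied_pin):
        return "denied"
    KNOWN_DEVICES.setdefault(account, set()).add(client_ip)
    return "ok"
```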
Lately there has been a bit of a buzz about the future of how we will protect our personal information on computers. Google has recently joined Lenovo and PayPal in what they call the FIDO Alliance, and together they are working on new alternatives to reduce or eliminate the dependence on passwords altogether. Although there isn’t a clean-cut single answer, FIDO has come up with several plausible alternatives to the traditional password or two-factor verification. In any case, the user’s device will play a much larger role in verifying the account. Some ideas involve checking the security chip in your PC or phone, while others focus on the idea of a voiceprint, where one would say a particular phrase and the computer would analyze the voice rather than use a password. A similar idea involves users buying fingerprint scanning software to use as a lock. More innovative FIDO alternatives include a personal USB key that would be unique to the user, or a ring that would work similarly by transmitting a unique signal.
However, the most interesting and “futuristic” password alternative so far has recently been researched at Berkeley, and it involves what they have dubbed “passthoughts.” The process uses Neurosky’s Mindset Brainwave sensor, which records brainwaves electronically. In a nutshell, a user would put the sensor on and complete a mental task, such as singing a song phrase in their head or visualizing a color. According to the tests at Berkeley, the computer could consistently and accurately distinguish between different people’s brainwaves, even when they completed the same mental task. It is also capable of verifying that the correct person is entering the “passthought.” If this or any of the above methods were to be implemented, it could revolutionize computer security and completely transform our day-to-day interactions with our electronic programs.
Guest post: Andrew works for Phoenix TS, a cyber-security training company based in Columbia, MD. (www.phoenixts.com)