In fact, hackers are now even attacking password repositories themselves—the places where we store the complicated passwords we’re supposed to use that are too difficult for us to remember ourselves.
It’s not surprising, then, that vendors and the industry are looking at ways to avoid passwords altogether. Intel and McAfee, for example, are looking at biometric solutions such as a combination of fingerprint, gesture, face and voice recognition, while smartphones such as the most recent iPhone use fingerprints for security. And Mastercard wants to eliminate passwords by as early as next year in favor of biometric markers such as heartbeats.
Still, it’s unlikely that we’ll be able to eliminate passwords anytime soon. “Don’t hold your breath,” writes Kevin Sullivan in Windows IT Pro. “There are some interesting changes happening that may move in that direction, but username/password pairs are here to stay, at least for the foreseeable future.”
There’s plenty of advice on choosing secure passwords, and preventing passwords from being stolen. Still, not many of us actually practice what is preached. Splashdata releases a list of the most common passwords each year (which it compiles from lists of breached passwords), and the number of people still using “password,” consecutive strings of numbers, or consecutive strings of letters is alarming.
But there’s more to it. As with the computer programmer in WarGames—who used the name of his deceased son as a backdoor password to a military central computer—many people’s passwords unlock more than just their accounts; they house clues to their psyche as well.
A Google study found, for example, that in the top 10 categories of passwords, many are based on personal information:
- A pet’s name
- A notable date, such as a wedding anniversary
- A family member’s birthday
- A child’s name
- A family member’s name
- A person’s birthplace
- A favorite holiday
- Something related to a favorite sports team
- The name of a significant other
- The word “password”
Sometimes, though, it goes deeper. “Passwords aren’t meant to be shared, so they often become home to our personal secrets—a first love, a cherished lost pet, an inside joke or critical date,” writes Fox Van Allen in Techlicious. “It’s bad security practice precisely because it happens so much.”
The New York Times recently conducted a fascinating study to learn how people chose their passwords. The article begins with the haunting story of Cantor Fitzgerald’s chief executive attempting to track down the passwords of hundreds of employees who were killed in the 9/11 attacks. Security experts had to ask the employees’ grieving relatives for information. “What is your wedding anniversary? Tell me again where he went for undergrad? You guys have a dog, don’t you? What’s her name? You have two children. Can you give me their birth dates?”
Aside from demonstrating that password access should be an important part of any disaster recovery plan, the number of passwords that were discovered by this tactic showed how often people use such personal touchstones in their passwords.
“Many of our passwords are suffused with pathos, mischief, sometimes even poetry,” writes Ian Urbina. “Often they have rich back stories. A motivational mantra, a swipe at the boss, a hidden shrine to a lost love, an inside joke with ourselves, a defining emotional scar—these keepsake passwords, as I came to call them, are like tchotchkes of our inner lives. They derive from anything: Scripture, horoscopes, nicknames, lyrics, book passages. Like a tattoo on a private part of the body, they tend to be intimate, compact and expressive.”
While the industry will inevitably come up with something more secure and eliminate this personal, and consequently more hackable, method of authentication, it will be sad to lose this insight into our humanity.
Simplicity 2.0 is where we examine the intricate and transitory world of technology—through a Laserfiche lens. By keeping an eye on larger trends, we aim to make software that’s relevant to modern day workers, rather than build technology for technology’s sake.