Every year, new research and new articles appear telling us that the most popular passwords are still things like “password1” and “qwerty123”.
This “big” reveal is then followed up by a lecture on the importance of protecting yourself online. But we’ve been using passwords as digital identification tools for as long as we’ve had technology, and even longer in the offline world, so knowing the basics of password security should now feel as natural as putting on a seatbelt when driving. We should all know what makes for a secure password and how to maintain safe cyber-hygiene habits.
However, to be frank, passwords are inherently insecure. Digital identification and verification is critical, but a simple password is no longer enough to protect valuable business data and intellectual property. They conflict with human instinct, as people are incapable of remembering long or complex passwords. They can be guessed, or attacked with brute force, and they can be accessed at scale as they are always stored online somewhere.
Security and business leaders are well aware that credential theft is gold dust to a cybercriminal, and for many years the cyber security industry has been developing ever more complex systems to protect individuals’ identities. Whole industries have grown up around two-factor authentication, fingerprint or iris identification, designed to protect a person’s identity.
However, the cyber security industry remains a trillion-dollar failure, as cybercriminals develop attack methodologies faster than cyber security vendors can outpace them.
In recent years, even biometric authentication has begun to unravel. For example, facial recognition has gone mainstream thanks to Apple’s release of its iPhone X, which uses a flood illuminator, an infrared camera, and a dot projector to measure faces in 3D – a method they claim cannot be fooled by photos, videos, or any other kind of 2D medium. But the reality is that facial recognition has serious vulnerabilities and has actually already been successfully attacked by security researchers. We predict that this will be the year that hackers will steal the public’s faces.
Having a strong password does help with protection to some degree, but it’s a simple door. Other methodologies add locks and chains – but a heavily protected door simply means criminals look around to find a separate, easier entrance.
A major shift in perspective is needed. Both cyber security vendors and businesses alike need to place far bigger emphasis on understanding the ways that people and data interact: in short, taking a human-centric approach. Rather than adding extra bolts and locks, such as by making passwords more complex (and more likely to be forgotten), we should put humans and their behavior at the centre of security programmes.
People can’t forget or lose their behavior. It’s intrinsic to who they are and can’t be imitated. Additionally, the one thing a cybercriminal can’t fake is genuine user behaviour. If a criminal tries to impersonate a genuine employee, all that the criminal will end up doing is a good day’s work.
The second a criminal tries to extract data from a hacked account, a behaviour-centric security programme will spot the anomaly and alert the security team who can act immediately to stop the data breach.
Are passwords important? Sure, they’re an added layer of protection. Do we need to keep singing their praises? As far as I’m concerned, there are far better uses of everyone’s time.
Image credit: photo by Adrian Bretscher/Getty Images for Kaspersky Lab.