Are passwords enough to provide us with online security?

In Information Security / By Team Acumin / 5th February 2016

It is fair to say that the vast majority of us now live our lives, to a large extent, online. We do our shopping, banking, bill paying and socialising via the internet, and although this is extremely convenient for us all, it is not without its risks. Indeed, anyone with even a passing interest in cyber security will have noted many of the data breaches reported on in the past year.

For as long as online security has been an issue, logging on to most websites that require us to hand over our data has meant having our own password. We are told that having a good strong password that includes a capital letter, a number and a special character will help us to foil would-be hackers and cyber criminals, who would otherwise hack our accounts and steal our data. As we’ve seen though, valuable data is still being seized by the wrong people, so are passwords really enough to provide us with the online security we so desperately need?

The short answer is, sadly, ‘no’. Passwords are becoming more and more unreliable by the day, which is somewhat confusing as a large number of internet-based companies continue to rely on them as a defence, and sometimes their only defence, against breaches.

Password problems

One of the main reasons why passwords are becoming increasingly insecure is the fact that many people use very simple ones such as ‘password’ or ‘123456’. These two appalling passwords were recently revealed to be the two most commonly used of 2015 for the second year in succession, which is obviously not helping us stave off even the novice hacker.

Another issue is that people tend to lazily use the same password over and over again, and most people, if they do bother to use different passwords, tend to use a variation on the theme. This means that if one password is cracked, it’s pretty easy for the perpetrator to gain access to a whole host of online accounts with very little effort on their part.

Savvy software

A further problem with relying on passwords to keep our online accounts safe from security breaches is the fact that hackers are constantly developing new pieces of software, which enable them to effortlessly guess our passwords. Some try out millions of passwords until they get a hit, which will then enable them to access not only people’s personal accounts, but also the accounts of the companies to which we entrust our data.

Extra verification

So, if passwords are simply not good enough when it comes to protecting us from cyber criminals, what more can we do?

One of the things that more and more internet-based companies are doing is asking us to provide them with additional methods of verification, so that they can be sure that the person entering a password is the person who is entitled to do so.

One of the simplest means of verification is a text message, which can be sent to an account holder’s phone when they try to log on to a website. Typically, this text message will contain a verification code that they will need to input into the site along with their password before access is granted.

Other methods could include telephoning account holders or reading their credit card. This is known as two-factor authentication and it is generally a pretty good way of keeping the criminal element at bay, although some people do tend to kvetch about the hassle of having to take extra steps to gain access.

Could passwords vanish?

Although the likes of Circle and PayPal are increasingly using two-factor authentication, many well-known companies, including Google, are considering going a lot further by getting rid of passwords completely, and doing away with the extra hassle of having to use an authentication code every time you wish to log in and use a service.

One company that’s ahead of the game when it comes to doing away with passwords is Yahoo!, which now allows email users who have access to a smartphone to log in using an identity-confirming app rather than a password.

Fingers and faces

Although Gmail and YouTube have yet to get rid of their passwords, they are currently working on similar technology that might call time on passwords at their websites too.

Similarly, Windows 10 is now offering facial recognition and fingerprinting software, which enables users to log on in a much more unique and uncrackable way than entering a string of digits. The benefit of this kind of technology is that we all have unique fingerprints and faces, so it would be practically impossible for hackers to break into accounts using these kinds of measures.

Company accountability

Of course, all of these measures are only useful to prevent remote attacks on our personal accounts – they do nothing to prevent hackers from breaking into the systems of the websites we use and extracting our data in that way. While they may help to keep us safe from remote attacks, we should never forget that being safe on the internet is not something that comes easy, and we should all take as many measures as we can to ensure our safety.

Putting pressure on large internet-based corporations not only to implement these new measures, but also to generally bolster their own security practices in terms of their databases, is an important step if we are to be as safe as we can. This is something that is only too evident after the well-publicised hacks on VTech and Ashley Madison, where hackers did not steal individual passwords, but were able to breach the security data of the companies involved and gain access in that way.

These cases also highlighted just how important it is for companies to use SSL and encrypt our passwords as a matter of course, as this makes it much more difficult for cyber criminals to gain access to passwords and accounts in this era when hacking developments are arguably outpacing security measures.
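As an added example (not code from the article or from any company it mentions), here is one way a site could protect stored passwords and refuse the two passwords named under "Password problems". It uses a salted one-way key-derivation function (PBKDF2) rather than reversible encryption, so a stolen database does not hand over the passwords themselves; the function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
DENYLIST = {"password", "123456"}  # the two passwords the article names


def hash_password(password):
    """Return (salt, derived_key) to store in place of the password."""
    if password.lower() in DENYLIST:
        raise ValueError("password is on the common-password denylist")
    # A fresh random salt per account means two users with the same
    # password get different stored values, so one cracked record does
    # not reveal who else reused that password.
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, stored_key):
    """Re-derive the key from the login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_key)


if __name__ == "__main__":
    # Constructed sample input: two accounts choosing the same password.
    salt_a, key_a = hash_password("correct horse battery staple")
    salt_b, key_b = hash_password("correct horse battery staple")
    print("same stored value:", key_a == key_b)
    print("login accepted:", verify_password("correct horse battery staple", salt_a, key_a))
```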