Experts’ View of the Future of Passwords

Passwords have been used to help keep computer data safe for decades. Unfortunately, as computer hackers and password-guessing software have improved, the complexity of password requirements has subsequently increased. As technology has become a larger part of everyday life, computer users have been forced to develop more creative passwords to protect their email accounts, bank accounts, software and other essential functions.

Not only has the quantity of passwords increased, but their requirements also have become more complex. It is not out of the ordinary for a password to require capital and lowercase letters, at least one number and a special character. Additionally, some accounts and software programs require that a password not contain anything familiar to your person, such as your name or date of birth. Because of all this, remembering passwords has become a difficult task.

Many people will attempt to create passwords that are extremely easy to remember or they will create a single password for all of their accounts. This practice is incredibly dangerous. While it may make things easier on the user, it is also making it easier for computer hackers to guess your password, and then access and compromise your data.

SplashData released its annual list of passwords most commonly used on the Internet. The longest it would take to crack any of the top five is less than one second.

So how can someone create an effective password without constantly dealing with the threat of cybercriminals? We asked several industry experts their thoughts of the future of passwords:

1. In your opinion, how secure are today’s alphanumeric passwords?

George Waller, Executive VP of StrikeForce Technologies

Alphanumeric passwords are not secure at all. Today’s hackers use very successful tools i.e. key loggers which can easily defeat single-factor authentication (using a password only) by copying all usernames, passwords and everything typed on a keyboard and forwarding that to the hacker.

Damon Petraglia , CRISC, Director of Forensic and Information Security Services at Chartstone Consulting

Today’s alphanumeric password security is dependent on a number of factors. When passwords are used as a single factor to authenticate users, or in a similar manner along with one or more additional authenticators, then they need to follow some guidelines to ensure the optimal security that they can provide:

• Impose password complexity and length requirements consisting of at least eight (8) alphanumeric (i.e. upper- and lower-case letters, and numbers) and/or special characters
• Prohibit the use of dictionary names or words
• Automatically forces users (including administrators) to change passwords every sixty (60) days (this time frame will depend on the sensitivity of data accessed by account)
• Require a minimum of four (4) changed characters when new passwords are created
• Encrypt passwords in storage and in transmission
• Enforces password minimum and maximum lifetime restrictions
• Prohibits password reuse for six (6) generations prior to reuse (this time frame will depend on sensitivity of data accessed by account)

Without employing the above seven standards, the password security strength is exponentially decreased. Additionally, there must be account lock-out after specified number of failed logon attempts. This prevents a malicious user from running a program that continually guesses passwords, known as a Brute Force Attack. Whatever platform is being used in which passwords are being entered, it must be up to date with patching. Unpatched systems and applications have vulnerabilities which may allow a malicious user access to sensitive data.

It is also important to never use the same password for more than one account. For instance, If I use the same password for a Facebook account, on-line banking account, and email then a malicious user only needs to “crack” one account to have access to multiple. Malicious users know that people often use the same password for multiple accounts and once they know one password they will attempt to use that password on all the other accounts they were able to find.

Jeromie Jackson, Security Practice Lead at Nth Generation Computing

With strong passwords in place, I would say they supply a fair amount of security. There is definitely something negative to be said about having complex passwords with short password change time periods. The rapid change, with complex password requirements, often causes people to store passwords on notepads, insecurely on their phones, etc. I believe it may be more valuable to back off the need to change passwords based on timeframe, and instead base it on events in the environment, such as role changes, user provisioning/deprovisioning, incidents, etc.

2. What are your thoughts of the future of passwords? Five-year outlook? 10-year outlook?

Don DeBolt, Director of Threat Research Total Defense, Inc.

Passwords are likely to be with us forever and we need to work to ensure their integrity by better securing the platforms in which they are used. If the device in which we enter a password, or even our fingerprint is compromised, then all forms of authentication used by the device are compromised. Vendors must work towards the “App Paradigm” where only vetted and trusted code is authorized to run on the computing device. In this world our computing devices become more “appliance like” and run specific code for specific tasks thus reducing the potential for execution of unauthorized code. Achieving this goal will go a long way towards protecting the integrity of our personal passwords.

David Ackerman, Managing Member of Internet Biometric Security Systems

My five-year outlook on passwords is that 20% of the mainstream will be Biometric Identification. Internet Anonymity, except for criminal offenders, will be out of the mainstream and within 10 years passwords will be gone, 100%.

Bill Goldbach, Executive Vice President of Confident Technologies

We believe that the near future will bring a growing use of graphical and image-based approaches to authentication, as well as a growing use of biometrics. Text passwords will likely stick around as one layer of authentication, but we believe other approaches which are both easier to use and more secure will start to become more popular. They will start to replace text passwords or be incorporated as additional layers of authentication for businesses, on websites and mobile applications and on mobile devices.

3. What do you feel is the best alternative to passwords?

Mark Herschberg, MIT graduate

Cells phones are the most likely common alternative since they are personal commonplace devices. That said, the system to which the cell phone is engaged but somehow connect to it through some combination of a camera and/or network (wifi, bluetooth or cellular). That hardware is not yet common enough and the infrastructure isn’t quite in place to make it easy. Once cameras are standard on electronic devices (computers, ATM’s, public kiosks) and a public key system is in place on cell phones, passwords will begin to be replaced.

Jenner Holden, Director of Information Security at LifeLock

Passwords may never go away completely, but they will be increasingly supplemented by other, better forms of authentication. These other forms of authentication will go beyond what we currently think of as multi-factor authentication. These useful bits of authentication attributes include the specific devices people use, facial recognition, voice recognition, or movement patterns. These attributes can be combined with smaller, simpler passwords, or pins, to achieve a much better approximation of true authentication than passwords alone.

Password Guidance & Tips

Don DeBolt provided a great tip that explains how to be more secure with today’s passwords. Don’t use Personal Identifiable Information (PII) in your password: Name, User name, Birthday, Pet’s name, Child’s name, Alma mater and Hobby keyword. Don’t use any word in your password that can be found in the dictionary. Don’t use the same password for online banking that you use for social networking or email. Don’t give your password to someone over the phone. Try to use special characters such as non-alphabetic characters. Try to use a password vault application to protect and help manage your many passwords

• Private
  online banking
• Personal
  email accounts
• Public
  social networking
• Business
  corporate email,
  web & vpn access

Sometimes creating a different password for every website and every application can be problematic. If this does not work for you here is a tip to reduce the number of passwords but keep some level of logical separation: Group sites and applications into different categories then create a password for each category. This control limits the impact if one of the passwords is compromised.

Some of us are quite creative when thinking of passwords and others of us, like me, need some help. Here are some possible strategies for creating your passwords: Think of a phrase, quote, or song verse and select the first character of each word to create a password. “In the middle of a difficulty lies opportunity.” translates to “Itmoadlo.” Passwords are often case sensitive and here we’ve used a capital “I” just like the start of the sentence. Vowels can be replaced with numbers to add entropy “Itmoadlo.” translates to “1tm0adl0.”

Note the use of the period punctuation mark in the password. Punctuation is a good way to add entropy to your passwords as well as a little length. Create a unique string that you can prefix or append to your passwords.

– prefix string + password = stronger password
– tdr0cks! + itm0adl0. = tdr0cks!itm0adl0
– tdr0cks! + torvt11. = tdr0cks!torvt11

Obviously, the standard, simplistic password usage is not the best way to keep information secure. Whether new technologies will be introduced to replace the need for passwords or people start following strict password guidelines, it is clear that the way that passwords are used is still evolving. No matter what the future holds for password usage, this topic is vital for creating secure systems and reducing the chance of cybercrime.