The Problem with Your Password? Everything.

The password management service SplashData made a splash this past December when it posted its list of the 25 worst passwords of 2018. For the fifth year in a row, “123456” and “password” ranked first and second respectively. Around 3% of Internet users in North America and Western Europe used “123456” in 2018, based on five million hacked passwords the company found for sale on the Dark Web. That works out to 25 million of the 750 million Internet users in those regions, enough to keep even a tech-savvy criminal busy for at least a few weeks.  

Passwords like these are nearly pointless since they are so easy to guess. But today no password is truly secure. That incredibly strong password your algorithm came up with using a long string of indecipherable letters, numbers and special characters? It’s on the Dark Web. (“!@#$%^&*” made this year’s Worst 25 List.) A popular hacker forum currently lists more than 1.1 billion pairs of stolen email addresses and passwords, according to the database “Have I Been Pwned?” When you consider that 100% of online fraud occurs after the user has been authenticated, it becomes obvious that passwords are not doing the job.

“You're Gonna Need a Bigger Boat”

 In 2003, a former Army programmer, Bill Burr, wrote a short booklet on password security for the National Institute of Standards and Technology (NIST).  Burr’s pamphlet advised replacing letters in common words with special characters, upper case letters and numbers. He also suggested changing passwords every 90 days. Burr's pamphlet became the standard guide to password security for more than a decade and its techniques should sound familiar to most IT professionals.

But it turns out that Sun5hinE21 is no harder for a "bot" to crack than Sunshine21. The latest research shows that longer passwords are harder to break than shorter ones, special characters and other gymnastics notwithstanding. NIST now advises using long, easy-to-memorize phrases. It also drops Burr’s advice to change passwords regularly unless you believe they have been compromised. “Much of what I did I now regret,” Burr recently told The Wall Street Journal.

It will take time for the latest NIST recommendations to trickle into the market. Most banking and financial sites still lag behind the curve, only now employing two-factor authentication.  TFA is more secure, but it’s also more time-consuming and intrusive to the customer. A recent FICO survey showed that only about half of those surveyed in the U.K. were willing to give their mobile number to their bank.  Moreover, more than 60% of people over 65 do not own a smartphone, according to a study by the Pew Research Center, meaning TFA for these folks must be done over email, which is inherently unsafe.

Physical biometric patterns such as fingerprints, facial recognition and retina scans are currently gaining popularity as a possible next approach to online security. But these can be “stolen” too: fingerprints can be removed from a phone, as famously demonstrated at an Apple user conference.  Faces can easily be captured from the Internet. And while retina scans can't be copied, they are time consuming, unreliable and intrusive.  No corporate treasury officer is going to want to face print himself every few seconds.

Open the Door, Let ‘Em In

There is some good news though: artificial intelligence and machine learning have now advanced to the point where they may soon leapfrog these biometric techniques such as fingerprint and facial scans.  With AI, users can be vetted based on their online behavior. Rather than relying on someone to correctly enter login credentials, behavior-based systems develop user profiles by tracking activity once a user has logged into a site. Since people are creatures of habit, they tend to do things the same way every time they log in. The resulting profiles make it possible to quickly recognize who is a genuine user and who may be a potential threat, with a higher degree of accuracy than most other techniques, and importantly, without disrupting the user experience.
 
Unlike the physical biometrics examples mentioned above, subtle behavior like mouse movements and keyboard cadence can’t be copied. This is far more secure than authenticating users by who they are or what they know. What's more, systems based on behavior operate "under the hood." They are invisible to the user and impossible to duplicate. IBM recently entered the behavioral market, chasing a number of startups that have demonstrated its effectiveness.

Already systems based on AI and machine learning are processing as much data in nanoseconds as the average person could process in a year.  As they continue their march forward, it is obvious that no technique devised purely by humans will be able to keep up. At that point, profiling user behavior will form the core of online security systems in industries ranging from banking to logistics.  And the leaky, intrusive password will be retired to the trash heap of history, where it belongs.