Jury-rigged and hanging by a thread: how passwords have survived so long

Date: August 22nd 2016 | Author: Rik Merrikin | Topic: featured

Born at the Massachusetts Institute of Technology in 1961, predating the internet itself, the password has long been the most commonly used form of identity protection and the most prevalent way to authenticate users and secure their data. Over the years, though, it has become an unwelcome and dangerous relic from a bygone age.

At its inception, the password was a valuable and secure tool – in the sense that the data it protected wasn’t sufficiently sensitive or valuable to warrant hackers trying to gain access. This continued right up until the early days of the web. In 2016 though, a world where driverless, connected cars are becoming a reality and an era in which we’re liberally pouring all of our personal information onto the web, we should surely have a system better than what essentially equates to a ‘secret handshake.’ So how have we come this far without one?

The answer is through a series of improvised, makeshift improvements to username/password protocols that serve as a sort of iron lung for the aging system. First, we tried upping the required length of passwords. When this turned out to be insufficient or too clunky, we started adding further stipulations, and they kept coming. To list a few:


• Including upper and lower case characters
• Including numb3rs
• Including $ymbols
• Enforcing regular password changes

Were it not for human nature, this might have been sufficient – unfortunately though, that’s not the case. There’s also nothing preventing users from using the same password across any number of sites – 73% of people do exactly that – so when one account is compromised, they all are.


In enforcing these ever more comPlic4teD passwords, users have been met with a brand new problem: it’s incredibly tricky to remember all the different passwords you use across the web. That leads us to do the unthinkable in security terms – write them down! Research has shown that the average UK citizen holds a staggering 118 accounts online and forgets passwords 11 times a year. Forgetting them opens users up to a swathe of new security risks, not least that 10% of companies send replacement passwords in plain text via email.

As a cobbled-together, band-aid solution to this problem, we saw the rise of password managers: a method of generating and then storing as many strong passwords as you like. The trouble is, they’re secured by one master password: talk about putting all your eggs in one basket! Unsurprisingly, the most popular password manager Lastpass suffered a pretty high profile attack last year.

So what’s the latest bolt-on update to keep passwords alive? Passphrases are one of them: a random sequence of words that’s much harder for hackers to guess. The trouble is, these passphrases have to be stored somewhere, and even the largest companies have proven to be potential victims of password hacks. At Intercede, we and our clients believe it’s time to turn off the life support system on passwords – they simply need to be done away with altogether.
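As an added example, not from the original post or from Intercede's SDK, the Python below encodes the four composition rules listed earlier and shows why they measure the wrong thing: a dictionary word dressed up with substitutions passes every rule, while a random five-word passphrase fails them despite a far larger guess space. The wordlist, the substitution map and the 7776-word passphrase list size are assumptions.

```python
import math
import re
import string

# Constructed stand-in for a cracking wordlist; real lists hold millions of entries.
COMMON_WORDS = {"password", "welcome", "summer", "admin", "letmein"}

# Substitutions that composition rules encourage and that cracking tools undo.
LEET = str.maketrans("4301$@", "aeoisa")

def meets_composition_rules(pw: str) -> bool:
    """The four bolt-on rules from the post: upper case, lower case, digit, symbol."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def is_disguised_word(pw: str) -> bool:
    """True if the password is a wordlist entry dressed up to satisfy the rules."""
    core = pw.strip(string.digits + string.punctuation)   # drop "2016!" style padding
    core = core.translate(LEET).lower()                   # undo P4$$w0rd-style swaps
    core = re.sub(r"[^a-z]", "", core)
    return core in COMMON_WORDS

def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Guess space, in bits, of n words drawn uniformly at random from a wordlist."""
    return n_words * math.log2(wordlist_size)

def assess(pw: str) -> dict:
    """Summarise how a candidate fares under the rules versus as a random passphrase."""
    words = pw.split()
    return {
        "passes_rules": meets_composition_rules(pw),
        "disguised_word": is_disguised_word(pw),
        # Assumed: passphrases are space-separated words from a 7776-word list.
        "passphrase_bits": round(passphrase_bits(len(words), 7776), 1) if len(words) > 1 else None,
    }

if __name__ == "__main__":
    for candidate in ("P4$$w0rd!", "Summer2016!", "ember canvas orbit walnut lagoon"):
        print(candidate, assess(candidate))
```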

With RapID, such a goal is finally possible, providing strong two-factor authentication that doesn’t frustrate users, and not a single password in sight. We’re excited to see what developments come out of the expansion of the IoT, but believe ensuring bulletproof digital trust is essential before it does. With just a few lines of code and our SDK, developers can now secure their users’ data without inconveniencing them: to find out more, visit rapid.intercede.com.

© 2019 Intercede. All Rights Reserved