12/10/2014

The Password is Dead, Long Live the Password

search LiveScience
Like

1m

+193457

Follow

TECH
HEALTH
PLANET EARTH
SPACE
STRANGE NEWS
ANIMALS
HISTORY
HUMAN NATURE
SHOP
search LiveScience

TECH
HEALTH
PLANET EARTH
SPACE
STRANGE NEWS
ANIMALS
HISTORY
HUMAN NATURE
SHOP
TRENDING: Geek Gifts // Ebola Outbreak // Military & Spy Tech // 3D Printing // OurAmazingPlanet //
Best Fitness Trackers // Human Origins

The Password is Dead, Long Live the Password

http://www.livescience.com/48508-the-password-is-dead-long-live-the-password.html

1/9

12/10/2014

The Password is Dead, Long Live the Password

(Op-Ed)
By Alastair MacGibbon, University of Canberra | October 29, 2014 01:28am ET

178
Submit

0
Reddit

This article was originally published on The Conversation. The

publication contributed this article to Live Science's Expert
Voices: Op-Ed & Insights.
In 2004 Bill Gates pronounced usernames and passwords dead.
Gates, a man consistently thinking ahead of the crowd, was right.
Most of us including our employers and the online services we
rely on just havent caught up yet.
Call that security? How safe is your
own password from hackers.
Credit: Flickr/Victor Bayon, CC BY-NC-SA
View full size image

Gates statement came at a time when the devastatingly simple

consumer-focused attack of phishing started. Designed to trick
users out of their usernames and passwords, this was a turning
point in cybercrime. Criminals showed an understanding that the
end user whether in a work or home environment was a
profitable target, and a softer one than central computer systems.

Malicious software designed to steal usernames and passwords has augmented phishing. If the end user could
be compromised, entry through the protected gates of corporate and government systems would be easier,
sometimes guaranteed.
Layered onto this security problem has been the increasing number of services we use that require passwords.
As we all know, even after Gates prediction, the number of passwords we need to remember has gone up,
not down.

How many passwords?

Usernames and passwords are still the key to protect most of what we do at home and work, despite the sheer
number of massive breaches disclosed such as the recent hacking of US bank JPMorgan.
There is also the untold number that are brushed under the carpet and those that have gone unnoticed by the
victim companies, in addition to all of the end users such as you and I who have unwittingly handed over our
credentials via phishing.
It would be fair to conclude that hundreds of millions of usernames and passwords have been exposed over
the past few years with websites tracking the data breaches in the US and records lost. The numbers are so
big accuracy is unimportant. We should just agree that there are a lot of them.
So how do we go when it comes to our password discipline? Do we use complex, hard to guess passwords
that combine letters, numbers and symbols? A different one for each account? Changed regularly?
http://www.livescience.com/48508-the-password-is-dead-long-live-the-password.html

2/9

12/10/2014

The Password is Dead, Long Live the Password

No, no and no.

We know from the hackers who dump unencrypted passwords onto sites such as pastebin what the most
popular passwords are and they make you shudder:
1.
2.
3.
4.
5.

123456
password
12345678
qwerty
abc123

We know from surveys that nearly two thirds (60%) of Australians use the same password across more than
one of their online accounts. This means we are recycling our passwords. This isnt a naming and shaming
exercise, but we know who we are.

Are websites serious about security?

But it gets worse. Websites who use usernames and passwords are worried about one thing other than
accounts being taken over, and that is a legitimate user not having access to their account.

A typical login
and password
request.
View full size image

So the user forgets their password. No problem click on the link and websites will generally do one of two
things: email a password to your registered address, or ask you answers to what is known in the industry as
shared secrets.
Theyre things such as your birth date, your mothers maiden name, your dogs name, your old school
questions you were asked at the time of registering the account.
Now, emailing you a link to your email address seems fine, except it may be that the criminal also controls
that email address (because they tricked you out of the password, or guessed it because youve given them
the password for a different account, which has the same password).
Now the criminal merely clicks on the link and resets the passwords. At this point the criminal might change
the account details to make sure all future notifications go to them. Or they merely delete the you have
changed your password email from your email account.

Not so secret secrets

So what about the shared secret process? If the criminal already controls another of your accounts, they
http://www.livescience.com/48508-the-password-is-dead-long-live-the-password.html

3/9

12/10/2014

The Password is Dead, Long Live the Password

may be able to simply look up the answers you gave to that account. More likely, they will just research you
on the internet.
You see, the problem with shared secrets is that weve started to share them a little too widely to still call
them secrets.
LinkedIn, Facebook, Twitter, electronic newsletters, blogs and so on all tend contain useful information that
can be seen by others. The age of social media and the phenomenon of over-sharing came after the shared
secret lock became the default for account security.

So many passwords to so many accounts that can reveal many personal details about us.
Credit: Flickr/Jason Howie, CC BYView full size image

Further still, if our password isnt strong, and the web service hasnt implemented the right controls,
criminals can use what are called brute force attacks against accounts to try to force their way in.
They do this by running a password dictionary against a site. Its like trying hundreds of thousands of
combinations against a combination lock. If a password isnt complex, the criminal is in. See how long it
would take a password similar to yours to be hacked with security firm Kasperskys password check (dont
use your real password).

Passwords and underwear

They say passwords are like underwear: change them often. I agree, we should. But we know we dont
(change passwords, that is). So lets try doing it twice a year to start with.
Regularly changing passwords means that even if criminals trick you out of them via phishing, or steal them
by compromising your computer or the organisation holding your data, the password they have simply wont
work.
http://www.livescience.com/48508-the-password-is-dead-long-live-the-password.html

4/9

12/10/2014

The Password is Dead, Long Live the Password

Criminals compile lists of usernames and passwords and trade them on the internet black market. Lists with
old passwords have less value.
The next step is coming up with stronger passwords, and having a unique one for each account. We can do
this by using a pass-phrase system.

Your pA$$woRd!
Start with a phrase from a song or movie you like, or something similar. Im going to use the phrase the
quick brown fox jumped over the lazy dog.

Take a phrase you can remember but make it personal to you.

Credit: Flickr/Matt Gibson, CC BYView full size image

Take the first letter from each word:

tqbfjotld
Capitalise the first or any letter and add some punctuation:
Tqbfjotld!
Its starting to look complex.
Now do some number substitution using a system you devise. Maybe you look at your computers keyboard
and decide to substitute any letters in your phrase which are below a number on the keyboard.
So in this case our q becomes 1 and our o becomes 9:
T1bfj9tld!
Now you have a password that is random letters, uses a capital and has numbers and symbols.
But how do you make it unique for each and every website? Perhaps you do something like the name of the
website in front, using the same number substitution as above.
http://www.livescience.com/48508-the-password-is-dead-long-live-the-password.html

5/9

12/10/2014

The Password is Dead, Long Live the Password

So, if this was my eBay account, I would add 3Bay to the password which now becomes:
3BayT1bfj9tld!

Take the next step

Many websites now offer optional two-step authentication, such as an SMS code sent to your phone to gain
access to the account, or if changes are made to the account.
Always, always, always use these options if available.
Of course, none of this is foolproof. Criminals have been known to take control of a victims mobile phone
service so that they can intercept the authentication SMS and there are man in the middle attacks where
hackers intercept passwords and codes to open another parallel session.
But the two-step security is way better than just a user name and password.
At a consumer level more robust biometric security on devices (such as fingerprint readers) is increasingly
ubiquitous. Some companies providing services over the phone have started to explore voice biometrics.
There are no silver bullet biometrics to full-proof account security. No doubt criminals will innovate and find
cracks to exploit, but online crime is a volume game and our responsibility is to drive that volume down.
Was Bill Gates right about passwords? Yes, but not for a while yet. Until that password-free world arrives,
none of us can afford to let our guard down.
Alastair MacGibbon does not work for, consult to, own shares in or receive funding from any company or
organisation that would benefit from this article, and has no relevant affiliations.
This article was originally published on The Conversation. Read the original article. Follow all of the Expert
Voices issues and debates and become part of the discussion on Facebook, Twitter and Google +. The
views expressed are those of the author and do not necessarily reflect the views of the publisher. This version
of the article was originally published on Live Science.

Editor's Recommendations
Heartbleed Bug: How to Create Strong Passwords
Love, Honor & Cherish But Share a Password?
Attack on Reuters Makes Mockery of Cyber Security (Op-Ed)
More from LiveScience

Why Hasnt A Major Hurricane Hit the U.S. in 9 Years?

http://www.livescience.com/48508-the-password-is-dead-long-live-the-password.html

6/9

12/10/2014

The Password is Dead, Long Live the Password

Dazzling Images of the Brain Created by Neuroscientist-Artist

Big Data Helps Predict Infectious Disease Spread | NIGMS

Drugs in Early Americas Included 'Magic' Mushrooms and Toad Skins

Two 'Pseudoscorpions' Discovered in Grand Canyon Cave

Two-Headed Baby Salamander Isn't Radioactive, But It Is Weird

Stressed Momma Squirrels and Their Pups

Ancient Bacteria in Water Pose a New Worldwide Danger

Science Newsletter: Subscribe
enter email here...
http://www.livescience.com/48508-the-password-is-dead-long-live-the-password.html

7/9

12/10/2014

The Password is Dead, Long Live the Password

Follow Us

Add a comment...
Also post on Facebook

Posting as Brett Roberts (Change)

Comment

Facebook social plugin

Most Popular
US Birth Rate Hits All-Time
Low

Photos: Ancient Shell

Carving Is Oldest On Record

Artificial Intelligence:
Friendly or Frightening?

Opulent Clothing Unearthed

in Ming Dynasty Tomb

Why Men Love Lingerie: Rat

Study Offers Hints

Private Cargo Spacecraft Gets New Rocket Ride After Accident

Phew! Giant Asteroid Not a Threat to Earth, NASA Says
Five Holiday Gifts for the Space History Buff

http://www.livescience.com/48508-the-password-is-dead-long-live-the-password.html

8/9

12/10/2014

The Password is Dead, Long Live the Password

Math for Drones, Self-Driving Cars Wins Top Student Science Award
US Airports Screened 2,000 Travelers for Ebola, But Found No Cases
Parents May Overestimate Marijuana's Effects on Kids' Seizures

Tablet Meets Projector in Wonderfully Weird Combo

Samsung Galaxy Tab Active Can Take a Beating
HP's Sexy New Laptop Makes MacBook Air Look Fat

MASSIVE SPOILERS: 10 Questions Answered & Asked on AGENTS OF S.H.I.E.L.D.s Game-Changing

Fall Finale
SPOILERS: Marvel's AGENTS OF S.H.I.E.L.D. Season 2 Fall Finale Reaction & Easter Egg Liveblog
Who Are Marvel's AGENTS OF S.H.I.E.L.D.'s [Redacted] & [Redacted]? SPOILERS

Do Your Employees Secretly Dislike You? What to Do About It

5 Signs You Need New Tech (and How to Pick the Right Tools)
Dropbox Teams with Microsoft to Help You Be More Productive
COMPANY Company Info About the Site Contact Us Advertise with Us Using our Content Licensing &
Reprints Privacy Policy Sitemap
NETWORK TopTenREVIEWS Toms Guide LAPTOP Toms Hardware BusinessNewsDaily Toms IT Pro
SPACE.com LiveScience
FOLLOW US

SUBSCRIBE
enter email here...

Copyright 2014 All Rights Reserved.

http://www.livescience.com/48508-the-password-is-dead-long-live-the-password.html

9/9