Webster's pieces from The Oldie
Webster's Webwatch

Password pain

May 2019

I’ve been saying for years that computers are still in their infancy and that one day operating them will be as simple as driving a car; however, despite all the advances we don’t seem to be making the progress I had hoped for.

As things stand, you and I could probably swap cars and drive to Edinburgh with minimal instruction, if any.  But if we swapped computers, the odds are very strong that we would soon take a wrong turn, digitally, at least. 

An example of this slow progress is the continued use of passwords to access websites.  It’s obvious that we need some way to securely identify ourselves to the website we are using, especially if it is holding private information about us, but it is also clear that passwords, which may have seemed like a good idea twenty years ago, have long since passed their best.

In fact, they have run amok.  I use a password manager – that’s a piece of software that remembers the passwords for me – and I have over 600 passwords recorded in it.  Without that software, I couldn’t possibly cope unless I used the same password everywhere, which would be very foolish. 

On top of the effort of managing passwords, there is the risk that someone might guess, or steal, them.  Most of the time, no one will try, but it’s not a risk worth taking.  If you go to haveibeenpwned.com/passwords you can enter the passwords you use and see if they are on the list of over 500 million passwords that have been exposed in data breaches somewhere in the world; if your favourite password is on that list, you should change it to one that isn’t.  Don’t panic; this doesn’t mean that you have been hacked, just that the password you used is on a list that hackers will certainly try if they ever do attempt to get into your accounts. 

So, let’s accept that passwords, as we know them, are outdated, clumsy, vulnerable and badly in need of replacing with something rather sharper and more secure. 

Fortunately, the World Wide Web Consortium (w3c.org) agrees with us.  That’s the body led by Sir Tim Berners-Lee that controls web standards, and for some years it has been working on a new industry standard to abolish passwords.  In February it approved the first version. It is called WebAuthn and allows the wholesale replacement of passwords by using devices such as smartphones, a security key (like the ones banks give us), a fingerprint scanner (many phones include them) or a webcam.    

You may already know about ‘two-factor identification’ which many websites offer.  You log in with a username and password and then encounter another hurdle of security, often a unique code sent to a phone, or emailed to you.

The new standard, WebAuthn, will simplify the process by eliminating the password altogether.  Once you enter your username, you will immediately receive a text, phone call, email or whatever you have agreed to allow you to prove it really is you.  My preference would be for using the fingerprint reader that is on my phone, which refuses to accept nine of my own fingers, never mind anyone else’s.

The beauty of this is that it will eliminate password theft, as there is nothing to steal; the information that passes between devices and logs you in is unique every time.

The ditching of easily guessed or leaked passwords in this way will be a step forward in both simplifying and making more secure your links to a website.  This, in turn, will make it easier for them to safely provide more personal services for you, and we should welcome it as websites start to use it. 

And I can finally forget my 600 passwords.


A few links:


World Wide Web Consortium: you can read all about the Web Authentication Working Group here: https://www.w3.org/Webauthn/ although, I warn you, it’s pretty impenetrable stuff.

Password Manager: This is the password manager I use: Click here 

It’s free, and built into the Chrome browser, and will also suggest very complex passwords for you if you want.  This, of course, makes it completely indispensable; very clever.

Check your password

Check if your password has been used and exposed in a security breach: Click here

The same site, CLICK HERE, also lets you check if your email address has appeared in any security breaches – it has a list of 6.5 billion in its database. If you are on it, don’t panic, but change your password.  This is good practice every few months, anyway.
