Ramblings about password security and how you can better secure your data
Pssst - what’s the password?
In late 2017 there has been some developments and discussions around the security of personal data. Everyone seems to be bad-mouthing the idea of protecting systems with passwords - you know, those annoying, forgetful jumble of letters, numbers, and possibly expletive characters that you trip over any time you want to access your own junk? Well, a plethora of experts have lined up to offer helpful advice and alternatives, such as word substitution, password generation, temporary passwords, two-factor authentication, biometric data, or writing down your password in blood and then burning the paper (Ok, maybe I made that one up). Helpful ideas like “choose some well-known expression, song lyric, or dialogue, and derive the password from the first letter of each word” have been the bane of hapless users and security experts alike for decades. But some methods are gaining traction, for better or worse.
Two Factor Authentication
Two-factor authentication has been a pretty decent development. It involves sending you an access code via a system unrelated to the thing you are trying to do. For example, to log into a website using your computer, you need to enter a code that is sent to your phone. There are examples however of accounts being hacked by people getting phone companies to send the codes to the wrong phone, so it’s not foolproof. It’s also pretty inconvenient to have to go through the second device or process to log in - like, what if your phone is flat? The latest craze is to use biometric data to secure your access.
Frankly using biometric data is the opposite of security & privacy, in fact I’d say it is dangerous. Not just in an Avengers Loki-stealing-eyeballs way. Using fingerprints, retinal scans, voice authorisation or other biometric data means that your personal, unchanging and unique data is now stored in some database somewhere, where a competent hacker can claim the data for themselves, and any nefarious agency will be able to trace back your entire activities with greater precision. The only benefit is to said agencies, for whom the enthusiastic adoption of these technologies has opened an incredible gamut of opportunity for surveillance, oppression and impersonation. I don’t remember anyone complaining “why can’t my iPhone recognise my face” and yet the iPhoneX was completely refactored to support this function. It was not customer or consumer-driven innovation.This is using a popular, familiar device as a vehicle to advance sinister surveillance technologies. The question is, for who? Not you, dear phone user.
Frankly using biometric data is the opposite of security & privacy, in fact I’d say it is dangerous.
Anyway let’s take a step back from the abyss of crazy conspiracy theories to address the issue at hand - your passwords. So here’s my simple idea. We should be asking users for passphrases, not a password! It’s been a long-held standard for spy agencies, and nobody is more secretive than them. Basically the longer the password, the harder it is for a computer to crack - so make it super-long, make it a phrase. Like Oh from the movie Home, whose uncrackable password was “My name is Oh and Captain Smek is great and anyone who does not think that is a poomp 1”.
It’s been claimed that human-friendly passwords don’t protect from a dictionary attack, because humans tend to just pick lowercase letters and spaces, reducing the number of variant characters. Gary Kessler calculated that a password of 32 characters would be required for a plain english password, and no human would remember that word. I’d counter that by making passwords require a phrase that includes a minimum number of words, not a minimum of letters. A sentence is typically between 10-20 words, and if the average word is five letters, a six-word (sentence) minimum would be close enough to that 32 character requirement. Oh’s example clocks in at 87 characters! Any memorable phrase could be used, like a favourite song lyric or a recipe for a of favourite food, or even a statement of solidarity with the captain. And just like Oh, don’t bother checking the case of the letters, humans and aliens always seem to click the CapsLock key by accident.
A Personal DataStore App?
A security passphrase might be a practical and safe alternative but it’s a lot of typing. On a keyboard it’s no big deal but on a phone it’s horrible. Perhaps there could be a special security app that sits on your phone and contains personal details, credit cards numbers & passwords for easy pasting into forms. The data is encrypted to your device using some ridiculous level encryption and, crucially, the app has no interactivity whatsoever with the internet - there is no risk of leaking the details through snooping TCP packets, no risk of some central repository somewhere getting hacked or sharing you intimites with third parties. Your data stays on your device, it is yours and yours alone!
Whenever you visit a page or application that requires your details, just open the app and drag out the data. It inserts them into the form, no typing required. Credit cards, passwords, shipping details, whatever. Bang and done. It might even remember each form so the next time it just prefills it.
The app would require it’s own security. For a phone, I’m thinking a 5-digit passcode. The encrypted data would expire every few days and require the user to regenerate the encryption key to retain the data. Or maybe just require a regular app upgrade (like any other app) to regenerate the encryption. This would prevent someone stealing the phone and attempting to hack the data directly. If they tried to guess the 5-digit passcode instead, it would lock after 6 failed attempts per minute, and remained locked for 10 minutes. That leaves 7,200 combinations per day out of 100,000 possibilities.
Does such an app exist? I'm not sure, haven't checked. But, the idea of personal data that stays with you runs against the trends of the industry where companies try to harvest & horde every detail about you. But as a human being, I think we're all entitled to a little bit of privacy and data security without handing it to some oblique organisation lurking in the shadows of the internet (or in outer space, of course.) What do you guys think?
Need help building an app? Talk to us about your worries and needs. Internetrix combines digital consulting with winning website design, smart website development and strong digital analytics and digital marketing skills to drive revenue or cut costs for our clients. We deliver web-based consulting, development and performance projects to customers across the Asia Pacific ranging from small business sole traders to ASX listed businesses and all levels of Australian government.