With an ever increasing online population - 41 million users in the UK alone (source: Internet World Stats) - computer security and user authentication have never been more vital. Unusable security is expensive as well as ineffective. According to Password research, two-thirds of users had to reset their passwords/PINs three or more times in the last 2 years. With each password reset estimated at £35 in help desk costs (source: Mandylion research labs) it's easy to see how expensive an affair this can be.
Passwords are by far the most widely used method of authentication. We're all having to remember more usernames and passwords by the day. It comes as no surprise then that over half of us use the same password for everything from work to banking to ecommerce, which is known to be poor security practice. More worryingly, 21% of people revealed their passwords in exchange for a bar of chocolate (source: Infosecurity Europe)! Clearly it's not all about making systems secure but making them usable too.
Passwords have long been considered insufficient within the security industry. Bill Gates even called for an end to passwords 2 years ago (source: CNET news). As that day still seems a long way away, let's consider what we can do to make the best of a bad bunch.
As a website owner, you can make your customers' lives easier, and your site more secure by adhering to the following guidelines:
To help your users choose secure passwords that are memorable, try suggesting some of the following tips to them:
Do your users have one password that they use for everything and want to keep it that way? They can have an easy life and be security-conscious. Here's how: Advise them to append an additional word/number at the end of the universal password to make it longer and more secure. The add-on can be related to the application/site they're on, so it's easy to remember and yet unique.
Here's an example - let's say the universal password is 'password' (which it should never be of course!). The password 'password' is predictably rated weak by Microsoft's Password Checker:
For a florist's site they can turn it into 'p@ssw0rdfl0wers' (for 'passwordflowers') and for e-mail it can be 'p@ssw0rdem@1l' (for 'passwordemail'), both of which are much more secure than the initial choice and unique to the respective sites. With just a few modifications, the new password 'p@ssw0rdfl0wers' achieves the best rating by Microsoft's Password Checker:
You can also suggest they check out Get safe online, a site dedicated to helping web users stay safe online.
Should passwords disappear then what'll replace them? An alternative is a system called 'passfaces' that utilises our innate ability to recognise faces with speed and accuracy. Users are required to correctly select their pre-chosen faces from a random set in order to gain access:
Passfaces has already been implemented by a number of websites.
Some online banking customers are being sent chip-and-pin card readers to add a layer of security. A lot of banks and large corporations are using tokens such as random number generators in addition to passwords to increase security:
RSA is a leading provider of tokens for multi-factor authentication.
Another alternative is biometrics where a person's physical or behavioural characteristics such as fingerprint, iris or voice are used for authentication. Examples include laptops with built-in fingerprint readers and the new biometric passports in the UK.
These approaches aren't solutions in themselves but will have to consider the human as being central to the whole authentication process in order to succeed.
Traditionally, security has been considered more important than usability. In reality, security measures only succeed when users' needs are taken into consideration. Contrary to popular belief, security and usability can and should go hand in hand. Let's hope whatever replaces passwords is designed with usability in mind so we don't have to lose ours!