Passwords are “too risky” and should be banned, says new pressure group

Passwords are outdated and “inevitably” fall into the hands of cybercriminals, according to a new advocacy group, Petition Against Passwords.

The group aims to encourage digital service providers to move towards “password-less” authentication systems. The Petition will launch on July 24, and is backed by LaunchKey, OneID and Nok Nok Labs, as well as identity management startup Clef, which offers a smartphone-based authentication system.

“Because passwords must be stored on a central server, sites are tasked with protecting them from a persistent onslaught of attacks. Even the best protected servers eventually fall. The results can cost the company millions of dollars and drastically impact consumer trust,” says Brennen Byrne, CEO of Clef, according to a report by PC World.

The movement comes in the wake of a number of high-profile breaches where customer data was accessed or compromised, including attacks on Sony, Ubisoft, daily-deals site LivingSocial, LinkedIn, Zappos and Evernote. When passwords are published online after such data breaches, insecure choices such as “123456” and “password” remain among the most commonly used.
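The two problems in the paragraph above, weak choices such as “123456” and breach dumps that expose whatever the server stored, are both addressed on the server side. The following is an added example (not code from ESET, Clef or any of the companies named on this page) of the minimum a service should do: refuse passwords from a common-password blocklist and persist only a per-user salted, deliberately slow PBKDF2 digest, so that a stolen table yields salts and digests rather than passwords. The blocklist, the iteration count, the 12-character minimum and all function and class names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed for this example: a handful of the passwords that turn up in
# breach dumps. A real deployment loads a much larger breach-derived list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}

MIN_LENGTH = 12
# Assumption: PBKDF2-HMAC-SHA256 with an iteration count tuned so that one
# verification costs tens of milliseconds on the server's hardware.
PBKDF2_ITERATIONS = 600_000


class WeakPassword(ValueError):
    """Raised when a candidate password fails the registration policy."""


@dataclass(frozen=True)
class PasswordRecord:
    """What the server persists instead of the password itself."""
    salt: bytes
    iterations: int
    digest: bytes


def check_policy(password: str) -> None:
    """Reject the choices that the article lists as most common in breach dumps."""
    if len(password) < MIN_LENGTH:
        raise WeakPassword(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        raise WeakPassword("appears in the common-password blocklist")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> PasswordRecord:
    """Derive a salted, slow digest. A fresh random salt per user means two
    users who chose the same password still get different records."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return PasswordRecord(salt=salt, iterations=iterations, digest=digest)


def verify_password(password: str, record: PasswordRecord) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.digest)


class UserStore:
    """Minimal credential table: usernames map to PasswordRecord, never to plaintext."""

    def __init__(self) -> None:
        self._records: Dict[str, PasswordRecord] = {}

    def register(self, username: str, password: str) -> None:
        check_policy(password)
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Do the same amount of work for unknown users so that response
            # time does not reveal which usernames exist.
            hash_password(password, salt=bytes(16))
            return False
        return verify_password(password, record)

    def breach_dump(self) -> Dict[str, Tuple[str, str]]:
        """Simulates what an attacker obtains from the stolen table: salts and
        digests only, so recovering a password means brute-forcing it per user."""
        return {u: (r.salt.hex(), r.digest.hex()) for u, r in self._records.items()}
```

The per-user salt is what makes a precomputed table useless against the dump, and the iteration count is what turns the guessing of “123456”-class passwords from trivial into expensive; the blocklist is there because no amount of hashing protects a password an attacker will try first.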

ESET Senior Research Fellow David Harley says in a blog post, “The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. Biometrics and one-time passwords and tokens are much more secure, especially when implemented in hardware as a two-factor authentication measure.”

Other groups, such as the Fast Identity Online (FIDO) Alliance, aim to replace passwords with a secure, industry-supported protocol which is also easy to use. FIDO is investigating technologies such as fingerprint scanners, voice and facial recognition, and existing solutions such as Near Field Communication (NFC) and One Time Passwords (OTP), with a view to creating an integrated solution.

Other companies and scientists have suggested wilder solutions to the problem – from password tattoos and authentication pills to using brainwave scanners for authentication.

Author, We Live Security

  • Ian Simmons

    And what idiot company allows users to have passwords like “password” and “123456”?

    • My guess would be that corporates – large companies, anyway – will tend to be fairly strict on checking password strength. Service providers, maybe not so much. Not because they want to discourage good password practice, so much as because they don’t want to discourage customers by making their lives difficult. The fact is, though, it doesn’t matter all that much if a company can’t keep its customers’ credentials safe.

  • NerishiQaMaster

    “Passwords are broken”. This is an old war-cry, and there’s much evidence to support it. But the alternative proposals are even worse. Right now, someone could steal my password, and have only that. If we use biometric data, suddenly that can be stolen too, and may be more widely useful.
    Using industry-standard cryptography for the password store, with *salted, encrypted* passwords, makes most thefts pointless. Giving some random vendor details about my iris, fingerprint or brainwaves is not something I’ll ever countenance.
    And the pill idea? Well, didn’t that come from the USA’s head of “spying-all-the-time”? – and why should we make their job any easier? Not to mention how such data might – as in, probably will – be sold to third parties.


Copyright © 2017 ESET, All Rights Reserved.