Us in 10 Years

It’s Time to Get Rid of Our Passwords

It’s the future we deserve

Tom Segev
Digital Diplomacy


An illustration of a woman standing next to a mobile phone login screen
Illustration by Katerina Limpitsouni

We have many obsolete things in this world. Things we should get rid of and never use again. Things we should find alternatives for, and then adopt worldwide. Like toilet paper or plastic straws (switching to paper straws was a recent trend where I come from and a ban in other places).

Let’s talk about our passwords.

It makes no sense to have passwords anymore. The whole concept shouldn’t exist by now.

Think about it. Every single website you encounter requires you to register with a unique password, and it had better be a strong one: a combination of letters, numbers, and symbols.

Remember when you still had one password for everything you needed?
Now you need to keep track of 50+ different passwords, all in one place.

Some time ago (a very long time ago) you still kept one or two passwords for your favorite websites in your head, but now you barely ever sign out, so you rarely need to remember anything.

And if you accidentally sign yourself out, you just need to hit a few buttons and sign in right back from your mailbox.

Passwords are part of what makes our world complicated

An illustration of a woman chilling on the floor with a laptop on her lap.
Illustration by Katerina Limpitsouni

Your Computer Is a False Friend

I get it. We need personal keys to access personal things.

But in recent years it has come to the point where every single website you want to view requires some sort of personal identification and a sign-up. For the last 10 years or so, I’d say. Why?

I am guilty of it myself with the projects I work on. In today’s world, it feels like the most basic thing is to make users sign up for your website. But the truth is, it’s not always a necessity to build a membership system.

All the Eggs in One Basket

So someone invented the password manager, which keeps track of all your passwords and even helps you generate new ones. All without even looking at what the password is, and in less than a second.

Also, giants such as Google and Facebook, which have your identifying information anyway, publish SDKs that let web developers add a “sign in with” button, so users can sign in or sign up to a website without even thinking about what they are doing.

It just makes it so easy and effortless. Not only is the access process easier, it also adds personalization and social functionality to the user experience. Although if you ask, some will tell you they would rather avoid implementing it. Rakesh Soni has pointed out security issues found in social logins.

Sometimes I find myself wanting to check out a website but then passing on it because I see I need to type in all my information to do anything.

Oftentimes it is also necessary to confirm your email address before it lets you in, whereas when a Facebook login form welcomes me I barely hesitate to hit the blue button.

However, your personal computer and phone are the keys to everything you own online. When someone opens your computer when you’re not around, they can access everything you’re logged into. The same goes for your phone.

This is also a problem with password managers. A password manager is essentially a local database (or list, if you will) containing all your passwords.

Most password managers require a master password to unlock that database. But once it is unlocked, visiting any website saved in the manager fills in the credentials automatically and access is granted. That is, of course, assuming you weren’t already signed in to that website in the first place.

My password manager, for example, does not require me to enter a master password to view my password vault; I would have to set that up actively. It takes me two clicks to access all of my passwords, and it doesn’t ask me for anything.

An illustration of three access login screens on a laptop, a mobile phone and a web browser.
Illustration by Katerina Limpitsouni

Hackers Will Make Your Favorite Website Squeal

How to Build a Login Access Page 101

Let’s go through the anatomy of a login page real quick.

For a simple password login to work, a website needs a database of user accounts that stores each user’s password (or, as we will see, a hash of it). Whenever you type your password into the dotted input box, what you entered is checked against that database.

A simple password form with "pass dots" inserted in it.
Whatever you enter is checked against the database | screenshot by the author

Given the phrase you entered matches the password in the database, access is granted.

However, you wouldn’t want that website to know your password, would you?

Please welcome to the stage: the MD5 algorithm.

What is the MD5 algorithm?
MD5 is a hashing algorithm. Simply put, hashing is the process of taking a phrase and turning it into an irreversible “scrambled egg”.

So, MD5 takes an input (a password in our case) and returns a hashed output, which looks something like this:

ddd0531e2e73d1c82703746eaf3bd320

So whenever you sign up for a website, your password is hashed before it is saved in the database. Then, whenever you sign in, the phrase you entered is hashed and compared with what the website has stored.

That way the website you’re using doesn’t have your actual password.

The problem with MD5?
It’s not secure enough.

Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to “brute force” the output of these algorithms, in order to determine the original input.

Because of how quickly a modern computer can “reverse” these hashing algorithms, many security professionals strongly suggest against their use for password hashing.

source

Anyone who can type into Google can “decrypt” it: lookup sites keep databases of precomputed hashes for billions of common passwords, so the unsalted MD5 hash of a common password is a search away. Check it yourself.

So we also have SHA-1, SHA-2, SHA-3, bcrypt, scrypt, Argon2, and others, each with its pros and cons when it comes to protecting passwords. The SHA family is fast by design, like MD5: fine for checksums, wrong for passwords. bcrypt, scrypt and Argon2 were built specifically for passwords: they add a random salt and are deliberately slow, so every guess costs the attacker real time. Some, like MD5 and SHA-1, are retired from use. But no matter how good an algorithm is at keeping hackers away now, in the future it just won’t be good enough.
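As an added example (not code from the article), here is the login-page anatomy described above in Python: the unsalted MD5 scheme the article walks through, a miniature “database of already known hashes” that cracks it by lookup, and the salted, deliberately slow hash a site should store instead. bcrypt and Argon2 need third-party packages, so the standard library’s PBKDF2-HMAC-SHA256 stands in for them; the wordlist, usernames and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# --- the scheme the article describes: store md5(password) -------------------
# Deliberately insecure; this is the "before" picture.
def register_md5(db: dict, username: str, password: str) -> None:
    db[username] = hashlib.md5(password.encode()).hexdigest()

def verify_md5(db: dict, username: str, password: str) -> bool:
    stored = db.get(username)
    if stored is None:
        return False
    candidate = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)  # constant-time comparison

# --- a "database of already known hashes", in miniature ----------------------
# Lookup sites and crackers precompute md5(candidate) for huge wordlists; an
# unsalted hash of a common password is then a dictionary lookup, not a
# computation. Constructed wordlist for the example, not a real leak.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]

def crack_md5(md5_hex: str, wordlist=WORDLIST):
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(md5_hex)  # None if the password is not in the table

# --- what should be stored instead: per-user salt + slow, tunable hash -------
# bcrypt/scrypt/Argon2 are the usual choices; stdlib PBKDF2-HMAC-SHA256 is a
# stand-in here. ITERATIONS is illustrative: tune it so one hash costs tens of
# milliseconds on your servers, and raise it over time.
ITERATIONS = 200_000

def register_slow(db: dict, username: str, password: str,
                  iterations: int = ITERATIONS) -> None:
    salt = os.urandom(16)  # fresh random salt: same password, different hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record, so the cost can be raised for new accounts.
    db[username] = f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_slow(db: dict, username: str, password: str) -> bool:
    stored = db.get(username)
    if stored is None:
        return False
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    users = {}
    register_md5(users, "alice", "letmein")
    print("md5 stored:       ", users["alice"])
    print("cracked by lookup:", crack_md5(users["alice"]))
    register_slow(users, "bob", "letmein")
    print("slow hash stored: ", users["bob"])
    print("cracked by lookup:", crack_md5(users["bob"]))  # None: salted, different algorithm
    print("login ok:         ", verify_slow(users, "bob", "letmein"))
```

Two things to notice when running it: two users with the same password get the identical MD5 record, which is exactly what makes a shared lookup table work, while the salted records differ for every user; and a wrong password fails in both schemes, but only the second one makes each failed guess expensive for whoever steals the database.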

What a Time to Be a Hacker

Whenever a website you use gets hacked, your password can be leaked and distributed. Some websites reportedly don’t hash your password at all and store it in plain text.

Troy Hunt’s Have I Been Pwned alone lists 9,760,722,439 leaked accounts from 454 websites, including 555,278,657 passwords, according to the project’s website (as of June 2020).

You’ll be amazed at how many of your favorite websites were hacked over the years. Chances are you’ll find yourself in at least one list, if not more.

With services getting hacked every day, it’s just a matter of time.
Nintendo is the most recent one.

If you haven’t found your leaked password yet, you need to understand — It’s not if, it’s when.

They Are Coming to Get You

It will happen sooner or later. And you won’t enjoy it when it happens.
Trust me.

Last year I found my password alongside 1,600+ other user passwords in a leaked Udemy list on Scribd, by a simple Google search of my username. It was visible in its Google meta description.

I emailed support and cited their terms of use regarding exposing private account information. It took them only 7 minutes to remove the document, which is great response time.

However, it took Google a couple of weeks to remove the document’s metadata from its index.

An email I sent with a request to remove the leaked document
Part of my request to remove the leaked document | screenshot by the author

A Hero to Save the Day

Unlike an unsalted MD5 hash, a properly stored password hash cannot be cracked with the help of Google: a random salt is mixed into every password before hashing, so the same password produces a different hash on every site, and no precomputed table of known hashes applies. Hashing is also irreversible, so the hash itself cannot be turned back into the password.

So hashes can’t be decrypted, but they can still be brute-forced: whoever has the database simply hashes guess after guess until one matches. Algorithms such as bcrypt and Argon2 are built to make every guess slow and expensive, which discourages hackers from trying in the first place, but brute-forcing is still a thing, and hardware only gets faster.

Enter the Two-Factor Authentication (2FA)

A couple of ways to protect against brute-forcing exist. One, for example, is to limit the number of attempts someone can make before the account is temporarily blocked. But depending on the implementation, it can fail: a counter that simply resets after a fixed window lets an attacker pace guesses just under the limit, and locking the account on failed attempts lets an attacker lock the real user out on purpose.
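To make the “depending on the implementation” point concrete, here is an added example (not from the article) of two attempt limiters in Python: a naive fixed-window counter and an exponential-backoff variant, plus a simulated attacker who paces wrong guesses to see how many the limiter actually evaluates. Time is passed in explicitly so the simulation is deterministic; the limits, delays and the attacker’s interval are illustrative values.

```python
from collections import defaultdict


class FixedWindowLockout:
    """Naive: at most `limit` failed logins per `window` seconds, per username.
    Old failures simply age out, so nothing slows an attacker who paces guesses
    just under the limit."""

    def __init__(self, limit: int = 5, window: int = 60):
        self.limit, self.window = limit, window
        self.failures = defaultdict(list)  # username -> failure timestamps

    def allowed(self, user: str, now: float) -> bool:
        recent = [t for t in self.failures[user] if now - t < self.window]
        self.failures[user] = recent
        return len(recent) < self.limit

    def record_failure(self, user: str, now: float) -> None:
        self.failures[user].append(now)

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


class BackoffLockout:
    """Exponential backoff per username: each consecutive failure doubles the
    wait before the next attempt is even checked, capped at `max_delay`."""

    def __init__(self, base: float = 1.0, max_delay: float = 3600.0):
        self.base, self.max_delay = base, max_delay
        self.state = {}  # username -> (consecutive_failures, not_before)

    def allowed(self, user: str, now: float) -> bool:
        _fails, not_before = self.state.get(user, (0, 0.0))
        return now >= not_before

    def record_failure(self, user: str, now: float) -> None:
        fails, _ = self.state.get(user, (0, 0.0))
        fails += 1
        delay = min(self.base * 2 ** (fails - 1), self.max_delay)
        self.state[user] = (fails, now + delay)

    def record_success(self, user: str) -> None:
        self.state.pop(user, None)


def paced_attack(lockout, user: str, guesses: int, interval: float) -> int:
    """Simulate an attacker who submits one wrong guess every `interval` seconds
    and return how many of those guesses the lockout actually let through to
    the password check."""
    evaluated = 0
    for i in range(guesses):
        now = i * interval
        if lockout.allowed(user, now):
            evaluated += 1
            lockout.record_failure(user, now)  # every guess is wrong
    return evaluated


if __name__ == "__main__":
    # 100 guesses, one every 13 seconds (just under 5 per minute).
    print("fixed window, paced:", paced_attack(FixedWindowLockout(5, 60), "alice", 100, 13))
    print("fixed window, burst:", paced_attack(FixedWindowLockout(5, 60), "alice", 100, 0))
    print("backoff, paced:     ", paced_attack(BackoffLockout(), "alice", 100, 13))
```

Against the fixed window, a burst of guesses is stopped after five, but the same attacker spacing guesses 13 seconds apart never has five failures inside any 60-second window and gets all 100 evaluated; with backoff the waits grow to minutes after a handful of failures and only 11 of the 100 are checked. Both limiters key on the username, which is the other failure mode the text hints at: five deliberate wrong guesses lock the legitimate user out, so real services combine per-account backoff with per-IP limits, CAPTCHAs and a slow password hash rather than relying on any one of them.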

Our hero is quite straightforward and demands only 2 things:

  1. Something you know
  2. Something you have

By simply adding one more step before you can access the other side, the website provides you with increased security, which isn’t based only on your password. Our guy simply wants to make sure you know your password and have your phone — because these are the two things he trusts.

Google Authenticator, for example, shows a 6-digit code on your phone that is valid for 30 seconds and then changes. The app and the website share a secret (the QR code you scan at setup), and both derive the current code from that secret and the current time, so the website can check what you type without anything being sent to your phone. Websites can offer an authenticator app instead of an SMS code, and the app is the stronger of the two, since SMS can be intercepted or redirected.

This is about security.

An alternative is what’s called a magic link, which is relatively new. You just type your email address, click a button, and receive an email with a sign-in link that logs you in immediately. No password, just email.

This is about speed.
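A magic link is only as good as the token in it, so here is an added example (not from the article) of the server side in Python: a token store that issues random single-use links with an expiry and keeps only a hash of each token, so a leaked table does not yield working links. The login URL, the 15-minute lifetime and the addresses used in the demo are assumptions for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

TOKEN_TTL = 15 * 60                        # seconds a link stays valid (illustrative)
LOGIN_URL = "https://example.com/login"    # assumed endpoint for the example


class MagicLinkStore:
    """Issues single-use, expiring login links. Only sha256(token) is stored
    server-side, for the same reason passwords are hashed: whoever reads the
    table must not be able to use it."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, int]] = {}  # token hash -> (email, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: int) -> str:
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        self._pending[self._key(token)] = (email, now + TOKEN_TTL)
        return f"{LOGIN_URL}?token={token}"          # this is what goes in the email

    def redeem(self, token: str, now: int) -> Optional[str]:
        """Return the email address to sign in, or None. The entry is removed
        on the first attempt, valid or not, so a link can only ever work once."""
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None                              # unknown, or already used
        email, expires_at = entry
        if now > expires_at:
            return None                              # expired
        return email


def token_from_link(link: str) -> str:
    """Demo helper: the token is the part after '?token='."""
    return link.split("?token=", 1)[1]


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.com", now=1_000)   # constructed address
    print("emailed link:", link)
    print("first click: ", store.redeem(token_from_link(link), now=1_060))
    print("second click:", store.redeem(token_from_link(link), now=1_070))  # None
```

Because the token is a 256-bit random value rather than anything derived from the address, guessing is hopeless and the only thing that needs protecting is the mailbox the link lands in, which is exactly the weak spot the next question raises.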

But what happens when someone sits in front of your computer and has your phone?

You Deserve Much Better

I could list the many other alternatives we have for accessing a private account. But I’d rather present you with something else.

Imagine a world without passwords.

A world where you are the password.

This is what’s great about the idea behind face recognition, voice recognition, and fingerprint-based logins. You are the key. These, too, have their issues, most of them physical: a sensor can be fooled, and unlike a password, a fingerprint cannot be changed once it leaks.

But they just might be an integral part of our future.

It is unacceptable. Why would we need so many passwords? Some may say diversification, or risk management: when one database is hacked, all the others are still safe.

But come on, couldn’t there be an alternative for physical verification in the future, which throws the use of countless passwords out the window?

Why do we need to throw digital waste everywhere we go?

Do Not Trust Anyone You Know

It’s on you to be responsible with the passwords and devices you leave lying around everywhere. It’s on you to log out when you’re somewhere public. It’s on you to decide how far to trust the people around you, even the ones you consider closest.

I think I need to remind you that:

The second they have a reason to, they will use whatever they can lay their hands on and use it against you

This is just how the world works.
People use any opportunity and privilege they have.

You Are the Only Key You Need

I’d imagine most of us put in the minimum amount of effort to protect our keys. I’d even say we don’t care enough. I say we deserve something much simpler in our lives.

If we want to have a solution that doesn’t involve physical recognition, we could still come up with a system that doesn’t require us to remember more than just a few passphrases.

Which system? I wish I knew.

An illustration of a woman dancing next to a giant fingerprint.
Illustration by Katerina Limpitsouni

We Need to Make a Change

Multi-Factor Authentication is the answer for now. And I like the magic link approach, which is swift. But when it comes to security, depending only on a mailbox you’re probably already signed in to is not the best of ideas: whoever has your unlocked laptop has your email, and with it every magic link.

We are approaching a new world every day, and if something is expendable, we should consider questioning it and replacing it with something better.

Finding a new solution and eliminating the use of more passwords than we can count with our fingers can be a part of our future.

Maybe you could be that person who leads the next big change?

The graphics on this article were made by Freepik


Startups | Business | Ideas — Founder @ PolarDino and co-founder of an escape game — A freelance web developer. Talk to me at tomsegev.com