Passwords are like underwear

trousers-362781_1280.jpg

We all use them. Yes, I mean underwear – at least most of us. In a similar fashion most of us use passwords. Or to be more precise, we are forced to use passwords by a swarm of online services, government agencies, employees and anyone else who just wants us to login to whatever they deem precious enough.

Passwords have been with us since the dawn of times – you may have heard of ‘incident of shibboleth’ and of course a tale of ‘Ali baba’. In modern science we recognise three high-level types of authentication:

1.     Something I know – typically a secret password

2.     Something I have or won – typically a device

3.     Something that is myself – methods are numerous but could include DNA, retina, fingerprint, blood vessels, voice, odour, the way I type on keyboard 

By far the most used authentication method since biblical times (and most likely before) have been passwords. Passwords are like Marmite – you either love them or hate them. Well, most people hate them but consider them a necessary evil to get to those precious assets they need. Passwords are also insecure – based on human limitations and computer technology.

And here lies our problem. Humans are wired NOT to remember many secrets and CANNOT generate strong enough passwords that would also be memorable.

Those with a short attention span please jump to the next paragraph. Today in cryptography, a strong symmetric key is at least 128bits random string of 0s and 1s. Translate it to 'ASCII printable characters’ 1 and you only get 6.57bits per character in a password. This means a 128bits strong password would have to be at least 20 characters long! Be honest now: how many of your passwords are that long? And remember, this length requirement is by assuming an ideal randomness of selecting those printable ASCII characters into your passwords. Well, we already know humans cannot do random. Let’s increase the minimum password length, driven by human limitations, to 26 characters. In my opinion, the vast majority of people will not be able to remember a different password of at least 26 characters for every website they visit.

So now we know that passwords should be as random as possible and long - at least 26 characters. A typical human might have hundreds of online passwords which, with these rules, are impossible to remember or even generate. That is where password managers come into play. Hence, we recommend 1Password which, when correctly implemented, will ensure you only have to remember ONE password. And that is certainly within human capabilities.

If you aren’t sure if your business is protected then don’t delay, we can help.