Would you be happy to say goodbye to passwords?

Barclays phone banking customers will be able to use voice recognition technology instead of passwords as security checks. So are we seeing the beginning of the end of passwords?

The name of a first pet, a river in Northumberland or the first song played at your wedding may seem to have little in common. But they are all among the things people in our office have used to create online security passwords…

Password problems

In my own case, you could probably put together a fairly accurate (though not very interesting) biography of my life from passwords I’ve used over the years. I must confess, I’ve previously raided family names, nicknames and birthdays in an effort to make them memorable.

This is of course a classic security error. While it might be pretty tough to guess the name of the first song at your wedding (in this case the unfortunately named ‘Runaway’ by The Corrs), family names are all too easy to guess or find out.

But let’s face it, when you have to come up with and remember passwords for dozens of different websites many of us have at some time taken a security shortcut.

Although it’s still hard to believe that the three most used passwords of last year were ‘123456’, ‘qwerty’ and ‘password’…

We’ve previously set our computer helpdesk the challenge of creating the perfect online password, but even if you do create secure and unguessable passwords, there is the question of how many you actually need to have.

There’s no getting around it: having to remember multiple passwords is a pain, which is perhaps one reason many people now use password manager websites.

Another shortcut some try is to use the same two or three passwords across different sites, which of course has its own issues. And I’ve even heard of people who use different groups of passwords for different sites – different types of animals for financial sites, for example. Though even then you’ve still got to remember whether cat or dog means NatWest.

The end of the password?

Well, alternatives to passwords seem certain to play an ever-increasing role. Other banks, including HSBC, are set to follow in using voice recognition, while other websites, apps and phones are starting to use fingerprints to verify identities.

But for now it certainly seems that passwords, and the problem of creating ones that are both secure and easy to remember, are set to stay.

Do you have a failsafe system for remembering your passwords? Would you be happy to see the back of them?

Comments
Member

To start with, no one should be using a password. They should be using a passphrase. Then some letters converted to numbers.

Hands up if you can remember a few words of your favorite song, movie/TV clip etc.

Member
Chrissi says:
7 August 2016

So voice recognition: what happens when, due to illness, you have no voice or your voice changes? Clearly something needs sorting but voice recognition is not going to help, for obvious reasons.

Member

Apple’s fingerprint technology works well for our iPads and iPhones but I’ve never encountered a security system that’s unhackable. We use a variety of passwords, ranging from relatively easy to guess to incredibly obtuse and made-up words. But our Bank uses prime number generating keypads for access to our online banking, which is probably the most secure system for the public at the moment.

But companies are in a quandary. They want to irritate customers as little as possible, but they have a duty to protect those same customers and are continually devising ways to make secure access easier. Trouble is, no system is 100% secure.

Member

Sounds good, doesn’t it? But real life brings it down to earth with a bump. William is right all the same: don’t use a password – easily cracked, GCHQ can crack it in seconds. As William says, use a phrase; this is because of the way computers work. I won’t go into detail as it gets technical. Back onto voice identity: University of Alabama (and others), including “Black Hat” (official hacking for the masses), were able to penetrate automated and voice verification systems using an off-the-shelf tool; it could access bank accounts, identity theft and even damage your reputation. With just a few minutes of voice samples captured by hackers listening to your conversations with a recording device, it could fool an automated or human system. I should also add the CIA/FBI have built up a massive identity bank of human voices, not only in the States but Europe as well. Chinese hackers were blamed for the theft of 5.6 million fingerprints. So stick with William, he’s right.

Member

This is so topical and relevant. I have recently received notification from Google that someone else is using my password which was not an obvious one like a pet name or a name of anything else. It also contained two numbers. I have now changed it but this is very worrying. I don’t bank on-line but would be more worried if I did.

Clearly it is becoming easier for hackers to get access to your password and a back-up system is needed. I am also continually having to sign in to Which?Convo. I have tried to change my Which? log-in password but I am informed I have to also change my Convo name which I am reluctant to do, but it’s getting to the point where logging in and reregistering whenever I need to make a comment is increasingly becoming a bit of a pain.

I am having to reregister to send this comment, so I would like to change my password without changing my name please to see whether this identifies the problem. Something is obviously amiss.

Member

Beryl, the mods on Which should know who you are by IP address, although it can vary if it is not a fixed one, but it can’t usually be hacked, although if you have allowed a virus onto your computer then it can be controlled remotely or used to benefit the hackers. If I was you I would do a deep scan of your computer, and if nothing shows up there are specialized programmes for root kits, trojans etc. which are hard to remove. I hope your browser is secure; I have many blockers on mine, one is not enough.

Member

Thanks for your help Duncan. I do have an inkling as to the cause of the problem but it would be unwise to disclose any details for as John makes the point it would pose a security risk. I will however carry out a deep scan asap as you suggest.

Member

Interesting topic, but for security reasons I cannot answer questions on passwords.

Member
Charles Alexander says:
7 August 2016

Fingerprint technology doesn’t work for guitar players, particularly those that finger-pick with their right hand fingers and thumb, as their fingertips develop a tough layer of skin from constant contact with the strings which replaces the unique fingertip pattern that the technology requires.

Member

Charles, are you saying the layers of the skin on the fingers are rubbed down to the final layer before it bleeds? The latest technology can scan down several layers and can tell if you have cut off a dead person’s finger and used that. I see why Which has put this Convo out: it’s the latest talking point on social websites, but it is companies with an interest in it for profit that are pushing this on websites, i.e. advertising promotion saying the public “want it”, aka BB want it. While some can’t be bothered to input good passwords and are for this, many don’t want it for the reasons I gave above, but they aren’t the ones being publicised.

Member

If I cut my finger end and put a sticking plaster on it, I might well be denied access to my account(s) until I have healed. Personally I’ve had no problem with passwords – except not realising at the beginning how many I would eventually need and not organising some system to produce and keep track of them. The important ones to me are where I might suffer financial loss.

Providing the organisation I use approves my password (degree of complexity) and then takes responsibility for any losses that might occur through misuse not of my making, I would be happy. These institutions have the professionals to help us create secure passwords to suit their security systems, as far as possible, much more so than we can ourselves. Perhaps I am being over-optimistic.

Member

I don’t use my phone for any financial transactions but do use fingerprint recognition to unlock it. My index finger was not recognised for a couple of weeks after a glove developed a hole when I was using oven cleaner, but the phone still recognised my other fingers.

Member

I’ve been following the development of a new technology called SQRL (grc.com/sqrl) that is being designed to replace passwords. I believe it has a lot of promise and would be far superior to the banks’ proposals to use voice recognition, which has far too many issues to count.

Indeed it is about time that passwords were confined to history. The SQRL spec and reference implementation are still being worked on but I hope its official release will be announced soon. I hope Which? will cover this if they are serious about informing their readers of alternatives to passwords.

Member

Dan, you are possibly more knowledgeable on this subject than me, so I would like your opinion on the leader on the website security.blogoverflow.com/2013/10/debunking-sqrl/ – it’s an IT website dealing with security.

Member

SQRL has some advantages over the usual password / username fiddling, but it’s open to other types of attack. It depends on the old Public key / Private key system that’s been around for years but its weakness is the same as every other system: essentially servers are ‘always on’. And it’s about as secure as Bitcoin, I suspect.

Member

That’s what I thought, Ian, but I was giving Dan the opportunity to respond to what I posted. As you say, according to that website it isn’t perfect. I will keep using the normal system, unless Which is influenced by SQRL and introduces it.

Member

I rely on some prompts that enable me to remember passwords and they would not mean anything to anyone else. I occasionally forget that I have updated a password and have to reset it, but only for passwords used infrequently. I think there is merit in devising your own system rather than relying on popular methods of dealing with passwords.

Any worthwhile login system should recognise and reject proposed passwords if they are weak.

I am certainly interested in new systems that don’t rely on passwords but am happy to wait until their security has been demonstrated.

Member

Wavechange, you mention prompts to remember passwords and you are not alone; very many use programs to store their passwords, and in other places, but what I don’t understand is, I use a foolproof method that can’t be erased, spied on, hacked etc. by anything on the web. High tech? Uh, no: “Stone Age” tech. Reporter’s notepad and Biro – never fails. I have all my passwords on it.

Member

It looks as if we are using a similar system, Duncan. My hints are on some record cards left over from when I started keeping my references on a BBC Micro. I’m not keen on using any commercial software to generate or store passwords.

Member

Mmm? Not sure a pad and biro would suit me! I’ve got hundreds of passwords – I never use the same password for different websites. I doubt I could remember any of them off the top of my head. Don’t need to. I use an easily remembered, but complex, Master Password which I change regularly, to access an encrypted file which holds all my other passwords. This file is readily accessible (by me!) from all my gear – PCs, laptop, mobile phone, tablet, etc. Any password can be cracked given enough time, and the appropriate technology, but the reality is that no serious hacker is going to spend large amounts of money buying the equipment to do this, or spend an excessive amount of time trying to crack the password if the bank account (or whatever) belongs to Joe Blogs with a few hundred pounds in it. If you’re a multinational company or somebody with large amounts of cash, yes, maybe it’s worth the effort. I’ve used this system, or similar, for decades with success – never been hacked. And no, I’m not complacent, I try to keep abreast of changes in the technology, and the way hackers work. Reading Which and Which Computing certainly helps!

Member

An old diary stores mine in a form that is not straightforward. However, never tell your bank that you’ve written down a password or a clue………

I suppose it’s age, but I use one of my credit cards every few days normally and yet the other night, when thinking of using it to pay for a car park at A&E (you need a card these days unless your wallet is bulging) I could not remember it, and the more I tried the worse it got. Another card I never use I remembered straight away. Luckily once I got to the pay machine it all came back to me.

Member

You are not alone with the “senior moment”, Malcolm. I got a bit embarrassed when going into my bank, inserting my debit card and keying in the wrong password. I tried it twice – wrong! Luckily the girl behind the screen recognised me, took my card and did it from her side. On reaching home I had to look up the original security slip with the transparent box built into the letter to remember it. I keep several passwords in my head but have now written them down in case I forget.

Member

The best place, and the safest one, for such sensitive information is on the inside of your eyelids, Duncan. 🙂

Member
bishbut says:
8 August 2016

No one has up to now come up with a system that is foolproof. When a new one appears someone is trying to find a way to beat it. The bad guys have just as clever people working for them as the good guys have. Which side will eventually win?? We want the good guys but it will take a long time yet.

Member

Talking about remembering passwords, I decided to compile a list of passwords for our life, (just in case I get mown down one day by an over-enthusiastic council grass cutter,) and I was surprised at just how many there were. You can store it on a Mac and on our system it becomes networked to the nine we have in the house. Apple has very nice encryption systems, and I use a simple but effective one of turning the folder in which everything is stored into an encrypted disc image. I then only have to remember one password to bring up the file of all the passwords.

But in effect making our passwords strong and using combinations of letters, numbers and Egyptian hieroglyphs is largely futile; most ‘hacks’ are nothing of the sort. They come from people who’ve been sold your passwords, because a crooked employee has scarpered with the lot, or from a notoriously insecure server which has been compromised to allow all your confidential info to be shown or quite often because someone had left their laptop on the bus – yes, really. Because folk are becoming cannier about passwords criminals are – as ever – looking for the easiest ways to get at your worldly goods, and that doesn’t involve ‘cracking’ your password. Usually, it involves buying it from somewhere, and then trying lots of sites randomly until they find one that accepts it. Bit like finding a bunch of keys then trying every door.

What we need is for companies to be fined eye-watering amounts if they’re found to have badly secured systems. That should be the crime – not simply the loss of data.

Member
Janis says:
8 August 2016

You refer to Apple’s nice encryption systems – you need to make sure you do not rely on Apple to help your executors in the event of an unexpected encounter with a lawn mower. It seems Apple would refuse to allow access even to your executors without evidence that you wanted to give them access to your data!! An apparent mismatch between UK and US law.

Member

Yes Janis, there is a mismatch in Law between how server information is treated in US courts relating to US citizens’ rights and ours, where we are in US Law foreigners and can be forced to show all UK info to US security WITHOUT US court actuation, and the fact of the new Server Legislation in the EU/UK being PASSED on 1-8-2016, ALL our data transferred to the US legally! Where is all the massive UK media outcry?? Silent as a lamb – the US rules ya, okay?

Member

Talking about security, “somebody” took offense to me criticising China for being the land of built to a price; one of my favourite international news channels was “diverted” to a Chinese server and I was presented by the website not being in English but in Arabic. Following that I got Chinese spam and Chinese scammer emails. I managed to fix the news channel, but listen up, China: no, if the cap fits I intend to carry on laying the blame where it really lies. This was on my usually used browser, Firefox; the others were okay.

Member

Sorry, I had to give a thumbs-down to this comment, after reading through it four times, I still cannot make any sense of it.

Member

Translation just for you, D – I criticise Chinese products that are “built to a price”; somebody got fed up, insulted, didn’t like me saying it, probably somebody who benefits from selling their products or even the Chinese authorities. On opening up Firefox and clicking on my favorite foreign news channel (but hated in the West) somebody had hacked it and I was presented with a screen showing the Arabic version. I am not Arabic nor can I speak it. At the same time I received two Chinese emails: one was blatant advertising and the other was a hacker wanting me to click on a nasty virus/trojan/root-kit; I didn’t oblige him. I don’t believe in coincidence; every action has a purpose. IF that isn’t plain enough, well then ********.

Member

I like the principle of adding an explanatory comment when giving a thumbs down, D. 🙂

Member
Gill Hayton says:
8 August 2016

I agree that no system is foolproof. I use a number of different passwords, of varying degrees of complexity. The problem I see with voice technology is the question of whether you would be shut out from your account if you had a bad cold. Fingerprints seem to work – with the proviso that they get fainter as you get older: at least Apple still provide the code as an alternative. I note that my new iPad needs a 6 digit code rather than 4 digits – clearly better. My son tells me that fingerprints are, at least theoretically, hackable.