Passwords are flawed, but they can be used for decades.Here’s Why You Should Review Yours

It could be your pet’s name, your child’s name, your favorite TV show’s name, or something more obscure, but for most people, having to remember (and sometimes failing to) passwords is extremely frustrating. It’s a familiar ritual.

Since the Optus breach, the millions of Australians directly or indirectly affected have had to reflect on cybersecurity and how safe they are from threats such as identity fraud.

Passwords weren’t among the customer details leaked as part of the data breach, but experts say weak or repeated passwords can put people at risk, especially since fraud is on the rise. It said it could leave them vulnerable.

In some instances, other technologies have already begun to replace passwords, but they are projected to stay with us for decades.

We asked experts about the main problems with passwords and how technologies like passkeys will play a big role in the future of cybersecurity.

What’s wrong with your password?

The main drawback of passwords is that people tend to choose easy, obvious combinations and use the same ones on many sites.

The list of most commonly used passwords in 2021 included 123456, qwerty, and the word password itself most commonly used.

Billions of passwords are already available online, said Paul Haskell Dowlan, a cybersecurity professor at Edith Cowan University.

He said that when people choose a password to use on a particular site, a copy is stored on a remote server.

Professor Haskell Dowlan said, “If the site is compromised and the data is extracted, that password will be known to a third party, and if published in a public forum, it will be seen by thousands or millions of people online.” may be known,” he said.

“Hackers assume that many people still use the same password on multiple websites, so they take that password and try it on hundreds of other websites.”

He said that using a password manager is a good way to keep track of unique passwords on dozens of sites, and that the increasing use of multi-factor authentication (MFA) is helping people improve their online security. said.

MFA is a security measure that requires two or more proofs of identity such as a PIN, SMS or email to allow access to a site.

But Professor Haskell-Dowlan says that even though MFA has been around for years, only “a small percentage” of websites use it.

He said one of the “positives” of the data breach might be “getting more people talking about cybersecurity.”

How are passwords related to Optus compromises?

Passwords may not be part of Optus data breachbut ignoring them can still cause serious problems and leave people vulnerable.

Macquarie University cybersecurity expert Jeff Foster said the security of key accounts should be reviewed while those affected by the breach wait to learn more.

“Let’s take a look at the accounts that matter most to you. It’s your bank account, your retirement pension, the brokerage account you have, and your email account,” he said.

“Look at the security set on them. Have you updated your password? If not, please change that password.”

Dr. Foster said adding MFA when available is wise.

He said all of the information leaked in the Optus breach (names, phone numbers, email addresses, date of birth, etc.) is information that can be used to reset accounts.

Dr. Foster said cybercriminals are likely to take advantage of the general uncertainty following a breach.

“Spam calls, junk calls, and general scams have already started,” he said.

“A third of countries now believe they are vulnerable to document theft, identity theft and spam calls.”

What are the alternatives to passwords?

Over the next few years and months, A new type of password called a passkey will become more popular as it is rolled out by major technology companies..

You must create a unique pair of passkeys, one on your device and one on the server of the site you are trying to connect to, and pair them to enable access.

Professor Haskell-Dowlan said, “The idea behind passkeys is to get rid of the concept of passwords.

“I can’t even get the computer to create passwords for me, instead of creating passwords.”

“Create a key pair and do it completely transparently.

“It’s completely specific to you, your device, and the web server you’re connecting to.”

Professor Haskell-Dowlan said the concept behind the technology is not new, but its use as an alternative to passwords is just beginning.

Apple was the first company to introduce it as part of its 16th iteration (ios 16) of its mobile software, but other technology companies such as Microsoft and Google are still developing versions.

Jed Laundry, principal consultant at Cyber ​​CX, said that for security measures to become pervasive, individual websites are working with large technology companies that create software for devices such as smartphones to create passkeys. It states that the use should be adopted.

“This doesn’t happen overnight,” he said.

“We need a lot of infrastructure in place to work with all online services.”

Does that mean the password will disappear?

Despite their drawbacks, traditional passwords will still be around for some time.

Professor Haskell-Dowlan said “big companies” would be the first to adopt passkey technology, but the transition would be a “slow process”.

“You can expect big social media companies, online banking, perhaps auction websites, payment gateways, etc. to start adopting this as another means of improving security,” he said.

“But then you’ll have a much longer tail than anyone else.

“Thus, passwords will be with us for decades to come.”

According to Landry, passkey technology is on the verge of widespread adoption, but is likely to be superseded by new technology in the next few years.

He said Paskey was “part of the next wave” but would not “end it all”.

“I’m sure in 10, 20, 30 years there will be something new and better, because there are attacks that we haven’t thought of yet,” he said. .

“This doesn’t solve all problems, but it definitely solves one of the current problems of too many passwords. Passwords suck.”