by Matthew Davis, Future Hosting
People are bad at using passwords. They create passwords that can be guessed in fractions of a second by modern password cracking systems. They use the same passwords with different services. They write them down on sticky labels and in notebooks. These sound like mistakes a non-technical person might make, but developers, site owners, and system administrators aren’t immune, as last year’s brute force campaigns against Linux SSH servers demonstrated.
Passwords can be made safe. Long and random passwords are practically unbreakable. Password managers simplify the creation and use of safe passwords. But only a minute fraction of users take the time. Convenience trumps security for almost everyone.
Passwords are not a new or confusing technology. Adults under 50 have almost certainly used passwords for decades. Those born more recently have used passwords for most of their lives. Yet we can’t seem to manage basic password hygiene. We’re not good at using passwords securely, which means they aren’t a good security measure.
Every year we laugh when a review of the most popular passwords is released. This year’s list is no different to last year’s, except that starwars makes an appearance for the first time: people still choose 123456, password, qwerty, letmein, and admin.
Just before Christmas, WordPress sites were targeted by a massive campaign of brute force attacks. The goal was to infect the sites with malware that mines cryptocurrencies. At the time of writing, the infected sites had been used to generate more than $100,000. Brute force attacks are only possible because site owners choose passwords that are easy to guess.
If passwords are so bad, what are the alternatives? The most widely used alternative is two-factor authentication that uses a one-time code in addition to a username and password. The code is sent to the user’s phone or a dedicated device. They can only authenticate if they can prove the device is in their possession and that they know the password. This type of two-factor authentication system takes account of people’s proclivity for weak passwords: even if the password is easily guessed, the one-time code isn’t.
Biometric authentication uses physical characteristics to verify the identity of users. Fingerprint scanning is common on high-end smartphones and is used in conjunction with a password or PIN: the biometric system is activated with the password or PIN, and subsequent authentication uses the sensor.
Apple’s iPhone X introduced reliable facial recognition, which the company claims is more secure than fingerprint scanning. Both fingerprint scanning and facial recognition are more convenient than entering a password every time a user authenticates, and they reduce the likelihood that the user will choose an easily guessable password to simplify its entry.
It’s important to note that biometric authentication of this type isn’t strictly speaking two-factor: either the passcode or the fingerprint grants access most of the time, with periodic verification that the user knows the passcode. If they choose a low-quality passcode, then the problem remains.
For as long as we use passwords, we will choose them poorly. For web hosting clients, developers, and site owners, two-factor authentication is the simplest and most effective solution. Don’t trust your users to choose well: help them stay secure by providing reliable two-factor authentication.
About Matthew Davis — Matthew works as an inbound marketer and blogger for Future Hosting, a leading provider of VPS hosting. Follow Future Hosting on Twitter at @fhsales, Like them on Facebook and check out their tech/hosting blog, http://www.futurehosting.com/blog.