The tyranny of passwords: is it time for a rethink?
Modern life is the act of entering the third character of a long-dead family pet into an online form three times a week, getting it wrong, and speaking to a call-centre worker in India whose real name is almost certainly not Kenny, ad infinitum, until you die. Our ancestors lived short, brutish lives and died in childbirth, or were gored to death on the battlefield, but at least they didn't have passwords, and that's something.
The tyranny of passwords: it colonises modern life. These petty dictators deny us access to our bank accounts, our baby photos, our phone contracts, even our heating. They reproduce as endlessly as bacteria, and yet, like Tupperware lids, you can never find the one you need. They are our boyfriends, our girlfriends, our children, our pets. A talented and motivated adversary could probably work yours out in the time it has taken you to read this paragraph.
Most of the time, not being able to remember your password is merely irritating. But sometimes, password amnesia can be life-altering. After going public with his account of losing the password to around $220m (£161m) worth of bitcoin, German programmer Stefan Thomas, 33, sparked a conversation around passwords, loss, and how you grieve a fortune you'll never get back.
Thomas had three copies of his bitcoin passwords saved on hard drives and a USB stick, but the first two versions failed due to software updates, and the USB stick is password protected. If Thomas enters the password incorrectly 10 times, the data wipes. He has two attempts left, and he can't remember the password. When we speak, Thomas is remarkably sanguine. "There are some days where I'm almost grateful for it," he says cheerfully.
"There were weeks where I would lie in bed, looking at the ceiling, just completely desperate," he says. "I'd spend hours trying to think of ways to recover the data, jump up, run to my computer and try it and then it wouldn't work, so I'd go back to staring at my ceiling." Eventually, he decided: enough. He climbed out of bed, and forged a career in technology, before founding his own company, Coil.
Not everyone can move on from such a wrenching loss. "I'm coming up against a brick wall," says James Howells, his voice rising. "They don't even want to have a conversation with me about it! Which is so silly, given the valuation." He is referring to Newport city council, owner and operator of the rubbish tip into which he accidentally slung a hard drive containing the key to the bitcoins he'd mined in 2009.
The bitcoins are now worth £210m, and the 35-year-old cryptocurrency trader from Newport is so desperate to get them back he's offered 25% of his haul, or £50m, to Newport city council. The council has declined Howells's offer repeatedly over the past eight years, due to the cost.
As gently as possible, I ask if it might be better to let this go? "I'm just looking for an opportunity to search for what belongs to me," he says, sounding wretched. "And I am willing to share it. But it's hard to accept it's gone without being given the opportunity to search. Knowing the hard drive's there, and there's still a chance."
We lose things; we forget. It is in our nature, it's what makes us human. "The art of losing isn't hard to master," observed Elizabeth Bishop in her poem One Art. Life is a continual surrendering to loss. Some fare better than others: for every Thomas, there is a Howells. "Lose something every day," Bishop writes, and we oblige her. We lose coats, books, bags, phones, friends, money, loved ones, mobility and eventually, ourselves. Most of all, we forget our passwords. The average person has close to 80 passwords, hardly any of which they remember.
Technology companies have become the custodians of vast tranches of personal data, which they protect for us and mine for profit. I forgot the password to my Google photos album for many years, and then I got a new phone and it did that miraculous thing new phones often do and somehow logged me in. My life in 2013, preserved in aspic. It was jarring to realise that Google remembers more about my life than I do.
Because passwords are tedious, humans are very bad at them. "There are literally billions of passwords breached every year," says Gerald Beuchelt of the password manager LastPass. "It's a total epidemic. It's happening on a daily basis." A Google/Harris poll from 2019 found that 52% of people reuse their passwords across multiple accounts, which is very bad security practice: a password leaked in a breach at one site can then be tried, automatically and at scale, against every other site where the same person used it.
"The best password is a random password," says password researcher professor Lorrie Cranor of Carnegie Mellon University. "But people aren't good at generating random passwords or remembering them." Almost everything you intuitively believe about passwords is not correct. "If you struggle to remember your passwords," Cranor says, "write them in a notebook and hide it at home. It's highly unlikely that a hacker is going to get access to your house."
According to research published by the Gartner Group in 2017, 20-50% of all IT helpdesk calls are for password resets. "It's the biggest overhead on IT helpdesks," says Siân John, a cybersecurity strategist at Microsoft. "It's usually in the first week of January, or after the summer holidays: people go on holidays, come back and forget their passwords."
Our passwords reveal a humanity that is much more shared than we think. "We all think alike," says Cranor, "and we all do similar things in creating passwords. People think they are being smart by going diagonally on the keyboard, but it's in all the hacker dictionaries." John used to play a game where she'd ask her friends five questions, before guessing their passwords. "I'd ask them their parents', siblings' and children's names, anniversaries and birthdays, their pet's name, and their favourite sporting team," she says. "I'd usually get 70% of them right."
We would not leave the door to our house open and yet many of us leave our digital accounts vulnerable to cybercriminals every day, because of our laissez-faire attitude to password security. Sometimes, criminals access accounts using personal information a person has shared online, or matching passwords from previous data breaches but, increasingly, hackers also use automated guessing tools: dictionary attacks, which work through lists of common words, leaked passwords and keyboard patterns, and brute-force attacks, which try every possible combination of characters. How fast that goes depends on whether the attacker has obtained a copy of the site's stored password hashes and how slow the hashing was designed to be. "You can brute force most eight character passwords within 10 minutes," says Beuchelt.
The World Economic Forum estimates that cybercrime costs the global economy $2.9m every minute. Around 80% of those attacks are password-related.
Matt Hall, a 44-year-old electrician from Walsall, lost his £52,000 life savings through a password breach. He was in the process of buying a house in October 2019 when an email from his solicitor was intercepted. Fraudsters replaced his solicitors' bank details with their own. "It was the worst day of my life," he tells me, "apart from losing family members." Barclays has yet to refund his money. Hall isn't sure if it was his email that was hacked, or his solicitor's; he insists his password was secure. Still, he changed all his passwords after it happened. What are they like now, I ask? "Strong!" he jokes.
Modern society's insistence on password protection can be disenfranchising for older people, who find the number of passwords they're expected to memorise bewildering. "She doesn't hear the questions on telephone banking because she's hard of hearing," says Anashua Davies of her mother, Dima, who is 84, "and then she forgets her password and tries to put the wrong code in." Davies often has to help her elderly parents get back into their accounts.
Last year, Davies had to drive Dima to the bank because she locked herself out of her telephone banking. She doesn't blame the bank for having strict security protocols. "People are out there trying to steal from other people," Davies says. But she wishes there was a way of making things easier. "It's unfortunate for people like my parents, who don't have the technology skills to keep up."
There is a solution to all this chaos and confusion: a password manager. "These are apps or small pieces of software," says Beuchelt, "that store all your different usernames and passwords in secure vaults." A password manager like LastPass (Google also has a version) will randomly generate impenetrable passwords for all your various accounts, and store them for you. "All users need to do is remember their master password," says Beuchelt, "and LastPass remembers the rest." It's the equivalent of having a book in your house, with all your passwords written in it, only digital and highly secure.
Of course, your master password needs to be extremely strong: LastPass recommends a minimum of 12 characters, but the longer the better. A long passphrase, composed of random words, numbers and symbols, that is pronounceable (meaning you're likely to remember it) but doesn't use personal information, works best. LastPass holds its users' vaults only in encrypted form and never receives the master password that unlocks them, meaning that even if hackers were able to get into its internal systems they would not be able to read the vaults without also guessing each user's master password. "That gives users the highest degree of security you can get," says Beuchelt.
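The two numbers above are easy to check: Beuchelt's claim that eight-character passwords fall in ten minutes, and the advice to use a long passphrase of random words as a master password. The script below is an added example written for this page; it is not code from the article, from LastPass or from any of the people quoted. The 16-word list, the keyboard-walk fragments and the guess rates are constructed assumptions; a real generator would draw from a large list such as the 7,776-word EFF Diceware list. It generates a passphrase with the operating system's cryptographic random source, computes how many guesses each style of password forces on an attacker, and turns that into the guess rate an attacker would need, which is the check a practitioner wants: ten minutes for every eight-character password only holds against a fast, unsalted hash on dedicated cracking hardware.

```python
"""Passphrase generation and guess-cost estimates.

Added example, not code from the article or from LastPass. WORDS, the guess
rates and the keyboard-walk fragments are assumptions for illustration.
"""
import math
import secrets

# Constructed sample list: only 16 words, so each word contributes just 4 bits.
# Replace with a large list (EFF long list: 7776 words, 12.9 bits per word).
WORDS = [
    "anchor", "basil", "copper", "dune", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
]

PRINTABLE_ASCII = 95     # letters, digits and symbols on a US keyboard
EFF_LONG_LIST = 7776     # size of the EFF Diceware word list (6 ** 5)

# Constructed fragments of the "diagonal" walks found in cracking dictionaries.
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "1qaz", "2wsx", "3edc", "qazwsx")


def make_passphrase(n_words, wordlist=WORDS, choice=secrets.choice, sep="-"):
    """Join n_words chosen uniformly with a CSPRNG (secrets, never random.choice).

    `choice` is injectable so the function can be tested deterministically.
    """
    if n_words < 1 or not wordlist:
        raise ValueError("need at least one word and a non-empty word list")
    return sep.join(choice(wordlist) for _ in range(n_words))


def keyspace(alphabet_size, length):
    """Candidates an attacker must cover in the worst case, assuming uniform choice."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """log2 of the keyspace. Only meaningful when every symbol is chosen uniformly;
    a human-chosen 'P@ssw0rd1!' has far fewer effective bits than this formula gives."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try the whole keyspace at an offline guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def rate_needed(alphabet_size, length, seconds):
    """Guess rate an attacker needs to exhaust the keyspace within `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def is_keyboard_walk(password):
    """True if the password contains a known keyboard-walk fragment (dictionary hit)."""
    lowered = password.lower()
    return any(walk in lowered for walk in KEYBOARD_WALKS)


if __name__ == "__main__":
    print("random passphrase:", make_passphrase(6))
    print("8 printable chars:", round(entropy_bits(PRINTABLE_ASCII, 8), 1), "bits")
    print("guesses/s needed to exhaust them in 10 minutes:",
          f"{rate_needed(PRINTABLE_ASCII, 8, 600):.2e}")
    print("6 EFF words:", round(entropy_bits(EFF_LONG_LIST, 6), 1), "bits")
    years = seconds_to_exhaust(EFF_LONG_LIST, 6, 1e10) / (365 * 86400)
    print(f"years to exhaust 6 EFF words at 1e10 guesses/s: {years:.0f}")
    print("1qaz2wsx is a keyboard walk:", is_keyboard_walk("1qaz2wsx"))
```

Run it and the ten-minute figure resolves to roughly 1.1e13 guesses per second against the full 95-character alphabet, a rate reachable for unsalted MD5 or NTLM on a GPU rig but not for a properly configured slow hash, and not at all for online guessing against a rate-limited login page. The same arithmetic shows why six random words from a large list, at about 77.5 bits, are out of reach at any realistic rate, provided the words really are chosen by the machine rather than by the user.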
Before speaking to Beuchelt, I'd viewed people who use password managers with a sort of horrified respect. Who has the foresight to endure the tedium of setting one up? But after speaking to Beuchelt, I'm a convert. I spent a rainy weekend afternoon setting up LastPass.
But wouldn't it be even better to never have to remember another password again? That day is almost nigh. "We're on the cusp of a passwordless future," says John. "I'd say, for the ordinary consumers, passwords will be gone within the next two to five years."
One proposed solution is biometrics. The Israeli start-up BioCatch has developed software that can analyse the unique way a person drags their mouse, and use it to catch cybercriminals impersonating users. Other firms are developing technology based on the unique contours of a person's ears. It is also possible to use the accelerometer sensors that detect motion in smartphones to identify users, based on the way they hold the phone. "We will have a constellation of biometrics," Cranor says, "not just your fingerprint, but your voice, how you hold your phone and your gait."
I ask Google's security and identity director Mark Risher whether Google is developing hi-tech alternatives to fingerprint and face ID. He says not. "We want to be equitable because we have users in every country. Fingerprint sensors are cheap now and robust. Technologies like ear prints and breath detectors are more esoteric; they're still at the science project stage. As the technology becomes more mainstream, we're hoping to invest in it."
The key to integrating biometric data into our lives smartly is to ensure the data never leaves the device. "I love biometrics if they are local," says Beuchelt. "If they're on your own phone or laptop and the information isn't shared anywhere else, that's good biometrics... Giant centralised databases in India or China: that's not good. Then you end up creating extremely sensitive databases that are incredibly valuable to cybercriminals and oppressive regimes." You can change your password, but you can't change your face.
The tyranny of passwords is coming to an end. We may soon move seamlessly through life, unencumbered by passwords, like an ermine-wearing oligarch with a chauffeur opening doors. Until that day we labour on, brows furrowed, fingers typing in hope, before an endless flashing computer screen that reads "access denied".