ANALYSIS: Despite its flaws, the password’s legacy means it still has a place in the cyber-crime battle, argues ZoneFox CEO Jamie Graves
User passwords have been in existence for decades. Initially introduced to allow time sharing on large mainframes in the 1970s, they were stored in a plain text file with no perceived need for them to actually be secure – crazy when you look at the cyber-security landscape today.
For more password history, you can go back even further to the days of Ali Baba, who upon overhearing a gang of thieves uttering ‘open sesame’, hacked their mainframe and entered their cave of stolen treasure.
There is of course some irony that one of the oldest ever password hacks related to someone stealing from crooks.
The role of the password
Back to modern passwords though. They were invented during a simpler and perhaps more naïve time, before the internet and when widespread cyber-crime was not even a concept. Fast forward nearly four decades and passwords still exist, but their security is under constant attack – rarely does a day go by without their very purpose coming under scrutiny.
Yes, it’s true that the humble password finds itself in a world that has outgrown its sophistication. But rather than being destined for the scrapheap, it still has a role to play alongside other layers of security. You see, passwords have become so ingrained in our everyday lives that removing them altogether would be a huge step that would cause chaos and uncertainty rather than actually fix a problem.
Just as the demise of cold, hard cash and its replacement by digital money is yet to materialise, the fact is that passwords have become so ingrained in both our personal and professional lives that it is nigh on impossible to get rid of them. Humans by nature don’t accept change quickly.
Like many aspects of the brave new, technology-led world we live in, password security needs to adapt, rather than disappear. For this reason, it is important the security sector makes a strong effort to fully implement additional ways for people to access their data – especially in the workplace.
Passwords alone, as we know, are susceptible to brute forcing, which means there must increasingly be protections built around them. Organisations like Google, Dropbox and Facebook have done a great job of doing this.
First layer of defence
They have essentially made the password the first layer of defence, supported by more sophisticated techniques, such as IP listing and two-factor authentication, whereby an email or a text message is sent to a user to confirm access to an account from an unknown machine.
Estonia is another example where sophisticated, multi-factor authentication techniques are used. The country, often lauded for being the most digitally advanced in the world, requires citizens to access government portals with a user ID, password and SIM card.
Such approaches, where passwords are used alongside other techniques, can once again be compared to the way that we currently use money in society. As well as having coins or notes in our wallets, we also now use mobile phones alongside plastic cards to pay for things. It’s a perfect example of an ecosystem of old and new working together.
Where it gets more exciting, and where we, as an industry, can make real strides towards a far more secure digital world, is when we add smart technology like machine learning into the mix. I see a future where every portal, website and bank account is protected by sophisticated technology that is able to verify a user by a complex set of algorithms, based on, amongst other things, location, the device they are using and their online behaviour. Quite simply, if your online behaviour doesn’t add up to your digital footprint, then the computer will say ‘no’.
There is also the ability to use machine learning and similar techniques to protect data further, in the case that the initial ‘gateway’ is breached and all layers are compromised. Such technology is advancing rapidly and can provide a real-time, 360-degree overview of what activities users are carrying out, which can identify unusual behaviour on IT networks and alert IT administrators to it.
This enables a quick reaction time and the ability to stop any suspicious behaviour before it leads to a more serious incident, such as data theft or the spread of ransomware.
Ultimately, cyber-security is and will remain a fundamental issue of our times. While the coming years will create a range of intelligent and exciting new security functionalities, they will all evolve and ultimately operate around the humble password – as it serves as the first, vital step in any battle against cyber-crime.
As Ali Baba showed – unless there is adequate and ongoing protection, it’s far too easy for unwelcome guests to enter your domain.
Jamie Graves is the founder and CEO of Edinburgh-based cybersecurity firm ZoneFox