Our lives are increasingly online. Banking, communication, shopping, learning, work – the list is endless. For the most part, the keys to the locks which protect our online lives are passwords.
One of the biggest problems with passwords in today’s world is the sheer number of them. According to one study, the average computer user in the UK has 118 online accounts.[1]
We are human and we struggle to remember complex things in any great quantity. It’s unlikely you can remember over 100 passwords. Most research on the topic suggests that people can only remember between five and seven complex, unique passwords.[2]
People use different methods to get around this problem.
Some use a password manager with a unique, possibly auto-generated password for each account. This is a sensible solution, but unfortunately is not the most common one.
A huge number of people will reuse the same password on multiple accounts, or use a very similar password with a slight variation, such as the name of the account.
Even worse, these passwords will often be predictable and made up of personal information, such as addresses, loved ones’ names or pets’ names.
In the security industry, it’s easy to disapprove and warn about this behaviour and talk about educating the user about the perils of their ways. This is what the cyber security industry has been shouting about for years.
But why should the user have to learn about passwords? Why are we trying to fix the user, instead of addressing the underlying problem?
‘The password is dead’
This is a recurring statement in the tech world. From Microsoft to Google, everyone is predicting or declaring the demise of passwords.
The end of passwords would be the best thing for the user. It’s much easier to touch a button and have the device recognise your fingerprint than to remember a PIN or password and enter it every time you unlock your phone. Biometric authentication is becoming more widespread and the future does indeed look to be one without passwords.
Unfortunately, that is still the future, not the present. For the time being, passwords are here to stay and they’re still the dominant form of authentication online.[3]
So the immediate problem is how do we discourage predictable passwords? How do we discourage password re-use?
That means we’re back to educating the user, at least as a stopgap whilst we await our passwordless future. It seems that there are people who either don’t know how to use a password manager or don’t want to, and those people may struggle to secure their online accounts without either using predictable passwords or reusing passwords.
As a low tech solution to contribute to password security, Naimuri have created the Naimuri Password Card.
This is a plastic card with a unique keyboard on the front, with which the user can scramble their password. Using the card helps to protect against a dictionary attack as well as obfuscating predictable passwords such as pets’ names.
You can find out more about the card and how to use it here.
There have been a few other suggestions about how to use the card which, although we don’t officially recommend them, would offer better protection than the alternatives.
Password Re-use
It’s been suggested that the card could allow password re-use (to a point).
Suppose for your ‘less important’ accounts (nothing with financial or sensitive data), you want to reuse a password. You could use the password, but include the name of the account in the password and scramble the name of the account with the Naimuri Password Card. In this case, a compromised password could not be used on other accounts, because each account would also be protected by a random scramble of the account name.
This is not full protection and it’s better to use a random password for each account, but it’s certainly preferable to just re-using the same password.
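To make the reuse scheme above concrete, here is a small model written for this article; it is not Naimuri’s code and does not describe the real card’s layout. It assumes the card acts as a fixed one-to-one substitution over lowercase letters and digits (an assumption about the design), models a card as that substitution, derives a per-account password as base password plus the scrambled account name, and checks that the results differ per account. The `SAMPLE_CARD` face, base password and account names are constructed sample values. It also shows that the scramble is reversible by anyone holding the card, which is why the text calls this protection “to a point”: the secrecy comes entirely from the card’s mapping, not from the account name.

```python
import secrets
import string

# Characters the modelled card covers (assumption: lowercase letters and digits).
ALPHABET = string.ascii_lowercase + string.digits

# A constructed sample card face: position i of this string is what ALPHABET[i]
# scrambles to. It is a permutation of ALPHABET, as a real substitution must be.
SAMPLE_CARD_FACE = "qwertyuiopasdfghjklzxcvbnm5094871263"
SAMPLE_CARD = dict(zip(ALPHABET, SAMPLE_CARD_FACE))


def make_card():
    """Model a freshly printed card: a uniformly random substitution over ALPHABET,
    drawn from the OS CSPRNG so no two cards are predictably alike."""
    face = list(ALPHABET)
    secrets.SystemRandom().shuffle(face)
    return dict(zip(ALPHABET, face))


def is_valid_card(card):
    """A card is usable only if it maps every symbol to exactly one symbol (a bijection)."""
    return set(card) == set(ALPHABET) and sorted(card.values()) == sorted(ALPHABET)


def scramble(card, text):
    """Apply the card's substitution. Account names are lowercased first; any character
    the card does not cover passes through unchanged."""
    return "".join(card.get(ch, ch) for ch in text.lower())


def unscramble(card, text):
    """Invert the substitution: shows the scramble is a cipher, not a one-way hash,
    so whoever holds the card can recover the account name."""
    inverse = {v: k for k, v in card.items()}
    return "".join(inverse.get(ch, ch) for ch in text)


def derive_password(card, base_password, account_name):
    """The scheme from the article: reuse a base password, append the scrambled account name."""
    return base_password + scramble(card, account_name)


def derived_passwords_distinct(card, base_password, account_names):
    """True when no two accounts end up with the same derived password, i.e. a leak
    from one account is not directly reusable on another."""
    derived = [derive_password(card, base_password, name) for name in account_names]
    return len(set(derived)) == len(derived)


if __name__ == "__main__":
    base = "Rover2016!"  # constructed, deliberately predictable base password
    for name in ("facebook", "twitter", "reddit"):
        print(f"{name:>10}: {derive_password(SAMPLE_CARD, base, name)}")
    print("all distinct:", derived_passwords_distinct(SAMPLE_CARD, base, ["facebook", "twitter", "reddit"]))
```

Running the script prints one derived password per account, all sharing the same base but ending in a different scrambled suffix. Because the substitution is fixed for a given card, the suffixes are deterministic: losing the card (or having its mapping inferred) collapses the scheme back to plain reuse of the base password, which is the trade-off the article describes.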
In summary, yes, it would be great if everyone followed every bit of advice about passwords, but it’s not going to happen. The Naimuri Password Card is just a simple way of nudging people in the right direction by giving them a low-tech aid to help them navigate the world of passwords. If it even makes people think twice about their password security, then it’s done a good job.
Currently, we are giving out Naimuri password cards to friends and partners of Naimuri. Look out for us at conferences, where we’re likely to be giving them out. If you have any questions or comments, feel free to get in touch at askus@naimuri.com.
You can read more about the card as well as instructions for using it at naimuri.com/password.
[1] Dashlane Password Manager research: https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/
[2] There’s a lot of research on this topic, much of it arising from George A. Miller’s famous essay ‘The Magical Number Seven’: http://psychclassics.yorku.ca/Miller/
[3] In ‘The Persistence of Passwords’, Cormac Herley and Paul van Oorschot argue that passwords are not yet dead. They claim that “no other single technology matches their combination of cost, immediacy and convenience” and that “passwords are themselves the best fit for many of the scenarios in which they are currently used.” http://research.microsoft.com/apps/pubs/?id=154077