Investec Says Union Must Seek Answers For Phantom Shares from Cell C

Investec has told the Information Communication Technology Union (ICTU) to direct its questions about the Believe Phantom Option Share Scheme for Cell C workers to the...

Latest Posts

A Compassionate Society Requires Authentic Leadership

The global COVID-19 pandemic has placed extraordinary demands on leaders in government, society and business. At times like these, the news can be overwhelming and...

Dimension Data Announces New Data Centre in Johannesburg

NTT, a global technology services provider, and Dimension Data, the South African systems integrator and managed services provider which represents the NTT business in...

Opportunity Knocks As Copper Bows Out

South Africa's digitisation journey is gathering steam as Telkom's wholesale division, Openserve announces moves to decommission its copper network on an area-by-area basis in favour...

SASSA Once Again in Chaos Over August R350 COVID-19 Grant Payments

The Democratic Alliance (DA) calls on the Minister of Social Development, Lindiwe Zulu, to once and for all sort out the chaos that persists...

There must be smarter security than a ban on ‘dumb’ passwords

In cyberspace we are facing password fatigue, caused by having to recall (seemingly) endless streams of (apparently) unrelated numbers and letters at odd times. By Mike Johnstone

One answer is to make those passwords longer and more incomprehensible. The logic here is that people have an unlimited capacity to remember such things, or perhaps they have an unquenchable desire to write passwords on yellow post-it notes.

Why do we want or need passwords at all? We want to be assured that only the right people (ourselves) have access to the information contained in the systems we use. Witness the after-effects of the Ashley Madison hack.

So many passwords

Privacy is a basic human right and one that many people take seriously. Authenticating to many systems is something most of us do without thinking every day. Unfortunately, those systems often have different rules about what is considered a good or acceptable password.

The need to remember competes with the requirement for security leading people to devise memorable (to them) schemes for passwords that they think are unique and unguessable.

For example, if I have to access 12 systems, I might use the months of the year, coupled with my birth date and rotate combinations around. At face value, this appears a clever scheme because no-one else knows my birth date.

Except of course for several government agencies, health service providers, an insurance company or three, some social media systems (which might have been hacked recently) and anyone else with whom those bodies share information. Of course, then there are my family and friends with whom I like to celebrate my birthday each year.

I could use the dog’s name instead. No one is aware of that. Except of course for the local vet, anyone who hears me yelling at the dog down the local street, my legions of Facebook friends and so on.

Coming up with so many different and apparently secure passwords that you can remember can be tricky, despite the many tips and guides, hence the password fatigue.

One potential solution is a single sign-on for many systems (into one, into all) – an idea which is interesting, but also has its own issues.

A different approach

To quote from Led Zeppelin’s Stairway to Heaven: “Yes, there are two paths you can go by, but in the long run, there’s still time to change the road you’re on.”

One path is systematic, based on the idea that if small passwords are bad, the answer is larger, more complex passwords. For example, Microsoft now says it wants to compile a list of what it calls dumb passwords that will not be allowed on its system.

That dumb passwords are a problem is undeniable, as the online security company SplashData gleefully publishes its annual list of the most common passwords, where “password” and “123456” are, ahem, quite high in the list. This shows people choose convenience over security when it comes to setting a password (but they still want privacy).

The systematic response is that users are constantly being asked to set more complex passwords with upper, lower case, numbers, symbols etc., to the point we get password fatigue. Asking us to keep changing passwords just encourages minor or incremental changes to the same supposedly unguessable passwords, something even Britain’s intelligence agency GCHQ recognises is a problem.

This mode of thinking works well for some problems, but the whole idea is rendered moot when anyone can easily download a lists of millions of the most common passwords.

Yes, “123456” can be cracked in a fraction of a second, but a random 15 character password could be cracked in less than a week using relatively inexpensive hardware. It all depends on the time value of information. Your bank account will still be there in seven days (the funds remaining therein are a different matter).

Think again

Do we need to re-think the whole system? The other path is a systemic approach. This uses the concept that components of systems are connected in ways that are not immediately obvious.

An example of a systemic effect, that could not have been predicted directly, is where Cornell University’s associate professor Garrick Blalock and his colleagues found that driving fatalities in the United States increased significantly after the September 11, 2001 terrorist attacks. The reason? People chose to travel by car in place of aircraft, the former being much more dangerous.

So what might a systemic solution to password fatigue look like? If longer passwords are not the answer, but we still need to authenticate ourselves, why not dispense with passwords altogether?

When we provide a credential, it is one (or more) of something we know (a password), something we have (a card) or something we are (some physical property of ourselves).

It is this latter idea that is most attractive. A biometric signature – such as your iris, retina, thumbprint or voice print – means not needing to remember anything, not having to bring an access card. You just be yourself and some property of you will identify you. Such a system would be very hard for any cyber criminal to replicate or hack.

At present, biometric solutions are expensive (compared to other technology) and imperfect (they get it wrong more than we would like), but the future would be nicer if you could phone your bank account and be authenticated by your voice print.

You could then simply ask to transfer ‘X dollars’ to the travel agent for a holiday and book a rental car, all at the same time, without having to remember three separate passwords (or you could just talk to a real person).

The Conversation

Latest Posts

A Compassionate Society Requires Authentic Leadership

The global COVID-19 pandemic has placed extraordinary demands on leaders in government, society and business. At times like these, the news can be overwhelming and...

Dimension Data Announces New Data Centre in Johannesburg

NTT, a global technology services provider, and Dimension Data, the South African systems integrator and managed services provider which represents the NTT business in...

Opportunity Knocks As Copper Bows Out

South Africa's digitisation journey is gathering steam as Telkom's wholesale division, Openserve announces moves to decommission its copper network on an area-by-area basis in favour...

SASSA Once Again in Chaos Over August R350 COVID-19 Grant Payments

The Democratic Alliance (DA) calls on the Minister of Social Development, Lindiwe Zulu, to once and for all sort out the chaos that persists...

Don't Miss

COVID-19 Delays TymeBank’s Partnership With ZCC

TymeBank, a digital bank that is owned by billionaire Patrice Motsepe, announced on Tuesday that its partnership with the Zion Christian Church (ZCC) has...

Rain is Now Valued at More Than R15 Billion, Making it Bigger Than Telkom

South African mobile data network operator Rain is now valued at more than R15 billion by its parent company African Rainbow Capital (ARC). The...

2021 New Jaguar F-PACE Brings Connected Technologies

The 2021 new facelift of the famous Jaguar F-PACE is connected and electrified. The new F-PACE is available with the P400e PHEV powertrain as well...

Startup Plans to Upend South Africa’s Freelance Market

South Africa's gig economy, which is made up of freelance, short-term, and on-demand work, is growing. Since the lockdown was imposed at the end of...

Enjoy a Revitalizing Weekend Away With The Whole Family at Knorhoek

Wide-open spaces are a great place to decompress after months of lockdown, and Knorhoek ticks all the boxes for the perfect country escape. Situated in...

Stay in touch

To be updated with all the latest news, offers and special announcements.