Password panic: how W3C and big tech can save your memory

Views, News & more

At one time or another, we have all fallen afoul of a mis-remembered password that sends us on an hour-long journey to reset our online accounts and set a new one. Most of us have also probably had our accounts compromised in some way due to an insecure or easily hackable password. A recent survey by SplashData found that, yet again, the top two passwords among online users in 2017 were “123456” and “password”. New additions to the top 25 most used passwords include “starwars”, “monkey” and “iloveyou”.

Others tend to use the same password on multiple sites. If just one of these is maliciously obtained, a user could see all of their accounts compromised in the space of a few minutes or, more significantly, a site could see its own user records or password hashes leaked (like recent incidents with LinkedIn, Adobe and Dropbox).

As with many IT security issues, the technology is only as clever and secure as its human users. Passwords, as a result, are not half as secure as they could be.

Past passwords

But what if we didn’t need to remember passwords anymore, let alone come up with strong, hard-to-hack ones?

Well, with the advent of a new web standard, the dream may well become a reality. The newly introduced WebAuthn standard has opened the way for online users to replace their passwords with other devices they already own or even biometrics.

The standard, introduced by the World Wide Web Consortium (W3C) earlier this month, means that users will be able to replace an increasingly long string of characters with their body - using their retinas or fingerprints - or tech like a mobile phone that can then communicate directly with the website they’d like to visit.

The change could mean that users are prevented against phishing attacks or the use of stolen credentials as there will be no password, no text for attackers to obtain. Authentication tokens are created and used by the device in question each time a user logs on, a process kept secure by tying it to just one piece of hardware.

As Jeff Jaffe, chief executive of W3C says, the new standard will “change the way that people access the web”.

He adds: “While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link.”

Authentic solution

At present, WebAuthn is at W3C’s “candidate recommendation” stage, the last step before it becomes best practice for the entire world wide web.

W3C say that Google, Microsoft and Mozilla are already committed to supporting the protocol, too. Support for it will be included in the next release of Google browser chrome - version 67 - and Firefox 60  while support could also become an option in Windows 10, according to a company that makes USB dongles.

Yubico, which makes the popular YubiKey USB authenticators, said its new Security Key supports the WebAuthn standard. Microsoft in turn said the new key would key would be supported by Windows 10 and Azure Active Directory users.

But it is not a given that WebAuthn and related authentication processes will completely replace passwords. And there have been other security measures that have proved as popular as WebAuthn could be.

One option favoured by many online services - including Google, Facebook and Microsoft’s Outlook - is 2-factor authentication, whereby users have login credentials and some separate, physical confirmation, such as a text to their mobile phone. Then there was OpenID, which promised a different solution to the password problem, allowing users to be authenticated by a third-party, independent site, meaning websites no longer had to host their own login systems. It too was welcomed by a similarly starry list of big tech firms at the time.

However, WebAuthn has one big advantage over its forebears: it makes life easier for users. There’s no extra work required and, often, the tokens it enables make logging in effortless as well as more secure.

It bodes well for the protocol, for sure. But you’ll probably need to keep your password manager going for the next few years, at least. Just make sure to add a few more symbols into your old favourites.

Get in touch

 020 7847 4510

 info@hso.co.uk

We may process your personal information in order to send you information you request, measure and improve our marketing campaigns, and further our legitimate interests. For further details, see our privacy policy.

Contact us

    • Head Office:
    • hSo, 50 Leman Street, London, E1 8HQ
    • Switchboard:
    • 020 7847 4500