Why Passphrases Are Still Better than Passwords & Fingerprints
Remember the days when you set “password” as your password? Many still use such insanely insecure methods , but even the humble password has evolved.
We now use passcodes or passphrases wherever we go. They unlock your online banking, games accounts, and devices.
But to some, even these have been rendered superfluous, replaced by supposedly-superior validation practices. Here’s why you should stick with passcodes and passphrases.
What Are Passcodes?
Most of us use passcodes or passphrases for our smartphones, emails, and other apps and services: they’re simply a string of characters and digits, typically longer than a password. So if your password is MakeUseOf, this might translate into M@k3U$£0f2006!
“MakeUseOf” is easy to guess. Changing the majority of vowels into numbers, adding in the year this website was launched, and finishing it off with punctuation makes it much harder to figure out.
Perhaps the most important passcode we use all the time is the one to access Wi-Fi. It’s initially a string of numbers, and upper- and lower-case letters. You can change it, but be sure to alter it to a passcode, not the name of your dog.
What’s Wrong With These Other Processes?
In a bid to tackle hackers, firms are using or trialing other means of verification.
But nothing is infallible. Passcodes are still king.
We rely on Personal Identification Numbers (PINs). If you pay by card — and don’t or can’t use contactless payments — you need to put in a four-digit code. Many of us lock our smartphones with PINs. It seems pretty darn secure, especially considering that a four-digit number, consisting of the numbers 0 to 9, can have 10,000 potential combinations. If we factor in 6-digit codes (once again using 0 to 9) even without repeating a number, there are 136,080 possible combinations.
The chances someone would guess your PIN, whatever you may use one for, seem remote, but they might not be as astronomical as you’d initially think. This is especially true if your PIN is 1234 or a similarly-popular code . Hackers can predict the action of an average person.
Your date of birth will be one of the first things cyber-criminals will find out about you, and further basic information isn’t hard to come by on the Dark web. People set their PINs as something memorable, for obvious reasons, so some might elect to use their anniversary, year of their 21st birthday, or birthdates of parents or children.
More likely, a hacker would use a brute force attack . Very basically, this is a programme that systematically runs through a multi-digit system. It may start with 0001 then continue 0002, 0003, and carry on in a similar fashion very quickly.
You might think that setting your password as something obscure should be alright: nobody will ever guess it’s in another language, a personal pet-name, or your favorite Chesney Hawkes song… right?
While passwords are preferable to a pattern lock , if a hacker finds out enough details about you, they could make an educated guess as to what words you might use. How? They could buy details about you, or scour your blog and social media presence. Just take a look at how Digital Shadow pulls apart Facebook profiles and runs through potential passwords.
Even scarier, a hacker could employ a variation of the brute force attack called the dictionary attack. This runs on the same principle but further tries out strings of characters; its first attempts, though, specify words pinpointed by hackers as the most likely passwords. If they’re not immediately successful, it might try adding years to the end.
It’s worse if you use the same passwords for different accounts.
Arguably, your email password is the most important: if someone gains access to that, they could go through all the other accounts you might have and click “Forgot Password?” then reset them through that. You should definitely make sure you use a password unique to your email address. Wired‘s Mat Honan says:
“How do our online passwords fall? In every imaginable way: They’re guessed, lifted from a password dump, cracked by brute force, stolen with a keylogger, or reset completely by conning a company’s customer support department.”
Touch ID seems like an ingenious way of securing your devices. Apple introduced it to their smartphones with 2013’s iPhone 5S and their iPads in 2014, and many saw it as a brilliant new security measure. Because fingerprints are unique. It seemed impossible that someone else could copy your fingerprint.
But they can. Of course they can.
We leave fatty fingerprint residue wherever we go, but it’s certainly all over the device anyway — what’s less certain is if it’s a complete, useable fingerprint — so a clever thief might consider Touch ID easier to unlock than a phone that uses a PIN!
That’s becoming a widely-held viewpoint, helped along by various techies finding a way around the security protocol. Most notably, the Chaos Computer Club (CCC) , hackers dedicated to exposing such flaws, took a high-resolution image of a fingerprint, printed it out in reverse using excessive printer ink on a transparent sheet, then is smeared with white wood glue.
In addition to that, the bio-metric technology itself wears out. Let’s take the iPhone as an example. This uses a Complementary Metal Oxide Semi-conductor (CMOS) scanner, and is easily damaged. In fact, just dirt will affect it. Sweaty hands? Your phone might not recognize you, and it might be damaged. CMOSs have a very limited lifespan, which is probably great for Apple because you’ll take it as a sign your phone’s getting old and you’ll buy a new one.
Okay, that’s not a security risk per se, but is indicative of their uselessness. If Touch ID fails, you fall back on a passcode. Nonetheless, we admit that fingerprints will probably be secure enough for the average person — just not if you’re concerned about law enforcers wanting you to unlock your device .
How You Can Make Your Passcode Even More Secure
Passphrases are especially useful: you reduce a sentence to the first letter of each word. Maybe you’ve a favorite song title, quote, or book. Let’s say you love The Golden Apples of the Sun by Ray Bradbury. This becomes TGAOTS. You could add RB at the end of that. You could change the “O” to a zero. If you’re a Bradbury buff, you could even add its publication date, 1953.
In the end, your passphrase would be TGA0TSRB1953.That looks like complete gobbledegook to an onlooker, and not something easily guessed, but it’s easy to remember if you know what the acronym means.
Throw in some punctuation too. Most go for an exclamation mark, so why not use something a little more obscure? An “S” can easily turn into “$”, and no one ever uses a back-slash, so that’s always an option too.
Mix upper- and lower-case characters, but do so without simply having the first letter capitalized with the rest lower-case. If you’ve a favorite author, combine two book titles. So if we take Fahrenheit 451 into account, you add “F451” to the phrase.
If you do use a four-digit number (ie. a year), why not bookend the rest of the password with two digits? You’ll end up with something like…
And to top it all off, you can test the strength of passcodes at various sites .
What other tips do you have? Which identification method do you think is the most secure? Let us know below.