Technology has never been more pervasive than it is today.  The past ten years have brought something close to a technological revolution, even though electronic computers date back to the 1940s.  One concern has accompanied computers and the technology around them from the very start: security.  People have always wanted to keep the information on these systems safe and secure, and right now security is one of the biggest issues modern technology faces.  Two factors combine to make it so: people have become inseparable from their digital footprints, and new attackers and new attack methods appear all the time.  Over the past few years especially, nearly everything in day-to-day life has been digitized.  A great deal about a given person can be found on the internet, whether through Facebook or a plain Google search.  You could ride to work in a self-driving car controlled from an app on your phone and buy a coffee along the way with a piece of plastic that you merely swipe, the money deducted from your account remotely.  Alongside the information people display publicly, there is information they want and need to keep private in order to stay safe.  What protects most of it, as a sort of front door, is a username and password login.  This measure has been one of the enduring features of computers and many other modern technologies.  Computers can be set up to require a password before a user can log in, phones can be locked with a four-digit PIN or similar, and websites to which people entrust their information require a username and password combination that verifies the user to that service.  These passwords are the lifeblood of their owners, since they are the first, and sometimes only, safeguard for the data they are entrusted to guard.  
Because of recent data breaches at major tech companies, people have called the effectiveness of the current system of security into question.  With advancing technology, new ways of protecting data are explored every day.  Whether these new systems use fingerprints, voice recognition, or some other alternative, their aim is to make the typical username and password combination obsolete.  Passwords, however, provide a secure and time-tested system.  If users put in even the minimal effort of understanding how passwords work, what goes into their “strength,” and how best to arrange and care for their array of logins (above all, never reusing one password on more than one site), the current system of username and password authentication can be the most secure and effective means of account security.  

What would happen if there were a major data breach at a company that held your login data for a particular website?  For any given user, the attacker would try to log in with the credentials they extracted.  If they managed a successful login on your account, they would then have free rein over that single account.  But what if you reuse the same username and password combination on more than that one site?  Then a stranger would have access to far more, and potentially to damaging information.  If you keep your financial information on the internet, they would have access to that.  If they gained access to your email, they could read every message you have sent or received and send anything to anyone in your contacts; since most sites reset passwords by email, that one account opens the rest.  Attackers automate exactly this: they take a breached list of username and password pairs and replay it against other services, a technique known as credential stuffing.  A single weak link in the array of online logins that makes up your cyber footprint could spell disaster from a single breach.  Everyone who uses or has ever used the internet is constantly at risk, and no one can be absolutely safe.  The best way to protect yourself is to know as much as possible.  With knowledge about passwords and about the sites you entrust your data to, you can ensure that you are as safe as possible on the internet.

The question then becomes: what do I need to know about our current system of security to protect myself and be as sure as I can that my data is safe?  To start, passwords have been misrepresented over the past couple of years.  In the clamor for secure login systems, websites introduced much-hated composition rules to “strengthen” passwords: an uppercase and a lowercase character, a number, a symbol, and a minimum length.  When a password is created, many websites show a bar that rates its “complexity” against these requirements.  This is the first misconception about password security.  Lorrie Cranor, Chief Technologist of the FTC and a professor at Carnegie Mellon, gave a TEDx talk at CMU on exactly this topic.  She claimed that “because of these requirements and the habits of most people, almost all passwords today can be boiled down to a simple formula.  A typical password consists of a root and an appendage.  The first character will usually be a capital, to fill the requirement, while the root consists of a pronounceable word.  The appendage usually consists of at least one number as well as a special character.”  She then supported this claim with data gathered both from students on campus and from anonymous users on the internet.  If almost all passwords in use can be boiled down to such a simple formula, the system can understandably be called into question.  Two researchers from Concordia University, writing in an ACM journal, set out to understand the password meters in place on most websites.  
Their study measured the strength ratings given by the meters on a range of web-based and app-based services, aiming to reach a conclusion on the effectiveness of these meters, “since password-strength meters play a key role in providing feedback and should do so in a consistent manner to avoid possible user confusion.”  The article continued, “In our large-scale empirical analysis, it is evident that the commonly used meters are highly inconsistent, fail to provide coherent feedback, and sometimes provide strength measurements that are blatantly misleading” (Xavier and Mannan).  The practical lesson is that a meter’s bar measures compliance with composition rules, not the number of guesses an attacker needs, and the two come apart as soon as the attacker knows the formula.  But if we have reached a point where almost all users’ passwords can be categorized so simply, are we truly safe?

If passwords are the front door of this security schematic, then its inner workings can be compromised through more than just the front door.  Another misconception is that the password itself is the weakest link in the chain that keeps an account secure.  That claim is mostly untrue.  Two Microsoft researchers and a computer science professor from Carleton University wrote an article for the Association for Computing Machinery discussing the idea of the “don’t care” region of password strength.  They say, “Simple analysis [from the viewpoint of an enterprise administrator whose objective is to protect a population of passwords] allows insights on the limits of common approaches and reveals that some approaches spend effort in “don’t care” regions where added password strength makes no difference. This happens either when passwords do more than enough to resist online attacks while falling short of what is needed against offline attacks or when so many accounts have fallen that an attacker gains little from additional compromises” (Florencio et al.).  This research may seem surprising, but from the perspective of the house analogy it is entirely logical.  An attacker trying to enter a house first tries the front door.  If the door does not budge because it is locked, they may try to force it.  If that does not work, they may try to pick the lock so that the door opens easily.  If both of those fail, it makes sense for the attacker to look for a different entry point that is not the front door.  In password terms: an attacker guessing through the login form (an online attack) is throttled by lockouts and rate limits and gets a comparatively small number of tries, so any password beyond that budget is safe from the front door; an attacker who has stolen the hash file (an offline attack) can try billions of guesses, and a password that resists the first but not the second has its extra strength in the region that makes no difference.
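
To make the two points above concrete, here is an added example, not code from the essay or from Cranor or Florencio et al.: a toy checker that scores a password the way a composition-rule meter does, then estimates how many guesses an attacker needs if the password fits the root-and-appendage formula, and finally places that estimate between an assumed online budget (10^6 guesses) and an assumed offline budget (10^14 guesses) to show the “don’t care” region. The root dictionary, the leet table, the appendage alphabet and both thresholds are assumptions chosen for illustration.

```python
# Added example (not from the essay or its sources): a composition-rule "meter"
# beside a guess-count estimate based on Cranor's root+appendage formula, placed
# against the online/offline budgets discussed by Florencio et al.
# ROOT_WORDS, LEET, APPENDAGE_CHARS and both limits are illustrative assumptions.

# Constructed toy "root" dictionary, ranked by assumed popularity.
# A real cracker uses millions of entries.
ROOT_WORDS = ["password", "welcome", "monkey", "dragon", "summer", "letmein",
              "football", "princess", "sunshine", "iloveyou"]
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})
APPENDAGE_CHARS = "0123456789!@#$%^&*.?"

# Assumed guess budgets (orders of magnitude): an online attacker is throttled
# by lockouts; an offline attacker holds the hash file.
ONLINE_LIMIT = 10 ** 6
OFFLINE_LIMIT = 10 ** 14


def composition_meter(pw):
    """The kind of meter the essay criticizes: score 0..5 purely on the
    composition rules (length >= 8, upper, lower, digit, symbol)."""
    return sum([
        len(pw) >= 8,
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def split_root_appendage(pw):
    """Strip the trailing run of digits/symbols off as the appendage."""
    i = len(pw)
    while i > 0 and pw[i - 1] in APPENDAGE_CHARS:
        i -= 1
    return pw[:i], pw[i:]


def root_appendage_guesses(pw):
    """If pw fits 'optional capital + dictionary root (with leet) + short
    appendage', return (True, guesses an attacker needs); else (False, None).
    The attacker enumerates roots in rank order, 2 capitalizations, 2**k leet
    variants for k substituted characters, and every appendage of that length."""
    root, appendage = split_root_appendage(pw)
    if not root or len(appendage) > 6:
        return False, None
    normalized = root.translate(LEET).lower()
    if normalized not in ROOT_WORDS:
        return False, None
    leet_subs = sum(1 for a, b in zip(root.lower(), normalized) if a != b)
    guesses = ((ROOT_WORDS.index(normalized) + 1) * 2 * (2 ** leet_subs)
               * (len(APPENDAGE_CHARS) ** len(appendage)))
    return True, guesses


def estimate_guesses(pw):
    """Guess count under the formula; otherwise a plain keyspace estimate
    (the most an attacker could need, which overstates real-world strength)."""
    matches, guesses = root_appendage_guesses(pw)
    if matches:
        return guesses
    space = 0
    if any(c.islower() for c in pw): space += 26
    if any(c.isupper() for c in pw): space += 26
    if any(c.isdigit() for c in pw): space += 10
    if any(not c.isalnum() for c in pw): space += 33
    return space ** len(pw)


def classify(guesses):
    """Place the estimate relative to the assumed online/offline budgets."""
    if guesses <= ONLINE_LIMIT:
        return "weak: falls even to online guessing"
    if guesses < OFFLINE_LIMIT:
        return "don't-care region: beats online guessing, falls offline"
    return "strong: resists offline guessing"


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "Welcome123", "k7m2p9xq", "correct horse battery staple"]:
        g = estimate_guesses(pw)
        print(f"{pw:30} meter={composition_meter(pw)} guesses~{g:.1e} -> {classify(g)}")
```

Running it shows “P@ssw0rd1!” and “Welcome123” scoring 5 out of 5 on the composition meter yet needing only a few thousand guesses under the formula, while the random “k7m2p9xq” gets a worse meter score but lands in the region that beats online guessing and still falls to an offline attack, which is exactly the case in which a site’s policy can push users toward effort that buys nothing.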

The information a password keeps safe can still be stolen if the platform the user entrusts their data to is attacked, in this case through a different part of the house, whether a back door or an unlocked window.  Bruce Schneier, a well-known writer on security and on cybersecurity in particular, wrote an essay that further supports the current system of passwords.  He described the threat of guessing attacks in an essay dating back to 2008: “The most serious attack is called offline password guessing. There are commercial programs that do this, sold primarily to police departments. There are also hacker tools that do the same thing. As computers have become faster, the guessers have got better, sometimes being able to test hundreds of thousands of passwords per second. These guessers might run for months on many machines simultaneously. They guess intelligently. They don't run through every eight-letter combination from “aaaaaaaa” to “zzzzzzzz” in order. That's 200bn possible passwords, most of them very unlikely. They try the most common password first: “password1.” (Don't laugh; the most common password used to be “password.”)” (Schneier 229).  This essay, even though written in 2008, is echoed in Lorrie Cranor’s post on the FTC website in early 2016.  The research described there uses the offline guessing attack Schneier had written about eight years earlier: “The UNC researchers used password cracking tools to attempt to crack as many hashed passwords as they could in an “offline” attack. Offline attackers are not limited to a small number of guesses before being locked out. Attackers first gain access to a system and steal the hashed password file. They take that file to another computer and make as many guesses as they can. Rather than guessing every possible password in alphabetical order, cracking tools use sophisticated approaches to guess the highest probability passwords first, then hash each guess and check to see whether it matches one of the hashed passwords” (Cranor).  If researchers still rely on these methods to crack their password sets, it is reasonable to conclude that offline guessing remains a common way to recover the passwords stored in a system.  This back door gets an attacker to the goal without confronting the safeguard the user put in place: the guessing runs against a copy of the stored hashes, and a typical root-and-appendage password falls quickly, so the user’s efforts to guard the data are voided.  What decides the outcome here is the site, not the user.  Storing a plain, fast, unsalted hash lets the attacker test each guess against every account at once; a per-user salt and a deliberately slow hash (bcrypt, scrypt, PBKDF2 or Argon2) make every guess cost far more and stop one computation from being checked against every user.  A password beyond what an offline attacker can afford to enumerate still survives either way.
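
As an added example (not code from Schneier, Cranor or the UNC researchers), the following simulates the offline attack just described against a constructed hash file: guesses are hashed in rough probability order and looked up against every stolen hash at once, and then the same guesses are run against salted, deliberately slow PBKDF2 records to show what the site, rather than the user, can change about the attack. The usernames, passwords, wordlist, suffix list and iteration count are all made up for illustration.

```python
import hashlib
import os
import time

# Added example (not from the essay or its sources): offline guessing against a
# constructed "stolen" hash file, unsalted fast hashes first, then salted slow
# ones. Every name, password and wordlist entry here is made up.


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed leak: username -> unsalted SHA-256 of the password, the kind of
# file an attacker walks away with when a site is compromised.
LEAKED_UNSALTED = {
    "alice": sha256_hex("password1"),
    "bob": sha256_hex("Dragon2016"),
    "carol": sha256_hex("X9f!kq2Lz#v"),   # not derivable from the wordlist
}

# Constructed ranked wordlist: highest-probability guesses first.
RANKED_WORDLIST = ["password", "123456", "password1", "dragon", "welcome", "monkey"]
SUFFIXES = ["1", "123", "!", "2015", "2016"]


def candidates(wordlist):
    """Yield guesses in rough probability order: plain words first, then
    common mangling rules (capitalize, append a digit/year/symbol)."""
    for w in wordlist:
        yield w
    for w in wordlist:
        yield w.capitalize()
        for s in SUFFIXES:
            yield w + s
            yield w.capitalize() + s


def crack_unsalted(store, wordlist):
    """Unsalted: hash each guess once and look it up against every account at
    the same time. Returns (cracked {user: password}, guesses hashed)."""
    by_hash = {}
    for user, h in store.items():
        by_hash.setdefault(h, []).append(user)
    cracked, tried = {}, 0
    for guess in candidates(wordlist):
        tried += 1
        for user in by_hash.get(sha256_hex(guess), []):
            cracked[user] = guess
        if len(cracked) == len(store):
            break
    return cracked, tried


def hashes_per_second(seconds=0.2):
    """Rough measure of how fast one core tests unsalted SHA-256 guesses."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        sha256_hex("guess%d" % n)
        n += 1
    return int(n / seconds)


def make_salted_record(password, iterations=20_000):
    """What a site should store instead: a per-user random salt plus a
    deliberately slow derived key (PBKDF2-HMAC-SHA256 here; count is illustrative)."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)}


def crack_salted(records, wordlist):
    """Salted and slow: every (guess, user) pair needs its own derivation of
    `iterations` hashes, so the attacker can no longer amortize across users.
    Returns (cracked, derivations performed)."""
    cracked, work = {}, 0
    for user, rec in records.items():
        for guess in candidates(wordlist):
            work += 1
            dk = hashlib.pbkdf2_hmac("sha256", guess.encode(), rec["salt"], rec["iterations"])
            if dk == rec["hash"]:
                cracked[user] = guess
                break
    return cracked, work


def salted_demo():
    """Same two weak passwords stored properly: still crackable, but each guess
    now costs ~20,000 hashes and cannot be shared between users."""
    records = {"alice": make_salted_record("password1"),
               "bob": make_salted_record("Dragon2016")}
    cracked, work = crack_salted(records, RANKED_WORDLIST)
    return cracked, work, work * 20_000


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAKED_UNSALTED, RANKED_WORDLIST))
    print("~%d SHA-256 guesses/second on this machine" % hashes_per_second())
    cracked, derivations, equivalent = salted_demo()
    print("salted+slow:", cracked, derivations, "derivations ~=", equivalent, "hashes")
```

The unsalted run recovers alice and bob with 72 hash computations in total and never touches carol, whose password is outside the wordlist; the salted run recovers the same two accounts but has to pay for each user separately, and each of its 53 derivations costs as much as tens of thousands of plain hashes. The weak passwords still fall, which is the essay’s point about offline guessing; what the storage scheme changes is the price per guess and the inability to attack every user at once.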

These misconceptions about passwords lead organizations that hold users’ data, universities in particular, to require mandatory password changes.  Lorrie Cranor, mentioned earlier, discussed this in a 2016 post for the FTC, referencing a study of what happens when users are required to change their passwords every three months.  She wrote, “The Carleton researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit, probably not enough to offset the inconvenience to users.” This is because, “They observed that users tended to create passwords that followed predictable patterns, called “transformations,” such as incrementing a number, changing a letter to similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end)” (Cranor).  Mandatory password changes are meant to limit how long a stolen password stays useful, yet in practice they cause more harm than good: an attacker who holds one old password, whether from a breach or from cracking, can generate the handful of transformations above and reach the replacement in a few tries.  Passwords are not the weakest link, and bolting on a falsely praised “safeguard” to make the passwords housed on a server as safe as they can be only decreases security over time.  Forcing a change after a known compromise makes sense; forcing one on a calendar does not.  
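
As an added example (not the Carleton or UNC researchers’ code), the following generates the transformations listed above from an expired password and measures how many of them an attacker who knows the old password must try to reach the replacement; the look-alike table, the search depth and the sample passwords are assumptions for illustration.

```python
import re

# Added example (not from the essay or the studies it cites): generate the
# predictable "transformations" of an expired password and count how small the
# resulting guess list is. LOOKALIKES and the sample passwords are assumptions.

LOOKALIKES = [("s", "$"), ("S", "$"), ("a", "@"), ("o", "0"),
              ("i", "1"), ("l", "1"), ("e", "3")]


def transformations(old):
    """Every password exactly one transformation away from `old`."""
    out = set()
    # 1. Increment (or decrement) a trailing number, keeping its width.
    m = re.search(r"(\d+)$", old)
    if m:
        base, digits = old[:m.start()], m.group(1)
        for delta in (1, 2, -1):
            value = int(digits) + delta
            if value >= 0:
                out.add(base + str(value).zfill(len(digits)))
    # 2. Swap a letter for a look-alike symbol, or swap it back.
    for i, c in enumerate(old):
        for letter, symbol in LOOKALIKES:
            if c == letter:
                out.add(old[:i] + symbol + old[i + 1:])
            if c == symbol:
                out.add(old[:i] + letter + old[i + 1:])
    # 3. Add a special character at the end, or drop one.
    for s in "!@#$":
        out.add(old + s)
    if old and not old[-1].isalnum():
        out.add(old[:-1])
    # 4. Move the trailing digits/symbols to the front, or leading ones to the back.
    m = re.match(r"^(.*?)([^A-Za-z]+)$", old)
    if m:
        out.add(m.group(2) + m.group(1))
    m = re.match(r"^([^A-Za-z]+)(.*)$", old)
    if m:
        out.add(m.group(2) + m.group(1))
    out.discard(old)
    return out


def transformation_distance(old, new, depth=2):
    """Breadth-first search: how many transformations turn `old` into `new`
    (None if more than `depth`)."""
    frontier, seen = {old}, {old}
    for step in range(1, depth + 1):
        frontier = {t for p in frontier for t in transformations(p)} - seen
        if new in frontier:
            return step
        seen |= frontier
    return None


def guesses_needed(old, depth=2):
    """Size of the candidate list an attacker must try to cover every password
    within `depth` transformations of `old`; tiny next to any real keyspace."""
    frontier, seen = {old}, {old}
    for _ in range(depth):
        frontier = {t for p in frontier for t in transformations(p)} - seen
        seen |= frontier
    return len(seen) - 1


if __name__ == "__main__":
    for old, new in [("Summer2016", "Summer2017"), ("Summer2016", "$ummer2017"),
                     ("Password!!!", "Password!!"), ("Summer2016", "gK8#rwq2Lp")]:
        print(f"{old} -> {new}: {transformation_distance(old, new)} step(s); "
              f"attacker list size {guesses_needed(old)}")
```

A replacement like “$ummer2017” is two transformations from “Summer2016” and sits in a candidate list of a few hundred entries, so a rotation policy that produces such passwords buys essentially nothing against an attacker who already has the old one; only the unrelated replacement is outside the list.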

Some would argue that if a password can be cracked, then the current system is flawed from the very start.  Michael Chertoff, a former head of the US Department of Homeland Security, recently claimed that passwords are the weakest link in cybersecurity, citing the Yahoo breach disclosed in the fall of 2016.  He says, “We need to acknowledge the failure of passwords and make it a national priority to come up with something better – leveraging the next generation of authentication technologies to authenticate identities in a way that is both stronger than passwords and also easier for people to use” (Chertoff).  The problem with Chertoff’s claim is that the Yahoo breach was a server-side breach: somehow an attacker gained access to Yahoo’s stored password hashes.  (Hashed, not encrypted: a hash cannot be reversed, only guessed against.)  With the hash file in hand, they could run an offline guessing attack and recover the weaker passwords.  That is a failure of the site’s custody of its hashes, not of passwords as a mechanism, and it is exactly the case where slow, salted hashing and a unique password per site limit the damage.  The other problem with citing this breach is that Yahoo is one of the biggest email providers on the internet.  When Chertoff says “500 million individuals” would feel the impact of the breach, he overlooks what goes into such a large number.  The “500 million individuals” are really 500 million accounts.  There were so many because people are not limited to one email account; the total includes accounts that are temporary, created for a single service, or forgotten entirely.  The security on most of these essentially unused accounts is bound to be poor.  This means that the actual number of people affected by the attack cannot be determined from the account count.  It is dangerous for a former head of Homeland Security to spread this kind of misinformation, and more so to use it to argue that passwords should be done away with.

With technology permeating every sphere of modern life, it is more important than ever to protect your presence on the internet from unwanted intruders.  Each website and service you use adds to a growing list of places to which you entrust your most private information.  It is a sad fact that most internet users are not well versed in cybersecurity.  But the fact that some people do not understand the system that protects everyone’s data is no reason to abolish it.  Some make passwords out to be a confusing topic.  In this digital world, security should be everyone’s top priority.  The saying “you’re only as strong as your weakest link” is especially apt in cybersecurity.  Passwords are one of the most important pieces of cybersecurity, and they are certainly not the weakest.  The scheme in place on nearly every website does the job, provided the proper measures are taken to make up for its inherent weaknesses: a unique password for every site, and a password manager to hold them so that uniqueness costs nothing to remember; no alternative currently gives users the same combination of safety and reach as a password.  If every internet user strengthened the security on all their accounts, not only would they benefit from the added security, but everyone else using the same systems would benefit by association.  Each user contributes to the overall safety of a system, and by strengthening every piece we end up with a far more fortified whole.  The arguments against passwords fall away with accurate information about how best to work the system.  The internet is a wonderful tool, and the one part of it you can tune to protect yourself is your set of passwords.  By understanding how passwords work, as well as the security measures of the sites you use and trust, you will be best prepared for an attack in this digital age.  
With the proper protocols in place, even after a breach somewhere in your online presence, you will be as safe as the system allows and far harder to harm.
