9 March 2022

The Password Dilemma

Given the myriad of online services available today, a typical Internet user is estimated to own at least a few dozen online accounts. Keeping track of and remembering such a large number of login credentials is hardly possible. Fortunately, we have web browsers to assist by automatically saving the login credentials for new sites that we visit. This may seem like a helpful feature, but it has also given rise to another problem: forgetting our passwords. After a prolonged period of not having to recall our passwords from memory, we tend to forget them. In situations where we need to access our online accounts from another computer, failure to recall our password can be quite inconvenient. If we are lucky, we may be able to guess the right password after several login attempts. Otherwise, we may have to initiate the “forgot password” process to create a fresh password for login. After a certain period, this whole cycle might repeat itself.

Such a hassle to manage our online accounts, isn’t it? You might wonder, why can’t we just use the same password for all our accounts? According to security experts, this is a bad idea.

We must understand that password stealing is still a formidable threat in today’s digitalised world. Password stealing is often accomplished through several common cyberattacks such as phishing, keylogging, or malware. Cybercriminals can then use the stolen passwords to gain access to the victim’s online accounts, potentially leading to disasters such as leakage of personal information and loss of money. In addition, cybercriminals are also known to “try out” stolen passwords at other websites, hoping to gain easy access to additional online accounts that the victim may have. This cyberattack is known as the password reuse attack.

Despite increasing awareness of password reuse attacks, recent studies found that a significant percentage of users continue to reuse passwords between sites, or merely make subtle modifications to a basic password. This shows that users prefer passwords that are easy to remember, favouring memorability over security. The reason for this behaviour has to do with the limitations of human memory in remembering many passwords across unrelated sites. Over time, users may experience fatigue trying to remember these passwords, leading them to a state where they no longer pay much attention to security issues or simply ignore them. For example, some users have chosen to write down passwords on a sheet of paper or store them electronically in a text document. Unfortunately, these recorded passwords may be exposed if the physical or electronic document falls into the hands of unscrupulous parties. Therefore, the current security recommendation to create a sufficiently long, complex, and unique password for every website, service, and portal is not that practical.

To assist users in coping with the demanding task of managing passwords, password managers have been introduced. These are relatively modern tools that allow users to store all their passwords conveniently in a vault on a local machine as well as in the cloud. To access the stored passwords in the vault, the user has to key in their master password. However, the use of password managers has yet to gain much traction. Perhaps the public is still doubtful about the idea of entrusting all their passwords to a single platform, which may very well become a single point of failure if the master password is compromised.

As observed from the public’s response over the years, a stronger security implementation does not necessarily translate into more secure outcomes. Some of the existing security solutions have proved to be rather difficult to apply in practice. It is important to reconsider security protocols or mechanisms that may potentially contribute to user fatigue. We cannot simply impose security restrictions without considering how users feel about them. At this point, you may wonder whether there exists any solution that is truly effective yet practical enough to be used for safeguarding our online accounts. This may not be known to many, but such a solution does exist.

Two-factor authentication (2FA), a form of multi-factor authentication (MFA), is one of the latest security implementations that seeks to thwart cybercriminals from accessing our accounts using a stolen first factor, e.g., the account password.

To access a 2FA-enabled account, a second authentication step needs to be completed using the legitimate user’s mobile phone, through methods such as one-time passwords (OTP), QR code scanning, or in-app verification prompts. Since the mobile phone number of the legitimate user is tied to their online accounts, it is guaranteed that the second-factor authentication can be safely completed by the rightful person.
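As an added illustration (not part of the original article) of how the OTP second factor described above works on the server side, the block below implements time-based one-time passwords in the style of RFC 4226/6238: the phone and the server share a secret, each derives the same 6-digit code from the current 30-second time step, and the server accepts a code only once and only within a small clock-skew window. The function names `hotp`, `totp` and `verify_totp` are my own; the shared secret is the well-known RFC test-vector value, not a real credential.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps.
    This is what the authenticator app on the user's phone computes."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, last_counter: int,
                step: int = 30, digits: int = 6, drift: int = 1):
    """Server-side check of a submitted code.

    Returns (accepted, new_last_counter). A code is accepted if it matches one
    of the time steps within +/-drift of the server's clock (tolerates small
    skew) AND its time step is newer than the last step already consumed for
    this user, so a code captured by a keylogger or phishing page cannot be
    replayed later. The comparison is constant-time."""
    counter = at_time // step
    for c in range(counter - drift, counter + drift + 1):
        if c <= last_counter:                    # already used (or older): reject, stops replay
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True, c
    return False, last_counter


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test-vector secret (ASCII '12345678901234567890').
    shared_secret = b"12345678901234567890"
    now = 59                                     # seconds since epoch in the RFC 6238 examples
    phone_code = totp(shared_secret, now)        # what the user reads off their phone
    ok, last = verify_totp(shared_secret, phone_code, now, last_counter=-1)
    print(phone_code, ok, last)                  # first use: accepted
    ok_again, _ = verify_totp(shared_secret, phone_code, now, last_counter=last)
    print(ok_again)                              # same code submitted again: rejected
```

The replay check is the part most often forgotten in home-grown OTP verifiers; without it a code stolen in its 30-second window remains valid for every attempt inside the drift window.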

So if you have yet to activate 2FA on your accounts, it is high time to do so. Keep in mind also that even with these security solutions in place, users are urged to remain vigilant against cyber threats and to continue practising safe computing habits.

Dr Colin Tan is a lecturer with the Faculty of Engineering, Computing and Science. He can be contacted at ctan@swinburne.edu.my.