The big problem with internet passwords is that people get lazy. Incredibly lazy, and year in, year out, when the lists of the most compromised passwords are published, the same basic patterns repeat themselves over and over again. Hands up if you’ve ever used:
As a password. Be honest.
Now, hang your heads in shame — they were all in the top ten worst passwords last year, and variants thereof have been the worst passwords you can pick for decades now.
A number of services have popped up that try to sidestep the issues surrounding lazy password re-use by using another service to verify your login credentials, which is why you see sites that use Google or Facebook login to check identity so often. It’s an easier approach, but it’s also a single-key approach that means that if your Facebook or Google account were compromised — again, say, by a lazy password — then all of your accounts could be.
Equally worrying in that scenario is that a lot of applications that use Facebook as a security framework also require either posting or data-scraping permissions on your Facebook account itself. Would you be happy with a third party getting all your friends’ details, or posting out your weight loss every time you stepped on the scales without you knowing it?
One of the more interesting recent developments in sign-in has come via Twitter. It’s launched Fabric, a developer framework that includes a sign-in system called Digits. Digits doesn’t rely on having a unique password for every service, or indeed a password at all. Instead, it uses something that you’ve already got and nearly always have on you: your mobile phone number. Authentication via SMS isn’t entirely new, but it’s usually part of a two-factor authentication scheme rather than a standalone login system. Part of the appeal for Twitter is no doubt the fact that it can target users who have phones but are online rarely, if at all.
There’s an ease-of-use play here as well, because it ties only to the phone number signed in with, which means you don’t have to remember a password or a username, and you should never have to click on one of those little “I’ve forgotten my password” links ever again. Given that mobile number portability is relatively easy in Australia, it’s also something that you could (if it takes off) carry with you for a very long time indeed, even if you change carriers or the phone system changes markedly.
I’ve long advocated for the use of a solid password management app to generate passwords for you that you hide behind one long, strong password that you can remember, and there’s no shortage of those. Digits looks like it could make things even simpler, although it will depend on whether developers choose to integrate it within their apps, or continue using other services or systems.
Whatever you do, though, don’t use “Password” as your password. That’s just asking for trouble.