For users who are not system administrators, the biggest impact of the Heartbleed vulnerability has been all the passwords that they have had to change. This, together with improvements in alternative authentication methods (like the fingerprint scanners now embedded in flagship smartphones), has caused some rather bold statements about passwords to be made.
Passwords are out of fashion? Obsolete in the short term, I hear some people say? Not so fast! While it’s true that passwords are not the most convenient way of authenticating yourself and they are inherently insecure, we should not be so quick to dismiss them.
The main advantage of passwords is that everybody can use them straight away. There is no need to tie yourself to a specific authentication token (“I could swear it was in my bag this morning!”), location (“I can’t log in from the hotel, I forgot I enabled that security feature!”), or smartphone (“I let my phone’s battery go dead!”). It might seem odd to some, but forcing users to own a smartphone – or asking a company to provide their employees with one – might be too costly.
Even if passwords are supplemented by other authentication methods, passwords will still be around as a secondary method. What would happen otherwise when your phone or hardware token gets stolen? We are simply not ready for a world without passwords, much as we’d like to get rid of them.
If that’s the case, we might as well learn how to use them properly. It’s not that difficult:
First, use a different password for each online service. If you’re trying to do this manually, it becomes difficult – which is why the best way to do this is to use a password manager. There are multiple options available, many of which are free.
Secondly, once you are using a password manager, use a long, hard-to-guess master password for it. If it’s anywhere in a dictionary, it’s not a good password. Here’s one way to come up with a secure master password: use the initials of a very long sentence. Imagine there’s no heaven; It’s easy if you try; No hell below us; Above us only sky. Add commas and other punctuation for added difficulty and bonus points: Itnh,ieiyt;nhbu,auos! That’s a better password than what most people use.
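The initials-of-a-sentence method above, as an added example that is not part of the original post: `mnemonic()` does the mechanical step (first letter of each word, keeping any punctuation glued to the word's end), and `weaknesses()` applies the post's two rules, that the result must not be a dictionary word and must be long. The word list and the minimum length are constructed assumptions; the post's hand-tweaked lowercasing and comma-swapping is left as a manual step.

```python
import re

# Constructed stand-in for a real word list; a real check would load a full dictionary file.
DICTIONARY = {"password", "heaven", "imagine", "sunshine", "letmein", "qwerty"}

# Sample input: the four lines quoted in the post, used as the memorable sentence.
LENNON_LINES = "Imagine there’s no heaven; It’s easy if you try; No hell below us; Above us only sky."


def mnemonic(sentence: str) -> str:
    """Keep the first letter of each word plus the punctuation that follows it."""
    parts = []
    for token in sentence.split():
        first = token[0]
        trailing = re.search(r"\W*$", token).group(0)  # e.g. ";" from "heaven;"
        parts.append(first + trailing)
    return "".join(parts)


def weaknesses(password: str, min_length: int = 12) -> list:
    """Return the reasons a candidate master password fails the post's rules (empty list = passes)."""
    reasons = []
    # Strip punctuation and case so "Heaven!" is still caught as the dictionary word "heaven".
    core = re.sub(r"\W", "", password).lower()
    if core in DICTIONARY:
        reasons.append("dictionary word")
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    return reasons


if __name__ == "__main__":
    candidate = mnemonic(LENNON_LINES)
    print(candidate, weaknesses(candidate))
    print("Heaven!", weaknesses("Heaven!"))
```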
Thirdly, don’t rely on passwords alone. Yes, we said that passwords won’t be going away soon – but if you can, use whatever second factor of authentication is available. A smartphone is a good choice, as many services can use one to authenticate – whether it’s via an app or text messages.
I don’t think passwords are going to fall out of fashion anytime soon, if only for the ease of use. This isn’t to say that they will be the only authentication method used – and they shouldn’t be. Complementing them with more factors (two or three!) is the way to go, in my opinion.