The static password is just a fancy way of referring to the type of password that we typically use to log in to various accounts and services every single day. It is a password that, for the most part, remains the same from the moment it is created until it is changed or updated for that specific account. Passwords in this sense have not changed much in the last few years. However, it is unsurprising to walk into a room full of typical users and find one who stands above the rest and proclaims for all to hear, “The Password is Dead!” I’ve spoken about this debate before, but it is a continuously evolving monster. Bill Gates himself famously proclaimed the death of the password in 2004, and yet the static password remains in constant use throughout the web, as well as across corporate and institutional environments. Today, I’m going to discuss why we should all be moving away from the static password – for our own protection, and for the protection of the many digital devices and accounts that matter most.
Thanks Christopher, so…what IS a Static Password?
I can talk about passwords until the sun explodes – I find them fascinating, and the practice speaks a lot to how our society has developed, as well as to our fondness for secrets. However, the static password is interesting because of its lifecycle. The static password has two cycles of life: one defined by its own strength and complexity, and another defined by the human factor (namely, password policies and individual preferences).
A static password is the direct opposite of a dynamic password – where a dynamic password changes with every use, the static password remains the same unless intentionally changed or reset by an end-user or administrator. Its strength is typically measured by its length, complexity, and character set – a topic that is hotly contested, despite widely published best practices.
This is where the modern measurement of the strength and security of a static password comes into play: it depends on conditions outside the password itself. Whether those conditions are set in the password policy of an organization or service, in the hands of the end-user who chooses and changes the password, or in how the service stores it, the security of a typical password is only as strong as these overarching conditions. The longer a static password stays in use, the more opportunities it has to be exposed through a breach, a phishing page, or reuse on another site – and it is left up to the end-user to limit that exposure by replacing and updating their static password.
How does the Static Password Hold Up Today?
We are currently experiencing a wonderful era in technological development, full of innovation and invention – all of which has trickled down to affect the digital community at large. We’ve all seen the news, and we’ve all heard of the constant barrage of data breaches that are hitting companies both large and small. One thing that constantly comes up in these stories is a lack of robust, effective security measures. Unfortunately, standard password practices are partly at fault.
The static password bears an inherent weakness – it remains the same. Multi-factor authentication serves as an advantageous addition to authentication security, but it often becomes unwieldy for certain users – users who might not always benefit from the effort that goes into enacting and following multi-factor authentication policies. Did you know that a weak or reused password, once its hash leaks in a breach, can be cracked offline by an attacker with a typical computer in a matter of minutes? On top of that, if the password remains unchanged after it is cracked (and let’s face it, many of us do not change our passwords as often as we should), the attacker can retain unfettered access to the compromised account for as long as the password stays valid.
Therein lies the problem with our static passwords: they rely heavily on users monitoring and updating them, and are constantly being patched by adding more steps to the authentication process when, oftentimes, less is best.
The Future of Static Passwords – a Dynamic Change
Along with multi-factor authentication comes the concept of a One-time Password (OTP). These OTPs are prime examples of a dynamic password and of the strengths gained by making the switch from static passwords. The true strength of an OTP in multi-factor authentication comes from the OT in its name – each code is accepted exactly once, and the service provider rejects any attempt to reuse it, so a code captured in transit is worthless to an attacker a moment later. Interestingly enough, the same concept can be applied to standard authentication practices without expecting outlandish effort on behalf of the end-user, increasing authentication security dramatically in a way that hasn’t been done since before Bill Gates sparked the famous debate.
With a dynamic password, authentication security relies on a secret shared between the user’s device and the back end plus a moving factor (a counter or the current time) that both sides track, so that each code is derived freshly and is, quite simply, much harder to abuse than a static password that never changes. A dynamic password directly addresses the major issues with a static password without hindering usability. Regardless of the necessary adjustments to many existing service structures, the dynamic password is an innovative change and stands to replace the weaker, more typically used static password.
Stay tuned for our next article on dynamic, fluid passwords and the true strength and security they offer in the current digital marketplace. The static password was a great tool for its era, and while the password is not dead yet – it is definitely due for a serious structural change.
What’s your point of view on the static password? Let me know in the comments below and we’ll see if we can’t get a conversation going!