In our last post we talked a lot about the static password and some of the benefits of ditching it for a fluid, dynamic password instead. Of course, we also discussed a specific authority figure in the world of technology who boldly declared that passwords “just don’t meet the challenge for anything you really want to secure.” The person who quipped this? His name is Bill Gates, and he’s not wrong. But then again, here we are, years later, and the password is still the cornerstone of authentication for many websites, applications, etc. So, if the password as a concept is going to stubbornly refuse to be left in the ash heap of computer history, we should probably talk about how we can make the password a little bit better with the benefits of the dynamic password.
Getting Away from the Static Password: Part II – The Dynamic Password
Chances are, what you use today would be referred to as a “static password.” A static password is simply that: a password that, once set, is left unchanged. Hacking static passwords is not a difficult task for even your typical attacker – commonly used methods such as dictionary or brute force attacks are often enough to get the job done. If your password is left unchanged, it really is only a matter of time before it can be cracked (though there has been some new research on password expiration that puts that question directly into the limelight). While this bit of info is disconcerting, you can take measures on your own to protect the information and other data that is important to you. A good step in the right direction would be to use a dynamic password.
What is a Dynamic Password?
Let’s talk a bit more about the dynamic password. Firstly, what is a dynamic password? The basic definition of a dynamic password is a password that does not remain constant – except that it is constantly changing.
Now you may be thinking, “That’s a huge inconvenience. A constantly changing password? Does that mean I have to change my password every day? That’s just inconvenient! I mean, who could possibly guess my password $$$!!!garybusey?”
Now, I agree: the thought of changing your password constantly is an enormous hassle. Luckily, that’s not what a dynamic password entails. In fact, you may already be a user of dynamic passwords. One Time Passwords (OTPs) are a commonly used type of dynamic password – a machine-generated, random string that is used once to authenticate. Every time an end user wants to log in, instead of entering their usual static password, they would simply input a unique, machine-generated password. This dynamic password can be received on a mobile phone or made by a dedicated security token. Dynamic passwords are convenient because they don’t have to be remembered, and because the password is never the same, they serve as a major roadblock for hackers who may be looking to break into user accounts.
It is time for the naysayers and the lovers of static passwords to begin to face the facts – the static password will become extinct. Whether it is an easy and quiet slip into the history books or whether we have to drag it kicking and screaming out the door, the static password is going to go away. The FIDO Alliance (whose members include tech heavyweights such as Microsoft, Google, and others) has published a report for a system to eliminate the static password for good. I’ll admit it, I do see a bit of an appeal for a static password – set a password once, and forget about it – but we are at an age where too much is protected behind a simple string of never-changing characters. We should begin to embrace the dynamic password, and with it, say farewell to password resets, changes, and hacker attacks.