No one has escaped the frustration of using, remembering and updating passwords for the growing number of devices, sites and apps we choose to use every day. It is estimated that, on any given day, the world collectively spends the equivalent of 1,300 years simply typing passwords. One study concluded that the average user has 6.5 different passwords, 25 accounts requiring passwords and enters an average of eight passwords a day. How did we get here?
In 2003, Bill Burr at the National Institute of Standards and Technology wrote what was then the definitive report on password protection and management, “NIST Special Publication 800-63, Appendix A.” At that time, well before people were overwhelmed by the number of passwords they had to track, Mr. Burr’s advice was well received: it told people to protect their computer information by creating nonsense passwords “rife with obscure characters, capital letters and numbers.”
For example, “N9ke*2#Q@” would have impressed Mr. Burr at the time. He also recommended changing passwords frequently, every 90 days or so. His advice made sense intuitively – passwords made up of cryptic non-words would seemingly be more difficult to crack and before anyone had the chance to really try, they would be changed anyway. Based on this level of confidence, government agencies, universities and the corporate world largely adopted the recommended practice and many people certainly follow similar advice today.
But according to Mr. Burr, who is now 72, he blew it in 2003. Surprisingly perhaps, a password like “N9ke*2#Q@” is not as hard to crack as it looks, because people do not actually choose such strings at random: they start from a word and decorate it with substitutions, a digit and a symbol, and attackers know the pattern. In his comic “Password Strength,” cartoonist Randall Munroe worked through a password built that way (“Tr0ub4dor&3”), credited it with about 28 bits of entropy, and calculated that an attacker making 1,000 guesses a second would run through every possibility in about three days. Other specialists confirmed the arithmetic. Against a leaked password database, where an attacker can test billions of guesses a second offline, the same password falls in well under a second. Additionally, it turned out, not surprisingly, that a string of letters, numbers and symbols with absolutely no meaning is difficult to remember. This led to a proliferation of resets and a continually expanding number of passwords to track.
What about the common-sense protection Mr. Burr recommended, changing a password every 90 days? Well, it turns out that the average user doesn’t have the time, patience or discipline to create a wholly new password every 90 days. It becomes a lot easier to simply add a 1, 2, 3 and so on to the end of the existing password, which hands an attacker who has learned the old password a predictable guessing formula for the new one.
In June 2017, NIST published a rewrite led by Paul Grassi (Special Publication 800-63-3), essentially starting from scratch. The new guidance drops the composition rules that produced nonsense strings of letters, numbers and symbols and favors length instead, for example a series of unrelated words run together (“lampstationforestmoon”). Similarly, others have suggested tossing the nonsense passwords and replacing them with a phrase that has some meaning to the user. For example, “Whis3tl$e4” might be replaced with “Iliketowhistleinmycar”. And what does our cartoonist, Mr. Munroe, think? His calculation found that four common words chosen at random (about 44 bits of entropy) would take an attacker making 1,000 guesses a second over 500 years to exhaust. Two caveats follow from how that number is reached. The words must be picked at random rather than forming a sentence: a grammatical phrase such as “Iliketowhistleinmycar” is far more predictable than the same number of words in random order. And the 1,000-guesses-a-second figure models an online attack against a login form; against a leaked database an attacker guesses billions of times a second, and 44 bits then last minutes, not centuries, so more words are needed for secrets that may be attacked offline.
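To make the arithmetic behind the three-day and 500-year figures reproducible, here is an added Python example; it is not code from the article, from NIST or from xkcd. The guess rates (1,000 per second for an online attack, as in the comic; 10^10 per second for an offline attack on a leaked fast hash), the 94-symbol printable alphabet and the 2,048- and 7,776-word list sizes are my assumptions, and the 28-bit breakdown follows the comic’s accounting. The example goes beyond the article’s two cases: it also rates a genuinely random 9-character string and shows how many random Diceware words are needed to hold up against offline cracking.

```python
"""Entropy and guess-time estimates for the password styles discussed above.

Added example (not from the article, NIST or xkcd). The guess rates, the
alphabet size and the word-list sizes are assumptions stated inline.
"""
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed attacker speeds. xkcd 936 used 1,000 guesses/s, a plausible rate
# for an online attack against a login form with no lockout. A GPU rig
# attacking a leaked fast hash (MD5, SHA-1, NTLM) reaches roughly 1e10/s.
ONLINE_GUESSES_PER_SEC = 1_000
OFFLINE_GUESSES_PER_SEC = 10_000_000_000


def uniform_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy when every symbol is drawn uniformly at random (by a generator,
    not a human picking a word and decorating it)."""
    return length * math.log2(alphabet_size)


def wordlist_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly from a list of list_size."""
    return word_count * math.log2(list_size)


def munroe_pattern_bits() -> int:
    """Entropy budget xkcd 936 assigns to a 'Tr0ub4dor&3'-style password.

    The attacker is assumed to know the pattern (word + substitutions +
    digit + symbol), so only the choices made within the pattern count;
    the size of the character set is irrelevant.
    """
    components = {
        "uncommon base word": 16,
        "capitalisation": 1,
        "common substitutions": 3,
        "numeral": 3,
        "punctuation": 4,
        "numeral/punctuation order": 1,
    }
    return sum(components.values())


def worst_case_seconds(bits: float, guesses_per_sec: float) -> float:
    """Seconds to try the whole space; the expected time is half of this."""
    return 2.0 ** bits / guesses_per_sec


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of random words from the list reaching target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def human_time(seconds: float) -> str:
    """Round a duration to the unit a reader will actually compare."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def compare() -> dict:
    """Worst-case crack time for each style at both rates."""
    styles = {
        "Tr0ub4dor&3 pattern (xkcd)": munroe_pattern_bits(),
        "4 random words, 2048-word list": wordlist_bits(4, 2048),
        "9 random printable chars": uniform_string_bits(9, 94),
        "7 random words, 7776-word Diceware list": wordlist_bits(7, 7776),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "online": human_time(worst_case_seconds(bits, ONLINE_GUESSES_PER_SEC)),
            "offline": human_time(worst_case_seconds(bits, OFFLINE_GUESSES_PER_SEC)),
        }
        for name, bits in styles.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:42} {row['bits']:5} bits  "
              f"online: {row['online']:>16}  offline: {row['offline']}")
    print("Diceware words for 80 bits:", words_needed(80, 7776))
```

Running it reproduces the comic (28 bits: about 3.1 days online; 44 bits: about 557 years online) and then shows the offline picture: four words from a 2,048-word list last about half an hour against a GPU rig, while a random 9-character string lasts about two years and seven Diceware words effectively forever. The lesson is that length (more random words) buys more than character-class decoration, and that the safe number of words depends on whether the hash can be attacked offline.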
Likewise, the advice to change passwords every 90 days has been discredited. After Lorrie Cranor became the Federal Trade Commission’s chief technologist, she questioned an official agency tweet reading, “Encourage your loved ones to change passwords often, making them long, strong and unique,” and reviewed the research behind it. The longstanding support for forced rotation rested largely on a belief that frequent changes would stymie attackers who might already be situated inside an organization. The research she cited found instead that users respond to forced changes with predictable transformations of the old password, which an attacker who knows the old one can guess quickly. NIST’s 2017 guidance accordingly tells verifiers not to require periodic changes, and to force a change only when there is evidence that the password has been compromised.
The Touch ID Fix
In late 2011 and early 2012, AuthenTec, Inc., a semiconductor firm specializing in computer and mobile security, identity management, biometrics and touch control, discussed a new fingerprint-sensor product, the technology that became Touch ID, with a number of the leading consumer electronics companies of the time. All took a pass except Apple, Inc., which acquired AuthenTec in July 2012. The rest isn’t just history but another example of the persistence Steve Jobs, who had died the previous October, had shown for a product in which he passionately believed.
Jobs’ interest in simpler ways to “sign on” to the iPhone started in 2007 and was underscored by his hatred of log-ins and passwords. Though signing in didn’t seem tremendously time-consuming at that point, Jobs accurately foresaw, and helped create, a future in which the iPhone would be not just a device for making phone calls but a repository of personal information and a channel for constant communication. Consumers would soon be overwhelmed by the need to sign in many times a day. Even then, many consumers were adopting the risky practice of setting no passcode at all.
Starting with the “Touch to Open” feature, Apple’s team built on the AuthenTec acquisition to develop the full Touch ID feature. Though others had shipped some form of fingerprint-recognition hardware and software earlier, Apple introduced Touch ID with the iPhone 5s in 2013, generated a huge wave of consumer adoption, and led the mobile biometrics market for a long time afterward.
Today the use of fingerprint identification is common, with market penetration reported as accelerating from 20% in 2015 to 50% today. Fingerprint authentication (Touch ID on Apple devices) is now routine for banking apps, online payment and enterprise access.
Diligent, which provides secure portals and board-management software to more than 145,000 client users at over 4,700 organizations, applies a high level of security to ensure that board communications and decision making are protected. To keep that protection while fostering efficiency, Diligent supports Touch ID on iPads and iPhones, eliminating the need to enter a password every time. Note that Touch ID does not replace the password: a successful fingerprint match releases a credential stored on the device, so the account password still exists, can still be used to sign in, and still needs to be long and unique.