
Passwords: The horrible security we all use

Elizabeth Weise
USATODAY

SAN FRANCISCO — Winston Churchill once said democracy is the worst form of government ever tried — except for all the others. The same could be said of computer passwords.

They are annoying, insecure and cumbersome. Even with the recent rise in two-factor authentication, nothing has fully supplanted them, and they remain a crucial portion of most computer security.

Passwords protect everything from banking systems to industrial processes to payroll — so companies need them to be secure.

And yet a surprising number of businesses don't even use them well. Just 59% of companies surveyed in 2014 had adopted account or password-management policies in line with the Commerce Department's Cybersecurity Framework.

With the barrage of breaches in the news recently, more and more companies are using two-factor authentication to provide extra protection to their networks.

That double requirement makes the system "very, very secure," said Piero DePaoli, who directs Web security for Symantec, the Mountain View, Calif.-based security company.

Two-factor authentication requires two steps to enter a system, adding a second layer of protection. One is something you know, like a memorized password. The second factor comes from something you have and can come in multiple forms.

Some systems use a magnetic strip card or cards with embedded computer chips.

Others involve hardware tokens, known as fobs, which generate random numeric passwords. In some, the number appears on a tiny screen and the employee must type it into the computer, in addition to a password.

Others transmit the code themselves when in physical contact with or close proximity to the computer.

One popular format is the Yubico key, which is inserted into a computer's USB slot. The user must also touch a finger to a gold disk on the key, which uses the electrical charge of skin to ensure that a physical person is behind the attempt, said Jerrod Chong, the Palo Alto, Calif., company's vice president of sales engineering.

Increasingly, companies are moving to mobile devices for the second factor. A second code is sent to the phone, which the employee must also type into their computer to gain access to the network.

Phones work well because people never let them out of their sight, said Nick Nikols, a security analyst with Gartner. "People might leave home without their fob, but how many times do they leave without their phone?"

Another type of second factor is based on something you are.

These turn up in movies, where the heroes have to get past iris scanners or facial recognition software to get to the nuclear code room/bank vault/secret alien research facility.

They are called biometric authentication schemes because they're based on a measurement of the user's biology — the pattern of their retina, the swirls on their finger, the outline of their hand, the spectrogram of their voice.

While providing strong protection, they have issues. They're expensive to implement and more of a hassle, and false positives and negatives can be a problem.

"For a while, a lot of laptops were sold with a thumbprint reader built into them. In the end hardly anyone uses them given the difficulty of registering them and setting them up," said Nikols.

He believes they'll eventually become easier to use and more popular, but for now they haven't caught on.

Clearly, no one's yet come up with a perfect system — secure, inexpensive, easy-to-use and with a low rate of false positives or negatives.

One way to strengthen them all is a technique called real-time risk analysis.

"If a user is coming in from their normal machine in San Francisco within 9 to 5 Pacific Time, that's less risky than if a user is coming in from a brand-new iPad that the system has never seen before, from a Chinese coffee shop in the middle of Sunday night," said Andras Cser, a security analyst with Forrester Research.

If they're working from home on a computer they've used before, the system could see they're just trying to play Angry Birds, in which case "they don't have to go through a three-part authentication process. But if they want to approve an expense report, they do," said Kayvan Alikhani, senior director of technology at the security company RSA.
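The step-up decision the analysts describe, written out as an added example (it is not code from the article or from any of the companies quoted in it): a login is scored on whether the device, location and time of day match the user's normal pattern, the sensitivity of the requested action is added on top, and the score decides how many factors the user must present. The user records, device fingerprints and the fixed Pacific Standard Time offset are constructed for the example.

```python
"""Step-up authentication from real-time risk signals (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed records for a hypothetical user; a real deployment would read
# these from device registration and HR/directory data.
KNOWN_DEVICES = {"alice": {"laptop-sf-01"}}
HOME_COUNTRY = {"alice": "US"}
SENSITIVE_ACTIONS = {"approve_expense_report"}
# Pacific Standard Time as a fixed offset; DST handling omitted for brevity.
PACIFIC = timezone(timedelta(hours=-8))

@dataclass
class LoginContext:
    user: str
    device_id: str      # fingerprint of the machine presenting the session
    country: str        # geolocated from the source address
    when_utc: datetime  # time of the attempt, timezone-aware UTC
    action: str         # what the user wants to do once signed in

def risk_score(ctx: LoginContext) -> int:
    """Sum weighted signals; higher means further from the user's norm."""
    score = 0
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += 2  # never-seen device, like the brand-new iPad
    if ctx.country != HOME_COUNTRY.get(ctx.user):
        score += 2  # unusual location
    local = ctx.when_utc.astimezone(PACIFIC)
    if local.weekday() >= 5 or not 9 <= local.hour < 17:
        score += 1  # outside the 9-to-5 weekday window
    if ctx.action in SENSITIVE_ACTIONS:
        score += 3  # consequence of the action, independent of the login
    return score

def required_factors(ctx: LoginContext) -> list[str]:
    """Map the score to the factors the user must present."""
    score = risk_score(ctx)
    factors = ["password"]           # something you know, always required
    if score >= 1:
        factors.append("otp")        # something you have
    if score >= 3:
        factors.append("biometric")  # something you are: the three-part flow
    return factors

# Constructed sample logins: a Tuesday at 11:00 PST and a Sunday at 02:00 PST.
TUESDAY_MORNING = datetime(2015, 1, 13, 19, 0, tzinfo=timezone.utc)
SUNDAY_NIGHT = datetime(2015, 1, 11, 10, 0, tzinfo=timezone.utc)
NORMAL_LOGIN = LoginContext("alice", "laptop-sf-01", "US", TUESDAY_MORNING, "play_game")
EXPENSE_LOGIN = LoginContext("alice", "laptop-sf-01", "US", TUESDAY_MORNING, "approve_expense_report")
ODD_LOGIN = LoginContext("alice", "ipad-new", "CN", SUNDAY_NIGHT, "play_game")
```

Running `required_factors` over the three sample contexts gives password only for the familiar weekday login, and the full three-factor flow both for the expense-report approval and for the unknown device abroad at an odd hour.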

Looking toward the future, companies like Google, PayPal and Microsoft created an organization called the FIDO (Fast Identity Online) Alliance in 2012. FIDO is working to come up with industry standards for online authentication, which would make all of this a lot easier and far more secure.

"That's where the market needs to be," said Chong. "But we're not there yet."
