Why do we keep using bad passwords?

We have used passwords and codes for hundreds of years, yet our security habits seem hardly to have evolved. A new survey from Qualtrics and Okta shows that users' password management is still far from ideal.

For several years we have seen lists of the "most commonly used passwords", and "123456", "password" and "111111" regularly top them. Other common entries are "666666", "654321", "!@#$%^&*", "charlie", "password1" and "donald".

What is more alarming is that almost 40% of the participants in the "Okta Business@Work 2019 Report" said they use the same two to four passwords for almost everything, and a full 10% use one password for everything. That means the same password protects their work login, their banking app, their Tinder account and their Facebook profile. Given the large number of breaches in recent years, an attacker who obtains that one password from any breached site can replay it against every other service the victim uses (credential stuffing). The study also shows that 10% of people have used one of the top 25 worst passwords (some of them listed above), so an attacker does not even need to breach a server: trying a handful of passwords from the list against a long list of accounts (password spraying) will get them into far more places than it reasonably should in this day and age.
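The spraying attack described above has a recognisable signature in authentication logs: one source failing against many different accounts in a short window, rather than many failures against one account. The following detection is an added example, not code from the original article, from Okta or from Covr; the log lines are constructed for the example, the log format is an assumption, and the window and threshold are illustrative defaults.

```python
"""Spotting a password spray in authentication logs.

Added example (not from the original article or from Okta): a spray tries a
few passwords from the "worst passwords" list against many different
accounts, so the signature is one source failing against many distinct
usernames in a short window, rather than many failures against one user.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system).
# Format per line: "<ISO timestamp> <OK|FAIL> <username> <source ip>".
SAMPLE_LOG = """\
2019-03-01T08:00:01 FAIL alice 203.0.113.7
2019-03-01T08:00:03 FAIL bob 203.0.113.7
2019-03-01T08:00:05 FAIL carol 203.0.113.7
2019-03-01T08:00:07 FAIL dave 203.0.113.7
2019-03-01T08:00:09 FAIL erin 203.0.113.7
2019-03-01T08:00:11 OK frank 203.0.113.7
2019-03-01T08:05:00 FAIL alice 198.51.100.2
2019-03-01T08:05:30 FAIL alice 198.51.100.2
2019-03-01T08:06:00 OK alice 198.51.100.2
2019-03-01T09:30:00 FAIL grace 192.0.2.9
"""


def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return sorted(events)


def detect_spraying(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {source_ip: finding} for every source that produced failed logins
    against at least `min_distinct_users` different accounts within `window`.

    The finding lists the sprayed accounts and any account that logged in
    successfully from the same source after the spray started: those are the
    accounts most likely to be using a password from the list.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until fails[start:end+1] fits in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {e[2] for e in fails[start:end + 1]}
            if len(users) >= min_distinct_users:
                spray_start = fails[start][0]
                successes = sorted({e[2] for e in evs
                                    if e[1] == "OK" and e[0] >= spray_start})
                findings[ip] = {"sprayed_users": sorted(users),
                                "successes_after_spray": successes}
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(ip, "sprayed", finding["sprayed_users"],
              "then succeeded as", finding["successes_after_spray"])
```

Note that the second source in the sample (one user failing twice and then succeeding) is the ordinary typo pattern and is not flagged; a per-user lockout rule would catch brute force against one account but miss a spray entirely, which is why the count is of distinct usernames per source.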

Of course, with all the accounts we have today, remembering 10-20 different passwords, many of which policies still require to be changed regularly, is not easy. This has driven a large number of users to write their passwords down, and unfortunately they often keep them near the computer so they always know where they are. More than half of the people in the survey store their passwords on a piece of paper, on a sticky note, in a file on the desktop or in the phone's notes app. None of these can be considered secure.

Luckily, there is also a strong rise in the use of multi-factor authentication apps and solutions. Even better, a decreasing number of such systems use SMS for verification, since SMS codes have proven easy to intercept through SIM-swap fraud and redirection inside the carrier network. The Okta study shows that 70% of companies use two to four factors for authentication, and 29% use more than four. This, however, increases complexity for the users, and as we all know, complex systems are the mother of shadow IT.

So, when choosing a multi-factor authentication system, security is not the only thing to consider. Users must find it easy to use and feel that it provides a reasonable level of security. An overly complex system is frustrating to use and invites the question of why such complexity is needed. In other words, you need a system that offers both security and simplicity. And please, use a password manager that stores your passwords securely, so you do not have to write them on sticky notes and stick them to your screen.

What is the preferred authentication method?

In recent years, being able to prove who you are has become more important. Companies and online services need to verify their users and use different methods to do so. We started with ever more complex passwords, but more and more services are moving to two-factor or multi-factor authentication. But which method is actually preferable, from both a security and a user-experience perspective?

Passwords so complex that you cannot remember them yourself have proven a rather poor way of securing online accounts. Bill Burr, a former manager at the National Institute of Standards and Technology (NIST), wrote the original NIST Special Publication 800-63 password guidance in 2003, on which most of today's password rules are based: mixed character classes, special characters and regular changes. Burr has since said that he did not really understand how passwords were attacked at the time, and NIST's own 2017 revision (SP 800-63B) dropped the composition rules and mandatory periodic changes in favour of a minimum length, support for long passphrases, and checking candidates against lists of commonly used or breached passwords. A better way to create a safe password is therefore to put together three or four unrelated words, giving a longer password that is still reasonable to remember.
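What the revised guidance looks like as an acceptance check, as an added example that is not from the original article and is neither NIST's nor Covr's code: no composition rules, a minimum and generous maximum length, rejection of repetitive or sequential strings and of the username or service name, and a blocklist lookup. The blocklist here is constructed from the passwords named in this article; a real deployment loads a large breached-password list. Stripping trailing digits and symbols before the lookup is a heuristic of this example, not a NIST requirement.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B.

Added example, not from the original article and not NIST's or Covr's code.
No composition rules: instead the candidate is rejected if it is too short,
repetitive or sequential, contains the username or service name, or matches a
blocklist of common passwords (also after stripping the usual trailing
digits/symbols, a heuristic of this example, not a NIST requirement).
"""
import re
import unicodedata

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # SP 800-63B: at least 64 characters must be accepted

# Constructed blocklist built from the passwords named in the article; a real
# deployment loads a large list of breached/common passwords instead.
COMMON_PASSWORDS = {
    "123456", "password", "111111", "666666", "654321",
    "!@#$%^&*", "charlie", "password1", "donald",
}

# "Password1!" and "Donald2019" are still "password" and "donald" to an attacker.
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.]+$")


def is_repetitive_or_sequential(s):
    """True for 'aaaaaaaa', '12345678', 'abcdefgh', 'zyxwvuts' and the like."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password(candidate, username, service):
    """Return (accepted, reason). Length is counted in code points after NFKC
    normalization, so multi-byte characters are neither penalised nor double-counted."""
    secret = unicodedata.normalize("NFKC", candidate)
    if len(secret) < MIN_LENGTH:
        return False, "too short"
    if len(secret) > MAX_LENGTH:
        return False, "too long"
    lowered = secret.lower()
    if is_repetitive_or_sequential(lowered):
        return False, "repetitive or sequential"
    for context in (username.lower(), service.lower()):
        if context and context in lowered:
            return False, "contains username or service name"
    if lowered in COMMON_PASSWORDS or TRAILING_JUNK.sub("", lowered) in COMMON_PASSWORDS:
        return False, "common password"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["123456", "Password1!", "Donald2019", "aaaaaaaaaa",
               "alice-secret", "tangerine bicycle lantern otter"]:
        print(repr(pw), check_password(pw, "alice", "example.com"))
```

The four-word passphrase passes every check while "Password1!" fails, even though the latter satisfies every classic composition rule; that is exactly the inversion the 2017 revision was about.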

But a password alone has proven insufficient; just look at the Heartbleed bug in OpenSSL in 2014, which let attackers read chunks of server memory, including passwords and session tokens, from affected servers. Over the years there have been many reports of passwords being compromised through breaches or simple mistakes. So, to stay safe, there should be some other way of proving you are really you.

The answer has come in the form of two-factor authentication: you use your password to log in and are then prompted on a different device (often your mobile phone) to confirm that it is you attempting the login. This ensures that you are really you, at least in theory. Many services started by sending a passcode by text message that you entered to confirm the login. Lately, however, there have been numerous reports of such text messages being redirected to another phone, through SIM-swap fraud or weaknesses in the carrier network, which makes the authentication process insecure again.

Many companies, such as Google, have therefore created their own apps. With an authenticator app the code is not sent at all: it is generated on the phone itself from a secret shared when the app is enrolled, so nothing travels over the carrier network. In countries such as Sweden, the banks have joined forces and created Bank-ID, which is linked to the citizen's personal identity number. The problem with these is that they do not work globally or universally across platforms. In Google's case the code generator follows the open TOTP standard, so any provider can use it, but Google's own push prompts are tied to a Google account and thus to Google's login system, which many service providers may find undesirable. In the case of the Swedish Bank-ID, you must have a Swedish personal identity number and a Swedish bank account.
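The mechanism behind such apps, and why nothing needs to be "sent", is time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226): phone and server share a secret at enrolment and each derives the same six- or eight-digit code from that secret and the current 30-second time step. The implementation below is an added example, not the article's, Google's or Covr's code; it uses the shared secret from the RFC test vectors and also shows the server-side checks a practitioner wants, namely constant-time comparison, tolerance for clock drift, and refusal to accept a code twice.

```python
"""TOTP as used by authenticator apps (RFC 6238 on top of RFC 4226 HOTP).

Added example, not the original article's code and not Google's or Covr's
implementation. It shows why no code has to be "sent": both sides derive the
code from a secret shared once at enrolment and the current time.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the
    phone computes; the server computes the same value to verify."""
    return hotp(secret, int(for_time) // step, digits, digestmod)


def verify_totp(secret, code, now, last_counter=-1, step=30, digits=6, skew=1):
    """Server-side check. Returns the matched counter, or None.

    Accepts the current step and `skew` steps either side for clock drift,
    compares in constant time, and rejects any counter at or before
    `last_counter` so a code captured by phishing cannot be replayed within
    its window. The caller persists the returned counter as the new
    `last_counter` for that user.
    """
    counter = int(now) // step
    for c in range(counter - skew, counter + skew + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def provisioning_uri(label, issuer, secret, digits=6, step=30):
    """Key URI (otpauth://) that authenticator apps import from an enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(label)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={digits}&period={step}")


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real enrolment generates a fresh random secret per user.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri("alice@example.com", "Example", RFC_SECRET))
    print("code now:", totp(RFC_SECRET, time.time()))
```

A code is only as secret as the shared key, so the server must store that key as carefully as a password hash cannot be: it is needed in the clear for every verification, which is one reason push-based and public-key schemes are attractive alternatives.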

In other cases, the verification process requires several steps, which becomes a hassle for the user and reduces the willingness to use it. Since people take the path of least resistance, the user experience must be at the centre of the system. If logging in to your account is not easy, you will probably fall back to a less secure method instead.

Developing a universal, global multi-factor authentication system that is both secure and easy to use is therefore desirable and urgent. Luckily, several such systems are now being developed, and the one currently leading the charge towards secure and easy online verification is Covr Security. Covr is a Swedish company that has used the experience from the Swedish Bank-ID to create a system that is not tied to a vendor with its own agenda and works around the globe. The system is easy to use, easy to implement and designed to provide a high level of security. Simply put, it offers what you would ask for in a multi-factor authentication system.

Covr visits Israel to learn from their very active start-up scene

If you were to list the three start-up scenes in the world that produce the most unicorns (companies valued at over 1 billion USD), you would probably mention Silicon Valley, Sweden and Israel. So, for a Swedish tech start-up, it makes perfect sense to visit one of these hubs to learn from their experiences. Next week Covr is doing just that, and the reason? To make smarter decisions and better business in a global market!

In today's interconnected world, networking is one of the primary skills you need to master. Both companies and business gurus talk more about collaboration than competition, and as a company in a small market you quickly need to expand your network internationally. Covr is therefore taking a trip to Israel to exchange ideas, get inspiration and gain insight into how companies in similar, yet somewhat different, markets do things. The Swedish and Israeli markets are similar in the sense that both are too small for a company to make it on the home market alone. As a start-up you must see yourself as a global company from the start, but that also brings new obstacles and challenges. Taking the opportunity to learn from others in a similar position is nothing but a smart investment in your future business development.

Peter Alexanderson, Founder of COVR Security, speaks in Tel Aviv Fintech week, 5th of March 2019.

Covr's networking trip will hopefully generate ideas that position the company for rapid and profitable expansion as it gears up to bring its security solution to the global market. There is a considerable difference between expanding globally with the benefit of others' experience and going it alone, much like learning to drive with or without an instructor. Preferably the former.

We look forward to hearing the tales and lessons learned, and above all to seeing them implemented, as Covr takes identity validation and digital security to the next level for individuals and companies around the globe.