Humans are unique. The never ending refining process of evolution works within every generation to produce unique tokens of the same type: all humans and all wonderfully diverse and one-of-a-kind. This is why biometrics make for such wonderful authentication factors. Born unique and grown to be even more so, nothing says “you are you” better than your body.
“Hold on!” an objector might say. “What about the human imagination? Surely that fantastic space of limitless possibility can out-unique the blind watchmaker.”
As much as it’s a romantic idea – especially during an era that promotes the brain over the body so much – to think that the mind can out perform the body, statistics taken from a 2011 survey on the most common passwords, taken from a group of 6 million unique usernames, is enough to end the war between biometrics and brain-generated passwords once and for all.
Forget for a moment that during the iPhone 5S announcement Apple dropped the statistic that more than 50 percent of all smartphone users don’t even protect their mobile devices with PIN codes. According to data which lists the 10,000 most commonly used passwords on the Internet – compiled by the author of Perfect Passwords, Mark Burnett – uniqueness is practically non-existent in the realm of user-made online security.
It reads like a joke, but the number one most common password in use by English speaking Internet users in 2011 was actually “password”, in use by 4.7 percent of the 6 million users. Let that sink in for a moment: one username in 25 allowed account access when the word “password” was entered into a text field literally labelled “password”.
The list continues, showing the staggering depth of complexity the human mind is capable of when creating a code used to protect things like financial information and critical business information. The second most popular password is “123456” followed by the slightly more complex “12345678”. It can be argued that the logic behind this is to fool hackers, who would assume that people would generally protect the most important parts of their lives with at least a modicum of care, but unfortunately for the clever trickster who thinks “qwerty” (ranked fifth most common) or “baseball” (coming in at number nine) is too obvious for an intruder to guess, a brute-force attack doesn’t care how tricky you think you are.
In the end, 91 percent of all usernames sampled by Burnett fall into the 10,000 most common: a list largely dominated by curse words, linear number sequences and references to The X-Files. It is easy to laugh at the folly of the common user, but in his defense, proper password practices are difficult to enact, and even then, said protocols are far from secure.
Luckily, advances in mobile identity technology are solving this problem head on by creating highly secure authentication methods that are built in to the user experience and even easier to use than typing a sequential series of eight numbers. Fingerprint sensors are being integrated into smartphone design at an accelerating rate, and passive authentication methods (also known as invisible biometrics) are allowing for extra layers of security to be added on without the user having to do anything but go about her business.
With these kind of alternatives becoming increasingly available, and considering the average user’s unwillingness or apathy when it comes to proper password practice, we are finally in a position where it is necessary to leave our cute and naive notions of online security behind.
To be a part of the dynamic discussion surrounding the post-password paradigm that we are now entering, register for Monday’s webinar “The Password is Dead!” Presented by FIDO Alliance President Michael Barrett and founding FIDO member Phil Dunkelberger, CEO of Nok Nok Labs, the conversation stands to get to the heart of exactly why open universal standards for strong online authentication are needed now more than ever, and what the rapidly growing Alliance is aiming to do about it.