Think your internet password is safe? Think again...

Are you one of those naive types who believes that choosing the name of your first pet as an internet password is going to protect you from hacking and fraud? Be very, very afraid, warns Memphis Barker, who has discovered some deeply unsettling facts about the increasing sophistication of data breaches.

Until the beginning of this month, I used one tinpot password for pretty much all my activity online. Eight characters long – without numbers or symbols – its prime value was sentimental, the product of a relationship that started in the era of the floppy disk. Then paranoia struck. On 1 February, 250,000 Twitter passwords were stolen by hackers. Had the hackers cracked mine – and found their way to the Gmail and bank account daisy-chained to it – well, they wouldn't quite have been able to retire, but the fear (and raunchy spam I'd been a vessel for) was enough to spook me into a radical overhaul of my online security.

I won't pretend this is a dramatic tale. It is, however, a drama relevant to many garden-variety internet users. As work and social life shift on to the internet, and people freight their profiles with more valuable data, there's growing consensus that passwords – 'icecream', 'tomcat', 'loveyou' – are no longer up to the job of keeping out intruders (be they 14-year-old 'script kiddies' or state-sponsored agents). Passwords can be forgotten, guessed, tricked or stolen from databases. Bill Gates was among the first – almost 10 years ago – to pronounce them "dead"; now the reedy voice of Microsoft's founder has been joined by a chorus of hundreds – from hacked individuals to governments to Google itself.

These password-o-phobes foresee higher hurdles. More complexity. Biometrics. Soon, many hope, you will sign in to your bank or email via fingerprints, voice recognition or the veins in your palm.

Alarm bells have been ringing for security professionals more or less continuously over the past three years. In 2011, the number of Americans affected by data breaches increased 67 per cent. Every quarter, another multinational firm seems to trip up. PlayStation was a larger casualty, forced to pay $171 million (£112.8m) to protect gamers after its network was broken into. Before Twitter went down, 6.5 million encrypted passwords were harvested from LinkedIn, 250,000 of which later appeared 'cracked open' on a Russian forum. ('1234' was the second most popular choice; 'IwishIwasdead' and 'hatemyjob' appeared on one occasion each.) Now all these once-precious words have been added to gigantic lists that hackers can spin against other accounts in future attacks.

It seems security fears spread best, however, from person to person. Late last year, Wired published a cri de coeur from writer Mat Honan, detailing how hackers destroyed his digital life in an attempt to steal his prestigious three-letter Twitter handle, @mat. Much of Honan's work – and pictures of his newborn child – were wiped. Dire warnings ("you have a secret that could ruin your life… your passwords can no longer protect you") punctuate the report – and in the two days after it was published, a quarter of a million people (myself included) followed Honan's advice and signed up for Google's two-step verification process. If his story doesn't do it for you, try the woman held to ransom for her email account, or ex-President George W Bush, who found images of his paintings hacked and published across the web.

But a long queue of critics doesn't mean that everyone is sliding away from passwords. "Despite their imperfections," says Dr Ivan Flechais, a research lecturer at Oxford University's Department of Computer Science, "they're convenient and a cheap option for developers… I don't see passwords changing across the board anytime soon." This line has been unwaveringly accurate since the first articles dismissing passwords appeared in 1995.

And internet users who don't own valuable Twitter handles – or weren't aware there was a market for such things – might be thankful to find a body of opinion sticking up for the right to use whatever brittle codes they choose. Reluctance is understandable. At the moment, safer also means more time-consuming. That half a second needed to chug through the memory for a complex password ("*874 or 8*47?") or go through Google's two-step process (which pings a code to the user's telephone), can feel gratingly out of sync with the warp-speed of modern computer habits. Chip-and-pin devices for online banking are still seen by most as a necessary evil.

Can we just armour-plate existing password technology? To an extent, yes. Nineties security gurus advised going h@ywire w1th symb()ls to keep out intruders – but free hacking software now available has common substitutions learned by rote, so besides frying the human brain (which struggles to deal with mixed alphabets), these are of comparatively little use today. Instead, passphrases are in vogue, chains of dictionary words – such as 'battery connect horse staple' – that generate a hardy level of length and randomness. Mine (seven in total) include the middle name of a writer, a fictional beast and a species of plant.
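To put rough numbers on that comparison, here is an added example (not from the article) that estimates the guessing work for a symbol-substituted dictionary word, a random lowercase string and a multi-word passphrase. The substitution table, the 100,000-word dictionary and the 7776-word passphrase list (the size of a Diceware list) are assumptions chosen for the illustration.

```python
import math

# Substitutions a cracking rule set is assumed to try for each letter. The
# table is an assumption for this example; it mirrors the article's own
# examples (a -> @, i -> 1, o -> ()).
LEET_SUBS = {"a": "4@", "e": "3", "i": "1!", "o": "0()", "s": "5$", "t": "7"}


def random_string_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def leet_variants(word):
    """Number of spellings a rule set produces from one dictionary word when
    each letter may be kept or swapped for any of its substitutions."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(LEET_SUBS.get(ch, ""))
    return count


def mangled_word_bits(word, dictionary_size):
    """Bits of work to guess a substituted dictionary word: choose the word
    from the dictionary, then choose one of its rule-generated spellings."""
    return math.log2(dictionary_size) + math.log2(leet_variants(word))


def passphrase_bits(word_count, list_size):
    """Bits of a passphrase whose words are drawn uniformly from a word list."""
    return word_count * math.log2(list_size)


def compare(word="tomcat", dictionary_size=100_000, list_size=7776, words=4):
    """Return the three estimates side by side (all parameters are assumed)."""
    return {
        "mangled_dictionary_word": mangled_word_bits(word, dictionary_size),
        "random_8_lowercase": random_string_bits(8, 26),
        "four_word_passphrase": passphrase_bits(words, list_size),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:<24} {bits:5.1f} bits")
```

Under these assumptions 'tomcat' with every substitution tried is still only about 22 bits of work, well below the roughly 52 bits of a four-word passphrase.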

In the unwillingness to ditch passwords altogether, some spot a gap in the market. Ravel Jabbour, formerly part of a password research team at the American University of Beirut, argues that any biometric replacement technology (such as fingerprint verification) will have to be "state of the art" and most likely "costly to implement at a wide scale". The solution developed by Jabbour – an amateur drummer – is admirably make-do-and-mend. While a hacker might never be prevented from guessing or stealing a word, he realised that if users had to remember a 'beat' to which the word was typed in (say 'W.o…..r.d') then the code alone would be so many useless letters: its key locked in a user's head. Jabbour's idea flamed through the press but, without commercial investment, falls into the category of unrealised brainwave.

But what do hackers themselves think? Matthew Gough, Principal Security Analyst at Nettitude, an ethical hacking firm, says ideas like Jabbour's are a "stop-gap". He should know. As an ethical hacker, Gough makes a living from finding the weak points in a company's security ("I'm trained to break stuff," he says). He looks nothing like the hacker of stereotype – he's tall, clean-shaven and, when we meet in the Independent offices, is wearing a blue-and-white gingham shirt under a smart fleece. I had hoped he'd take a crack at my new personal passphrases, but Gough declined. His trade has regulations. Plus, since I was standing in front of him and asking for it, he'd lost the critical element of surprise.

When it comes to the identikit internet user, suggests Gough, hacks are carried out most often not through a crack or a guess but via what's known as "social engineering": tricking us into giving up our passwords, either through clicking on a bad link ("phishing") or sleight of hand. "If you stopped 10 people in the street with an appropriate story," he says, "you'd get one or two to give their passwords up." Gough once infiltrated a private company's legal team for a week, nobody questioning the alibi that he was "needed for IT". It is, he says, this unreadiness for attack that hackers – ethical and otherwise – prey on most. "Most people just aren't aware of the threat."

That may be true. But the clearest sign the password could soon be usurped – and the threat lifted off our gullible shoulders – can be worked out from the players involved in the race to redefine online security. Google and Intel are among those kicking up dust, so too the FIDO alliance, a group whose members include Paypal. The first to come up with a not-too-boring solution will gain an invaluable market share.

Google, for example, wants us to put a ring on it. Eric Grosse, their vice president of security, co-authored a paper published in late January starting from the familiar point that passwords are "no longer sufficient to keep users safe" and revealing his company's response – a tiny USB card that logs you into your Google account, or a smart-card embedded finger ring that can sign you in to a computer through a single tap. Grosse doesn't claim these are for certain the answer to our security woes; he does claim, however, that if it's not them, it will be "some equivalent piece of hardware".

Google's ubiquity gives them something of a head-start. But qualms have gathered like static.

First, as Nettitude's Gough points out: people will "lose [these devices], break them, or have them stolen". Second, fashion and tech don't always sit pretty together. To the only semi-security-conscious, a Google ring might feel like an uncomfortably concrete pledge of allegiance to the internet giant. "Till death do us part…" etc.

Move a technological step forward – to biometric authentication – and the ring or key becomes part of the human body itself. Biometrics remove the need to stash a token about one's person, and a hand or finger or iris can never be pilfered. Sridhar Iyengar, director of security research at Intel Labs, has developed a palm-vein sensor.

Unlike fingerprints, which aren't completely unique (they have a one in a million repeat rate) and – if you leave a fingermark on your computer – can be cracked with the aid of a gummy bear (YouTube it), the veins in your palm have no partner on Earth, according to Iyengar. In Japan, where touch is avoided as much as possible, this style of sensor already grants citizens access to cash machines.

There are drawbacks here too, both in terms of the cost of technology itself and sceptical public opinion. But one of the main fears about biometric authentication, explains Iyengar, is something of a chimera. UK citizens guard privacy seriously. While government-issue ID cards are the norm in Nordic countries and India, the idea was reeled in over here after a hail of criticism. The prospect of registering one's own body parts to some shady central database, then, is unlikely to appeal. Cloud storage systems (like LinkedIn's) have been breached before and will be again.

But the benefit of biometric measures like Iyengar's is that the security circle starts and finishes with the user. Should palm-vein sensors win market-share, your palm's special pattern will be verified by the sensor alone, not checked against a record held centrally by Intel – so a break-in would be immaterial.

Does this mean they'll be commonplace in five years' time? It's a gamble. IBM predicted biometrics would go mainstream by 2015 but sound a more cautious note today. Ian Robertson, executive architect of IBM's privacy and security practice, tells me that developers see it as a "chicken-and-egg" problem: they'll only launch a fingerprint verification system, for example, when "confident that a very high proportion of their customers were in a position to use it".

There is one point of agreement. Representatives of Google, Intel and IBM all foresee a world in which our main security device will be the mobile phone. Always in our pocket, its 'smartness' can be harnessed to perform the role of high-tech key. The most likely mid-term step, says Robertson, will see log-on devices like Google's USB "become yet another 'app' on a smart-phone". In the "long-term", he adds, we may see "biometric readers on mobile phones". At which point, hacking would presumably become a far less appealing career and we could go back to worrying about what our emails say, not who might be snooping.

In part, progress depends on us – the web's innocent masses. It's been four weeks since I changed my password to a cavalry of new passphrases, and muscle memory still sees the old beloved word (a retro chewy sweet) typed into password boxes across the web. Companies will struggle to create security that gets under this convenience limbo. But the web is a darker place than most of us realise, and while we wait for better technology to filter through, it's probably best to get used to slowing down and locking up. Bad passwords are as out of date as 'whambars' (no going back now).
