It may the name of your pet, child or favourite TV show, or something more obscure, but for most of us, having (and sometimes failing) to commit a password to memory is a very familiar ritual.
Since the Optus breach, millions of Australians both directly or indirectly affected have had cause to reflect on cybersecurity and how safe we feel from threats like identify fraud.
Passwords were not among the customer details leaked as part of the data breach, but experts say having weak or repeated passwords could still leave people vulnerable, especially as scams ramp up.
Other technology has already begun to replace passwords in some instances, but it’s predicted they will stay with us for decades.
We asked the experts about the main issues with passwords and how technologies such as passkeys will play a bigger role in cybersecurity in the future.
What’s wrong with passwords?
Major flaws with passwords are that people tend to choose easy, obvious combinations and use the same one across many sites.
A list of the most popular passwords in 2021 included 123456, qwerty and the word password itself among the most commonly used.
Paul Haskell-Dowlan, a cybersecurity professor at Edith Cowan University, said billions of passwords were already available online.
He said when people choose a password to use for a particular site, a copy is stored on a remote server.
“That means if that site is breached, and that data is extracted … then that password is known to a third party and potentially thousands or millions of people online if it’s published in a public forum,” Professor Haskell-Dowlan said.
“Hackers will take that password and try it on hundreds of other websites on the assumption that many people still use the same password on multiple websites.”
He said using a password manager was a good way to keep track of unique passwords across dozens of sites, and said the increasing use of multi-factor authentification (MFA) was helping to improve people’s security online.
MFA is a security measure that requires two or more proofs of identification, such as a pin, an SMS or email, to enable access to a site.
But Professor Haskell-Dowlan said only a “small proportion” of websites were using MFA despite the technology having been around for years.
He said “one positive” from the data breach may be to “get a lot of people talking about cybersecurity”.
How do passwords relate to the Optus breach?
Passwords may not have been part of the Optus data breach, but neglecting them could still pose a serious problem and leave people vulnerable.
Macquarie University cybersecurity expert Jeff Foster said while people affected by the breach are waiting to find out more details, they should review the security on key accounts.
“Take a look at those accounts that are most critical to you — so that’s your bank accounts, your superannuation, any brokerage accounts you have and your email accounts,” he said.
“Take a look at the security that’s set up on them. Have you updated your password? If you haven’t, change that password.”
Dr Foster said adding in MFA, where available, was wise.
He said the information leaked in the Optus breach — name, telephone number, email address and data of birth — was all information that could be used to reset an account.
“So even if they don’t have your password, they can go through and use that in order to gain access through other means,” he said.
Dr Foster said it was likely cyber criminals would take advantage of the general uncertainty in the wake of the breach.
“The spam calls, the junk calls and the general fraud are beginning already,” he said.
“There’s a third of the country that now believes that their documentation has been stolen, their identity has been stolen and that makes us easy targets for spam calls.”
What might replace passwords?
Over the coming years and months, a new type of password, known as a passkey, will become more common as it is rolled out by the major tech companies.
A pass key creates a unique pair of keys — one on your device, and one on the server of the site you’re trying to connect to — that have to pair up to enable access.
“The concept behind pass keys is to take away any concept of password,” Professor Haskell-Dowlan said.
“You don’t create a password, you don’t even let the computer create a password for you.”
“It creates a pair of keys and it does it completely transparently.
“It is completely unique to you, your device and the web server you’re connecting to.”
Professor Haskell-Dowlan said the concept behind the technology was not new, but its use in place of passwords was only just taking off.
Apple is the first company to introduce it as part of the 16th iteration of its mobile software — ios 16, while other tech companies such as Microsoft and Google are still developing their version.
Cyber CX principal consultant Jed Laundry said indidivual websites had to adopt the use of passkeys in tandem with tech giants creating software for devices like smartphones for the security measure to become widespread.
“This is not something that is just going to happen overnight,” he said.
“There’s a lot of infrastructure that has to be put in place for it to work across all the online services.”
Does that means passwords will disappear?
Despite their flaws, conventional passwords will be with us for a while yet.
Professor Haskell-Dowlan said “big players” would adopt passkey technology first but the transition would be a “slow process”.
“You can expect the likes of the big social media companies, online banking, perhaps auction websites, payment gateways, they will start to embrace this as another means of improving security,” he said.
“But you will then have the very, very long tail of everybody else.
“So passwords are still going to be with us for decades to come.”
Mr Laundry said even though passkey technology was just on the cusp of becoming widespread, it too would likely be superseded by something new in years to come.
“We’ve always been trying to iterate things faster than criminals have been trying to get access to our information and steal it and turn that into profit for them,” he said.
He said passkeys were “one part of the next wave” but not the “be all end all”.
“I’m sure that in 10, 20, 30 years time there will be something new and something better, because there will be attacks that we haven’t yet considered,” he said.
“This isn’t going to solve all the problems but it’s certainly going to solve one of the current problems that we have which is that we have too many passwords — and passwords suck.”
