The tyranny of passwords – is it time for a rethink?
They are elusive, infuriating gatekeepers that rule our lives. Easy to crack and hard to remember, forgetting them is pricey – it cost Stefan Thomas £160m in lost bitcoin
Sirin Kale
Sun 31 Jan 2021
Modern life is the act of entering the third character of a long-dead family pet into an online form three times a week, getting it wrong, and speaking to a call-centre worker in India whose real name is almost certainly not Kenny, ad infinitum, until you die. Our ancestors lived short, brutish lives and died in childbirth, or were gored to death on the battlefield, but at least they didn’t have passwords, and that’s something.
The tyranny of passwords; it colonizes modern life. These petty dictators deny us access to our bank accounts, our baby photos, our phone contracts, even our heating. They reproduce as endlessly as bacteria, and yet, like Tupperware lids, you can never find the one you need. They are our boyfriends, our girlfriends, our children, our pets. A talented and motivated adversary could probably work yours out in the time it has taken you to read this paragraph.
Most of the time, not being able to remember your password is merely irritating. But sometimes, password amnesia can be life-altering. After going public with his account of losing the password to around $220m (£161m) worth of bitcoin, German programmer Stefan Thomas, 33, sparked a conversation around passwords, loss, and how you grieve a fortune you’ll never get back.
Thomas had three copies of his bitcoin passwords saved on hard drives and a USB stick, but the first two versions failed due to software updates, and the USB stick is password protected. If Thomas enters the password incorrectly 10 times, the data wipes. He has two attempts left, and he can’t remember the password. When we speak, Thomas is remarkably sanguine.
“There are some days where I’m almost grateful for it,” he says cheerfully. “There were weeks where I would lie in bed, looking at the ceiling, just completely desperate,” he says. “I’d spend hours trying to think of ways to recover the data, jump up, run to my computer and try it and then it wouldn’t work, so I’d go back to staring at my ceiling.” Eventually, he decided: enough. He climbed out of bed, and forged a career in technology, before founding his own company, Coil.
Not everyone can move on from such a wringing loss. “I’m coming up against a brick wall,” says James Howells, his voice rising. “They don’t even want to have a conversation with me about it! Which is so silly, given the valuation.” He is referring to Newport city council, owner and operator of the rubbish tip into which he accidentally slung a hard drive containing the key to the bitcoins he’d mined in 2009.
The bitcoins are now worth £210m, and the 35-year-old cryptocurrency trader from Newport is so desperate to get them back he’s offered 25% of his haul, or £50m, to Newport city council. The council has declined Howells’s offer repeatedly over the past eight years, due to the cost.
As gently as possible, I ask if it might be better to let this go? “I’m just looking for an opportunity to search for what belongs to me,” he says, sounding wretched. “And I am willing to share it. But it’s hard to accept it’s gone without being given the opportunity to search. Knowing the hard drive’s there, and there’s still a chance.”
We lose things; we forget. It is in our nature, it’s what makes us human. “The art of losing isn’t hard to master,” observed Elizabeth Bishop in her poem One Art. Life is a continual surrendering to loss. Some fare better than others: for every Thomas, there is a Howells. “Lose something every day,” Bishop writes, and we oblige her. We lose coats, books, bags, phones, friends, money, loved ones, mobility and eventually, ourselves. Most of all, we forget our passwords. The average person has close to 80 passwords, hardly any of which they remember.
(…)
Because passwords are tedious, humans are very bad at them. “There are literally billions of passwords breached every year,” says Gerald Beuchelt of the password manager LastPass. “It’s a total epidemic. It’s happening on a daily basis.” A Google/Harris poll from 2019 found that 52% of people reuse their passwords across multiple accounts, which is very bad security practice.
“The best password is a random password,” says password researcher professor Lorrie Cranor of Carnegie Mellon University. “But people aren’t good at generating random passwords or remembering them.” Almost everything you intuitively believe about passwords is not correct. “If you struggle to remember your passwords,” Cranor says, “write them in a notebook and hide it at home. It’s highly unlikely that a hacker is going to get access to your house.”
(…)
Our passwords reveal a humanity that is much more shared than we think. “We all think alike,” says Cranor, “and we all do similar things, in creating passwords. People think they are being smart by going diagonally on the keyboard,” Cranor says. “But it’s in all the hacker dictionaries.” John used to play a game where she’d ask her friends five questions, before guessing their passwords. “I’d ask them their parents’, siblings’ and children’s names, anniversaries and birthdays, their pet’s name, and their favourite sporting team,” she says. “I’d usually get 70% of them right.”
We would not leave the door to our house open and yet many of us leave our digital accounts vulnerable to cybercriminals every day, because of our laissez-faire attitude to password security. Sometimes, criminals access accounts using personal information a person has shared online, or matching passwords from previous data breaches but, increasingly, hackers also use brute-force software – programmes which match thousands of dictionary words until something fits. “You can brute force most eight character passwords within 10 minutes,” says Beuchelt.
(…)
There is a solution to all this chaos and confusion: a password manager. “These are apps or small pieces of software,” says Beuchelt, “that store all your different usernames and passwords in secure vaults.” A password manager like LastPass (Google also has a version) will randomly generate impenetrable passwords for all your various accounts and store them for you. “All users need to do is remember your master password,” says Beuchelt, “and LastPass remembers the rest.” It’s the equivalent of having a book in your house, with all your passwords written in it – only digital and highly secure.
Of course, your master password needs to be extremely strong: LastPass recommends a minimum of 12 characters, but the longer the better. A long passphrase, composed of random words, numbers and symbols, that is pronounceable – meaning you’re likely to remember it – but doesn’t use personal information, works best. LastPass doesn’t store its users’ passwords centrally, meaning that even if hackers were able to get into their internal systems they wouldn’t be able to break into accounts. “That gives users the highest degree of security you can get,” says Beuchelt.
(…)
From: <https://www.theguardian.com/technology/2021/jan/31/the-tyranny-of-passwords-is-it-time-for-a-rethink>. Access: January 31, 2021.
Passwords can leave people in a dangerous position when they are: