In early February, we celebrated Change Your Password Day. I have to admit that, once again, I missed it. And I hope you will too…
Let me explain why.
The concept of changing passwords has its roots in the days when we worked in UNIX environments, which initially stored our “secrets,” admittedly in encrypted form, in a file readable by everyone. This meant, more or less, that anyone could try to recover another person’s password from it. And since that took, depending on the length and complexity of the password, anywhere from minutes to several months, various tutorials urged us to change our secret word periodically. Later, in the era of the popularization of the Internet, especially the early Web, passwords were sent in plain, unencrypted form. The same good practice was supposed to protect us from situations where a password could be intercepted in transit and used by someone else.
Since then, however, much has changed. We no longer work in terminal environments, and the HTTP protocol has become HTTPS, with an extra “S” for “Secure” (which, among other things, means that our passwords are protected in transit). Unfortunately, the changes have also gone in the wrong direction. The abundance and value of the data found on the network have led criminals to develop a number of mechanisms to seize it easily. The most common and usually the first step in this direction is to learn our password: by peeking at it, eavesdropping, stealing it, phishing for it, guessing it, or cracking it.
Fortunately, today we no longer have to rely on the password alone. Other, more secure, and often more convenient methods of confirming identity online, so-called authentication, have been developed. These are mechanisms based on what we carry with us: for example, USB-key-like security tokens, or smartphones equipped with appropriate applications that verify our identity based on our biometric characteristics. After all, since the relatively recent arrival of iOS and Android phones, we mainly unlock with a fingerprint or facial image, possibly a short PIN, rather than a complicated password. This functionality, and not without reason, is increasingly being adopted by personal computers and the operating systems that run on them.
Changing the password periodically thus loses its meaning. So instead of commemorating something obsolete, the password itself, on its own holiday, I suggest that we adopt other means of authentication. And that happens every day, in every service where we have an account.