Digital Life
I’ve been saying for years that computers are still in their infancy and that one day operating them will be as simple as driving a car. However, we don’t seem to be making the progress I had hoped for.
You and I could probably swap cars and drive to Edinburgh with minimal instruction, if any. But if we swapped computers, the odds are very strong that we would soon take a wrong turn, digitally, at least. An example of this slow progress is the continued use of passwords to access websites. It’s obvious that we need some way to securely identify ourselves to the website we are using, especially if it is holding private information about us, but it is also clear that passwords, which may have seemed like a good idea 20 years ago, have long since passed their best.
In fact, they have run amok. I use a password manager – a piece of software that remembers the passwords for me – and I have more than 600 passwords recorded in it. Without that, I couldn’t cope unless I used the same password everywhere, which would be foolish.
On top of the effort of managing passwords, there’s the risk someone might guess or steal them. Most of the time, no one will try, but it’s not a risk worth taking. If you go to haveibeenpwned.com/ passwords, you can enter the passwords you use and see if they are on the list of more than 500 million that have been exposed in data breaches; if your favourite is on that list, change it to one that isn’t. Don’t panic. This doesn’t mean you have been hacked; just that the password you used is on a list that hackers will try if they attempt to get into your accounts.
Passwords, as we know them, are outdated, clumsy, vulnerable and badly in need of replacing with something sharper and more secure. Fortunately, the World Wide Web Consortium (w3.org) agrees. That’s the body led by Sir Tim Berners-lee that controls web standards, and for some years it has been working on a new industry standard to abolish passwords. In February, it approved the first version. It is called Webauthn and allows the wholesale replacement of passwords by using devices such as smartphones, a security key (like the ones banks give us), a fingerprint scanner (many phones include them) or a webcam.
You may know about ‘two-factor identification’, which many websites offer. You log in with a username and password and then encounter another hurdle of security – often a unique code sent to a phone or emailed to you.
Webauthn will simplify the process by eliminating the password altogether. Once you enter your username, you will receive a text, phone call, email or whatever you have agreed to allow you to prove it really is you. My preference would be for using the fingerprint reader on my phone, which refuses to accept nine of my own fingers, never mind anyone else’s.
The beauty of this is that it will eliminate password theft, as there is nothing to steal; the information that passes between devices and logs you in is unique every time. The ditching of easily guessed or leaked passwords in this way will be a step forward in both simplifying and making more secure your links to a website. This, in turn, will make it easier for them to safely provide more personal services for you, and we should welcome it as websites start to use it. And I can finally forget my 600 passwords.