Remembering passwords can be a real pain, especially if you have multiple accounts and a few interchangeable passwords. Most people have had that moment of typing in several versions of a password because they cannot remember which one belongs to that particular account – but should they even be struggling? At the end of the day, if you can remember your password, it is very likely not a good password in the first place.
On top of that, there will always be people with genuine memory-related health conditions who ought to have an option for safe access to their email. After all, a medical condition that makes it hard to remember passwords does not mean they shouldn’t still be able to log in somehow.
Now Yahoo are trying to find a way around this problem by giving people the choice to live without passwords, making one-time passwords a permanent option. This week at SXSW they have been demonstrating the new system, which has already been rolled out in the US and which they plan to make available to the rest of the world later in the year.
In essence, it is a carbon copy of the two-step verification system already in place for some email accounts; the only real difference is that this makes it your permanent option and relieves you of the need to remember a password altogether.
Chris Stoner, director of product management at Yahoo, calls it ‘a new, simple way to log in’, and no one could really argue with that: it is simple, and it does eradicate the need for users to remember a password to log in. But at what cost?
Talking at SXSW, Yahoo’s vice president of product management for consumer platforms, Dylan Casey, said,
‘This is the first step to eliminating passwords. I don’t think we as an industry has done a good enough job of putting ourselves in the shoes of the people using our products.’
Eliminating passwords? I hate to point out the obvious to Mr Stoner and Mr Casey, but passwords are there for a reason – to protect our personal and private electronic communications – and although ease of use is important, safety and security are far more vital, and this whole elimination is giving me the heebie-jeebies.
With classic two-step verification, a password is still required first; only then is a code sent to the phone. The user must not only receive the code on their mobile phone but must also know their password. In this new system, however, the code that arrives by text message is the only password needed – which leads me to some rather unsettling realizations and conclusions.
Text messages are sent to mobile phones, and these are notoriously easy to misplace, lose or have stolen. They are small and valuable, and unfortunately there will always be a criminal element that sees mobile phones as a quick and easy money-making opportunity.
Also, text messages sit on your phone until you delete them. If someone unauthorized gets into your text inbox and you have been logging in to your Yahoo account regularly with this new system, you will have lots of text-message codes from Yahoo sitting in your inbox, alerting your smartphone’s thief to the fact that you are a password-less user… problematic.
I’m sure you are starting to get the picture: the thief has your mobile phone – and if they stole it from your house, perhaps they have your PC or laptop too – and now he or she can go to your Yahoo account, ask for a one-time password code, and voilà, when it arrives on your mobile phone (which they are holding), they can easily log into your email account.
You might be skeptically thinking… but the thief also needs to know your email address – surely you need to tell Yahoo who you are on the login page before they can send you the one-time code? The answer is yes, you are absolutely right – but what if the thief is the dodgy friend of one of your siblings and knows your email address?
I once got robbed, and later on found out that I knew the thief very well (an acquaintance, not a friend), but still someone who was known to me in my circles and who could easily have known my email address.
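The two login flows compared above, as an added example that is not Yahoo’s code or anything from the original post. It models a toy server that supports both the classic flow (password first, then an SMS code) and the password-less flow (SMS code only), and it adds the two checks a defender would insist on for any SMS code: single use and a short lifetime. The account details, the 300-second code lifetime and the PBKDF2 work factor are assumptions for the example, and the in-memory outbox stands in for the SMS network.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300      # assumed lifetime of a one-time code; not a figure from Yahoo
PBKDF2_ROUNDS = 50_000      # toy work factor; raise it for real use


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted slow hash so neither passwords nor codes are stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    email: str
    phone: str
    salt: bytes
    password_hash: bytes


@dataclass
class PendingCode:
    code_hash: bytes
    issued_at: float
    used: bool = False


class LoginServer:
    """Toy server offering both the classic and the password-less flow."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, PendingCode] = {}
        self.sms_outbox: list[tuple[str, str]] = []   # (phone number, message) stands in for the SMS network

    def register(self, email: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, phone, salt, _hash(password, salt))

    def _issue_code(self, acct: Account, now: float) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[acct.email] = PendingCode(_hash(code, acct.salt), now)
        self.sms_outbox.append((acct.phone, f"Your login code is {code}"))

    def request_code_classic(self, email: str, password: str, now: float) -> bool:
        """Classic two-step: the password gate is passed before any SMS is sent."""
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
            return False
        self._issue_code(acct, now)
        return True

    def request_code_passwordless(self, email: str, now: float) -> bool:
        """Password-less flow: knowing the e-mail address alone triggers an SMS."""
        acct = self.accounts.get(email)
        if acct is None:
            return False
        self._issue_code(acct, now)
        return True

    def verify_code(self, email: str, code: str, now: float) -> bool:
        """Accept a code only once and only inside its lifetime."""
        acct = self.accounts.get(email)
        pc = self.pending.get(email)
        if acct is None or pc is None or pc.used or now - pc.issued_at > CODE_TTL_SECONDS:
            return False
        if not hmac.compare_digest(_hash(code, acct.salt), pc.code_hash):
            return False
        pc.used = True
        return True


def latest_code(server: LoginServer) -> str:
    """Read the code out of the most recent 'SMS', as whoever holds the phone would."""
    return server.sms_outbox[-1][1].split()[-1]


def stolen_phone_scenario() -> dict:
    """The situation described in the post: the phone is in the wrong hands and the
    e-mail address is known, but the password is not. Account data are constructed."""
    srv = LoginServer()
    srv.register("victim@example.com", "correct horse battery staple", "+15550100")
    t0 = 1_000_000.0

    # The owner logged in earlier; that old SMS is still sitting in the inbox.
    srv.request_code_passwordless("victim@example.com", now=t0)
    old_code = latest_code(srv)
    srv.verify_code("victim@example.com", old_code, now=t0 + 10)

    later = t0 + 3600
    results = {}
    # Classic flow: without the password, no code is ever sent.
    results["classic_without_password"] = srv.request_code_classic("victim@example.com", "wrong guess", now=later)
    # Replaying an old code from the inbox: single-use makes it worthless.
    results["replay_old_code"] = srv.verify_code("victim@example.com", old_code, now=later)
    # Password-less flow: the e-mail address alone triggers a fresh SMS to the phone.
    srv.request_code_passwordless("victim@example.com", now=later)
    results["passwordless_with_phone"] = srv.verify_code("victim@example.com", latest_code(srv), now=later + 30)
    # A code left unused past its lifetime is rejected too.
    srv.request_code_passwordless("victim@example.com", now=later + 3600)
    results["expired_code"] = srv.verify_code("victim@example.com", latest_code(srv), now=later + 3600 + CODE_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for attempt, ok in stolen_phone_scenario().items():
        print(f"{attempt:28s} -> {'logged in' if ok else 'rejected'}")
```

Running it shows the asymmetry the post describes: the classic flow stops at the password gate, while the password-less flow succeeds as soon as the phone and the e-mail address are in the same hands. Single use and expiry blunt the "codes sitting in the inbox" problem (old messages are useless), but they do nothing against a fresh code requested while the phone is held, which is the core of the author's objection.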
The point is that passwords exist for a reason, and on top of that there is a reason we memorize them and never write them down or share them: we know that nobody is telepathic, so the password stays safely locked in the biological recesses of our ultimate sanctuary, our brain.
When Yahoo took away the password, they opened up the possibility of login fraud by technical means, taking your safety out of your personal sanctuary and putting it into the air.
Text messages have to travel to your phone, and unless you have been living on Mars, you must be aware of the large-scale surveillance programs that the NSA and various European agencies have been coordinating. Prism works by taking copies of all communications, including text messages, before they arrive on our phones – opening the door to the possibility of interception.
No matter which way I look at this issue, I cannot help but spot flaws. Yes, I understand that my issues with Yahoo’s new password-less login system may seem a bit paranoid – but I absolutely assure you that they are not – because I know that if I do not have good op-sec, and if I do not look after myself, then there is nobody else who will.
So why do Yahoo think this is a good idea? Where are the virtues in offering this new service? Well, to answer that question we need to scratch beneath the surface a bit more, because the truth about passwords is actually even more complex than you would think.
We already know that most people choose extremely weak passwords: in SplashData’s 2012 awards for the worst passwords, the word ‘password’ was the winner, and this year it was ‘123456’ – giving you a glimpse into a different password problem altogether.
If a person chooses a password so weak that it is easily guessed or cracked, they may fall victim to a breach by criminals who never needed to come anywhere near their mobile phone. In those cases I have to admit that, even though Yahoo’s password-less service has security issues of its own, the new system would actually be a vast improvement in password security.
Any personal issues that I have with Yahoo’s new system, therefore, are only legitimate when the person handling their passwords is doing so in a genuinely safe way – by using a variety of complex passwords that keep them safe not only from guessing but also from hacking, because it is by cracking that a password will most likely be broken. It is for this reason that any security-conscious internet user will make sure that their password is truly safe and cannot be cracked, and the only real way to do that is by using a password so complex that you simply wouldn’t be able to remember it.
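To put numbers on the point made in the last three paragraphs, here is an added example (not code from the original post or from SplashData) that estimates how much work a brute-force attacker faces for a given password and generates the kind of random password a manager would produce. The entropy model (length times log2 of the character-set size) is a deliberate upper bound that only holds for randomly chosen characters; the worst-passwords list is a constructed sample around the two winners named above; and the guessing rate and the verdict thresholds are assumptions for the example.

```python
import math
import secrets
import string

# Constructed sample of a "worst passwords" list: the two winners named in the post
# plus a few entries of the same kind. A real check would use the full published list.
WORST_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123", "letmein"}

# Assumed offline guessing rate against a fast, unsalted hash; real rates depend on
# the hash algorithm and the attacker's hardware.
GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable symbols
    return size


def entropy_bits(pw: str) -> float:
    """Upper-bound entropy, assuming every character was chosen uniformly at random.
    Human-chosen passwords sit far below this bound; a listed password is worth 0 bits
    because it falls to the first few guesses of any dictionary attack."""
    if pw.lower() in WORST_PASSWORDS:
        return 0.0
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def expected_crack_seconds(pw: str) -> float:
    """Expected brute-force time: on average half the key space is searched."""
    return (2 ** entropy_bits(pw)) / 2 / GUESSES_PER_SECOND


def verdict(pw: str) -> str:
    """Thresholds are an assumption for this example, not a standard."""
    bits = entropy_bits(pw)
    if bits < 40:
        return "trivial"
    if bits < 80:
        return "moderate"
    return "strong"


def generate_password(length: int = 20) -> str:
    """What a password manager hands you: uniformly random over the 94 printable
    ASCII characters, which is exactly why nobody can memorize it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Sample passwords are constructed for the demonstration.
    for pw in ["123456", "password", "Summer2015", "Tr0ub4dor&3", generate_password()]:
        years = expected_crack_seconds(pw) / (365 * 86400)
        print(f"{pw!r:26s} {entropy_bits(pw):6.1f} bits  ~{years:.2e} years  {verdict(pw)}")
```

The table the script prints makes the author's argument concrete: the SplashData winners are gone in the first handful of guesses, a typical human pattern like a word plus a year is only moderately better, and a 20-character random string from a manager is out of brute-force reach even at ten billion guesses per second. That last line is the password you "simply wouldn't be able to remember", which is the whole case for a manager rather than memory.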
It is understandable that Yahoo would want to try and crack this problem; passwords are not perfect – but for me, neither is this new solution. Personally, I will not be signing up to Yahoo’s new service; moreover, I will also be continuing not to memorize my passwords – because although there is a certain amount of safety in keeping your password in the personal sanctuary of your mind, the truth is that memorizing your passwords simply won’t keep you as safe as using a password manager such as the one built into Firefox, or the open-source and excellent KeePass, which is everyone’s preferred choice here at BestVPN. Happy logging-in!