Is Your Mobile Device Your Most Secure Password

There was a lot of news recently about the most commonly used passwords of 2013 (which are “123456”, “password” and “12345678”). If you’re familiar with dictionary attacks, you know that a computer can quickly figure out your password. And if, like most people, you use the same password across sites, having your password compromised on one site is extremely dangerous. Now how can your mobile phone make this more secure and easier to use?

I saw some great news for a group of guys I met in SF last year who were trying to solve this exact problem and got bought by Google. Their start-up was called SlickLogin and they were using mobile devices to provide two-factor authentication. So even if your password does get compromised, if the hackers don’t have access to your mobile phone, they won’t be able to access your account. Let’s think of the following situation…

Let’s say you use your super secure password “password123456” on some new Instagram-like site. The site was created by some 20-year-olds who aren’t being too careful with your password and store it in plain text in a publicly accessible database. Hackers get in and download everyone’s email address and password. These hackers then start trying the stolen email/password pairs at some of the major banking websites and are able to access your account. They then get enough information to start opening up credit cards in your name and go on a buying spree.

So how do you keep your information secure without creating a million different passwords? There is really no easy answer. But the guys from SlickLogin say that instead of coming up with different passwords, you should make your mobile phone your system of authentication. So before you even try to enter your password, you use your mobile phone to authenticate who you are. This is done simply by having your phone next to your computer when you’re logging in. There is no need for SecurID, a text-message PIN, or anything else. You simply have to pull your phone out of your pocket and place it next to your laptop as you’re logging in.

This sounds like magic, but the guys from SlickLogin have come up with some cool technology that allows your computer to broadcast a unique sound that humans can’t hear but your mobile phone can, and the phone relays to the website you’re accessing that you are who you say you are. That’s the super-basic and simple explanation of how it works. So I’ll be curious to see what the guys do now that they’re a part of Google and how this technology will be integrated into Google. I wonder if we’ll see this technology rolled into Android in the near future.

Of course, this technology won’t be available anytime soon, so until then, we all have to deal with passwords. I’ve heard of different tactics and they basically trade ease of remembering for security.  It’s either easy to remember and insecure or hard to remember but secure.  For instance, you could have a base password of “password” that you use, but you always append a different set of characters or numbers depending on the site you visit.  It could be as simple as appending the first character of the site, so if you’re logging in to Amazon, your password would be “passworda” or if you visit Facebook, it would be “passwordf”.  You could get more complex and append the number of characters in the name of the site, so the password for Amazon becomes “password6” and for Facebook, you get “password8”.  A simple trick, but this does give you different passwords for different sites thereby making it a little harder (not impossible) for hackers to access other sites if your password does get compromised.

Again, security is only good if you remember to use it, so you have to figure out a system that works for you. Also, you need to assess your own risk level: if you’re a millionaire who gets lots of press, you’re at a much higher risk than a random person who only goes online to check email. But you also shouldn’t assume no one is trying to hack you, because everyone is a target, so keep your password safe.