Professors explain the flaws of a 'password system' in a digital world

Convenience and tradition are keeping passwords around, something ASU professors call a flawed system

The idea of passwords may have flaws in a modern-day tech landscape, but ASU professors and experts said that these combinations of letters, numbers and characters that are found on nearly every computer and web account are not going to be replaced any time soon.

"There is enough documented history that (using passwords) is a bad idea, but we use it because we are told to and they are the most convenient things," said Partha Dasgupta, associate professor at ASU's School of Computing, Informatics and Decision Systems Engineering.

The dissatisfaction with passwords is not a new concept. Even the most secure system becomes vulnerable because of weak passwords, Dasgupta said.

“Convenience is the main reason why we still use passwords and industry also went that way," Dasgupta said. "If tomorrow Google says, 'You have to use a dongle to login,' that becomes a standard."

He said even though there have been efforts to replace the password system, like using a public key or a certificate, people don’t understand how to use them. As a result, any effort to strengthen security involves passwords paired with other measures: two-factor authentication.

“Passwords are here to stay,” Dasgupta said. 


Many industries have highly stringent password rules, according to Rida A. Bazzi, an associate professor of computer science at the Fulton Schools of Engineering. 

Even the University requires that users have a strong password and change that password every six months without using the previous password, Bazzi said. However, since ASU does not store all passwords used before, a user can toggle between the same two passwords every six months, making their passwords predictable.

“It is the mentality that needs to be changed,” Bazzi said.

Bazzi teaches a class called "Usable Security" where he touches on the topic.

“One of the main goals of 'Usable Security' is to have a security mechanism that people can use and not bypass it," Bazzi said. "Even if you have the most secure door, if it is inconvenient to open it every time, then the user will use a doorstop.”

He also pointed out a key contradiction.

“People never think their car key is stopping them from entering their car, instead they think it stops others from stealing your car, but this attitude completely changes when it comes to password," Bazzi said.

Because we don’t see passwords getting replaced in the near future, Adam Doupé, co-director of the laboratory at Security Engineering For Future Computing (SEFCOM), said there are some easy precautions students can use to be secure.

“Password managers are one of the user-friendly technologies that I use and I got my parents to use," Doupé said. "Like LastPass generates a random strong password for websites which even you won't be aware of. You just need to have one strong password."

Doupé explained the idea allows users to not worry about remembering different passwords for each website, while providing an extra layer of security. 

The key, he said, is to not use the same password for multiple websites, something that can be disastrous. However secure Google may be, for example, if someone uses the same password for some random website, their Google account is just as vulnerable as that random website.

“Many think of biometrics — fingerprint, retina scan, etc. — when you think of the future of passwords. But they are more vulnerable than passwords. Your password can be changed when hacked, but not your biometrics," Doupé said.


Reach the reporter at aravind.sreenivasa@asu.edu
