Can you give me a clue?

"Forgotten your details?" Yes I have forgotten my details... I have forgotten my details for your site that I log into about once a year. Any chance you could give me a clue?

As it stands, I haven't a clue what unique password I use for your site and your site only: is it the one that has to have a special character, more than four numbers, and both upper and lower case letters? Is it limited to six characters? Or is it 12?

Sound familiar? I know I can't remember all my usernames and passwords for every site and account I visit. Can you?


Passwords are a clumsy and frustrating experience for me. From a user perspective they are a nightmare. Having to remember so many unique and 'strong' passwords is just impractical. I want to interact quickly and simply, not pass a memory test every time I log into a site. And yet, every site insists on a unique and complex password with all kinds of hoops to jump through.

As well as the right combination of letters, numbers and special characters, have you picked something no one could easily relate back to you? Have you in fact created a password so obscure that the future version of yourself will be completely flummoxed too?

But there are strong signs that the reign of the password is coming to an end. In fact, one blogger, Christopher Mimms, declared them dead last month. He was so confident of their demise that he published his Twitter password in his post. Mimms believed that the two-factor authentication options he was using on Twitter would ensure that even if his password was publicly available, he would not be in danger of his account being hacked.

First off, let us remind everyone, not that you should need it, that you should NOT share your passwords.

And even though Mimms was somewhat vindicated - as he claims his Twitter account remained uncompromised - he did have to change his phone number as a result of the attacks his account received when he effectively declared open season on his own security.


The optional two-factor authentication system Twitter employs did keep Mimms relatively secure. The option allows Twitter to send a unique code to a registered mobile; users then enter the one-time code to complete their log-in.

We agree that the password is fast becoming obsolete. Passwords cause too many user issues and, on their own, provide nowhere near enough security. Just this week, thousands of Mozilla developer passwords were compromised, and it's not hard to find stories of similar instances every month, if not every week.

Furthermore, while we are all encouraged to use different passwords for different services, many of us unfortunately do not follow this code, or at least use variations of the same one. Microsoft recently recognised this issue, and suggested that for sites that don't carry sensitive information, users should feel free to use simple and previously used passwords. It's inconceivable to expect people to remember so many different unique secure passwords.


I would love a future without usernames and passwords at all. We're already starting to see a simplification across the web with many sites offering Facebook and Twitter log-in functions, while PayPal are also keen to get in on that act. However, they all still require that core account username and password; and if that should become compromised, you compromise yourself across a range of services all at once.

At Ensygnia we believe in putting your security and your data back in your control and in your pocket. I sometimes leave the house without my wallet: I never leave it without my phone. It's proof of who I am and where I am.

Ensygnia's Onescan solution allows you to use your phone as proof of your identity and location, not just to log in to websites using our secure app, but actually to register and create an account. All that with just one scan from your smartphone. My smartphone is on me all the time. It's locked, and if I should lose it, I have the ability to find it, remotely access it or wipe the data from it, and even restore that data to another device.

For Ensygnia, a device-based authentication system like ours, which also encrypts its interactions, is so much stronger than any current combination of usernames and passwords. What's more, it is just as secure as any two-factor authentication scenario, with the benefit of being a much cleaner and simpler user experience.

With Onescan, there is no central database of usernames and passwords to be hacked, so headlines like these become a thing of the past. As will passwords. But we don't recommend you publish any of your passwords today like Christopher Mimms. Instead we recommend you download Onescan and get ready for the new world.

By Matthew Taylor 7th August 2014


Related stories around the web:

The Password Is Finally Dying. Here's Mine - The Wall Street Journal

Commentary: What I Learned, and What You Should Know, After I Published My Twitter Password - The Wall Street Journal

Russian gang hacks 1.2 billion usernames and passwords - BBC

PayPal aims to rule the passwords - The Sunaday Morning Herald

Is the password really dead? (Hint: not even close) - Global News

Script fails, thousands of Mozilla developer emails, passwords possibly exposed - SC Magazine

Microsoft tells users to stop using strong passwords everywhere - The Guardian