About this article
This article looks at the pitfalls of passwords in the context of cyber security, and I speak with Shayype who seem to have a very interesting alternative to passwords.Recently I was asked to present my views on the challenges of the exponential growth of data to a group of IT and telecom leaders in Berkshire, UK.
The problem with security is passwords
According to TraceSecurity, It turns out that most data breaches (81%, in fact) come down to poor passwords. What do we mean by poor passwords? Well, it’s easy to guess passwords, lazy passwords or passwords that contain obvious repetitions or patterns.
Earlier this year, CNN posted the top 10 most common passwords for 2019. If you recognise any of these, you really should do something about it. Now.
Top 10 passwords for 2019
- 123456
- 123456789
- qwerty
- password
- 111111
- 12345678
- abc123
- 1234567
- password1
- 12345
Complexity vs Usability
In order to try to improve security, companies enforce what is known as ‘strong passwords’. You’ve probably seen these when signing up for new websites, logging in to your bank, local council or energy provider.
The example I use here is actually quite simple. It just stipulates that you need to have a minimum of eight characters, one lower case and one Uppercase letter. There are some that require special characters like – % * > ! @ as well as numbers. There are some that need to be a minimum of eight characters but also have a maximum length.
Some systems, normally for work, require regular changing of passwords and make sure you don’t just rotate and increment like this; Str0ngPa55word1, Str0ngPa55word2, Str0ngPa55word3.
And nearly every system has a different policy! It is no wonder we can’t keep up with it all. Some of us turn to digital key-lockers, but most of us resort to writing all the passwords down. Demonstrating how prolific this habit is, you can find “Internet Password Books” for sale online and in high street stationary providers.
Having to write passwords down almost totally negates the point of a password. It’s not as bad as using password123, but close.
How does Biometric security help?
Biometrics rely on the uniqueness of personal, physical traits such as fingerprints of faces to act as a unique key to access secure systems. Many of us use both these types of ‘passwords’ regularly when opening our phones and find the convenience very handy 😉. Biometrics is broader than fingerprints and faces, it can include other unique characteristics we possess like, voice, eyes, our walk or gait, and even our DNA. Whilst these seem a really convenient way of accessing things securely without having to remember complicated passwords, there are serious downsides.
What happens when biometric data is lost
A few months ago news broke that the fingerprints, faces and other confidential information of over one million people had been exposed to theft through being on an openly accessible database.
If you are unlucky enough to have your password-protected data hacked, beyond the cost and inconvenience of the data loss, the process of re-protecting your account is quite easy – you make a new password. If you use your face or fingerprints to secure your data, when your fingerprints or face data is lost, you can never use those again for security. For systems that only allow these types of access, you could be locked out for ever.What about two-factor authentication, I hear you ask? Well, I won’t cover all the different ways that can be compromised, but it’s also not a particularly long-term way to protect your accounts. If you’re interested, this is one article on the subject.
The Shayype of things to come.
Luckily, there seems to be another option that brings better levels of security than passwords, but with a similar degree of convenience.
Recently I met a company called Shayype that use the brain’s natural ability to recognise and memorise patterns to provide a simple, but very secure way to log into virtually anything – from email accounts to power plants.
This may at first look similar to the patterns used to secure many Android mobile phones, but is in fact, different in many, important ways, most importantly, with over 33 billion combinations, Shayype‘s system is exponentially more secure.
Another difference I like is that with this solution you don’t need to actually touch the screen, which means that anyone looking over your shoulder can’t determine your code. You probably also noticed that the numbers on the grid repeat. That’s intentional. It means even if someone sees you type in your numbers they don’t know your pattern.
Some techie details
One of the tricks behind the scene is how Shayype deals with what regular cryptography solutions refer to as private and public keys. In order to provide yet further levels of security against malicious attacks and hacking, Shayype uses a technique called Shamir’s Secret Sharing to store and match the required keys. More information on this technique (which was designed in the 1970’s) can be found here.A viable alternative to passwords
Uncrackable, highly scalable authentication
The makers of Shayype claim that because the secrets are broken apart across different parts of the system (e.g. the browser you are using to log in and the servers of the system you want to access), using Shamir’s Secret Sharing, as well as a crucial part of the system being present only in the head of the user, the system is incredibly secure. Some might even venture to say, virtually uncrackable.
With the various mechanisms I’ve mentioned above, the level of security it offers is far beyond most systems out there today, plus it’s easy to use – and that’s a difficult thing to achieve, usability and high security! Also, since it doesn’t require expensive hardware key-fobs or USB dongles, it can be scaled out across large organisations or user-bases without the kind of costs those systems incur.
Who’s this for?
Because of the simplicity of patterns instead of complex passwords, and the high levels of security, this could be ideal for virtually anyone using any kind of service that needs to securely authenticate or prove ownership, without worrying about the inherent dangers of biometrics or having to give up yet another piece of personal data.
Shayype are currently looking to partner with companies in the IT, legal, financial and communications industries who are conscious of cyber security and want to enhance their know-your-customer (KYC) capabilities. If you want to know more, visit their website here or get in touch with me for an introduction.
Want to know more?
If this, or any of the other companies I’ve met sound like they could solve your problem, or you just want to know more about what they do, please get in touch, I'd be delighted to make an introduction.
Get featured
Apart from all the great reasons to be featured on this site that you've probably already figured out (exposure, reach, independence, lead gen etc etc), there's one other big reason to get in touch. I'm easy to speak with and will try to make sure the whole thing will be fun.
Get more info
If you would like to know more about the company, solution or technology I've discussed here, please do get in touch.
Contact me