The final days of user names and passwords

Jan Valcke

Last week’s announcement that the online password manager LastPass was hacked made me realize that the term “secure password” has become the leading oxymoron of the 21st century. The issue of insecure passwords has resurfaced; this is once again a reminder of the need for one-time passwords.

The average internet user typically administers twenty-five accounts. These twenty-five accounts are protected by, on average, six different static passwords, and users seem to have a soft spot for certain kinds of passwords. Nicknames, dates of birth, children’s and pets’ names, and even the word “password” are very popular.

Most surfers realize that passwords are a matter of the utmost concern. After all, passwords are the first, last and only safeguard of an account against intrusion attempts. Long lists of tips and tricks to solve the problem can be found everywhere online: do not use real words, mix different character types and numbers, use different passwords for different accounts, change your passwords regularly… It becomes even harder when users are asked to change their passwords every ninety days. It is simply an impossible task for the user to remember them all.

Online password managers seem to be a good solution to tackle this problem of inconvenience and to store all these different, complex and regularly changing passwords. However, there is an obvious irony in attempting to protect inherently weak passwords with another password.

We are seeing the final days of user names and passwords as hackers drive the industry to more secure methods of authentication. One-time passwords are the key solution. They only remain valid for about thirty seconds and become invalid after use. Each time a user wants to log on, they get a new password. This means that over a ninety-day period, a user’s password changes not once, but more than 250,000 times. It goes without saying that this is much safer than changing your password only once. Moreover, user convenience increases a lot, since the user no longer has to think about a complex password.

The environments that used to be the preferred targets of online fraudsters, such as the banking market, have already abandoned weak static passwords and moved to one-time passwords. Hackers then realized that they had to tap new sources of income. They selected other sectors and looked for other assets they could capitalize on, such as confidential or business-critical information. Commercial companies, healthcare and medical providers, governments, educational institutes and many more have all fallen prey to hacking attacks. It is time that we all move to one-time passwords to protect these sectors as well. Not only will accounts be protected against fraudulent attacks, but users will also be relieved of the burden of having to remember a password.

Jan Valcke’s resume reads like the history of strong user authentication itself. Mr Valcke was co-founder and member of the board of directors of Digiline, the company that developed and marketed the first Digipass strong authentication tokens, back in 1991. From the start, Jan Valcke has been one of the architects of VASCO’s leading position as a provider of strong authentication products to the banking world.

In 1992, Valcke was responsible for Digiline’s first major banking deal