Password obsolescence for online authentication


LastPass via Wikipedia Commons

Password managers are often used to store multiple login credentials, a sign of how unwieldy passwords have become

Vishnu Challa, Site Manager

The cybersecurity industry has grown over the last two decades not just because of the surge in online attacks, but because of the rapid innovation of technology. To keep pace with these changes, programmers need to design architectures that can protect against the prospective, stronger attacks that innovation makes possible.

One of the biggest risks on the internet right now is password authentication. For almost any application, users prove ownership of their data with a password. This system becomes flawed once you account for the ease of password cracking today, people’s forgetfulness and the complexity, on the company’s end, of storing passwords securely.

Senior Emily Hoskins explained how she keeps track of her various passwords. “I basically write my passwords down and reuse a lot of them. Probably not the most secure method, but it makes sure I don’t forget the password to something important,” she said.

Some common solutions are slowly starting to emerge to address these issues. For consumers, two-factor authentication has become the largest addition. The enterprise side, on the other hand, has quickly moved to token-based authentication. These tokens are task- and user-specific to ensure that each person connecting to the application uses only the services they are allowed to have.

This may work in an enterprise setting, but consumers want to be the administrators of their own data. So what would be another way to authenticate a user without making them keep track of a string of characters?


Public/private key pairs are an authentication system commonly used between devices, but they can also be used between a server and a client.

The premise behind this system is that every application (Twitter, Instagram, YouTube, Gmail and others) knows a user’s public key and sends them a message encrypted with that public key. The user decrypts the message with their private key and sends it back, proving that the encrypted message was intended for them.

Senior Alex Blackwell described how well this encryption system is already working in other applications. “Actually, key-based encryption already exists on many websites. The actual code for login pages hashes someone’s password before storing it. Hashing basically turns your password into a random string of characters so that when someone who didn’t log in looks at it, it’s worthless. When you log in, though, you are solving the hash back into the original password to authenticate,” he said.

This newer system is much more user-friendly for consumers since there is no memorization on their end. The private and public keys are generated as a pair so that any message encrypted by one can be decrypted by the other. They are also reusable across applications, making them storable on a per-device basis.
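The exchange described two paragraphs above (the application encrypts a fresh random challenge to the user's public key, and only the holder of the matching private key can decrypt it and send it back), together with the pair property just stated, as an added Go example that is not from the original article. It assumes a single user whose RSA public key the server already holds; `Server`, `Respond` and `RunLogin` are names chosen here, and the server keeps each challenge single-use so a captured response cannot be replayed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
)

// Server holds only the user's public key: no password and no password hash.
type Server struct {
	UserPub *rsa.PublicKey
	pending []byte // secret of the outstanding challenge, cleared after one use
}

// NewChallenge draws a fresh 32-byte secret, keeps it, and sends it out encrypted (RSA-OAEP).
func (s *Server) NewChallenge() ([]byte, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, s.UserPub, secret, []byte("login"))
	if err != nil {
		return nil, err
	}
	s.pending = secret
	return ct, nil
}

// Respond is the client side: only the matching private key recovers the secret.
func Respond(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, []byte("login"))
}

// Verify accepts a response once; a replay fails because the secret is cleared.
func (s *Server) Verify(response []byte) bool {
	ok := s.pending != nil && subtle.ConstantTimeCompare(s.pending, response) == 1
	s.pending = nil
	return ok
}

// RunLogin plays both sides of one attempt; a wrong key cannot decrypt, so resp is nil and Verify rejects it.
func RunLogin(s *Server, priv *rsa.PrivateKey) bool {
	ct, err := s.NewChallenge()
	if err != nil {
		return false
	}
	resp, _ := Respond(priv, ct) // wrong key: decryption error, resp is nil
	return s.Verify(resp)
}
```

Deployed standards such as FIDO have the authenticator sign the challenge rather than decrypt it, but the property is the same: the server stores nothing that an attacker could steal and reuse as a credential.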

The Fast IDentity Online (FIDO) Alliance (Apple, Google and Microsoft) has begun to expand this newer standard for authentication. Passwords are still a very prevalent standard that many will be uncomfortable moving away from. Even though current technologies are well rooted in the internet, moving forward to new standards has always been a fundamental notion in cybersecurity.