The use of passwords dates all the way back to ancient times. The Roman military used watchwords, as they called them, to authenticate the rotation of soldiers on guard duty.
Computer passwords have been around since the 1960's. They were first used to secure access to files on a large computer system at MIT.
The computer password served it's purpose well back then, but was never intended for securing access to accounts on the internet. The man credited for creating the computer password even calls them a “nightmare” and “nuisance”today.
Why Passwords Are Problematic
Don't get me wrong. When used and handled correctly, passwords are still pretty good at keeping unauthorized people from gaining access to things like your online giving account. But despite best intentions, passwords aren't always handled with the proper care they need.
Let's take a look at some of the reasons why passwords are problematic.
Passwords are abused
Back in 2012, a study found that people had an average of 26 online accounts. Of those 26 accounts, the number of them that had a unique password was only 5. That means 81% of the accounts shared a password with another account.
If the same password is used for multiple accounts and is compromised, the password thief essentially has access to every one of those accounts. And if one of those happens to be your online banking account, that's bad.
So be smart. Don't reuse passwords across multiple accounts.
(Good) Passwords are hard to remember
If you have 26 different accounts, it's hard to keep track of all those passwords, right? I feel your pain.
To make things worse, good passwords should be complex and hard to guess, so it's usually recommended you include special characters in your password. Good luck remembering a password like t@3$!0idKD3a+ncW4%. Now picture trying to remember 26 others just like that! It's enough to make my brain melt down.
To help with this, the Password Manager was born. They're great at keeping track of the myriad of passwords we all have. Most browsers now have password managers built right in.
But here's the deal. The simple fact that you need a Password Manager in the first place is a signal that passwords themselves are a problem.
Passwords are out of your control
Let's say that instead of picking a password that's easy to guess, like your cat's name (sorry, Fluffy!), you are careful to choose a complex password that's strong and hard to guess. Once you submit that password to log in to an account, you're trusting the owner of the website to store that password responsibly. This means encrypting the password before storing it in their database.
The problem is that while this is accepted practice and basic Password Management 101, not all companies do this. If someone were to break into their system and steal your unencrypted password, they can now log into your account.
While I'd like to be able to give you a good remedy for this one, there's not much you can really do. It's up to the owner of the website to handle your password with care.
The only thing I can recommend here is to change your passwords often so in the event your password is stolen, they'll have access to your account only for a limited time. But again, when you have 26 accounts (or more), rotating your passwords is a real hassle.
A Password Alternative
Here at Txt2Give, we recently rolled out our new online giving option. Anytime we create a feature, we put a lot of thought into the user experience, and how we can come up with creative ways to make typical experiences better.
When we thought about the login experience, and the idea of forcing people to create yet another username and password, we didn't like it. It just didn't feel right. So we set out to do something different!
We've created a login experience we're calling Off-Screen Authentication. If you're familiar with 2-factor authentication using text messaging, it's similar, but with a twist.
With our Off-Screen Authentication process, instead of submitting a username and password to log in, people enter only their mobile number. On the next screen, they're presented with a temporary, random 4-digit number called a Secure Login PIN. Simultaneously, they are sent a text message to their mobile device asking them to verify the Secure Login PIN they see on their screen. Once they reply to the text verification message using the correct PIN, their browser automatically logs them in.
Here's a quick video that shows it in action.
The advantages to this login process are:
- No new password to keep track of
- A new Secure Login PIN is generated each time the user logs in, so there is no static password to be stolen or compromised
- A second, separate element (their mobile device) is needed to authenticate the user, which increases the likelihood that the authenticated person is indeed the authorized user of the account, not just someone who knows their password
As the number of online services we use continues to increase and technology advances, I believe the password will eventually die. Instead, you'll start to see alternatives like our Off-Screen Authentication, or more advanced methods like biometrics become the norm.
This is less secure than a password or two-factor authentication, because there is nothing inseparable from the user. It does not verify your identity, it only proves they have your phone. If someone gets your phone, they are in.
Hey Kevin! I appreciate your comment, but let’s think about this for a minute.
What are the odds of someone getting possession of your phone? When’s the last time yours got stolen?
Now, even if your phone stolen, what are the odds that person would know to go to your church’s website and try to log in to the online giving?
Beyond that, why would a thief even want to log in and make a donation? To annoy you? There’s not much to gain for them.
Now, a more likely scenario is that a hacker, who has no proximity to you or a physical device you posses like your phone, cracks the password to your email account, finds an email confirmation from a past donation in the inbox, goes to the website and clicks the “Forgot Password” link. The system then sends a reset password link to the email account they have access to now because they cracked the password on it. They reset the password and now they have control of your account.
This actually just happened to someone I know. Someone in another country hacked into their email account by cracking their password, locked them out of their email account and gained access to dozens of other sites (including their online banking account). It was easy once they cracked their email password, and it took the victim a month to clean up the mess.
If they only would’ve been using an authentication method that included something they possessed physically, like their phone, it never would’ve happened. This is why methods like the one we talk about here, and others like 2FA are good.
Bottom line is nothing is “hack proof”, but introducing an element that the user must posses in order to authenticate is generally stronger than one piece of information like a password that can be guessed.
I love this idea, but I could not get your demo video to play. I would very much like to explore it and see how it might work for our organization.
Hi Brian, The video plays using the Chrome browser. I’m not sure what browser you’re using. Could you try opening up the article in Chrome and see if the video will play for you? I’m sorry for the difficulty you’re experiencing.
Hey Brian! I’ll be happy to talk with you to determine if our giving platform is a good fit for your church. Please send me an email at chad@txt2give.it and we can set up a quick phone call.
Cool idea, Chad. Anything that provides relief from password pain is welcome! I think one of the most annoying parts of trying to remember different passwords is remembering the “password criteria” that vary so widely from account to account – 6 or 8 letters… capitals or no capitals… “special” characters allowed or not allowed!
Thanks, Eric! I agree. It’s enough to make you let out a big sigh or throw up your hands.
Another thing that’s meant to help with remembering passwords is the password “hint” you can set on some sites when you create your password, but this varies widely, too. Some sites have a predetermined list of “hints” that you have to choose from, but what if none of those hints actually apply to you? Some let you create your own hint that’s more personal and meaningful to you, but some don’t. All of these things are signal that passwords are broken.
Thanks for the comment!