Courtesy: Alamy

Could the humble password finally be obsolete?

Over the past couple of decades it has become abundantly clear that human beings can't be trusted to come up with decent passwords. We might combine the name of a childhood pet with a two-digit number and proudly use it across multiple services, imagining that it ranks alongside Fort Knox in terms of its security. But it doesn't. Bad passwords continue to be exploited by criminals, either by using computers to work their way through large databases of breached passwords, or simply by guessing them. Credentials, cash and personal identities are stolen and misused on a daily basis.

The password problem

The battle against bad passwords has been waged in many ways over the years. Services ask us to change them, they force us to litter them with unusual symbols, and they send additional codes to our mobile phones to confirm our identities. But an industry consortium has now taken a significant step towards a future in which passwords become obsolete. Recent versions of the Android mobile operating system – currently used by about one billion devices worldwide – are now certified to use a security system called FIDO2.

The result is that developers can allow access to websites and apps with a fingerprint or a USB security key. No longer will we have to think up strings of letters and numbers, remember them and type them out. FIDO2 may finally save us from our failing memories and lack of imagination.

The move can’t come soon enough. A report released at the end of last year by password management company SplashData revealed that, for the fifth consecutive year, the two most popular passwords online are still “123456” and “password”.

The difficulty of remembering multiple passwords causes us to reuse the same ones across several different services, and that's what makes breaches of password data so dangerous – by using a technique called "credential stuffing", criminals can force their way into a series of accounts. In the past few days, for example, accounts with smart home product manufacturer Nest were attacked in this way. But it's not their fault, it's ours.
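The credential-stuffing pattern described above, seen from the service's side, as an added example that is not part of the article: a constructed authentication log in which one client works through many different usernames, and a small Go detector that flags that source and lists the accounts it actually got into. The log format, the thresholds and the addresses are assumptions made for the demo; a production detector would also bucket attempts by time window.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample auth log (not from the article). One client sprays six
// different usernames, one attempt each, and gets one hit; a second client is
// a single user who mistypes their own password twice and then succeeds.
const sampleLog = `2019-02-12T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-02-12T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-02-12T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-02-12T10:00:03Z ip=203.0.113.5 user=dave result=OK
2019-02-12T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-02-12T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-02-12T10:00:05Z ip=198.51.100.7 user=grace result=FAIL
2019-02-12T10:00:09Z ip=198.51.100.7 user=grace result=FAIL
2019-02-12T10:00:15Z ip=198.51.100.7 user=grace result=OK`

// ipStats accumulates what one source address did.
type ipStats struct {
	attempts  int
	failures  int
	users     map[string]bool // distinct usernames tried
	successes map[string]bool // usernames that logged in from this source
}

// parseLine pulls ip, user and result out of one "key=value" log line
// (assumed format).
func parseLine(line string) (ip, user, result string, ok bool) {
	for _, f := range strings.Fields(line) {
		switch {
		case strings.HasPrefix(f, "ip="):
			ip = strings.TrimPrefix(f, "ip=")
		case strings.HasPrefix(f, "user="):
			user = strings.TrimPrefix(f, "user=")
		case strings.HasPrefix(f, "result="):
			result = strings.TrimPrefix(f, "result=")
		}
	}
	return ip, user, result, ip != "" && user != "" && result != ""
}

// collect builds per-source statistics from the log.
func collect(log string) map[string]*ipStats {
	stats := map[string]*ipStats{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		ip, user, result, ok := parseLine(sc.Text())
		if !ok {
			continue
		}
		s := stats[ip]
		if s == nil {
			s = &ipStats{users: map[string]bool{}, successes: map[string]bool{}}
			stats[ip] = s
		}
		s.attempts++
		s.users[user] = true
		if result == "OK" {
			s.successes[user] = true
		} else {
			s.failures++
		}
	}
	return stats
}

// FlagStuffing returns, sorted, the source addresses that tried at least
// minUsers distinct usernames with a failure ratio of at least minFailRatio.
// A normal user retrying their own password has one username and is not flagged.
func FlagStuffing(log string, minUsers int, minFailRatio float64) []string {
	var flagged []string
	for ip, s := range collect(log) {
		ratio := float64(s.failures) / float64(s.attempts)
		if len(s.users) >= minUsers && ratio >= minFailRatio {
			flagged = append(flagged, ip)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// CompromisedAccounts lists the usernames that logged in successfully from a
// flagged source: the hits inside a spray are the accounts to lock and notify.
func CompromisedAccounts(log string, minUsers int, minFailRatio float64) []string {
	stats := collect(log)
	var hit []string
	for _, ip := range FlagStuffing(log, minUsers, minFailRatio) {
		for user := range stats[ip].successes {
			hit = append(hit, user)
		}
	}
	sort.Strings(hit)
	return hit
}

func main() {
	for _, ip := range FlagStuffing(sampleLog, 5, 0.7) {
		fmt.Println("possible credential stuffing from", ip)
	}
	fmt.Println("accounts to lock:", CompromisedAccounts(sampleLog, 5, 0.7))
}
```

The two thresholds are the knobs a defender tunes: many distinct usernames from one source is the signature of stuffing, and the failure ratio separates it from a shared office address where many real users log in correctly.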

Can FIDO2 save us?

The burning question is why, despite being told repeatedly that our passwords are terrible, we have been reluctant to change our ways. One reason is that we become emotionally attached to them, not least because they often (unsafely) incorporate the names of people or things we hold dear. Also, because we need so many, we make passwords easy to remember. Even computer experts do that. In 2016, researcher Elizabeth Stobert surveyed several experts and was surprised by their password habits. "It is telling that they have chosen to trade off security for usability in certain situations," she said. "The social and contextual pressures that affect everyone also affect computer security experts."

As our dependence on digital services grows, the password problem grows, too, but FIDO2 shifts the whole idea of authentication over to the device you're using. In other words, instead of your device sending a password to a service for checking, FIDO2 merely asks for proof that you are who you say you are. That can be done with a fingerprint sensor or a USB key, so passwords aren't needed. Some online banking services have used this system for a while, but the certification of Android should help to establish it as the norm.
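The shift the paragraph describes, from sending a secret to proving that you hold one, as an added example that is not the article's or the FIDO Alliance's code: a simplified challenge-response login in Go in which the service stores only a public key, issues a fresh random challenge for every login and verifies the device's signature over that challenge and the service's own origin. The struct names, the message layout and the bank origin are assumptions; real WebAuthn signs structured client and authenticator data, and the local unlock that gates the key (fingerprint or PIN) is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Service is the relying party (assumed name). It never holds a secret: per
// user it keeps only the public key registered from the device, plus the
// outstanding challenge for a login in progress.
type Service struct {
	origin  string
	keys    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

// Authenticator is the user's device. The private key is generated on the
// device and never leaves it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewService(origin string) *Service {
	return &Service{origin: origin, keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register happens once: the device hands the service its public key.
func (s *Service) Register(user string, a *Authenticator) {
	s.keys[user] = &a.priv.PublicKey
}

// BeginLogin issues a fresh 32-byte random challenge, so every login needs a
// new signature and a captured one is worthless afterwards.
func (s *Service) BeginLogin(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	s.pending[user] = challenge
	return challenge, nil
}

// signedMessage is what gets signed: the challenge bound to the origin the
// device believes it is talking to. A signature made for one origin does not
// verify at another, which is where the phishing resistance comes from.
// Simplified stand-in for WebAuthn's clientDataJSON and authenticatorData.
func signedMessage(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write(challenge) // fixed length, so challenge and origin cannot be confused
	h.Write([]byte(origin))
	return h.Sum(nil)
}

// Sign is the device's answer: proof of possession of the private key,
// produced only after the user has unlocked the device locally.
func (a *Authenticator) Sign(challenge []byte, origin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(challenge, origin))
}

// FinishLogin verifies the signature against the stored public key and the
// challenge the service itself issued. The challenge is consumed either way.
func (s *Service) FinishLogin(user string, sig []byte) bool {
	pub, known := s.keys[user]
	challenge, inProgress := s.pending[user]
	if !known || !inProgress {
		return false
	}
	delete(s.pending, user)
	return ecdsa.VerifyASN1(pub, signedMessage(challenge, s.origin), sig)
}

func main() {
	svc := NewService("https://bank.example") // assumed origin
	dev, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	svc.Register("alice", dev)

	challenge, _ := svc.BeginLogin("alice")
	sig, _ := dev.Sign(challenge, "https://bank.example")
	fmt.Println("genuine login:", svc.FinishLogin("alice", sig))      // true
	fmt.Println("replayed signature:", svc.FinishLogin("alice", sig)) // false: challenge consumed
}
```

Nothing the service stores is useful to someone who breaches it, which is the point the paragraph makes: a dump of public keys cannot be stuffed into other services the way a dump of reused passwords can.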

Per Thorsheim, a self-confessed password obsessive who runs a global conference called PasswordsCon, which addresses the challenges surrounding digital authentication, is optimistic about FIDO2. "At the last conference, everyone in the room, from geeks to police, and intelligence experts to hackers, agreed that nothing came as close as this to improving security beyond the username and password," he says. "We actually think this might work – and we haven't said that about anything for the past 15 years."

What's the practical solution?

But while the technology is sound, he believes that there are practical issues that stand in its way. "If I gave a USB security key to my mother and told her that it replaces her password, she wouldn't be interested in spending even two minutes learning how to use it. And people will obviously lose them or forget to carry them," he says.

Thorsheim also notes that fingerprint logins are easily bypassed on an iPhone, for example, because you can swipe to log in with a PIN instead. "That's not security, it's convenience," he says. "It doesn't remove passwords from the equation, it just hides them. Passwords are not disappearing. They'll be around for at least the rest of my days on Earth."

If Thorsheim is correct, and the death blow to passwords is more than 20 years away, how should we secure ourselves in the interim? The commonly held belief that you should use a mixture of capital letters, lower-case letters and numbers, while changing your password every 90 days, has been rescinded by Bill Burr, the American software engineer who championed the practice in 2003.

One hacker says any eight-character password can now be cracked by a computer in under three hours, so longer phrases are essential. Two-factor authentication, in which your phone receives additional confirmation codes, is worth adopting, but the critical piece of advice is to use different passwords for each service. And if that becomes a headache, use a password manager such as 1Password, DashLane or LastPass.

When breaches are reported in the media, they're often made out to be cataclysmic events, such as when more than 21 million passwords from a number of sources were dumped online in January. But the truth is, they mainly contain old passwords, which with luck, you will have stopped using by now. However, if you're worried, services such as Google's Password Checkup can tell you if yours is floating around the internet, and if it is, Thorsheim says you are a target for hackers.

"People don't understand the benefit of strong passwords because nobody has been hacked until they've been hacked," he says. "That's the moment when they realise how bad it can actually be."
