Are Passwords Obsolete?

I have a cellphone, but all it does is make & receive phone calls - text feature off. And, I only turn it on when I go out. So, I guess I fall into the the "old fartett" category.

If 2F verification becomes a must. I guess I'll be left out.

Now where did I put my Selectric?

In response to Marty, the vast majority of sites do store hashed passwords, not clear text. The trouble is if someone steals the hashes, it's very quick and easy with the tools available today to crack all the simple passwords by brute force. Weak passwords will be guessed by this method within minutes or even seconds, and only really strong passwords will stand up, at least for many days of attempted cracking. Most users don't use strong passwords.

Hi Bob can u please explain one of the above comments (2nd May from Marty) as it seemed 2b a possible alternative to passwords that might work 4me...
'save the MD5 or SHA-1 hash of the password. Then whenever anybody logs on they supply their password.'
I'm a mum & a farmer with reasonable computer skills but have no idea what Marty is telling us we can do as a good alternative to 2SA
thanks Bob-really enjoy yr newsletters
yours Jenny :-]

Fingerprint scans have proven to be problematical (probably because of dirty fingers or smudged scan screens). Actually, for me, the option that seems the best and most fool-proof and easily used is the retinal scan. My only question is why it's taking so long considering that virtually every tablet, smartphone and laptop have a camera already.

Recently a friend lost his child living in another country. It has been an added nightmare for the family in trying to find out this person's accounts, insurance details etc.. At one time statements for bank accounts etc would be mailed out which helped leave a hard copy paper trail. Later, details would have been stored on a person's only computer. Now, people often have several devices but complicating things even more, this information now is often stored on the cloud, hidden behind passwords and accounts that loved ones often have no knowledge of. This has been a timely reminder for us all and any suggestions of a work around would be helpful. Eye scans etc would make this more difficult too. Not only is there no knowledge of the accounts, if these were known of, access passwords are not known. I guess banks, insurance etc are not obligated to front up with the information and wonder how much unclaimed money benefits these institutions.

My favorite is your ECG. The BioNym is to be released soon.
http://www.bionym.com/

@Ross >> those key fobs are still being utilized by some corporation for their employees who take laptops home. One brand is called "RSA SecureID" (www.rsa.com) and has an LCD display that rolls a new 6 digit numeric key code every 30 seconds.

Bob, good article, that has also, generated some good debate!

I honestly think, in the "future", who knows how far though, passwords will not be used. I am not sure, what will be used, to access pertinent information, but, I do think, it will not be passwords.

As for now, the 2-Factor Authorization seem to be the "fashionable" trend. I say trend, since, it is not widely used, at the moment. I may have read this article wrong ... But, it seems to be mostly geared to the Mobile Phone user, not the Desktop user.

Someone, somewhere with a "simple" mind, needs to really come up with a bang-up idea, for both the Mobile and Desktop/Laptop users ... To have a method that is easy, for even the Newbies ... To access their personal or business computers/mobile phones/tablets, safely.

Bob, you are exactly point on, when you said, the most computer/cell phone users are lazy. They are, exceedly so. They just want to get to the "business, at hand" and as quickly, as possible. This is why, I really think ... If ... Passwords will be a "thing of the past" ... It becomes paramount, that the "new" method of accessing our computers or communication devices, it has to as simple as a password, but, which much better security levels.

Don't have the solution, to this issue, either. For now, I am trying to change my habit, of using the same password, everywhere I go. Must admit though ... So far, I have been mighty lucky ... I haven't been compromised, yet. (Knock on wood!!!) :)

Finger prints don't work for me! I 'messed up' both my primary and secondary finger prints and couldn't get into my laptop until I figured out how to change to a password.

With Windows 8 touch screen could you just sit on it? :o)

I cringe at the use of biometrics for authentication. You may think your fingerprint is foolproof because it can't be duplicated, but it isn't your fingerprint that is presented for authentication against a database; it's a pattern of bits that can be just as easily duplicated and manipulated as any other such pattern. And in order to be useful, that pattern has to appear in at least one on-line database, so that there is something to which the fingerprint scanned by your bank can be compared. And when that fingerprint is compromised, YOU can't change it - you're stuck with that finger for life. Too bad, so sad, you're screwed. Give me an old-fashioned password that I can change any day!

dear bob,what r we going to do about our passwords...its already exhausting..thanks..

keypass generators are alive and well. I've had one for one of my online gaming accounts for going on 6 or 7 years now ($6 retail for the hardware...). My bank has been saying they will start offering them 'soon' for 2-3 years now.

1)Biometrics can't work unless every computer and device have them and they are all working and the relevant data is available to check against.

2)Mobiles won't work until everybody has one (I don't) and you have a mobile signal you can use. I live in a UK city and our area has poor (sometimes absent) signal (I do have a mobile for work but unless I'm working it's not on me.) What if you are abroad?

One scheme is to have 2 factor for those occasions that do need them. My bank provides a chip and pin card reader as a verification means for some processes, you insert your card, enter your PIN and there is some form of query/response mechanism to proceed on the site.

Most sites really don't need to be that complex, do you really need all that security for a forum? A simple (even shared) password could be OK there. A bit more complex if it's a support forum for software you've paid for and so on. Banking and other sites that are really important you may want to secure further. One issue is people simply using there Google/Facebook accounts as login to other sites.

EDITOR'S NOTE: Biometric data can be stored on the device, as is commonly done with laptops and smartphones. And a mobile signal is not always needed for the 2-factor auth code. Google's authenticator app on Android phones does not. It relies on the date & time (and perhaps shoe size and phase of the moon) to generate a 6-digit code.

Two comments.

One: years ago my wife was issued a pass code generator for work use. It had such a flimsy keyboard and small display that she could never been sure she had typed the right change into the device.(the Web Site gave a 6 digit number and you had to type that into the device and then type the Boxes response to the challenge back into the web site, all in 90 seconds. Anytime She really needed to get loged in I had to help her with the dang machine.

Two: Many cell Plans still charge a fee for each text message here in Canada. I really don't want to have to pay 25 cents each time I use a web site, so that the site can send me a magic number.

The very secure solution I'm looking forward to is SQRL - see https://www.grc.com/sqrl/sqrl.htm. While you are there check out his write up on Password Haystacks. In the meantime, I use LastPass and long, totally random passwords that are unique to every website. Current two factor authentication sounds great, but when I installed Google Authenticator on my iPhone it killed several other unrelated apps.

Security should be looked at as several layers of protection. 1. a firewalled connection 2. a good Antivirus prog 3. two anti malware progs 4. Win Patrol to deny unwanted changes 5. at least 2 alpha numeric passwords 6. inform yourself about "at risk" behavior while on the internet ex: airport free connections 7. read various forums that keep you up to date about changes in technology

A major problem w/ this article is it supports LESS security. In order to get the "one time code" from Google/Facebook/etc, you have to provide them with your cell phone number. They, in turn, use it for advertising. I had to change my cell number after I fell for this gimmick. I hadn't had a telemarketer call in over 10 yrs before this debacle.

Yes, we need a better authentication system, but the options presented are major steps back.

EDITOR'S NOTE: I'd argue this was a coincidence, or that your number was compromised in some other way. It just makes no sense for Google or Facebook to do that. It's never happened to me, and I've been using both for years.

So, how does one use 2FA without a smart phone or laptop? I know, others have asked the same question, but it does not seem practical to have to go out and buy new equipment and have to learn to use it, so that you can log in to GOOGLE or FACEBOOK! Thanks for the post, Bob.

Biometrics are too volatile for reliable use, suppose you damage or lose a finger thumb or eye, even a fairly minor cut on your thumb will change its appearance.

As people age or get ill, they can develop conditions such as retinopathy or macular degeneration, where will that leave them if they need their device?

As for cardiac rhythms, just wait for the day when you can't log on to your device because you've been taking exercise or have just had sex!

Additionally, of course people can develop a whole range of cardiac arrhythmias well short of a full blown MI, particularly as they age.

Now if someone is suffering a full blown heart attack, then access to their device is the least of their problems but, should they recover, their heart will be scarred and its rhythm changed.

Remember, of course, that with the current system of checks and balances, you don't have to give your mother's REAL maiden name or the real name of your first school either if it can be guessed, if I put that my mother's maiden name was R2D2 and my first school was Chicken Curry, the authentication routine is not going to come back and say that was wrong. (I haven't used those by the way)

It seems somehow counter intuitive but you can add to your current level of protection by LYING!

In te future, in my opinion, we will get rid of the simple "pass or fail" gates that protect our accounts.

The way many online services now work, is that they place a wall around the city, let anyone pass with valid papers (even if the black man who carried them last week has inexplicably become a white woman, and

In the future it won't be a simple "pass or fail" - it will be about chance. Intelligent software will monitor our behavior and evaluate the odds that the user logged in is legitimate.

This could be as simple as evaluating keystroke rhythms, mous movements, patterns in navigation, analysiss of a style of writing on forums, typical order of transactions on bank sites etc. Cross-checking data will becoming more prevalent as well, though not without many many issues and controversy.

If a user's behavior has become suspicious, the system will ask for additional verification, or might even alert some pre-defined party/parties so a human can intervene. It may even shut down the account - if my bank's site detects a sudden transfer of a large amount to some obscure account in the maldives. Or if I'm suddenly shopping for expensive book sets when I'm member of a local library and have said buying books is a waste of money.

Hell, identification on online/remote services could become a business where you register with a representative who will monitor your accounts for further protection.

Sure, such systems might require a formalisation/bureaucratisation of web usage. Then again, as we are doing more and more of our formal business online, that's only inevitable.